11/10/2022, 7:18 AM
Hi! First of all thank you for setting up this Discord server and allowing people to ask questions! I have a consistency question (I think?). I'm thinking about using SpiceDB in a proxy performing a bunch of authz checks and found myself wondering which consistency would I need to specify when doing CheckPermission there. I wanted to store zedtokens on said proxy level so the services protected by it don't have to care about them. If I store zedtokens in Redis I think following the situation is possible: Starting state: User A has permission to read document stored in a service. ZedToken1 is stored in proxy Redis. T1 - permission is revoked for User A, document is updated, ZedToken2 gets stored in Redis T2 - proxy performs CheckPermission, but because of the Redis consistency ZedToken1 is used If I understand correctly, calling CheckPermission with
consistency in this situation will guarantee that we will get "no permission", but what about
using ZedToken1? Is it possible that the permission revoke from T1 is still not propagated in T2 and CheckPermission with
and ZedToken1 would return "has permission"? Or because of Consistent Hash Load Balancing even though permission revoke is not propagated across all nodes - CheckPermission with
and ZedToken1 will return "no permission" anyway because we would "talk" to the same node each time?