Hi!
First of all thank you for setting up this Discord server and allowing people to ask questions!
I have a consistency question (I think?).
I'm thinking about using SpiceDB in a proxy performing a bunch of authz checks and found myself wondering which consistency would I need to specify when doing CheckPermission there. I wanted to store zedtokens on said proxy level so the services protected by it don't have to care about them.
If I store zedtokens in Redis I think following the situation is possible:
Starting state:
User A has permission to read document stored in a service. ZedToken1 is stored in proxy Redis.
T1 - permission is revoked for User A, document is updated, ZedToken2 gets stored in Redis
T2 - proxy performs CheckPermission, but because of the Redis consistency ZedToken1 is used
If I understand correctly, calling CheckPermission with
fully_consistent
consistency in this situation will guarantee that we will get "no permission", but what about
at_least_as_fresh
using ZedToken1?
Is it possible that the permission revoke from T1 is still not propagated in T2 and CheckPermission with
at_least_as_fresh
and ZedToken1 would return "has permission"?
Or because of Consistent Hash Load Balancing even though permission revoke is not propagated across all nodes - CheckPermission with
at_least_as_fresh
and ZedToken1 will return "no permission" anyway because we would "talk" to the same node each time?