https://authzed.com logo
Join Discord
Powered by
Hi, I am trying to understand a bit more about how...
# spicedb
p
Hi, I am trying to understand a bit more about how ZedTokens are supposed to be used. In the docs, you say that when editing a resource (I assume without changing its relationships), the CheckPermission call should be fully consistent, and to store the resulting ZedToken (https://authzed.com/docs/reference/zedtokens-and-zookies#when-changing-the-content-of-a-resource) next to the resource. (Why) Can I not use an existing ZedToken here? What's the difference to the advice in the last paragraph (https://authzed.com/docs/reference/zedtokens-and-zookies#using-the-stored-zedtoken)? Another related question: if I run the same LookupResources query multiple times in fully consistent mode, but no writes are happening to the database at all in the meantime, should I expect to see any speed-up at all using a ZedToken?
Also: is this really accurate: https://authzed.com/docs/reference/zedtokens-and-zookies#how-do-i-use-zedtokens-with-authzedapiv1lookupresources ? If we have: - a parent resource with many children, - a user with direct relations written to some of those children Then, the user's relation to one of those resources is removed. When we LookupResources, and we supply the ZedToken of the time time the resource was created, i.e. "connected" to the parent. -> Wouldn't SpiceDB incorrectly say that the user still has access to that resource?
j
> Another related question: if I run the same LookupResources query multiple times in fully consistent mode, but no writes are happening to the database at all in the meantime, should I expect to see any speed-up at all using a ZedToken? No more or less than if you run without full consistency
> -> Wouldn't SpiceDB incorrectly say that the user still has access to that resource?
incorrectly, no
it was correct when cached
after the cache window passes (~5s by default), then it will show the current result
LookupResources is not intended to respect the New Enemy Problem, because the expectation is that a Check will be issued to see the contents of a document
if it is necessary, you can make the call with full consistency
p
Ah, got it - was not aware of this time window. Thanks for clearing this up
But in general, do individual ZedTokens become worthless after those 5 seconds? Or is this specific to lookupresources
j
more or less they do, yes
but that's an implementation detail
and that could change: you could reconfigure SpiceDB to use a 30s window, for example
a ZedToken exists as a guarantee of freshness
without it, you have to either always choose to use full consistency to guarantee no staleness OR accept the staleness that the server decides to give
the ZedToken is the client saying "I need freshness as of this point"
p
Okay, that makes sense. So if we're not too concerned with the new enemy problem, and 5 ( or say 30s) of staleness is not an issue for us, minimize_latency is fine to use I assume?
j
yep
PreviousNext
Powered by