#spicedb
Data Domiciling with CockroachDB

pradyuman

03/12/2023, 7:59 AM
Is there a way to specify a region when using cockroachdb as the data store to implement something like this? https://www.cockroachlabs.com/docs/stable/data-domiciling.html

vroldanbet

03/12/2023, 8:57 PM
This is an interesting question! As far as I understand Zanzibar was designed for global replication but I'm not 100% sure it mentions anything about data domiciling. This is not supported out of the box by SpiceDB. I think it would be possible but the main challenge would be how to expose it via the API when not all datastores support this concept. It would require a bit of a refactor of the datastore implementation to make sure:
- datastore is aware of data domiciling
- relationships have a column with such information
- as authorization decisions are computed, the datastore collects only those relationships that are either global or specific to the region the request is originating from.
It would be a bit of an undertaking but I think it's an interesting topic and one that could be implemented. Would you mind filing an issue with your requirements?

pradyuman

03/13/2023, 4:40 AM
Sure! I’ll file an issue.

jzelinskie

06/28/2023, 7:06 PM
In practice, a global deployment is going to have regional SpiceDB clusters that keep most of the data in that region. If you're segmenting data for compliance reasons, I'm not sure CRDB's data domiciling functionality meets those requirements as it doesn't prevent data from leaving the region. I'd recommend having a separate datastore to be 100% sure in that case.
If you're not after compliance, I'd like to hear back after trying regional SpiceDB clusters so that we better understand the scenarios when we'd recommend exposing CRDB's data domiciling through SpiceDB