Improvement: Prevent ZedToken's from being used cross-datastore #1541
Assignees
Labels
area/api v1
Affects the v1 API
area/datastore
Affects the storage system
kind/tech debt
Addresses legacy code/decisions
priority/3 low
This would be nice to have
Comments
josephschorr
added
priority/3 low
|
Please consider that stored tokens can be scattered across multiple services managed by multiple teams. Somehow invalidating all of those tokens and keeping new ones from saving during a datastore change can be a herculean effort. I'd like to suggest that SpiceDB's response to tokens that don't match its current datastore be configurable. To wit. If I were to have this kind of control and have to migrate data stores, I'd perform the following steps:
I may opt for intentional downtime and instead do:
|
|
I think making it configurable is reasonable |
josephschorr
added a commit
to josephschorr/spicedb
that referenced
this issue
Jan 29, 2024
an older datastore is used All ZedTokens are now minted with the datastore's unique ID included in the ZedToken and that ID is checked when the ZedToken is decoded. In scenarios where the datastore ID does not match, either an error is raised (watch, at_exact_snapshot) or configurable behavior is used (at_least_as_fresh) Fixes authzed#1541
josephschorr
added a commit
to josephschorr/spicedb
that referenced
this issue
Jan 29, 2024
an older datastore is used All ZedTokens are now minted with the datastore's unique ID included in the ZedToken and that ID is checked when the ZedToken is decoded. In scenarios where the datastore ID does not match, either an error is raised (watch, at_exact_snapshot) or configurable behavior is used (at_least_as_fresh) Fixes authzed#1541
josephschorr
added a commit
to josephschorr/spicedb
that referenced
this issue
Jan 29, 2024
an older datastore is used All ZedTokens are now minted with the datastore's unique ID included in the ZedToken and that ID is checked when the ZedToken is decoded. In scenarios where the datastore ID does not match, either an error is raised (watch, at_exact_snapshot) or configurable behavior is used (at_least_as_fresh) Fixes authzed#1541
josephschorr
added a commit
to josephschorr/spicedb
that referenced
this issue
Jan 29, 2024
an older datastore is used All ZedTokens are now minted with the datastore's unique ID included in the ZedToken and that ID is checked when the ZedToken is decoded. In scenarios where the datastore ID does not match, either an error is raised (watch, at_exact_snapshot) or configurable behavior is used (at_least_as_fresh) Fixes authzed#1541
josephschorr
added a commit
to josephschorr/spicedb
that referenced
this issue
Jan 30, 2024
an older datastore is used All ZedTokens are now minted with the datastore's unique ID included in the ZedToken and that ID is checked when the ZedToken is decoded. In scenarios where the datastore ID does not match, either an error is raised (watch, at_exact_snapshot) or configurable behavior is used (at_least_as_fresh) Fixes authzed#1541
josephschorr
added a commit
to josephschorr/spicedb
that referenced
this issue
Mar 13, 2024
an older datastore is used All ZedTokens are now minted with the datastore's unique ID included in the ZedToken and that ID is checked when the ZedToken is decoded. In scenarios where the datastore ID does not match, either an error is raised (watch, at_exact_snapshot) or configurable behavior is used (at_least_as_fresh) Fixes authzed#1541
josephschorr
added a commit
to josephschorr/spicedb
that referenced
this issue
Mar 13, 2024
an older datastore is used All ZedTokens are now minted with the datastore's unique ID included in the ZedToken and that ID is checked when the ZedToken is decoded. In scenarios where the datastore ID does not match, either an error is raised (watch, at_exact_snapshot) or configurable behavior is used (at_least_as_fresh) Fixes authzed#1541
josephschorr
added a commit
to josephschorr/spicedb
that referenced
this issue
Mar 13, 2024
an older datastore is used All ZedTokens are now minted with the datastore's unique ID included in the ZedToken and that ID is checked when the ZedToken is decoded. In scenarios where the datastore ID does not match, either an error is raised (watch, at_exact_snapshot) or configurable behavior is used (at_least_as_fresh) Fixes authzed#1541
josephschorr
added a commit
to josephschorr/spicedb
that referenced
this issue
Apr 1, 2024
an older datastore is used All ZedTokens are now minted with the datastore's unique ID included in the ZedToken and that ID is checked when the ZedToken is decoded. In scenarios where the datastore ID does not match, either an error is raised (watch, at_exact_snapshot) or configurable behavior is used (at_least_as_fresh) Fixes authzed#1541
josephschorr
added a commit
to josephschorr/spicedb
that referenced
this issue
Apr 16, 2024
an older datastore is used All ZedTokens are now minted with the datastore's unique ID included in the ZedToken and that ID is checked when the ZedToken is decoded. In scenarios where the datastore ID does not match, either an error is raised (watch, at_exact_snapshot) or configurable behavior is used (at_least_as_fresh) Fixes authzed#1541
josephschorr
added a commit
to josephschorr/spicedb
that referenced
this issue
Apr 22, 2024
an older datastore is used All ZedTokens are now minted with the datastore's unique ID included in the ZedToken and that ID is checked when the ZedToken is decoded. In scenarios where the datastore ID does not match, either an error is raised (watch, at_exact_snapshot) or configurable behavior is used (at_least_as_fresh) Fixes authzed#1541
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Right now, ZedTokens simply encode the datastore-provided revision information, with no additional information as to the kind of datastore used. This can result in weird behavior if a ZedToken from one SpiceDB cluster is used with a completely different cluster, or the datastore has been swapped out.
We should instead encode the datastore kind (and perhaps a unique ID) into the ZedToken, and either reject all such tokens, or automatically switch to full consistency (likely the former)
The text was updated successfully, but these errors were encountered: