-
Notifications
You must be signed in to change notification settings - Fork 246
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
document the implications of using the insecure
overlap strategy for cockroachdb
#1251
Conversation
insecure
is okay to the crdb readmeinsecure
overlap strategy for cockroachdb
insecure
overlap strategy for cockroachdbinsecure
overlap strategy for cockroachdb
fee7afa
to
dc48af1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, left some nits and questions. I think I'd be worth adding this also to https://authzed.com/docs/spicedb/selecting-a-datastore#cockroachdb
internal/datastore/crdb/README.md
Outdated
## When is `insecure` overlap a problem? | ||
|
||
Using `insecure` overlap strategy for SpiceDB with CockroachDB means that it is _possible_ that timestamps for two subsequent writes will be out of order. | ||
When this happens, it's _possible_ for the [New Enemy Problem](https://zanzibar.tech/2B__bAI52Q:0:J) to occur. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
perhaps https://authzed.com/blog/prevent-newenemy-cockroachdb/ may be an even better link to reference
- When two writes are made in short succession against CockroachDB | ||
- And those two writes hit two different gateway nodes | ||
- And the CRDB gateway node clocks have a delta `D` | ||
- And the writes touch disjoint sets of relationships |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
couldn't it technically be still possible if the writes touch the same relationships? (so long we hit different gateway nodes)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope, if the the writes land in the same ranges (which they would if any relationships overlap) then the timestamps will get synchronized
internal/datastore/crdb/README.md
Outdated
- Not allowing the write from `B` within the max_offset time of the CRDB cluster (or the quantization window). | ||
- Not allowing a Check on a resource within max_offset of its ACL modification (or the quantization window). | ||
|
||
## Mis-apply Old ACLs to New Content |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this is part of When does a timestamp reversal matter?
section
## Mis-apply Old ACLs to New Content | |
### Mis-apply Old ACLs to New Content |
internal/datastore/crdb/README.md
Outdated
Note that this is only possible if `A - T < quantization window`: the check has to happen soon enough after the write for `A` that it's possible that SpiceDB picks a timestamp in between them. | ||
The default quantization window is `5s`. | ||
|
||
### Application Mitigations for ACL Update Order |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: may be better to make this a subsection of Neglecting ACL Update Order
### Application Mitigations for ACL Update Order | |
#### Application Mitigations for ACL Update Order |
internal/datastore/crdb/README.md
Outdated
|
||
Same as before, this is only possible if `A - T < quantization window`: Bob's check has to happen soon enough after the write for `A` that it's possible that SpiceDB picks a timestamp in between `A` and `B`, and the default quantization window is `5s`. | ||
|
||
### Application Mitigations for Misapplying Old ACLs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: may be better to make this a subsection of Mis-apply Old ACLs to New Content
### Application Mitigations for Misapplying Old ACLs | |
#### Application Mitigations for Misapplying Old ACLs |
internal/datastore/crdb/README.md
Outdated
|
||
Then it's possible that the second write will be assigned a timestamp earlier than the first write. In the next section we'll look at whether that matters for your application, but for now let's look at what makes the above conditions more or less likely: | ||
|
||
- **Clock skew**. A larger clock skew gives a bigger window in which timestamps can be reversed. But note that CRDB enforces a max offset between clocks, and getting within some fraction of that max offset will boot the node from the cluster. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"boot" -> "kick"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You might also want to address the fact that timestamp reversals on disjoint graphs (not just non-overlapping) will never result in the new enemy problem. Maybe write up some examples on when there wouldn't be any impact whatsoever.
@jakedt updated with examples like you suggested |
04a426c
to
bc62d69
Compare
@ecordell linter error |
91232d7
to
7284223
Compare
@jakedt fixed |
No description provided.