Allow Read-Only API in production usage. #1729
Comments
@winstaan74
Hey @vroldanbet! I don't think I'd still like to have a single privileged service writing relationships - but would like to ensure other services can't accidentally trample the relationships.
@winstaan74 got it. As a workaround for now, you could have 2 clusters using the same datastore. One handles writes, and the other one has So if I understand correctly, you'd like to see the API exposed in two different ports, one that has write access, and another that is readonly, correct?
Ohh, 2 clusters - ok, interesting tip. Thanks. Yep - two different ports was what I was thinking - inspired by the `serve-testing` setup. But maybe separate clusters solve the problem already.
Separate clusters also allows for different preshared keys to be used, so you can have a "read only" key
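The two-cluster workaround described in the comments above, written out as an added docker-compose example; this is not part of the issue or of the SpiceDB project. It assumes the `--datastore-readonly` flag of `spicedb serve` (the thread does not name the flag explicitly) and uses placeholder keys and database credentials throughout.

```yaml
# Added example: two SpiceDB instances sharing one Postgres datastore.
# "spicedb-writer" holds the write-capable preshared key on port 50051;
# "spicedb-reader" runs with --datastore-readonly and its own key on port 50052.
# All keys and credentials below are placeholders, not real values.
services:
  postgres:
    image: postgres:15
    environment:
      POSTGRES_USER: spicedb
      POSTGRES_PASSWORD: DB_PASSWORD_PLACEHOLDER
      POSTGRES_DB: spicedb

  # Run schema migrations once before either instance starts.
  migrate:
    image: authzed/spicedb:latest
    command: ["migrate", "head",
              "--datastore-engine", "postgres",
              "--datastore-conn-uri", "postgres://spicedb:DB_PASSWORD_PLACEHOLDER@postgres:5432/spicedb?sslmode=disable"]
    depends_on: [postgres]

  # Only the single writing service is given WRITER_KEY_PLACEHOLDER.
  spicedb-writer:
    image: authzed/spicedb:latest
    command: ["serve",
              "--grpc-preshared-key", "WRITER_KEY_PLACEHOLDER",
              "--datastore-engine", "postgres",
              "--datastore-conn-uri", "postgres://spicedb:DB_PASSWORD_PLACEHOLDER@postgres:5432/spicedb?sslmode=disable"]
    ports: ["50051:50051"]
    depends_on:
      migrate:
        condition: service_completed_successfully

  # Permission-checking services get READER_KEY_PLACEHOLDER and this port only.
  # --datastore-readonly makes the datastore layer reject writes regardless of key.
  spicedb-reader:
    image: authzed/spicedb:latest
    command: ["serve",
              "--grpc-preshared-key", "READER_KEY_PLACEHOLDER",
              "--datastore-engine", "postgres",
              "--datastore-conn-uri", "postgres://spicedb:DB_PASSWORD_PLACEHOLDER@postgres:5432/spicedb?sslmode=disable",
              "--datastore-readonly"]
    ports: ["50052:50051"]
    depends_on:
      migrate:
        condition: service_completed_successfully
```

Network policies can then restrict the checking services to port 50052, so an accidental write from one of them fails at the read-only instance even before key handling is considered.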
@winstaan74 Also, AuthZed's paid offering provides support for https://authzed.com/docs/spicedb-dedicated/fgam, which allows for very specific permissions on the tokens calling into SpiceDB Enterprise
Thanks for the pointers to alternatives - I'll close this ticket.
@winstaan74 Let us know if the separate clusters don't work for some reason; if not, we can investigate exposing the readonly endpoint at its own endpoint via
+1 to the idea of allowing readonly endpoint/key(s) with a single cluster. We have a similar setup to OP and I suspect this will be a fairly common pattern for others self-hosting SpiceDB. While the multiple cluster setup would work, it does add complexity/cost.
Problem Statement
We have a use case where a single service writes relationships to SpiceDB, but other services will be calling SpiceDB to check permissions.
The `serve-testing` mode provides a read-only API on a different port. I'd like to propose an option to enable the read-only API in the production `serve` mode. If this was available, then network policies, etc. could be used to ensure that services that should only be checking permissions could never accidentally write to SpiceDB.
Solution Brainstorm
No response