authzed / spicedb

Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications
https://authzed.com/docs
Apache License 2.0

--datastore-bootstrap-overwrite is additive, not overwriting previous namespaces #1982

Closed OumaimaBenGhedifa closed 2 months ago

OumaimaBenGhedifa commented 2 months ago

When using the --datastore-bootstrap-overwrite flag, the expected behavior is that the datastore should be completely overwritten with the new data from the bootstrap file. However, the current behavior is additive, meaning it leaves the previous namespaces intact and adds the new ones from the bootstrap file. This can lead to unexpected results and potential conflicts.

Example Initial Schema (Before Overwrite):

definition user {}

definition document {
    relation writer: user

    permission write = writer
}

Bootstrap File (For Overwrite):

definition user {}

definition article {
    relation reader: user

    permission read = reader
}

Expected Behavior

The datastore should be entirely overwritten with the namespaces from the bootstrap file, and previous namespaces should be removed.

definition user {}

definition article {
    relation reader: user

    permission read = reader
}

Actual Behavior

The datastore retains the previous namespaces and adds the new ones from the bootstrap file, resulting in an additive behavior.

definition user {}

definition document {
    relation writer: user

    permission write = writer
}

definition article {
    relation reader: user

    permission read = reader
}
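
A small drift check, added here as an example and not part of this issue or of the SpiceDB code base: it extracts definition names from two schemas with a deliberately simplified regexp (not SpiceDB's real schema compiler) and lists the namespaces that the bootstrap file would leave behind under the additive behavior described above. The two schemas are constructed from the report; the stale `document` namespace is exactly the one whose `write` permission keeps resolving after a bootstrap that was expected to remove it.

```go
package main

import (
	"fmt"
	"regexp"
)

// defRe matches a definition head such as "definition document {" (names only; simplified on purpose).
var defRe = regexp.MustCompile(`(?m)^\s*definition\s+([A-Za-z0-9_/]+)\s*\{`)

// definitionNames returns the namespace names declared in a schema, in source order.
func definitionNames(schema string) []string {
	var names []string
	for _, m := range defRe.FindAllStringSubmatch(schema, -1) {
		names = append(names, m[1])
	}
	return names
}

// staleDefinitions lists namespaces in the current datastore schema that the bootstrap file does
// not declare: empty under true overwrite semantics, non-empty under the additive behavior above.
func staleDefinitions(current, bootstrap string) []string {
	wanted := map[string]bool{}
	for _, n := range definitionNames(bootstrap) {
		wanted[n] = true
	}
	var stale []string
	for _, n := range definitionNames(current) {
		if !wanted[n] {
			stale = append(stale, n)
		}
	}
	return stale
}

// Schemas constructed from the issue report (not real datastore contents).
const initialSchema = `definition user {}
definition document {
    relation writer: user
    permission write = writer
}`
const bootstrapSchema = `definition user {}
definition article {
    relation reader: user
    permission read = reader
}`

func main() {
	fmt.Println("stale namespaces:", staleDefinitions(initialSchema, bootstrapSchema))
}
```

Running the same comparison against the schema actually read back from the datastore after bootstrapping turns the report's "Actual Behavior" into a check that fails loudly instead of silently leaving old permissions in place.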

ecordell commented 2 months ago

I suspect the flag is not being passed through correctly, though it would help to see your SpiceDBCluster yaml if you can provide it.

Are you setting datastoreBootstrapOverwrite: true or datastoreBootstrapOverwrite: "true"? It should be the latter.

If you look at the env vars on the deployment the operator creates, that should show you if that field is being set correctly.

OumaimaBenGhedifa commented 2 months ago

Hello @ecordell, first of all, thank you so much for your response. I'm correctly setting datastoreBootstrapOverwrite: "true". I looked at the env vars on the deployment the operator creates and it showed me that the field is being set correctly too. This is my SpiceDBCluster yaml:

apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
  name: dev
spec:
  config:
    replicas: 1
    datastoreEngine: postgres
    datastoreBootstrapFiles: /etc/bootstrap/init.yaml
  patches:
  - kind: Deployment
    patch:
      spec:
        template:
          spec:
            volumes:
            - name: bootstrap
              configMap:
                name: spicedb-bootstrap
            containers:
            - name: spicedb
              env:
              - name: SPICEDB_DATASTORE_BOOTSTRAP_OVERWRITE
                value: "true"
              volumeMounts:
              - name: bootstrap
                mountPath: /etc/bootstrap

ecordell commented 2 months ago

Thanks for the info @OumaimaBenGhedifa! That all looks right to my eyes.

I think this should be an issue on spicedb then. I can move the issue over there, or you can open a new one if you want to keep this conversation here.

OumaimaBenGhedifa commented 2 months ago

@ecordell Yes, sure, you can move the issue to spicedb. Thank you!

ecordell commented 2 months ago

I suspect that the bootstrap schema writer is using the old (v1alpha1) schema write instead of the new (v1) schema write.