@@ -245,14 +245,63 @@ policy:
245245
246246If you want to apply a configuration to an existing SpiceDB cluster without downtime, you must conduct an upgrade process with the following steps:
247247
248- 1. Create pre-shared keys that follow the token format for each client of your SpiceDB instance.
249- You should add those to your SpiceDB instance configuration.
250- You can do this by defining multiple PSKs via the ENV or flags as comma separated values.
251- 2. Update all your clients to use those new PSKs.
252- 3. Prepare the FGAM configuration YAML.
248+ 1. Create pre-shared keys that follow the Restricted Access Token format for each client of your SpiceDB instance.
249+ Using some Bash:
250+
251+ ` ` ` sh
252+ # Generate your secret (substitute your preferred method for generating a cryptographically-secure random string here)
253+ # This will be a part of the token
254+ base64 < /dev/random | head -c64
255+ # g2l2/YjC3jFg6FdV080qiqBPvCrlLuc9GcHutgHF4WhVjsg7+AvlqLmoCrJEC68t
256+
257+ # Hash that secret using sha256sum
258+ # This will go in your FGAM configuration as the token hash
259+ # NOTE: truncate the trailing spaces and "-". You just want the alphanum characters.
260+ echo -n "g2l2/YjC3jFg6FdV080qiqBPvCrlLuc9GcHutgHF4WhVjsg7+AvlqLmoCrJEC68t" | sha256sum
261+ # 1d619ac2f5013845c5f2df93add92fc87e88ca6c57d19a77d1b189663f1ff5b0 -
262+
263+ # Add the prefix to create the token that you'll supply to your client
264+ echo "sdbst_h256_g2l2/YjC3jFg6FdV080qiqBPvCrlLuc9GcHutgHF4WhVjsg7+AvlqLmoCrJEC68t"
265+ # sdbst_h256_g2l2/YjC3jFg6FdV080qiqBPvCrlLuc9GcHutgHF4WhVjsg7+AvlqLmoCrJEC68t
266+ ```
267+
268+ 2 . Prepare the FGAM configuration YAML.
269+ You'll add the hashes that you generated in the previous step to the ` hash ` key in the ` token ` list for each respective token.
253270 This process heavily depends on what each client needs:
254271 1 . You may want to start with FGAM tokens bound to a admin-like Role, since that's what the original PSKs effectively were.
255272 This is probably lower risk, and then from there you can move to start trimming down permissions.
256273 2 . Or you may want to move directly to downscoped tokens for your individual services, creating the tokens you need.
257274 This may be simple if you have few clients, but more complex as the number of clients grow, and with a bigger blast radious of impact on rollout.
258- 4. Deploy SpiceDB with the new configuration
275+ A minimal configuration would look something like:
276+
277+ ``` yaml
278+ role :
279+ - id : " admin"
280+ permission :
281+ authzed.v1/CheckPermission : " "
282+ service_account :
283+ - id : " my_microservice"
284+ token :
285+ - id : " token_01"
286+ hash : " 1d619ac2f5013845c5f2df93add92fc87e88ca6c57d19a77d1b189663f1ff5b0"
287+ policy :
288+ - id : " microservice_with_admin"
289+ principal_id : " my_microservice"
290+ principal_type : " service_account"
291+ roles :
292+ - " admin"
293+ ` ` `
294+
295+ 3. Set the created tokens as valid preshared keys in your SpiceDB instance.
296+ You can do this by defining multiple PSKs via the ENV or flags as comma separated values:
297+
298+ ` ` ` sh
299+ spicedb serve --grpc-preshared-key="<old_preshared_key>,<new_token_1>,...,<new_token_n>"
300+ ```
301+
302+ Deploy SpiceDB with this new configuration.
303+ 4 . Update all your clients to use the new tokens that you've created, according to which token should have which permissions.
304+ 5 . Deploy SpiceDB with the new Restricted Access configuration.
305+
306+ Prior to the migration, the keys that your client sends will be treated as preshared keys.
307+ After the migration, the keys that your client sends will be treated as Restricted Access keys.
0 commit comments