Releases: authzed/spicedb
v1.13.0
Highlights
- Dispatched checks are now batched, improving performance
- Protobuf serialization is now much faster by using vtprotobuf to avoid reflection
- Dispatch API is now compressed with Snappy
- Cache sizes can now be configured with percentages of free memory
Warning
This release contains a change to the internal dispatch API, which means that v1.13.0 and v1.12.0 cannot dispatch to each other during a rolling upgrade. To upgrade without downtime, run these as separate Kubernetes services, or disable dispatch before upgrading.
What's Changed
- Add an error case for redefining a type in schema by @josephschorr in #810
- Add govulncheck to the linters by @josephschorr in #813
- don't generate nsswitch.conf (base images have it now) by @ecordell in #815
- Fix fallback for MySQL stats to fix test flake by @josephschorr in #812
- replace custom pgxpool collector with opensource module by @vroldanbet in #809
- dispatch: use Snappy S2 compression and vtprotobuf by @jzelinskie in #821
- gomod: bump compress to v1.15.10 by @jzelinskie in #822
- Disable GC in datastore drivers when in read-only mode by @josephschorr in #811
- bump kuberesolver to pick up serviceaccount token refresh by @ecordell in #817
- Ensure that internal errors are returned before dev errors by @josephschorr in #823
- Use MarshalVT() and UnmarshalVT() everywhere by @jzelinskie in #824
- internal/datastore: use proto.Marshal by @jzelinskie in #825
- Add a test for writing and reading back a serialized namespace in the datastores by @josephschorr in #826
- caveat in MemDB datastore by @vroldanbet in #807
- forward cli flags GCMaxOperationTime and SplitAtUsersetCount to MySQL datastore by @vroldanbet in #829
- Change all user-visible type errors into proper wrapped error structs by @josephschorr in #831
- reduce e2e flakes by @ecordell in #834
- Batch check improvements by @josephschorr in #777
- Fix performance for large schema writes in V1Alpha1 by @josephschorr in #837
- Fix chunking util to never call for an empty chunk by @josephschorr in #840
- Change caching to sort order resource and subject IDs by @josephschorr in #841
- Improve the WASM developer package interface by @josephschorr in #828
- internal/dispatch: gofumpt 4.0 by @jzelinskie in #845
- update cobrautil to latest commit by @vroldanbet in #842
- pkg/cmd: support cache sizes in percentages of free memory by @jzelinskie in #827
- Add building of WASM developer binary to releases by @samkim in #833
- pkg/cache: implement metrics for noop cache by @jzelinskie in #848
- introduce caveat support in WriteRelationships/ReadRelationships by @vroldanbet in #838
- Start work for dispatch for caveats by adding MembershipSet by @josephschorr in #849
- internal: add docker build tag to transitives by @jzelinskie in #854
- docker: switch to chainguard base images by @jzelinskie in #857
- Switch check dispatch to use the new MembershipSet by @josephschorr in #855
- Dependabot updates for Oct 2022 by @josephschorr in #867
- Dependabot updates for Oct 2022, Part 2 by @josephschorr in #873
- Change check dispatching to support caveat expr evaluation by @josephschorr in #865
- Dependabot updates for Oct 2022, Part 3 by @josephschorr in #876
- Add caveats flag to disable writing by default on all datastores by @josephschorr in #866
Full Changelog: v1.12.0...v1.13.0
Docker Images
This release is available at authzed/spicedb:v1.13.0, quay.io/authzed/spicedb:v1.13.0, ghcr.io/authzed/spicedb:v1.13.0
v1.12.0
Highlights
- new lookupsubjects RPC answers the question "which subjects have a given permission over a specific resource?"
- CRDB Store now exposes prometheus metrics for the connection pool
- new debug containers now being published, which includes busybox. This is convenient for development environments that require a shell
- PGX driver no longer logs on debug by default, cleaning up SpiceDB's info level
- CRDB datastore now properly supports connection draining procedures
- added configurable limits for write and delete relationship APIs
- leaner and more secure docker images based on distroless.dev
What's Changed
- hack: mv install-tools into hack dir by @jzelinskie in #737
- fix panic on cached optimized revisions by @vroldanbet in #740
- README: add OpenSSF best practices badge by @jzelinskie in #742
- bump crdb in tests to 22.1.5 by @ecordell in #745
- update spanner emulator logs by @ecordell in #746
- more resilient CRDB datastore on connection draining by @vroldanbet in #744
- Use distroless.dev/static base, add debug variants by @imjasonh in #750
- adds trivy security scanner to lint CI job by @vroldanbet in #751
- Begin work on LookupSubjects by @josephschorr in #736
- Add a nightly build for spicedb by @ecordell in #762
- Revert "Add a nightly build for spicedb" by @ecordell in #763
- fixes link to go-memdb by @vroldanbet in #766
- Fix various error references by @josephschorr in #769
- removes v1.RelationshipUpdate from datastore.ReadWriteTransaction by @vroldanbet in #771
- Fully implement the LookupSubjects API by @josephschorr in #770
- add datastore metrics to CockroachDB datastore by @vroldanbet in #774
- Begin implementation of a library for processing caveat expressions by @josephschorr in #760
- newly added lookup subject metrics weren't being unregistered by @vroldanbet in #778
- Add configurable limits for write and delete relationship APIs by @josephschorr in #775
- Dependabot Updates for Sept 1 by @josephschorr in #785
- Dependabot Updates for Sept 1, part 2 by @josephschorr in #792
- Dependabot updates for Sept 1, part 3 by @josephschorr in #795
- Handle duplicate writes in a nicer way by @josephschorr in #796
- remove dupe validation in WriteRelationships by @vroldanbet in #799
- map pgx info logging level to debug by @vroldanbet in #798
- Change v1alpha1 WriteSchema to only read namespaces it needs by @josephschorr in #805
- Update authzed-go client by @samkim in #806
- Improve write constraint failures by @josephschorr in #801
- reduce differences between release and dev dockerfiles by @vroldanbet in #797
- Remove checks on configurable PermissionService limits and rely upon defaults by @josephschorr in #808
Docker Images
This release is available at:
authzed/spicedb:v1.12.0
quay.io/authzed/spicedb:v1.12.0
ghcr.io/authzed/spicedb:v1.12.0
authzed/spicedb:v1.12.0-debug
quay.io/authzed/spicedb:v1.12.0-debug
ghcr.io/authzed/spicedb:v1.12.0-debug
New Contributors
Full Changelog: v1.11.0...v1.12.0
v1.11.0
Warning
This release contains a change to the internal dispatch API, which means that v1.10.0 and v1.11.0 cannot dispatch to each other during a rolling upgrade. To upgrade without downtime, run these as separate Kubernetes services, or disable dispatch before upgrading.
Highlights
- Check requests can now be traced using the zed CLI using zed permission check --explain
- serve-testing now supports HTTP
- Performance improvements for LookupResources, WriteSchemas, and dispatch in general
- The Watch API is disabled automatically if CRDB datastores don't support Change Feeds
What's Changed
- Have WASM development package return updated validation YAML by @josephschorr in #710
- Add a flag for disabling stat writes by @ecordell in #711
- Add ability to trace a check request by @josephschorr in #703
- Implement support for batch reachability by @josephschorr in #691
- Add issue links to readme by @samkim in #694
- Concurrency limit by @jakedt in #713
- Add ability to enable the REST gateway for the test server by @josephschorr in #714
- remove rangefeed config from crdb migrations by @ecordell in #707
- Depbot updates for Aug 1 by @josephschorr in #721
- Depbot updates for Aug 1 - part 2 by @josephschorr in #727
- Depbot updates for Aug 1 - part 3 by @josephschorr in #732
- Fix bounds on check test by @josephschorr in #728
- switch crdb watch feature detection to only require CONTROLCHANGEFEED by @ecordell in #722
- Skip checking of permissions for relationships in WriteSchema by @josephschorr in #734
Full Changelog: v1.10.0...v1.11.0
Docker Images
This release is available at authzed/spicedb:v1.11.0, quay.io/authzed/spicedb:v1.11.0, ghcr.io/authzed/spicedb:v1.11.0
v1.10.0
Upgrade Notes
Warning
This release includes migrations for Postgres and MySQL datastores that add a column to the namespace table.
Highlights
- Enabled the ability to safely use Postgres read replicas
- Added a webassembly interface for devtools
- Fixed namespaces not being garbage collected for Postgres & MySQL datastores
- Added health checking and Watch service to HTTP API
- Added seamless TLS certificate rotation
What's Changed
- Return an error instead of calling panic() when debug.ReadBuildInfo() is unavailable by @lmt-swallow in #658
- watch TLS certs for changes by @ecordell in #656
- expose /healthz endpoint when using the http gateway by @ecordell in #661
- *: add NOTICE by @jzelinskie in #662
- examples: move k8s deployment into examples by @jzelinskie in #667
- Add log of the connection state for dispatcher IsReady check by @josephschorr in #664
- Depbot updates for July 5 by @josephschorr in #676
- Depbot updates for July 5, part 2 by @josephschorr in #682
- Bump cloud.google.com/go/spanner from 1.33.0 to 1.34.0 by @dependabot in #678
- Bump github.com/aws/aws-sdk-go from 1.44.47 to 1.44.48 by @dependabot in #683
- fix cert rotation test flake by @ecordell in #685
- Postgres datastore: make read tx REPEATABLE_READ by @williamdclt in #674
- Enable Watch API in REST gateway by @josephschorr in #686
- Add a WebAssembly interface for invoking the SpiceDB dev package by @josephschorr in #663
- Add retries to MySQL stats test, which can occasionally get back empty stats by @josephschorr in #689
- pkg/cmd: document use of application default credentials with spanner by @kirbyquerby in #690
- Prevent release version errors from blocking SpiceDB startup by @josephschorr in #697
- examples: mv https://github.com/authzed/examples by @jzelinskie in #698
- Increase the testing timeout to 30m by @josephschorr in #702
- Add a fallback into the MySQL driver for rel count by @josephschorr in #701
- Garbage collect namespaces by @jzelinskie in #673
- Add a dispatch test that verifies delete preconditions across datastores by @josephschorr in #704
- Further fixes to memdb to not panic post-close by @josephschorr in #708
New Contributors
- @lmt-swallow made their first contribution in #658
- @williamdclt made their first contribution in #674
- @kirbyquerby made their first contribution in #690
Full Changelog: v1.9.0...v1.10.0
Docker Images
This release is available at authzed/spicedb:v1.10.0, quay.io/authzed/spicedb:v1.10.0, ghcr.io/authzed/spicedb:v1.10.0
v1.9.0
Warning
This release contains a change to the internal dispatch API, which means that v1.8.0 and v1.9.0 cannot dispatch to each other during a rolling upgrade. To upgrade without downtime, run these as separate Kubernetes services, or disable dispatch before upgrading.
What's Changed
- Fully remove support for the V0 ACL and Schema API by @josephschorr in #618
- Add dispatch ready, health check integration by @samkim in #615
- Depbot updates for June 1 by @josephschorr in #629
- Depbot Updates for June 1 - part 2 by @josephschorr in #635
- Handle case where memdb is closed before a transaction completes by @josephschorr in #637
- Bump google.golang.org/api from 0.78.0 to 0.82.0 by @dependabot in #634
- Shorten the prefixes on cache keys to save some memory by @josephschorr in #641
- postgres: rename migration variable to reduce confusion by @jakedt in #643
- Remove remaining references to v0 API (except developer API) by @josephschorr in #645
- Abstract health status management into a helper package and add datastore status by @josephschorr in #642
- Skip checking and redispatch in reachability when seeing duplicates by @josephschorr in #638
- propagate context to migration functions by @vroldanbet in #646
- Add tools for genproto to tools.go by @josephschorr in #649
- Start moving from the externally-defined developer API to an internally defined set of types by @josephschorr in #647
- Ensure the released version appears with a starting v prefix by @josephschorr in #650
- introduce support to run migrations atomically by @jakedt in #655
- Cleanup the core messages now that v0 is gone by @josephschorr in #652
Full Changelog: v1.8.0...v1.9.0
Docker Images
This release is available at authzed/spicedb:v1.9.0, quay.io/authzed/spicedb:v1.9.0, ghcr.io/authzed/spicedb:v1.9.0
v1.8.0
Highlights
- New, speedier LookupResources implementation
- New datastore interface improves performance for all datastores
- MySQL driver now has feature parity with the Postgres driver
What's Changed
- Dependabot for May 3 by @josephschorr in #583
- disable renovatebot by @ecordell in #585
- crdb: detect broken pipe as resettable error by @ecordell in #591
- Add spanner emulator env var detection by @samkim in #574
- Add a custom analyzers package for custom lint checks by @josephschorr in #563
- Dependabot changes for May 4 by @josephschorr in #593
- Implement revision quantization for MySQL by @bryanhuhta in #582
- Add middleware to return the server version when requested, unless disabled by @josephschorr in #572
- pg: set timezone to utc for revision selection by @ecordell in #592
- Upgrade CI crdb version to v21.2.10 by @samkim in #602
- Update NewEnemy test for datastore v2 by @ecordell in #607
- log successful telemetry attempts by @jakedt in #524
- Datastore v2 by @jakedt in #581
- prevent crdb from crashing in e2e tests by @ecordell in #611
- Implement a reachability graph and use for lookup by @josephschorr in #517
- caching dispatch: unregister prometheus metrics on close by @ecordell in #617
- support xDS as a dispatch resolver option by @ecordell in #612
- Propagate context in migrations by @nbarbey in #596
- Some small reachable resources and lookup improvements by @josephschorr in #620
- refactor(schemadsl): remove unused field by @fearlessfe in #622
- Move the cache implementation behind an interface by @josephschorr in #614
- Add quickstart examples by @bryanhuhta in #616
New Contributors
- @fearlessfe made their first contribution in #622
Full Changelog: v1.7.1...v1.8.0
Docker Images
This release is available at authzed/spicedb:v1.8.0, quay.io/authzed/spicedb:v1.8.0, ghcr.io/authzed/spicedb:v1.8.0
v1.7.1
This is a bugfix release for 1.7.0
What's Changed
- Fix datastore-engine help text by @bryanhuhta in #569
- pkg/cmd: catch nil registry initialization by @jzelinskie in #568
- postgres: handle negative relationship count estimates by @jakedt in #570
- Switch to using Engines for the engine parameter by @josephschorr in #571
- addresses server panic when malformed authorization header is sent by @vroldanbet in #573
- k8s: add dispatch enabled comment by @jzelinskie in #575
Full Changelog: v1.7.0...v1.7.1
Docker Images
This release is available at authzed/spicedb:v1.7.1, quay.io/authzed/spicedb:v1.7.1, ghcr.io/authzed/spicedb:v1.7.1
v1.7.0
Highlights
- MySQL Datastore introduced!
- Two major performance improvements
  - MemDB & Postgres now support quantized revisions
  - Cache keys are now canonicalized and reused across various RPCs
- Telemetry reporting added. For more info see TELEMETRY.md
- Support for specifying multiple preshared keys
What's Changed
- Telemetry stats by @jakedt in #515
- .github: grant github token package write by @jzelinskie in #520
- .github: add back contents permission on release by @jzelinskie in #521
- crdb: coalesce relationship estimate to handle 0 relationship case by @ecordell in #523
- create spanner changelog entries client side by @jakedt in #522
- k8s: add RBAC and flesh out example by @jzelinskie in #526
- Have the GC index for Postgres be created concurrently by @josephschorr in #501
- introduces mysql datastore by @vroldanbet in #525
- CODEOWNERS: init by @jzelinskie in #531
- Switch MySQL tests to explicitly specify amd64 by @josephschorr in #533
- Cache canonicalization by @josephschorr in #485
- Quantize revisions for memdb, postgres datastores by @jakedt in #527
- mysql: refactor tests to share builders by @jakedt in #536
- Only run MySQL tests in CI by @josephschorr in #535
- Have the Docker-image based test suite run solely those tests by @josephschorr in #540
- gomod: bump cobrautil by @jzelinskie in #543
- Add support for multiple preshared keys by @josephschorr in #537
- mysql: run ANALYZE TABLE before Statistics in tests by @jakedt in #548
- mysql: wire up the mysql datastore engine to the CLI by @sbryant in #532
- makes cli application return non-zero error code on errors by @vroldanbet in #541
- gomod: bump xxhash, go by @jzelinskie in #545
- sets mysql manager singleton by @vroldanbet in #550
- moves seeding to the initialization of the datastore by @vroldanbet in #539
- Add integration testing for the migrate command by @josephschorr in #551
- Fix revive lint warnings by @nbarbey in #556
- Postgres optimized revision caching by @jakedt in #555
- update to a version of rudd that doesn't race by @ecordell in #557
- mysql: use a stable unique ID for stats by @jakedt in #546
- Combine unit and integration jobs by @ecordell in #559
- README: refresh features, make CTAs scannable by @jzelinskie in #554
- README: adjust feature wording and links by @jzelinskie in #560
- internal/telemetry: report go version, git commit by @jzelinskie in #553
- Dispatch tests and metrics flag by @josephschorr in #561
- dispatch: fix NPE possibility from nil check response by @jakedt in #562
- Add a check on startup for the last released version of SpiceDB by @josephschorr in #564
- remove remaining references to revision fuzzing by @jakedt in #566
New Contributors
Full Changelog: v1.6.0...v1.7.0
Docker Images
This release is available at authzed/spicedb:v1.7.0, quay.io/authzed/spicedb:v1.7.0, ghcr.io/authzed/spicedb:v1.7.0
v1.6.0
Highlights
- Support for nil when writing permissions, to allow for placeholders during development
- Developer API bug-fixes and improved error messaging
- Container images now pushed to Docker Hub
- Metrics bug-fixes and stats added to datastores
- Enforce UTC on timestamp column in Postgres (database migration for Postgres users)
- Various resiliency improvements for the CockroachDB datastore
What's Changed
- Add core proto message and replace v0 usage by @samkim in #449
- add prefixes to lookup metrics by @ecordell in #477
- configure dispatch for tests by @ecordell in #438
- README: add ports to docker, add config section by @jzelinskie in #478
- protect prom metric registration with a lock by @ecordell in #480
- Add clock skew error as resettable by @samkim in #483
- .github: push to dockerhub, use in readme by @jzelinskie in #479
- bump crdb to 21.2.7 by @ecordell in #484
- expose usagemetric read middleware by @ecordell in #487
- Fix handling of REST gateway options and add an integration test by @josephschorr in #493
- Use non-prepared statement for revision range query by @samkim in #496
- Default transaction row timestamp to UTC by @samkim in #495
- Add additional error context onto schema errors by @josephschorr in #481
- Add support for nil in schema by @josephschorr in #494
- Add index and fix limit on Postgres GC by @josephschorr in #500
- pkg/cmd: use cobrautil version command by @jzelinskie in #491
- Fix nil access issue in developer API when missing an expected subject by @josephschorr in #503
- Consolidate crdb tx retry and reset by @samkim in #472
- .github: migrate to authzed/actions by @jzelinskie in #492
- .github: fix passing of secrets to shared actions by @jzelinskie in #507
- update all dependencies by @jakedt in #513
- update straggler dependencies by @jakedt in #514
- Datastore stats interface by @jakedt in #506
- Rename any to union to fix conflict with new any name in Go 1.18 by @josephschorr in #516
- Add more detail to the max depth error and handle as a dev error by @josephschorr in #488
Full Changelog: v1.5.0...v1.6.0
Docker Images
This release is available at authzed/spicedb:v1.6.0, quay.io/authzed/spicedb:v1.6.0, ghcr.io/authzed/spicedb:v1.6.0
v1.5.0
Highlights
- Cloud Spanner is now supported as a backend datastore (beta) 🎉
- Better error messages for invalid schemas
- Several performance and resource usage improvements
- An edge case that caused LookupResources to return incomplete results for certain schemas was diagnosed and fixed (big thanks to @NickyHeuperman for reporting!)
What's Changed
- Fix deletion of empty namespaces in CRDB datastore by @josephschorr in #377
- .github: add CodeQL lint workflow by @jzelinskie in #378
- Better usage metrics on non-permissions endpoints by @jakedt in #381
- Attempt to avoid failed crdb range splits in e2e by @ecordell in #380
- internal/middleware: add tests for usagemetrics by @jzelinskie in #382
- introduce gRPC health-check for serve-testing by @vroldanbet in #383
- allow gateway backend to be overridden by @jakedt in #384
- Fix parsing of assertions YAML to handle all errors by @josephschorr in #387
- Add a config object for spicedb servers, control graceful stop of all services by @ecordell in #376
- increase max offset for crdb cluster in e2e tests by @ecordell in #389
- spicedb config: pluggable authentication by @ecordell in #390
- bump dependencies by @ecordell in #402
- Avoid logging with testing.T after test has finished by @ecordell in #395
- support buffconn for grpc server config by @ecordell in #392
- add universal consistency middleware by @ecordell in #391
- Move the bulk of the dev API impl into its own package by @josephschorr in #406
- Add more context to schema parse errors by @josephschorr in #408
- Validation file package improvements by @josephschorr in #409
- Update authzed-go to bring in the API validation regex fixes by @josephschorr in #410
- testserver: use middleware to inject the correct per-token datastore by @ecordell in #404
- Change validationfile parsing to be YAML based by @josephschorr in #413
- Ensure development package works without context changes by @josephschorr in #416
- Small error fixes and improvements in validationfile by @josephschorr in #415
- build(deps): bump golang.org/x/tools from 0.1.8 to 0.1.9 by @dependabot in #403
- Add line and column info to expected relations validation errors by @josephschorr in #418
- Fix version command by @bryanhuhta in #420
- Add retries with a newly acquired connection by @samkim in #298
- Implement Cloud Spanner datastore by @jakedt in #414
- internal/datastore: singlefight revision updates by @jzelinskie in #426
- Add a non-caching namespace manager by @ecordell in #423
- Add command line flags for setting the sizes of caches by @josephschorr in #428
- Fix handling of removing allowed wildcards on relations by @josephschorr in #431
- don't allocate max_int length slices by @ecordell in #430
- build(deps): bump github.com/aws/aws-sdk-go from 1.42.44 to 1.43.8 by @dependabot in #433
- build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.28.0 to 0.29.0 by @dependabot in #437
- build(deps): bump go.opentelemetry.io/otel/trace from 1.3.0 to 1.4.1 by @dependabot in #436
- export function to get head revision for a datastore engine by @ecordell in #444
- Fix support for pipes in object IDs by @josephschorr in #446
- Have errors raised by the type system from schema construction in the devcontext be properly contextualized by @josephschorr in #448
- Dependabot March 4, 2022 by @josephschorr in #450
- Dependabot March 4, 2022 part 2 by @josephschorr in #456
- README updates by @josephschorr in #445
- Allow renovatebot by @ecordell in #460
- bump gofumpt to 1.3.0 and fix new formatting issues by @ecordell in #462
- Configure Renovate by @renovate in #459
- Update renovate.json by @ecordell in #466
- Add warnings for namespaces definitions using v0-only constructs by @josephschorr in #461
- lookup: fall back to a slow path (list all + check) when necessary by @ecordell in #471
- Remove Clone call on metadata filtering on namespaces by @josephschorr in #468
- Add test for writing empty schemas by @josephschorr in #473
- Add trace log for auth interceptor used by @josephschorr in #474
- Have the check warning only apply to relations, not permissions by @josephschorr in #475
New Contributors
- @vroldanbet made their first contribution in #383
- @renovate made their first contribution in #459
Full Changelog: v1.4.0...v1.5.0
Docker Images
This release is available at quay.io/authzed/spicedb:v1.5.0 and ghcr.io/authzed/spicedb:v1.5.0