Releases: authzed/spicedb
v1.7.0
Highlights
- MySQL Datastore introduced!
- Two major performance improvements
- MemDB & Postgres now support quantized revisions
- Cache keys are now canonicalized and reused across various RPCs
- Telemetry reporting added. For more info see TELEMETRY.md
- Support for specifying multiple preshared keys
What's Changed
- Telemetry stats by @jakedt in #515
- .github: grant github token package write by @jzelinskie in #520
- .github: add back contents permission on release by @jzelinskie in #521
- crdb: coalesce relationship estimate to handle 0 relationship case by @ecordell in #523
- create spanner changelog entries client side by @jakedt in #522
- k8s: add RBAC and flesh out example by @jzelinskie in #526
- Have the GC index for Postgres be created concurrently by @josephschorr in #501
- introduces mysql datastore by @vroldanbet in #525
- CODEOWNERS: init by @jzelinskie in #531
- Switch MySQL tests to explicitly specify amd64 by @josephschorr in #533
- Cache canonicalization by @josephschorr in #485
- Quantize revisions for memdb, postgres datastores by @jakedt in #527
- mysql: refactor tests to share builders by @jakedt in #536
- Only run MySQL tests in CI by @josephschorr in #535
- Have the Docker-image based test suite run solely those tests by @josephschorr in #540
- gomod: bump cobrautil by @jzelinskie in #543
- Add support for multiple preshared keys by @josephschorr in #537
- mysql: run ANALYZE TABLE before Statistics in tests by @jakedt in #548
- mysql: wire up the mysql datastore engine to the CLI by @sbryant in #532
- makes cli application return non-zero error code on errors by @vroldanbet in #541
- gomod: bump xxhash, go by @jzelinskie in #545
- sets mysql manager singleton by @vroldanbet in #550
- moves seeding to the initialization of the datastore by @vroldanbet in #539
- Add integration testing for the migrate command by @josephschorr in #551
- Fix revive lint warnings by @nbarbey in #556
- Postgres optimized revision caching by @jakedt in #555
- update to a version of rudd that doesn't race by @ecordell in #557
- mysql: use a stable unique ID for stats by @jakedt in #546
- Combine unit and integration jobs by @ecordell in #559
- README: refresh features, make CTAs scannable by @jzelinskie in #554
- README: adjust feature wording and links by @jzelinskie in #560
- internal/telemetry: report go version, git commit by @jzelinskie in #553
- Dispatch tests and metrics flag by @josephschorr in #561
- dispatch: fix NPE possibility from nil check response by @jakedt in #562
- Add a check on startup for the last released version of SpiceDB by @josephschorr in #564
- remove remaining references to revision fuzzing by @jakedt in #566
New Contributors
Full Changelog: v1.6.0...v1.7.0
Docker Images
This release is available at authzed/spicedb:v1.7.0, quay.io/authzed/spicedb:v1.7.0, ghcr.io/authzed/spicedb:v1.7.0
v1.6.0
Highlights
- Support for nil when writing permissions, to allow for placeholders during development
- Developer API bug-fixes and improved error messaging
- Container images now pushed to Docker Hub
- Metrics bug-fixes and stats added to datastores
- Enforce UTC on timestamp column in Postgres (database migration for Postgres users)
- Various resiliency improvements for the CockroachDB datastore
What's Changed
- Add core proto message and replace v0 usage by @samkim in #449
- add prefixes to lookup metrics by @ecordell in #477
- configure dispatch for tests by @ecordell in #438
- README: add ports to docker, add config section by @jzelinskie in #478
- protect prom metric registration with a lock by @ecordell in #480
- Add clock skew error as resetable by @samkim in #483
- .github: push to dockerhub, use in readme by @jzelinskie in #479
- bump crdb to 21.2.7 by @ecordell in #484
- expose usagemetric read middleware by @ecordell in #487
- Fix handling of REST gateway options and add an integration test by @josephschorr in #493
- Use non-prepared statement for revision range query by @samkim in #496
- Default transaction row timestamp to UTC by @samkim in #495
- Add additional error context onto schema errors by @josephschorr in #481
- Add support for nil in schema by @josephschorr in #494
- Add index and fix limit on Postgres GC by @josephschorr in #500
- pkg/cmd: use cobrautil version command by @jzelinskie in #491
- Fix nil access issue in developer API when missing an expected subject by @josephschorr in #503
- Consolidate crdb tx retry and reset by @samkim in #472
- .github: migrate to authzed/actions by @jzelinskie in #492
- .github: fix passing of secrets to shared actions by @jzelinskie in #507
- update all dependencies by @jakedt in #513
- update straggler dependencies by @jakedt in #514
- Datastore stats interface by @jakedt in #506
- Rename any to union to fix conflict with new any name in Go 1.18 by @josephschorr in #516
- Add more detail to the max depth error and handle as a dev error by @josephschorr in #488
Full Changelog: v1.5.0...v1.6.0
Docker Images
This release is available at authzed/spicedb:v1.6.0, quay.io/authzed/spicedb:v1.6.0, ghcr.io/authzed/spicedb:v1.6.0
v1.5.0
Highlights
- Cloud Spanner is now supported as a backend datastore (beta) 🎉
- Better error messages for invalid schemas
- Several performance and resource usage improvements
- An edge case that caused LookupResources to return incomplete results for certain schemas was diagnosed and fixed (big thanks to @NickyHeuperman for reporting!)
What's Changed
- Fix deletion of empty namespaces in CRDB datastore by @josephschorr in #377
- .github: add CodeQL lint workflow by @jzelinskie in #378
- Better usage metrics on non-permissions endpoints by @jakedt in #381
- Attempt to avoid failed crdb range splits in e2e by @ecordell in #380
- internal/middleware: add tests for usagemetrics by @jzelinskie in #382
- introduce gRPC health-check for serve-testing by @vroldanbet in #383
- allow gateway backend to be overridden by @jakedt in #384
- Fix parsing of assertions YAML to handle all errors by @josephschorr in #387
- Add a config object for spicedb servers, control graceful stop of all services by @ecordell in #376
- increase max offset for crdb cluster in e2e tests by @ecordell in #389
- spicedb config: pluggable authentication by @ecordell in #390
- bump dependencies by @ecordell in #402
- Avoid logging with testing.T after test has finished by @ecordell in #395
- support buffconn for grpc server config by @ecordell in #392
- add universal consistency middleware by @ecordell in #391
- Move the bulk of the dev API impl into its own package by @josephschorr in #406
- Add more context to schema parse errors by @josephschorr in #408
- Validation file package improvements by @josephschorr in #409
- Update authzed-go to bring in the API validation regex fixes by @josephschorr in #410
- testserver: use middleware to inject the correct per-token datastore by @ecordell in #404
- Change validationfile parsing to be YAML based by @josephschorr in #413
- Ensure development package works without context changes by @josephschorr in #416
- Small error fixes and improvements in validationfile by @josephschorr in #415
- build(deps): bump golang.org/x/tools from 0.1.8 to 0.1.9 by @dependabot in #403
- Add line and column info to expected relations validation errors by @josephschorr in #418
- Fix version command by @bryanhuhta in #420
- Add retries with a newly acquired connection by @samkim in #298
- Implement Cloud Spanner datastore by @jakedt in #414
- internal/datastore: singlefight revision updates by @jzelinskie in #426
- Add a non-caching namespace manager by @ecordell in #423
- Add command line flags for setting the sizes of caches by @josephschorr in #428
- Fix handling of removing allowed wildcards on relations by @josephschorr in #431
- don't allocate max_int length slices by @ecordell in #430
- build(deps): bump github.com/aws/aws-sdk-go from 1.42.44 to 1.43.8 by @dependabot in #433
- build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.28.0 to 0.29.0 by @dependabot in #437
- build(deps): bump go.opentelemetry.io/otel/trace from 1.3.0 to 1.4.1 by @dependabot in #436
- export function to get head revision for a datastore engine by @ecordell in #444
- Fix support for pipes in object IDs by @josephschorr in #446
- Have errors raised by the type system from schema construction in the devcontext be properly contextualized by @josephschorr in #448
- Dependabot March 4, 2022 by @josephschorr in #450
- Dependabot March 4, 2022 part 2 by @josephschorr in #456
- README updates by @josephschorr in #445
- Allow renovatebot by @ecordell in #460
- bump gofumpt to 1.3.0 and fix new formatting issues by @ecordell in #462
- Configure Renovate by @renovate in #459
- Update renovate.json by @ecordell in #466
- Add warnings for namespaces definitions using v0-only constructs by @josephschorr in #461
- lookup: fall back to a slow path (list all + check) when necessary by @ecordell in #471
- Remove Clone call on metadata filtering on namespaces by @josephschorr in #468
- Add test for writing empty schemas by @josephschorr in #473
- Add trace log for auth interceptor used by @josephschorr in #474
- Have the check warning only apply to relations, not permissions by @josephschorr in #475
New Contributors
- @vroldanbet made their first contribution in #383
- @renovate made their first contribution in #459
Full Changelog: v1.4.0...v1.5.0
Docker Images
This release is available at quay.io/authzed/spicedb:v1.5.0 and ghcr.io/authzed/spicedb:v1.5.0
v1.4.0
Highlights
Warning
This change includes a security fix for a vulnerability introduced in v1.3.0. All users of v1.3.0 should update to this version.
See the security advisory for more information.
Changelog
Full Changelog: v1.3.0...v1.4.0
- Fixes for security advisory: 15bba2e
- Fix formatting by @josephschorr in #374
- Fix linter for many packages by @jzelinskie in #352
- Report CLI configurations errors to RunE by @bryanhuhta in #351
- Update to the latest branched version of ristretto by @josephschorr in #354
What's Changed
- balancer: protect rand source with a mutex by @ecordell in #353
- bump authzed-go to 0.4.1 by @ecordell in #371
- bump dependencies by @ecordell in #364
- bump dependencies by @ecordell in #368
- crdb: touch overlap key on namespace write by @ecordell in #357
- e2e: fill schema with many namespaces to span ranges by @ecordell in #349
- fix head command: flag named inconsistently by @ecordell in #369
- pkg/testutil: ensure types in RequireEqualEmptyNil by @jzelinskie in #355
Docker Images
This release is available at quay.io/authzed/spicedb:v1.4.0 and ghcr.io/authzed/spicedb:v1.4.0
v1.3.0
WARNING: This release contains a security issue as described in the security advisory. All users are requested to update to at least version v1.4.0 to remediate.
Feature Highlights
- Namespaces are now versioned internally, guaranteeing consistency during schema upgrades
- A wildcard can be specified to allow any object to have a relationship
What's Changed
- goreleaser: fix tag in docker release notes by @jzelinskie in #316
- Pin version of watchmaker in e2e tests by @ecordell in #322
- internal/dispatch: extract combined dispatcher by @jzelinskie in #321
- Memdb datastore MVCC improvements by @jakedt in #319
- Simplify datastore construction by @ecordell in #317
- Export CLI commands as a library by @jzelinskie in #325
- Remove e2e timeout by @ecordell in #328
- pkg/cmd: root programName and share ExampleServe by @jzelinskie in #327
- Log revision skew values by @samkim in #324
- internal/dispatch: return cachingRedispatch by @jzelinskie in #333
- fix: copy max lifetime when passing options to the datastore by @ecordell in #334
- Versioned namespaces by @jakedt in #332
- fix: skip comments when loading test relationships by @bryanhuhta in #335
- Add rebase squash to contributing guidelines by @josephschorr in #337
- Disable e2e github step by @samkim in #341
- optimize reading of namespaces by @jakedt in #342
- test v0 preconditions in parallel by @jakedt in #343
- Backport some datastore changes from datastore-v2 by @jakedt in #340
- Implement support for the public proposal by @josephschorr in #336
- pkg/cmd: extract signal handling with grace period by @jzelinskie in #345
- Fix data races and enable race detector in CI by @ecordell in #330
New Contributors
- @bryanhuhta made their first contribution in #335
Full Changelog: v1.2.0...v1.3.0
Docker Images
This release is available at quay.io/authzed/spicedb:v1.3.0 and ghcr.io/authzed/spicedb:v1.3.0
v1.2.0
Feature Highlights
- Startup flags have been simplified
- V1 Watch API added by @jonwhitty
- Servok no longer required for dispatch
- Follower read support added to the CockroachDB driver
Docker Images
This release is available at quay.io/authzed/spicedb:v1.2.0 and ghcr.io/authzed/spicedb:v1.2.0
What's Changed
- Add serve-testing option to README by @samkim in #222
- Docker image v prefix by @ecordell in #221
- Add an http download api to devtools by @ecordell in #208
- .github: add goreleaser key by @jzelinskie in #223
- docs: fix typo in dashboard landing page by @jonwhitty in #231
- Handle the case where RELEASE SAVEPOINT fails with a retry by @ecordell in #227
- Add caching to Lookup dispatcher by @josephschorr in #217
- update builder image name to make it more unique by @jakedt in #234
- Improve Docker docs by @alessandromr in #210
- docs: remove all by @jzelinskie in #220
- proxy: use buffered channels and only let one subrequest write a result by @ecordell in #242
- update cla workflow to allow dependabot by @ecordell in #250
- allow dependabot by @ecordell in #251
- really allow dependabot by @ecordell in #252
- use the grpc_health_probe binary from the official images by @ecordell in #257
- cmd: consistent flags for http/grpc servers by @jzelinskie in #254
- Use buffered channels for lookup results by @ecordell in #259
- support https in download API by @ecordell in #243
- Add github container registry release by @samkim in #260
- cmd/serve: revert dispatch-cluster flags changes by @jzelinskie in #262
- support UDS listening on grpc servers by @ecordell in #267
- Request ID propagation by @jakedt in #272
- .github: pin gofumports version by @jzelinskie in #276
- .github: add 5m timeout to golangci-lint by @jzelinskie in #277
- Prevent memdb duplicate relationships by @jakedt in #275
- services/v1: fix intersection tree conversion by @jzelinskie in #281
- Add docker login action for ghcr by @samkim in #274
- Move golangci-lint timeout into config by @jzelinskie in #278
- use consistent-hash load balancer with kubernetes resolver for dispatch by @ecordell in #284
- Additional expansion testing by @josephschorr in #283
- Add log warning to emphasize persistence/scale issues in memdb by @buraksekili in #285
- .github: add more automatic labeling patterns by @jzelinskie in #287
- README: fix flags, links, and project description by @jzelinskie in #273
- feat: add v1 Watch API implementation by @jonwhitty in #263
- Multi level caching and Lookup caching fixes by @josephschorr in #268
- Add revision support to v1alpha1 schema API by @josephschorr in #271
- Add proper dispatch and cached dispatch tracking by @josephschorr in #289
- Properly calculate virtualnode ids for uint16 replicationFactor by @ecordell in #294
- Add follower read delay option by @samkim in #297
- Add dispatch and cached dispatch counts to response trailer metadata and prometheus by @josephschorr in #295
Dependencies
- Bump golang from 1.17.1-alpine3.13 to 1.17.2-alpine3.13 by @dependabot in #236
- Bump dependencies by @ecordell in #244
- bump dependencies by @ecordell in #249
- Bump golang from 1.17.2-alpine3.13 to 1.17.3-alpine3.13 by @dependabot in #300
- Bump github.com/Masterminds/squirrel from 1.5.1 to 1.5.2 by @dependabot in #306
- Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.6.0 to 2.7.0 by @dependabot in #305
- Bump alpine from 3.14.2 to 3.15.0 by @dependabot in #301
- Bump github.com/aws/aws-sdk-go from 1.41.15 to 1.42.16 by @dependabot in #303
- Bump github.com/jackc/pgtype from 1.8.1 to 1.9.1 by @dependabot in #304
- Bump github.com/lib/pq from 1.10.3 to 1.10.4 by @dependabot in #308
- Bump go.opentelemetry.io/otel/trace from 1.1.0 to 1.2.0 by @dependabot in #302
- Bump github.com/jackc/pgx/v4 from 4.13.0 to 4.14.1 by @dependabot in #309
- Bump github.com/benbjohnson/clock from 1.2.0 to 1.3.0 by @dependabot in #314
- Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.26.0 to 0.27.0 by @dependabot in #313
- Bump github.com/ory/dockertest/v3 from 3.8.0 to 3.8.1 by @dependabot in #307
- Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.26.0 to 0.27.0 by @dependabot in #310
New Contributors
- @jonwhitty made their first contribution in #231
- @alessandromr made their first contribution in #210
- @buraksekili made their first contribution in #285
Full Changelog: v1.1.0...v1.2.0
v1.1.0
Feature Highlights
- SpiceDB now hedges requests internally to improve reliability and performance
- Postgres datastore now supports garbage collection
- Postgres datastore added an index that improves performance
- spicedb serve now serves an HTTP/JSON API on port 8443
Docker Images
This release is available at quay.io/authzed/spicedb:v1.1.0
Changelog
45c8c7d .github: add CLA workflow
82d63c1 .github: add kubeval linting
ac135ea .github: disable flaky caching in golangci action
09686bd .github: label hidden files as tooling
c30113c .github: split linting and building actions
b906977 Add Dispose method on datastore in prep for GC worker for postgres
061db12 Add Must* methods for any methods that can panic in tuple pkg
daf7807 Add a selecting a datastore document
72d3901 Add additional docs on ZedTokens and LookupResources
d841e87 Add an integration test for the test server
708dab5 Add background garbage collection to Postgres data store
51ef755 Add documentation about ZedTokens/Zookies and consistency
21e1b85 Add gauges for transaction and relationship count removed by GC
75b5a6f Add prometheus metric for postgres GC duration
42019c0 Adds index on transactions table timestamp
1458362 Cleanup the CachingDispatcher when binary shuts down
359afaa Fix ordering of zed arguments in the dashboard
dcdae72 Fix: small error
fd4749a Follow same name convention as existing indexes
968a8b7 Make sure to cleanup goroutine generated by the namespace manager and the parser
df88351 Make sure to use the checked possibly-nil pointer in memdb
56f3feb Merge pull request #115 from authzed/testserver-test
4f18a6b Merge pull request #151 from jzelinskie/dashboard-fix
3740c6c Merge pull request #152 from ecordell/fix-brew-head
79a9682 Merge pull request #155 from mterron/dockerfile-improvementes
9068372 Merge pull request #157 from ecordell/brew-completion
a34ab44 Merge pull request #159 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.53
ec097e4 Merge pull request #160 from authzed/dependabot/go_modules/google.golang.org/grpc-1.41.0
9df7471 Merge pull request #162 from NickUfer/fix_spelling
8931d76 Merge pull request #164 from ecordell/e2e-timeout
72fd40a Merge pull request #165 from ecordell/fix-bad-zookie-flake
baa854d Merge pull request #166 from ecordell/ds-timeout
ddeee97 Merge pull request #168 from authzed/postgres-gc
39b64ef Merge pull request #169 from jzelinskie/simple-k8s
5fcd7ff Merge pull request #172 from authzed/selecting-a-datastore
f82f5c4 Merge pull request #173 from jzelinskie/separate-lint
e264e9c Merge pull request #174 from authzed/zedtoken-docs
713a97c Merge pull request #175 from ecordell/badzookie-flake
424037a Merge pull request #176 from authzed/must-tuple
ed2e4d5 Merge pull request #178 from ecordell/transaction-ttl
d926ca4 Merge pull request #181 from authzed/further-cleanup
00d2cf6 Merge pull request #184 from 0xflotus/patch-1
ca82b60 Merge pull request #187 from authzed/request-hedging
4e70dde Merge pull request #188 from jzelinskie/gateway
1347927 Merge pull request #190 from authzed/zed-args
6a69f8d Merge pull request #193 from jzelinskie/fix-golangci
f8122b9 Merge pull request #194 from josephschorr/memdb-nil-guards
2ff33fc Merge pull request #195 from ecordell/multiarch
2ea1f2e Merge pull request #197 from authzed/postgres-prom
f2cfaf9 Merge pull request #198 from josephschorr/update-dockertest
ec71855 Merge pull request #201 from jzelinskie/bump-grpcutil
1d52699 Merge pull request #206 from jzelinskie/cla
5b5ace0 Merge pull request #211 from costap/main
eff4d2f Merge pull request #212 from jzelinskie/distroless
9af26b2 Merge pull request #213 from ecordell/fix-dockerrelease
b15bb9c Merge pull request #214 from ecordell/rm-nsswitch
bc40650 Merge pull request #215 from josephschorr/cleanup-dispatcher-cache
eab6524 Merge pull request #216 from josephschorr/zedtoken-lookup
833a3d4 Merge pull request #218 from ecordell/release-dockerfile-simplify
cb5a345 Merge pull request #219 from ecordell/multiplatform
49a1105 Switch to use the temporary branch of Ristretto until dgraph-io/ristretto#286 is merged
bc195ca Typo fix
5ced015 Update handling of datastore Close to disconnect connections and change to use an errgroup to clean up Postgres GC worker
b370632 Update the dockertest version
fd1cfe0 Use Docker entrypoint instead of CMD. Enables using spicedb from docker directly. docker run quay.io/authzed/spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls
bbc2c05 add JSON/HTTP API server via gRPC gateway
0bc713b add a datastore proxy which does request hedging
0dcfe48 add prometheus metrics to the hedging datastore
2756965 add request hedging as an option to the serve command
ad7e1fd allow head install from brew
58b8c69 build(deps): bump github.com/aws/aws-sdk-go from 1.40.47 to 1.40.53
56b4198 build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0
bf75774 bump testreadbadzookie timeout
06fee34 cmd: add TLS flags for gateway server
e9b164a cmd: default HTTP server to 8443
89576ad cmd: expand all string input
c1e10de dashboard: correct zed usage
0b66478 docs: fixes minor spelling mistakes
7edfd0c e2e: plumb http server flags
e0fee1e ensure e2e doesn't time out when it would have succeeded
2089465 fix TestReadBadZookieFlake
6472d7a fix docker release images
5750c29 fix the postgres prom GC metrics to respect enable prom option
fddec6b gateway: add config docstrings
699c683 gateway: appease the linter
f42234a gateway: extract into package and add metrics
c36faef gateway: serve OpenAPI Schema at /openapi.json
377c53a gomod: bump grpcutil
5532b44 gomod: bump to authzed-go v0.3.0
e103240 increase gc window for revision expiration
fd42ad4 install completions when installing via brew
536b4a2 internal/auth: remove authn annotator
f119e2a internal/gateway: add otel middleware
4e604f5 internal/gateway: test tracing propagation
66372f8 internal/gateway: use prom namespace & subsystem
5405258 k8s: init basic deployment
c682e67 lint: lint all markdown files
b1eb53a multiarch docker image releases
321077d release: support additional platforms
1e6d62e remove nsswitch file from release image
5f3e1ad set a very short ttl in the crdb e2e tests
b3a6931 simplify release dockerfile
3250215 track original and hedged datastore request durations separately
364708f use mocked time for testing request hedging
v1.0.0
For Authzed's first birthday, our gift isn't for us, but the community.
Today, we're as excited as we've ever been.
Today, the database powering the core of Authzed, SpiceDB, is now open source!
SpiceDB is the most faithful implementation of Google's Zanzibar paper outside of the original system at Google.
Developers create a schema that models their permissions requirements and use a client library to apply the schema to the database, insert data into the database, and query the data to efficiently check permissions in their applications. Leveraging a system like SpiceDB has become an industry best-practice and is being used to great success at companies large (Google, GitHub, Airbnb) and small (Carta, Authzed).
As we develop SpiceDB, we will not only maintain compatibility with the original paper, but continue to introduce innovations that improve overall user experience. An example of this is our Schema Language, which compiles to Zanzibar's Namespace Configs, but adds far more intuitive syntax and type-safety. However, these types of features cannot be created in a vacuum, thus all future development on SpiceDB will be done entirely in the open.
We invite everyone to collaborate with us on GitHub and join our discussions on the Zanzibar Discord.
Initial features included in SpiceDB that distinguish it from other systems include:
- Expressive APIs for checking permissions, listing access, and powering devtools
- An architecture faithful to the Google Zanzibar paper, including resistance to the New Enemy Problem
- An intuitive and expressive schema language complete with a playground dev environment
- A powerful graph engine that supports distributed, parallel evaluation
- Pluggable storage that supports in-memory, PostgreSQL, and CockroachDB
- Deep observability with Prometheus metrics, structured logging, and distributed tracing
Getting Started
Get a taste of the schema language
- Follow the guide for developing a schema
- Watch a video of us modeling GitHub
- Read the schema language design documentation
- Jump into the playground, load up some examples, and mess around
Learn how to integrate an application
- Learn the latest best practice by following the Protecting Your First App guide
- Explore the gRPC API documentation on the Buf Registry
- Install zed and interact with a live database
Installation
Installing SpiceDB
SpiceDB is currently packaged by Homebrew for both macOS and Linux.
Individual releases and other formats are also available on the releases page.
brew install authzed/tap/spicedb
SpiceDB is also available as a container image:
docker pull quay.io/authzed/spicedb:latest
For production usage, we highly recommend using a tag that corresponds to the latest release, rather than latest.
Running SpiceDB locally
spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls
Visit http://localhost:8080 to see next steps, including loading the schema
Changelog
f9fa9a2 *.yaml: lint all YAML files
af8a479 *: migrate to new v1.RelationshipFilter
871436b *: use grpc health packages
6711fad .github: add API labels
f61bf2d .github: add step for diffing go generate output
3defadd .github: add yamllint
6dfed06 .github: auto label tests
24d226b .github: enforce linting with whitelisted TODOs
eb52959 .github: fix buf push action
6963abc .github: fix go mod tidy check
cbaee60 .github: init
f16d042 .github: properly set release as output
936992a .github: tag container with release output
6393c87 Add ExpandPermissionTree to the V1 API
3a1d882 Add Limit support to tuple queries and set Limit(1) on WriteConfig checks
e98407b Add ListNamespaces and remove IsEmpty
c6f8d90 Add Lookup in zed-testserver
6518be1 Add ONR serialization and use it everywhere possible.
b35f569 Add REDACTED example and fix loading issues associated with it
63c3120 Add a benchmark for check operations.
d4e5ba5 Add a better first run experience that shows the command to run when no other arguments are specified
021d2cc Add a call to verify the test server is properly stripped
55dc464 Add a check dispatcher and implementation.
a49fb56 Add a concurrent graph expander.
63735c7 Add a datastore Revision method.
18884a0 Add a datastore proxy that validates all calls
b190dd2 Add a flexible postgres config system.
67f7026 Add a jaeger service and the ability to report stats to it.
c1ae3c3 Add a maximum recursion depth.
7345b1e Add a namespace cache to graph evaluations.
0e8d30a Add a postgres database query benchmark.
8a3c21e Add a secrets package which mimics python's.
f149da2 Add a test for datastore write preconditions.
7b42d15 Add a test for namespace delete. Refactor memdb tests to a separate package.
5135d29 Add a test for updating a schema and its checks on relationships
9bdeca1 Add a zed-test binary tool for writing unit tests against
ac37782 Add a zookie encoding/decoding library.
6fb5dad Add additional comments and some cleanup to the validationfile pkg
a4423dc Add additional tests for typesystem and lookup and fix some smaller items as per code review
d7f50e6 Add arch suffix to released zed-testserver binaries
e96a676 Add auto-release of zed-testserver on any releases in monorepo
a43a814 Add automatic query splitting when the SQL query grows beyond a defined boundary in size
7521fd9 Add basic dashboard for guidance to new users
c707af5 Add basic lexer and parser for the Schema DSL
f54dbd7 Add basic proto -> DSL generator
d7ef928 Add basic tracing to SpiceDB
241aad8 Add better tracing to first party services.
7b6670f Add consistency tests and fix bugs discovered as a result
527593a Add context to datastore interface and thread everywhere.
a18dd55 Add datastore attr to tracing span
48ab5de Add datastore tuple query tests for reverse queries, and add limits for faster verification in WriteConfig
a11df78 Add datastore url config for postgres support.
f854f5a Add datastore watch and the watch RPC.
9aea9e4 Add developer CI and remove REDACTED CI
22d5d71 Add developer-service subcommand
fa2ff18 Add error test cases to Lookup test in ACL tests
33305ed Add format button to Playground
ced742e Add full consistency testing of the developer API
99501d9 Add go generate to CI
c7d958c Add grpc server metrics to spicedb.
cb044e7 Add initial support for lookup across intersection and exclusion
d0ca4e1 Add latency simulator to the memdb datastore.
e73cd23 Add log tracer
ef5c296 Add logging to lookup shared issues
f8beaaf Add migration with new reverse lookup indexes for Postgres
432fead Add namespace and relation identifier validation.
6798707 Add namespace diff system
99251c4 Add namespace validator.
bdb50ab Add ok status to DSL generator indicating whether the generation had any legacy issues
9ad5c99 Add packaging to run spicedb service.
13ad9cd Add pgx timezone comment
2bdf6cd Add pgxpool stat collector for prometheus
c04621d Add pkg for tuple serialization and deserialization.
e772729 Add position information to parsed assertions
634d94c Add preshared key auth to spicedb.
e05d378 Add proto validation rules for all requests. Validate request messages for all handlers. Remove the old namespace definition validation code.
6abf320 Add readonly port to zed-testserver
f54d70e Add relation type to the metadata on construction
42f317a Add revision fuzzing and test.
dd84050 Add schema service to zed-testserver
dac9fdb Add shared errors interfaces and use the new types in the services
e1ba314 Add source position mapper for use once we read source files
ca9d6f8 Add support for cross-tenant references and have generator always produce the fully cross-tenanted defs
dee7b5c Add support for loading in schema and Relationships string list from the validation file format
8707d34 Add support for metadata on namespaces and relations
ae58bd8 Add support for recursive expansion
3cf04a0 Add...