SpiceDB is a Zanzibar-inspired database that stores, computes, and validates application permissions.



Container Image GoDoc License Build Status Mailing List Discord Server Twitter

SpiceDB is a Zanzibar-inspired database that stores, computes, and validates application permissions.

Developers create a schema that models their permissions requirements and use a client library to apply the schema to the database, insert data into the database, and query the data to efficiently check permissions in their applications.

Features that distinguish SpiceDB from other systems include:

See CONTRIBUTING.md for instructions on how to contribute and perform common tasks like building the project and running tests.

Why SpiceDB?

Verifiable Correctness

The data used to calculate permissions have the most critical correctness requirements in the entirety a software system. Despite that, developers continue to build their own ad-hoc solutions coupled to the internal code of each new project. By developing a SpiceDB schema, you can iterate far more quickly and exhaustively test designs before altering any application code. This becomes especially important as you introduce backwards-compatible changes to the schema and want to ensure that the system remains secure.

Optimal Flexibility

The SpiceDB schema langauge is built on top of the concept of a graph of relationships between objects. This ReBAC design is capable of efficiently supporting all popular access control models (such as RBAC and ABAC) and custom models that contain hybrid behavior.

Modern solutions to developing permission systems all have a similar goal: to decouple policy from the application. Using a dedicated database like SpiceDB not only accomplishes this, but takes this idea a step further by also decoupling the data that policies operate on. SpiceDB is designed to share a single unified view of permissions across as many applications as your organization has. This has strategy has become an industry best-practice and is being used to great success at companies large (Google, GitHub, Airbnb) and small (Carta, Authzed).

Getting Started

Installing SpiceDB

SpiceDB is currently packaged by Homebrew for both macOS and Linux. Individual releases and other formats are also available on the releases page.

brew install authzed/tap/spicedb

SpiceDB is also available as a container image:

docker pull quay.io/authzed/spicedb:latest

For production usage, we highly recommend using a tag that corresponds to the latest release, rather than latest.

Running SpiceDB locally

spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls

Visit http://localhost:8080 to see next steps, including loading the schema

Developing your own schema

Integrating with your application

  • Add

    Add "public" keyword/type

    The Zanzibar implementation at Google uses a special-case userset to represent the set of all users "aka public".

    As per one of their public presentations: 103707706-21b5c900-4f7d-11eb-8184-ed57ae6cb002

    Because SpiceDB's schema language is more expressive, we have some better options than introducing this concept as a special-cased tuple:

    • A keyword could be used to embellish relations/permissions that are public.
    • We could introduce a type to represent public, but it might be surprising if a user unintentionally unions a relation/permission with public by accident.
    area/api v0 priority/2 medium area/schema area/api v1 area/dispatch 
    opened by jzelinskie 13
  • ZedToken increasing latency instead of reducing it

    ZedToken increasing latency instead of reducing it

    We've been using SpiceDB in production for a few months now at https://www.veed.io/ and have gradually been migrating our authorization data to it. We've attached a Postgres datasource, which now has a size of about 7GB and we've run into a bit of an unexpected problem.

    The easiest way to explain it is by showing some metrics. Screen_Shot_2022-09-06_at_13 38 34

    As our data size grew from about 2-3 million data points to >10 million, we started noticing significant slowdowns on some user accounts, but not on others. Following the documentation, we had implemented ZedToken caching and use atLeastAsFresh consistency for a number of our users - which we found to be the exact users having issues with significant slowdowns. Our investigation into the issue resulted in the discovery that making use of ZedTokens actually slowed down requests by a factor of 100. We've now set everything to be fully consistent - and the results speak for themselves: Screen_Shot_2022-09-06_at_13 39 36

    Slowdowns have completely stopped and latency dropped down to 300ms, but this isn't the behaviour I'd expect. Considering we expect our data set to grow significantly over the coming months, I do believe we are going to need to rely on ZedTokens to ensure our latency doesn't grow again - especially since the solution wouldn't be as straightforward as it was now when fully consistent calls become problematic.

    priority/2 medium area/perf state/needs discussion 
    opened by sjaakiejj 11
  • Fix revive lint warnings

    Fix revive lint warnings

    This is related to issue https://github.com/authzed/spicedb/issues/36

    All issues involve renaming function to drop a prefix corresponding to the package name. The fix has been done automatically with a refactoring tool.

    This creates a change in the public API as namespace.NamespaceWithComment is renamed to namespace.WithComment.

    area/schema area/tooling 
    opened by nbarbey 11
  • Better Caching Cost & Density

    Better Caching Cost & Density

    Improve Cache Density and Cost Estimate

    Hi Authzed folks - apologies in advance for this wall of text. ūüôā

    I noticed a few weeks ago that the cache cost functions are not accurate if the cost represents bytes (which I believe it does). For example, the cost of a checkResultEntry is set to just 8 bytes, the cost of that struct when empty. But that cost doesn't include the memory pointed to by checkResultEntry.response, which could be much more.

    As I worked to improve the cache cost functions, I found a way to fit 2x more cache items into the same amount of memory: instead of caching the Go structs, cache the protobuf-marshaled bytes.

    The improved cache cost functions help keep the physical memory used by the cache much closer to the configured max cost.

    I'd be happy to open some PRs for these changes, but wanted to post my findings here and see which of the changes you'd like (if any).

    Cache Density

    I experimented with storing the marshaled bytes of protobuf messages rather than the Go objects directly.

    There are two main advantages to this:

    • Calculating the cost of a []byte is quite simple. Most importantly, the cost function does not need to change as the protobuf message changes: protobuf takes care of those details.
    • Second, the cache can store more items per MB of space used. In one test (below), the cache fit 212% more items per MB! However, later tests with more accurate cost functions improved cache density by a more modest 50-70%. All tests were on a single local instance of spicedb, so a load test at scale is warranted.

    Below are the results for two tests run on a single spicedb instance serving check requests. Total profiled space is for the whole application, while cache profiled space includes just the stacks related to caching. In this test, the cost function was still poor, but it does show that using marshaled bytes significantly improves cache density. | test | total profiled space | cache profiled space | cache calculated cost | key count | keys/ cache profiled MB | | --- | --- | --- | --- | --- | --- | | protobuf structs | 69.16 MB | 54.85 MB | 32 MB | 142,857 | 2,605 | | marshaled []byte | 77.02 MB | 61.0 MB | 30.1 MB | 337,311 | 5,529 |

    Of course, marshaling isn't free. However, existing code already calls proto.Clone() on every cache write, and as that is replaced with the call to proto.Marshal(), the relative cost may not be significant. Still, a test to check impact on CPU during a load test is warranted.

    Cache Cost Function

    Now, the long story.


    As stated above, the cache was using more memory than the 'max cost' setting because the cost of each cached item was being set to the size of a pointer (8 bytes) rather than the size of the memory referenced by a pointer.

    The first attempt at improving the cost function made the situation better, but there was still a substantial difference between the configured cache size and the total memory used. Below are flamegraphs for in-use space for a local spicedb instance, taken after running a 15 minute load test of check requests. Between 0 and 32 MB cache, the memory increased 59MB, 184% the increase in cache size. Between 32 and 64 MB cache, the memory increased 70MB, 219% the increase in cache size.

    1 byte Cache (single instance, local) image

    32 MB Cache (single instance, local) image

    64 MB Cache (single instance, local) image

    Aside on Profiling

    In the flamegraphs above, the in-use bytes within ristretto.(*Cache).processItems are very close to the allocated cache size. Also, the bytes allocated within caching.(#Dispatcher).DispatchCheck grow proportionally with the cache size.

    Initially I thought this meant the DispatchCheck() function was responsible for leaking memory. However, I no longer think that is the case.

    Heap profiles work by sampling allocations. When a sample is taken, the stack responsible for the allocation is added to the profile. So, seeing DispatchCheck() in the flamegraph doesn't mean that DispatchCheck() is responsible for keeping bytes from GC, only that it was responsible for originally allocating those bytes.

    Reviewing the spiceDB code, this makes sense - DispatchCheck() creates the object that is stored in the cache (via proto.Clone()), but then it is the cache that keeps that object from GC. When ristretto stores an item, it allocates a wrapper struct, which explains why it is also in the profile.

    Given this, the best way to measure memory used by the cache is to sum ristretto.(*Cache).processItems and proto.Clone. Doing so for the examples above gives 113MB for the 64MB cache (176% larger) and 59MB for the 32MB cache (184% larger).

    Size Classes

    One of the main breakthroughs I had was learning about class sizes in Go. Class sizes are predefined object sizes (8, 16, 24, 32, 48, etc). When allocating a 'small' object, Go takes the number of required bytes and then allocates the next size class larger than what is required. This is done to make GC tracking more efficient for small objects. See 'One more thing' section.

    So, a cost function that returns only the bytes required for an object will systematically under-report the actual cost in memory!

    This article indicates that append() is aware of class sizes and can be used to find them at run time. This code demonstrates: https://go.dev/play/p/lRaSqzunZ73

    After accounting for class sizes, I was able to write a cost function that exactly matched the allocated bytes, as reported by memstats.TotalAlloc.

    Keys Count Too

    Still, even accounting for size classes, the cost function was not controlling memory like I wanted. How could my tests show a perfect match to the reported allocated memory, but still allow the cache to grow beyond max cost? The answer is fairly simple: cache keys are stored too, and take up memory. After including keys in the cost function, I got the following results (caching []byte):

    | test | total profiled space | cache profiled space | cache computed space | key count | keys/cache profiled MB | | --- | --- | --- | --- | --- | --- | | 8MB cache | 33.1 MB | 16.2 MB | 8 MB | 42,094 | 2,598 | | 16MB cache | 40.4 MB | 24.3 MB | 16 MB | 84,097 | 3,460 | | 32MB cache | 63.8 MB | 44.4 MB | 32 MB | 168,152 | 3,787 |

    The difference in cache size between 8MB and 16MB max cost was 8.1MB! Between 16MB and 32MB, 20.1 MB, which is off by about 26%.

    Final Cost Function (protobuf structs, not bytes)

    This test was run with a cost function that accounted for keys and size classes. No changes were made to the objects stored in the cache for this test.

    | test | total profiled space | cache profiled space | cache computed space | key count | keys/cache profiled MB | | --- | --- | --- | --- | --- | --- | | no cache (1 byte) | 15.6 MB | 0 MB | 0 MB | 0 | 0 | | 16MB cache | 34.8 MB | 21.5 MB | 16 MB | 46,916 | 2,182 | | 32MB cache | 55.2 MB | 37.8 MB | 32 MB | 93,825 | 2,482 |

    This shows there is still some overhead for the cache, since going from a cache with only 1 byte max cost (effectively, no cache) to 16 MB cost added 21.5 MB to memory used by the cache. But, going from 16MB to 32MB added 16.3MB, off by ~2%.

    Compared to the test which used a similar cost function, but stored bytes instead, this also shows that storing bytes is still more efficient, although less so than in the original test. This makes sense, because now that they key is included in the cost function, the space saved on the items themselves is a smaller proportion of the total cost per entry.

    Misc Learnings

    • Are there memory leaks?
      • I don't think so. Once the cache reaches capacity and begins to evict items, memory use is stable.
    • Is protocol buffers increasing memory footprint?
      • The items stored in the cache are protobuf generated types and have some fields specific to protobuf (protoimpl.MessageState, protoimpl.SizeCache, protoimpl.UnknownFields). It is possible these fields are getting populated after the cost function runs and increasing memory footprint beyond what the cost function calculates. Running spicedb locally, I did see that this was the case - sending a message from the cache caused its size to increase significantly. However, subsequent sends shared the memory added by the first send. To further test if protobuf fields were increasing cost, I ran tests where a the cached object was never returned to callers, only deep copies. Memory use was similar enough that I don't think the protobuf fields have a significant impact.
      • 32 MB Cache (main) image
      • 32 MB Cache (clone on return) image
    area/perf area/observability area/dispatch 
    opened by benCoomes 10
  • service-discovery: Added ZooKeeper based service discovery

    service-discovery: Added ZooKeeper based service discovery

    I have implemented an alternative service discovery that can be used without kubernetes. It uses Apache ZooKeeper. It also contains the code necessary to work inside AWS ECS containers (it can get the IP from the task and instance metadata endpoint), but it falls back to the IP of the first public network interface. The address defined in dispatch-cluster-addr takes precedence in any case.

    I will use this in our deployment on ECS. The SRV record method was not reliable so I made a custom resolver that uses ZooKeeper to discover the peers, since we were already using ZooKeeper for some of our existing services.

    This is the first time I'm coding in Go, so I hope I didn't mess up anything.

    area/CLI area/dependencies 
    opened by gergof 10
  • Add quickstart examples

    Add quickstart examples

    Closes https://github.com/authzed/spicedb/issues/469

    This creates a collection of quickstart Docker Compose files to get new-comers quickly running with the datastore of their choosing. ~I also moved k8s/example.yaml under the examples/ directory, since it seemed to fit well there. Though, I'm not sure if this breaks documentation links.~ I reverted this change, things broke when that file moved.

    Most datastores were straightforward, but Cockroach and Spanner (especially Spanner) required some extra plumbing to get them operational.

    opened by bryanhuhta 7
  • introduce validate command

    introduce validate command

    Closes https://github.com/authzed/spicedb/issues/290


    The purpose of this command is to take a playground file and run the assertions and validations defined.

    The rationale is that schema development happens in the playground, but once the YAML is downloaded, there is nothing developers can do other than loading it with testserve command, or uploading it back to the playground. This attempts to reuse and run the assertions and validations as test-suite outside of the the playground, and in a programmatic way rather than only interactively. Rather than duplicating the same tests in the client application, the playground tests become the canonical representation for the business rules defined in the schema.


    1. developers introduce changes in schema via the playground
    2. YAML file is downloaded and persisted in git repository
    3. changes are pushed, PR is opened, CI runs spicedb validate, demonstrating changes are sound.


    • Introducing a new CLI command is cool, exposing new API in the go code requires more consideration
    • Version 2 of the Playground file is not really API, so instead of updating the public structures, in parsed the file in two phases: one time with the public stuff, and one with the v2 fields
    • I'm not sure I got right the versioning strategy y'all have with the API. It sounds like v0 is like "it's public, but may be broken anytime". I assumed it's OK to expose methods reusing v0 types, but would definitely appreciate some guidance here


    • accepts multiple playground files as input
    • process returns 0 if valid, non-zero if invalid
    • errors by line and message are logged (e.g. can be surfaced in the GitHub PR)


    • Planning to add tests if this is the design seems sound
    area/api v0 area/CLI 
    opened by vroldanbet 7
  • LookupSubjects API

    LookupSubjects API

    The Lookup Watch API Proposal includes the addition of the "reachability" APIs, which allow a caller to query the data-driven shape of the permissions graph.

    One of the APIs proposed is LookupSubjects which would act as a filtered, streaming form of ExpandPermission, but across an entire object type:

    message LookupSubjectsRequest {
        Consistency consistency = 1;
        ObjectReference resource = 2;
        string optional_permission = 3;
        string optional_subject_type = 4;
        string optional_subject_relation = 5;
    message LookupSubjectsResponse {
        Relationship found_relationship = 1;
        ZedToken found_at = 2;

    All fields on the request besides consistency and resource would be optional, in which case all subjects (of all kinds) would be find for the specified resource.

    Open Questions

    1. Should the LookupSubjectsResponse contain the path of all relations/permissions that were traversed to reach a subject? This could be very useful in building permissions panels or auditing systems.
    2. Should optional_subject_type (and relation) be repeated, to allow filtering to a set of allowed types, instead of a single type?
    3. Should optional_permission be repeated, to allow filtering to a set of allowed permissions/relations?
    priority/2 medium area/perf area/api v1 state/needs discussion area/dispatch 
    opened by josephschorr 7
  • Dashboard example zed usage references HEAD formula & `login` command

    Dashboard example zed usage references HEAD formula & `login` command

    Brew installation of zed fails with the Errno:ENOENT error:

    ibazulic@cyberdyne:~$ brew install --HEAD authzed/tap/zed
    ==> Tapping authzed/tap
    Cloning into '/home/linuxbrew/.linuxbrew/Homebrew/Library/Taps/authzed/homebrew-tap'...
    remote: Enumerating objects: 34, done.
    remote: Counting objects: 100% (34/34), done.
    remote: Compressing objects: 100% (25/25), done.
    remote: Total 34 (delta 15), reused 10 (delta 3), pack-reused 0
    Receiving objects: 100% (34/34), 8.73 KiB | 1.75 MiB/s, done.
    Resolving deltas: 100% (15/15), done.
    Tapped 2 formulae (16 files, 92.0KB).
    ==> Downloading https://ghcr.io/v2/linuxbrew/core/go/manifests/1.17.1
    ######################################################################## 100.0%
    ==> Downloading https://ghcr.io/v2/linuxbrew/core/go/blobs/sha256:65e57b46322ebb9957754293cc66012579d93a7795b286bd2f267758f8006d7b
    ==> Downloading from https://pkg-containers.githubusercontent.com/ghcr1/blobs/sha256:65e57b46322ebb9957754293cc66012579d93a7795b286bd2f267758f8006d7b?se=2021-09-30T17%3A50%3A00Z&sig=hB1Y%2FHG%2FMPADkzMm6M92
    ######################################################################## 100.0%
    ==> Cloning https://github.com/authzed/zed.git
    Cloning into '/home/ibazulic/.cache/Homebrew/zed--git'...
    ==> Checking out branch main
    Already on 'main'
    Your branch is up to date with 'origin/main'.
    ==> Installing zed from authzed/tap
    ==> Installing dependencies for authzed/tap/zed: go
    ==> Installing authzed/tap/zed dependency: go
    ==> Pouring go--1.17.1.x86_64_linux.bottle.tar.gz
     /home/linuxbrew/.linuxbrew/Cellar/go/1.17.1: 10,810 files, 537.4MB
    ==> Installing authzed/tap/zed --HEAD
    Error: An exception occurred within a child process:
      Errno::ENOENT: No such file or directory - zed

    Pulling zed normally via brew install authzed/tap/zed works but this binary does not have the login option needed to log into spicedb according to instructions.

    kind/bug priority/1 high area/tooling 
    opened by ibazulic 7
  • Support OpenTelemetry collectors

    Support OpenTelemetry collectors

    Everything is instrumented using OpenTelemetry, but Jaeger is the only format exposed by command-line flags. If it can be made generic enough, this could be upstreamed into cobrautil.

    hint/good first issue area/CLI priority/4 maybe area/tooling kind/tech debt 
    opened by jzelinskie 7
  • Add support for Application Default Credentials for Cloud Spanner datastore

    Add support for Application Default Credentials for Cloud Spanner datastore

    The Cloud Spanner driver currently requires a service account JSON file.

    Another way to authenticate with Google services is using Application Default Credentials, which allows one to authenticate with cloud APIs without manually supplying a service account file (one use case is when running on a GCE instance with a linked service account).

    The Go client libraries support Application Default Credentials out of the box -- they're used by default if no credentials are supplied: https://pkg.go.dev/cloud.google.com/go?utm_source=godoc#hdr-Authentication_and_Authorization

    For instance, for this line: https://github.com/authzed/spicedb/blob/42f730ab06c8b9ec90b74f2d390454083a925627/internal/datastore/spanner/spanner.go#L74

    The equivalent code using Application Default Credentials would be:

     client, err := spanner.NewClient(context.Background(), database) 

    Is it possible to add support for using Application Default Credentials to connect to Cloud Spanner? I'm willing to write the PR.

    hint/good first issue priority/3 low area/datastore 
    opened by kirbyquerby 6
  • Bump github.com/cespare/xxhash/v2 from 2.1.2 to 2.2.0

    Bump github.com/cespare/xxhash/v2 from 2.1.2 to 2.2.0

    Bumps github.com/cespare/xxhash/v2 from 2.1.2 to 2.2.0.


    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    opened by dependabot[bot] 0
  • Bump github.com/rs/cors from 1.8.2 to 1.8.3

    Bump github.com/rs/cors from 1.8.2 to 1.8.3

    Bumps github.com/rs/cors from 1.8.2 to 1.8.3.


    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    opened by dependabot[bot] 0
  • Bump golang.org/x/tools from 0.3.0 to 0.4.0

    Bump golang.org/x/tools from 0.3.0 to 0.4.0

    Bumps golang.org/x/tools from 0.3.0 to 0.4.0.

    Release notes

    Sourced from golang.org/x/tools's releases.


    • Improved support for working with modules (@‚Äčridersofrohan). A detailed walk-through of the new features can be found here. A quick summary:
      • Use the -modfile flag to suggest which modules should be added/removed from the go.mod file, rather than editing it automatically.
      • Suggest dependency upgrades in-editor and provide additional language features, such as formatting, for the go.mod file.
    • Inverse implementations (@‚Äčmuirdm). "Go to implementations" on a concrete type will show the interfaces it implements.
    • Completion improvements (@‚Äčmuirdm). Specifically, improved completion for keywords. Also, offer if err != nil { return err } as a completion item.
    • Jumping to definition on an import statement returns all files as definition locations (@‚Äčdanishprakash).
    • Support for running go generate through the editor, via a code lens (@‚Äčmarwan-at-work).
    • Command-line support for workspace symbols (@‚Äčdaisuzu).


    • Code actions suggesting gofmt -s-style simplifications (@‚Äčridersofrohan). To get these on-save, add the following setting:
    "[go]": {
    	"editor.codeActionsOnSave": {
    		"source.fixAll": true,
    • Code actions suggesting fixes for type errors, such as missing return values (goreturns-style), undeclared names, unused parameters, and assignment statements that should be converted from := to = (@‚Äčridersofrohan). Add the following to your gopls settings to opt-in to these analyzers. In the future, they will be on by default and high-confidence suggested fixes may be applied on save. See additional documentation on analyzers here.
    "gopls": {
    	"analyses": {
    		"fillreturns": true,
                    "undeclaredname": true,
                    "unusedparams": true,
                    "nonewvars": true,
    • Further improvements in the support for multiple concurrent clients (@‚Äčfindleyr). See #34111 for all details.

    For a complete list of the issues resolved, see the gopls/v0.4.0 milestone.



    • Support for workspace symbols. (@‚Äčdaisuzu)
    • Various completion improvements, including fixes for completion in code that doesn't parse. (@‚Äčmuirdm)
    • Limit diagnostic concurrency, preventing huge spikes in memory usage that some users encountered. (@‚Äčheschik)
    • Improved handling for URIs containing escaped characters. (@‚Äčheschik)
    • Module versions from "go list" in pkg.go.dev links. (@‚Äčridersofrohan)

    ... (truncated)

    • aee3994 gopls/internal/lsp/fake: in (*Workdir).RenameFile, fall back to read + write
    • fe60148 go.mod: update golang.org/x dependencies
    • c9ea9a7 gopls/internal/regtest: add a test for the case when the renaming package's p...
    • bf5db81 gopls/internal/lsp/cache: improve ad-hoc warning for nested modules
    • aa9f4b2 go/analysis: document that facts are gob encoded in one gulp
    • bdcd082 internal/gcimporter: skip tests earlier when 'go build' is not available
    • 2ad6325 gopls/internal/lsp/cache: expand ImportPath!=PackagePath comment
    • 52c7b88 gopls/internal/robustio: only define ERROR_SHARING_VIOLATION on Windows
    • 4f69bf3 gopls/internal/lsp/cache: narrow reloadOrphanedFiles to open files
    • 6002d6e gopls/internal/regtest/misc: test Implementations + vendor
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    opened by dependabot[bot] 0
  • Bump cloud.google.com/go/spanner from 1.39.0 to 1.42.0

    Bump cloud.google.com/go/spanner from 1.39.0 to 1.42.0

    Bumps cloud.google.com/go/spanner from 1.39.0 to 1.42.0.

    Release notes

    Sourced from cloud.google.com/go/spanner's releases.

    spanner: v1.42.0

    1.42.0 (2022-12-14)


    • spanner: Add database roles (#5701) (6bb95ef)
    • spanner: Rewrite signatures and type in terms of new location (620e6d8)

    Bug Fixes

    • spanner: Fallback to check grpc error message if ResourceType is nil for checking sessionNotFound errors (#7163) (2552e09)

    spanner: v1.41.0

    1.41.0 (2022-12-01)


    spanner: v1.40.0

    1.40.0 (2022-11-03)


    • spanner/spansql: Add support for interval arg of some date/timestamp functions (#6950) (1ce0f7d)
    • spanner: Configurable logger (#6958) (bd85442), refs #6957
    • spanner: PG JSONB support (#6874) (5b14658)
    • spanner: Update result_set.proto to return undeclared parameters in ExecuteSql API (de4e16a)
    • spanner: Update transaction.proto to include different lock modes (caf4afa)
    • 22e90d9 chore(main): release spanner 1.42.0 (#7130)
    • 2552e09 fix(spanner): fallback to check grpc error message if ResourceType is nil for...
    • 6bb95ef feat(spanner): add database roles (#5701)
    • f2b1f1b chore(bigquery/storage/managedwriter): internal refactor (flow controller, id...
    • bcc9fcd test(bigtable): expand integration tests for read stats (#7143)
    • ab332ce fix(internal/gapicgen): disable rest for non-rest APIs (#7157)
    • dc89409 chore(main): release pubsublite 1.6.0 (#7129)
    • 5fa8555 feat(pubsublite): create/update export subscriptions (#6885)
    • 176f533 feat(pubsublite): unload idle partition publishers (#7105)
    • 28f3572 feat(all): enable REGAPIC and REST numeric enums (#6999)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    opened by dependabot[bot] 0
  • Bump github.com/envoyproxy/protoc-gen-validate from 0.6.13 to 0.9.1

    Bump github.com/envoyproxy/protoc-gen-validate from 0.6.13 to 0.9.1

    Bumps github.com/envoyproxy/protoc-gen-validate from 0.6.13 to 0.9.1.

    Release notes

    Sourced from github.com/envoyproxy/protoc-gen-validate's releases.


    What's Changed

    New Contributors

    Full Changelog: https://github.com/bufbuild/protoc-gen-validate/compare/v0.9.0...v0.9.1


    What's Changed

    Full Changelog: https://github.com/bufbuild/protoc-gen-validate/compare/v0.8.0...v0.9.0


    What's Changed

    ... (truncated)

    • 8ed4f9c Bump proto-google-common-protos from 2.10.0 to 2.11.0 in /java (#748) #patch
    • f154818 Bump google.protobuf.version from 3.21.9 to 3.21.10 in /java (#747) #patch
    • 0c04917 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (#734) #patch
    • 7d84560 Bump grpc-bom from 1.50.2 to 1.51.0 in /java (#742) #patch
    • 967d85d Bump golang.org/x/net from 0.1.0 to 0.2.0 (#732) #patch
    • 31388c3 Bump os-maven-plugin from 1.7.0 to 1.7.1 in /java (#731) #patch
    • 774e011 Removing more from the no-op proto-gen-validate build (#738)
    • 2682ad0 GH-728 Fix typo in readme (#729) #patch
    • 5e042b7 attach linux arm64 artifact (#725)
    • ae855fa Bump proto-google-common-protos from 2.9.6 to 2.10.0 in /java (#722) #patch
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    opened by dependabot[bot] 0
  • Make Playground available on Docker also

    Make Playground available on Docker also

    The only thing lacking compared to OpenFGA is the capability to have the nice Playground UI on top of you own instance of the SpiceDB Docker. Please build the https://github.com/authzed/spicedb/tree/main/pkg/development/wasm and included it in the Docker as a http port.

    opened by danmunteanuevo 0
  • v1.15.0(Nov 22, 2022)

    Upgrade Notes

    Warning This is release includes changes for dispatching, which can result in an increased error rate during rollout. To avoid, deploy as a distinct cluster and switch over your load balancer(s)

    CockroachDB, Spanner, MySQL, Postgres

    (no migrations from v1.14.1)

    What's Changed

    • Update BaseSubjectSet to support caveat expressions by @josephschorr in https://github.com/authzed/spicedb/pull/932
    • Add support in LookupResources for caveats by @josephschorr in https://github.com/authzed/spicedb/pull/938
    • Remove support for the v1alpha1 API by @josephschorr in https://github.com/authzed/spicedb/pull/976
    • Fix observable proxy to use the more efficient namespace lookup by @josephschorr in https://github.com/authzed/spicedb/pull/989
    • Refactor the datastore testfixtures for better code reuse by @josephschorr in https://github.com/authzed/spicedb/pull/988
    • Provide additional capabilities around schema writing by @josephschorr in https://github.com/authzed/spicedb/pull/990
    • logging and error handling improvements by @vroldanbet in https://github.com/authzed/spicedb/pull/986
    • Fix test flake in loader by sorting the expected tuples by @josephschorr in https://github.com/authzed/spicedb/pull/991
    • Add support for caveats in LookupSubjects API by @josephschorr in https://github.com/authzed/spicedb/pull/987
    • address some caveat TODOs by @vroldanbet in https://github.com/authzed/spicedb/pull/995
    • Make sure ReadSchema returns caveats as well by @josephschorr in https://github.com/authzed/spicedb/pull/997
    • Add testutil packages and clean up copy-pasted code by @josephschorr in https://github.com/authzed/spicedb/pull/996
    • fixes broken docker compose link by @vroldanbet in https://github.com/authzed/spicedb/pull/999
    • datastore/postgres: remove the compensation code for migration phases by @jakedt in https://github.com/authzed/spicedb/pull/992
    • Add validation of relationships to file loader by @josephschorr in https://github.com/authzed/spicedb/pull/981
    • Fix for PG when schema is specified in the db url by @jvassev in https://github.com/authzed/spicedb/pull/994
    • Improve the error message for duplicate rels within a single WriteRel‚Ķ by @josephschorr in https://github.com/authzed/spicedb/pull/1003
    • Return InvalidArgument if caveats are disabled in WriteRels call by @josephschorr in https://github.com/authzed/spicedb/pull/1004
    • Add context and default timeout for validationfile loading by @josephschorr in https://github.com/authzed/spicedb/pull/1002
    • Add len checks to WriteCaveats before attempting to write nothing by @peterfoldes in https://github.com/authzed/spicedb/pull/1006
    • Catch nil values for FoundSubjectsByResourceID map and return as errors by @josephschorr in https://github.com/authzed/spicedb/pull/1008

    Docker Images

    This release is available at:

    • authzed/spicedb:v1.15.0
    • quay.io/authzed/spicedb:v1.15.0
    • ghcr.io/authzed/spicedb:v1.15.0
    • authzed/spicedb:v1.15.0-debug
    • quay.io/authzed/spicedb:v1.15.0-debug
    • ghcr.io/authzed/spicedb:v1.15.0-debug

    New Contributors

    • @jvassev made their first contribution in https://github.com/authzed/spicedb/pull/994
    • @peterfoldes made their first contribution in https://github.com/authzed/spicedb/pull/1006

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.14.1...v1.15.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.16 KB)
    spicedb_1.15.0_darwin_amd64.tar.gz(16.24 MB)
    spicedb_1.15.0_darwin_arm64.tar.gz(15.80 MB)
    spicedb_1.15.0_linux_amd64.apk(16.06 MB)
    spicedb_1.15.0_linux_amd64.deb(16.06 MB)
    spicedb_1.15.0_linux_amd64.rpm(16.06 MB)
    spicedb_1.15.0_linux_amd64.tar.gz(15.36 MB)
    spicedb_1.15.0_linux_arm64.apk(14.59 MB)
    spicedb_1.15.0_linux_arm64.deb(14.59 MB)
    spicedb_1.15.0_linux_arm64.rpm(14.62 MB)
    spicedb_1.15.0_linux_arm64.tar.gz(14.03 MB)
    spicedb_1.15.0_windows_amd64.tar.gz(15.51 MB)
    spicedb_1.15.0_windows_arm64.tar.gz(14.17 MB)
  • v1.14.1(Nov 7, 2022)

    What's Changed

    • prevent poisoning via build job by @vroldanbet in https://github.com/authzed/spicedb/pull/961
    • Fix panic in validationfile loader when no schema is specified by @josephschorr in https://github.com/authzed/spicedb/pull/979
    • datastore/cache: clear the RWT namespace cache when writing namespaces by @jakedt in https://github.com/authzed/spicedb/pull/982
    • Dispatch goleak checking by @josephschorr in https://github.com/authzed/spicedb/pull/983
    • cmd/serve: fix deprecated usage of jaeger by @jzelinskie in https://github.com/authzed/spicedb/pull/984

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.14.0...v1.14.1

    Docker Images

    This release is available at authzed/spicedb:v1.14.1, quay.io/authzed/spicedb:v1.14.1, ghcr.io/authzed/spicedb:v1.14.1

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.16 KB)
    development.wasm(38.92 MB)
    spicedb_1.14.1_darwin_amd64.tar.gz(16.23 MB)
    spicedb_1.14.1_darwin_arm64.tar.gz(15.78 MB)
    spicedb_1.14.1_linux_amd64.apk(16.06 MB)
    spicedb_1.14.1_linux_amd64.deb(16.06 MB)
    spicedb_1.14.1_linux_amd64.rpm(16.08 MB)
    spicedb_1.14.1_linux_amd64.tar.gz(15.35 MB)
    spicedb_1.14.1_linux_arm64.apk(14.59 MB)
    spicedb_1.14.1_linux_arm64.deb(14.59 MB)
    spicedb_1.14.1_linux_arm64.rpm(14.59 MB)
    spicedb_1.14.1_linux_arm64.tar.gz(14.01 MB)
    spicedb_1.14.1_windows_amd64.tar.gz(15.50 MB)
    spicedb_1.14.1_windows_arm64.tar.gz(14.16 MB)
  • v1.14.0(Nov 3, 2022)


    • Memory management for caching vastly improved by more accurately tracking the size of cache entries
    • Postgres datastore rewritten with massive improvements to write performance
    • Experimental caveats support
    • Massive performance improvement for LookupResources
    • GemFury DEB & RPM repositories are now available for SpiceDB releases

    Upgrade Notes

    Warning This is release includes migrations for all datastores, but a more complex migration for Postgres. You must have already upgraded to v1.13.0 before upgrading to v1.14.0. To learn more about migrations, see the migration documentation. To automate migrations, Kubernetes users can run the SpiceDB Operator.

    CockroachDB, Spanner, MySQL

    CockroachDB, Spanner, MySQL datastore users can run the command spicedb migrate head from a SpiceDB v1.14 binary to migrate a v1.13 cluster. This may result in a brief latency spike, but will otherwise cause no downtime. After the migration is complete, v1.13 processes can be replaced with v1.14 ones.


    PostgreSQL users have two options: zero downtime or not.


    1. Ensure SpiceDB v1.13.0 was running
    2. Shut off SpiceDB in all clusters
    3. Run spicedb migrate head using SpiceDB v1.14
    4. Rollout v1.14 to your cluster(s)


    1. Ensure SpiceDB v1.13.0 is currently running
    2. Run spicedb migrate add-xid-columns using SpiceDB v1.14
    3. Rollout v1.14 to your cluster(s) with the following flag: --datastore-migration-phase=write-both-read-old
    4. Once the rollout is fully complete, run spicedb migrate add-xid-constraints using SpiceDB v1.14
    5. Rollout v1.14 to your cluster(s) with the following flag: --datastore-migration-phase=write-both-read-new
    6. Once the rollout is fully complete, run spicedb migrate drop-id-constraints using SpiceDB v1.14
    7. Rollout v1.14 to your cluster(s) with the --datastore-migration-phase flag removed

    What's Changed

    • Improves Postgres write performance by @jakedt in https://github.com/authzed/spicedb/pull/852
    • streamline logging by @vroldanbet in https://github.com/authzed/spicedb/pull/844
    • Implement structured errors for all user facing errors by @josephschorr in https://github.com/authzed/spicedb/pull/858
    • disable async logging by @vroldanbet in https://github.com/authzed/spicedb/pull/888
    • adds tests to demonstrate various caveat use-cases by @vroldanbet in https://github.com/authzed/spicedb/pull/878
    • fix datastore integration tests not running by @vroldanbet in https://github.com/authzed/spicedb/pull/893
    • Incremental migrations by @jakedt in https://github.com/authzed/spicedb/pull/891
    • Enable goreleaser pro, push linux packages to gemfury by @jzelinskie in https://github.com/authzed/spicedb/pull/897
    • add caveat support to postgres datastore by @vroldanbet in https://github.com/authzed/spicedb/pull/890
    • refactoring of caveat datastore methods by @vroldanbet in https://github.com/authzed/spicedb/pull/899
    • fix calls to logger that are not being sent by @vroldanbet in https://github.com/authzed/spicedb/pull/904
    • Batch check for lookup by @josephschorr in https://github.com/authzed/spicedb/pull/843
    • Add a lint check for zerolog expression statements without Send or Msg calls by @josephschorr in https://github.com/authzed/spicedb/pull/907
    • integrates caveat context in PermissionService API methods by @vroldanbet in https://github.com/authzed/spicedb/pull/886
    • more follow ups to caveats in datastore by @vroldanbet in https://github.com/authzed/spicedb/pull/906
    • Fix stack overflow on error marshalling for zerolog by @ecordell in https://github.com/authzed/spicedb/pull/909
    • Tech Debt cleanup: move LogOnError into common datastore package by @josephschorr in https://github.com/authzed/spicedb/pull/912
    • internal: store serialized protos in caches by @jzelinskie in https://github.com/authzed/spicedb/pull/900
    • Add a namespace proxy cache test suite using a real datastore by @josephschorr in https://github.com/authzed/spicedb/pull/919
    • Add caveat references to schema and full type checking by @josephschorr in https://github.com/authzed/spicedb/pull/896
    • fix more instances of zerolog marshall recursion by @vroldanbet in https://github.com/authzed/spicedb/pull/922
    • add missing caveat test, update caveat example by @vroldanbet in https://github.com/authzed/spicedb/pull/924
    • Sever namespace read context by @ecordell in https://github.com/authzed/spicedb/pull/925
    • introduce caveat support in CockroachDB by @vroldanbet in https://github.com/authzed/spicedb/pull/921
    • Encode xmin in postgres revisions to respect zedtoken order by @jakedt in https://github.com/authzed/spicedb/pull/930
    • implement caveat support for spanner by @ecordell in https://github.com/authzed/spicedb/pull/929
    • Add support for defining caveats in schema, and associated type checks by @josephschorr in https://github.com/authzed/spicedb/pull/926
    • include sboms in release by @ecordell in https://github.com/authzed/spicedb/pull/927
    • Elide updates of namespaces which have not changed at all by @josephschorr in https://github.com/authzed/spicedb/pull/913
    • datastore/postgres: stop casting xid in queries altogether by @jakedt in https://github.com/authzed/spicedb/pull/942
    • Don't return the caveat key in the ObjectDefinitionNames in v1alpha1 ‚Ķ by @josephschorr in https://github.com/authzed/spicedb/pull/944
    • Mark devtools gRPC endpoint enabled by default for the serve-devtools command by @josephschorr in https://github.com/authzed/spicedb/pull/945
    • Breakout the integration test suite from unit tests by @josephschorr in https://github.com/authzed/spicedb/pull/947
    • refactor: add context to write methods within a datastore transaction by @jakedt in https://github.com/authzed/spicedb/pull/948
    • parallelize consistent hashring test by @ecordell in https://github.com/authzed/spicedb/pull/949
    • Faster CI Feedback Loop by @vroldanbet in https://github.com/authzed/spicedb/pull/950
    • introduce caveat support in MySQL by @vroldanbet in https://github.com/authzed/spicedb/pull/936
    • fixes caching of loop variable in the wrong place by @vroldanbet in https://github.com/authzed/spicedb/pull/951
    • internal/datastore: add observable proxy by @jzelinskie in https://github.com/authzed/spicedb/pull/952
    • Add datastore proxy for separating context by @jzelinskie in https://github.com/authzed/spicedb/pull/953
    • Update authzed-go for the additional validation rules by @josephschorr in https://github.com/authzed/spicedb/pull/957
    • specifies cache-dependency-path to prevent poisoning by @vroldanbet in https://github.com/authzed/spicedb/pull/960
    • pg: move column defaults to backfill migration by @ecordell in https://github.com/authzed/spicedb/pull/955
    • do not run CRDB migration in transaction by @vroldanbet in https://github.com/authzed/spicedb/pull/956
    • Change experimental caveats flag to be handled at the service level by @josephschorr in https://github.com/authzed/spicedb/pull/962
    • datastore: DeleteNamespace => DeleteNamespaces by @jzelinskie in https://github.com/authzed/spicedb/pull/940
    • Add shorter timeouts and better config to gRPC dialing in tests by @josephschorr in https://github.com/authzed/spicedb/pull/965
    • Depbot updates for Nov 1, 2022 by @josephschorr in https://github.com/authzed/spicedb/pull/972

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.13.0...v1.14.0

    Docker Images

    This release is available at authzed/spicedb:v1.14.0, quay.io/authzed/spicedb:v1.14.0, ghcr.io/authzed/spicedb:v1.14.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.16 KB)
    development.wasm(38.92 MB)
    spicedb_1.14.0_darwin_amd64.tar.gz(16.22 MB)
    spicedb_1.14.0_darwin_arm64.tar.gz(15.76 MB)
    spicedb_1.14.0_linux_amd64.apk(16.02 MB)
    spicedb_1.14.0_linux_amd64.deb(16.04 MB)
    spicedb_1.14.0_linux_amd64.rpm(16.06 MB)
    spicedb_1.14.0_linux_amd64.tar.gz(15.35 MB)
    spicedb_1.14.0_linux_arm64.apk(14.58 MB)
    spicedb_1.14.0_linux_arm64.deb(14.55 MB)
    spicedb_1.14.0_linux_arm64.rpm(14.56 MB)
    spicedb_1.14.0_linux_arm64.tar.gz(14.01 MB)
    spicedb_1.14.0_windows_amd64.tar.gz(15.48 MB)
    spicedb_1.14.0_windows_arm64.tar.gz(14.15 MB)
  • v1.13.0(Oct 4, 2022)


    • Dispatched checks are now batched performed improving performance
    • Protobuf serialization is now much faster by using vtprotobuf to avoid reflection
    • Dispatch API is now compressed with Snappy
    • Cache sizes can now be configured with percentages of free memory

    Warning This release contains a change to the internal dispatch API, which means that v1.13.0 and v1.12.0 can not dispatch to each other during a rolling upgrade. To upgrade without downtime, run these as separate Kubernetes services, or disable dispatch before upgrading.

    What's Changed

    • Add an error case for redefining a type in schema by @josephschorr in https://github.com/authzed/spicedb/pull/810
    • Add govulncheck to the linters by @josephschorr in https://github.com/authzed/spicedb/pull/813
    • don't generate nsswitch.conf (base images have it now) by @ecordell in https://github.com/authzed/spicedb/pull/815
    • Fix fallback for MySQL stats to fix test flake by @josephschorr in https://github.com/authzed/spicedb/pull/812
    • replace custom pgxpool collector with opensource module by @vroldanbet in https://github.com/authzed/spicedb/pull/809
    • dispatch: use Snappy S2 compression and vtprotobuf by @jzelinskie in https://github.com/authzed/spicedb/pull/821
    • gomod: bump compress to v1.15.10 by @jzelinskie in https://github.com/authzed/spicedb/pull/822
    • Disable GC in datastore drivers when in read-only mode by @josephschorr in https://github.com/authzed/spicedb/pull/811
    • bump kuberesolver to pick up serviceaccount token refresh by @ecordell in https://github.com/authzed/spicedb/pull/817
    • Ensure that internal errors are returned before dev errors by @josephschorr in https://github.com/authzed/spicedb/pull/823
    • Use MarshalVT() and UnmarshalVT() everywhere by @jzelinskie in https://github.com/authzed/spicedb/pull/824
    • internal/datastore: use proto.Marshal by @jzelinskie in https://github.com/authzed/spicedb/pull/825
    • Add a test for writing and reading back a serialized namespace in the datastores by @josephschorr in https://github.com/authzed/spicedb/pull/826
    • caveat in MemDB datastore by @vroldanbet in https://github.com/authzed/spicedb/pull/807
    • forward cli flags GCMaxOperationTime and SplitAtUsersetCount to MySQL datastore by @vroldanbet in https://github.com/authzed/spicedb/pull/829
    • Change all user-visible type errors into proper wrapped error structs by @josephschorr in https://github.com/authzed/spicedb/pull/831
    • reduce e2e flakes by @ecordell in https://github.com/authzed/spicedb/pull/834
    • Batch check improvements by @josephschorr in https://github.com/authzed/spicedb/pull/777
    • Fix performance for large schema writes in V1Alpha1 by @josephschorr in https://github.com/authzed/spicedb/pull/837
    • Fix chunking util to never call for an empty chunk by @josephschorr in https://github.com/authzed/spicedb/pull/840
    • Change caching to sort order resource and subject IDs by @josephschorr in https://github.com/authzed/spicedb/pull/841
    • Improve the WASM developer package interface by @josephschorr in https://github.com/authzed/spicedb/pull/828
    • internal/dispatch: gofumpt 4.0 by @jzelinskie in https://github.com/authzed/spicedb/pull/845
    • update cobrautil to latest commit by @vroldanbet in https://github.com/authzed/spicedb/pull/842
    • pkg/cmd: support cache sizes in percentages of free memory by @jzelinskie in https://github.com/authzed/spicedb/pull/827
    • Add building of WASM developer binary to releases by @samkim in https://github.com/authzed/spicedb/pull/833
    • pkg/cache: implement metrics for noop cache by @jzelinskie in https://github.com/authzed/spicedb/pull/848
    • introduce caveat support in WriteRelationships/ReadRelationships by @vroldanbet in https://github.com/authzed/spicedb/pull/838
    • Start work for dispatch for caveats by adding MembershipSet by @josephschorr in https://github.com/authzed/spicedb/pull/849
    • internal: add docker build tag to transitives by @jzelinskie in https://github.com/authzed/spicedb/pull/854
    • docker: switch to chainguard base images by @jzelinskie in https://github.com/authzed/spicedb/pull/857
    • Switch check dispatch to use the new MembershipSet by @josephschorr in https://github.com/authzed/spicedb/pull/855
    • Dependabot updates for Oct 2022 by @josephschorr in https://github.com/authzed/spicedb/pull/867
    • Dependabot updates for Oct 2022, Part 2 by @josephschorr in https://github.com/authzed/spicedb/pull/873
    • Change check dispatching to support caveat expr evaluation by @josephschorr in https://github.com/authzed/spicedb/pull/865
    • Dependabot updates for Oct 2022, Part 3 by @josephschorr in https://github.com/authzed/spicedb/pull/876
    • Add caveats flag to disable writing by default on all datastores by @josephschorr in https://github.com/authzed/spicedb/pull/866

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.12.0...v1.13.0

    Docker Images

    This release is available at authzed/spicedb:v1.13.0, quay.io/authzed/spicedb:v1.13.0, ghcr.io/authzed/spicedb:v1.13.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.16 KB)
    spicedb_1.13.0_darwin_amd64.tar.gz(16.02 MB)
    spicedb_1.13.0_darwin_arm64.tar.gz(15.58 MB)
    spicedb_1.13.0_linux_amd64.apk(15.89 MB)
    spicedb_1.13.0_linux_amd64.deb(15.89 MB)
    spicedb_1.13.0_linux_amd64.rpm(15.92 MB)
    spicedb_1.13.0_linux_amd64.tar.gz(15.15 MB)
    spicedb_1.13.0_linux_arm64.apk(14.46 MB)
    spicedb_1.13.0_linux_arm64.deb(14.46 MB)
    spicedb_1.13.0_linux_arm64.rpm(14.49 MB)
    spicedb_1.13.0_linux_arm64.tar.gz(13.84 MB)
    spicedb_1.13.0_windows_amd64.tar.gz(15.29 MB)
    spicedb_1.13.0_windows_arm64.tar.gz(13.98 MB)
  • v1.12.0(Sep 9, 2022)


    • new lookupsubjects RPC answers the question "which subjects have a given permission over a specific resource?"
    • CRDB Store now exposes prometheus metrics for the connection pool
    • new debug containers now being published, which includes busybox. This is convenient for development environments that require a shell
    • PGX driver no longer logs on debug by default, cleaning up SpiceDB's info level
    • CRDB datastore now properly supports connection draining procedures
    • added configurable limits for write and delete relationship APIs
    • leaner and more secure docker images based on distroless.dev

    What's Changed

    • hack: mv install-tools into hack dir by @jzelinskie in https://github.com/authzed/spicedb/pull/737
    • fix panic on cached optimized revisions by @vroldanbet in https://github.com/authzed/spicedb/pull/740
    • README: add OpenSSF best practices badge by @jzelinskie in https://github.com/authzed/spicedb/pull/742
    • bump crdb in tests to 22.1.5 by @ecordell in https://github.com/authzed/spicedb/pull/745
    • update spanner emulator logs by @ecordell in https://github.com/authzed/spicedb/pull/746
    • more resilient CRDB datastore on connection draining by @vroldanbet in https://github.com/authzed/spicedb/pull/744
    • Use distroless.dev/static base, add debug variants by @imjasonh in https://github.com/authzed/spicedb/pull/750
    • adds trivy security scanner to lint CI job by @vroldanbet in https://github.com/authzed/spicedb/pull/751
    • Begin work on LookupSubjects by @josephschorr in https://github.com/authzed/spicedb/pull/736
    • Add a nightly build for spicedb by @ecordell in https://github.com/authzed/spicedb/pull/762
    • Revert "Add a nightly build for spicedb" by @ecordell in https://github.com/authzed/spicedb/pull/763
    • fixes link to go-memdb by @vroldanbet in https://github.com/authzed/spicedb/pull/766
    • Fix various error references by @josephschorr in https://github.com/authzed/spicedb/pull/769
    • removes v1.RelationshipUpdate from datastore.ReadWriteTransaction by @vroldanbet in https://github.com/authzed/spicedb/pull/771
    • Fully implement the LookupSubjects API by @josephschorr in https://github.com/authzed/spicedb/pull/770
    • add datastore metrics to CockroachDB datastore by @vroldanbet in https://github.com/authzed/spicedb/pull/774
    • Begin implementation of a library for processing caveat expressions by @josephschorr in https://github.com/authzed/spicedb/pull/760
    • newly added lookup subject metrics weren't being unregistered by @vroldanbet in https://github.com/authzed/spicedb/pull/778
    • Add configurable limits for write and delete relationship APIs by @josephschorr in https://github.com/authzed/spicedb/pull/775
    • Dependabot Updates for Sept 1 by @josephschorr in https://github.com/authzed/spicedb/pull/785
    • Dependabot Updates for Sept 1, part 2 by @josephschorr in https://github.com/authzed/spicedb/pull/792
    • Dependabot updates for Sept 1, part 3 by @josephschorr in https://github.com/authzed/spicedb/pull/795
    • Handle duplicate writes in a nicer way by @josephschorr in https://github.com/authzed/spicedb/pull/796
    • remove dupe validation in WriteRelationships by @vroldanbet in https://github.com/authzed/spicedb/pull/799
    • map pgx info logging level to debug by @vroldanbet in https://github.com/authzed/spicedb/pull/798
    • Change v1alpha1 WriteSchema to only read namespaces it needs by @josephschorr in https://github.com/authzed/spicedb/pull/805
    • Update authzed-go client by @samkim in https://github.com/authzed/spicedb/pull/806
    • Improve write constraint failures by @josephschorr in https://github.com/authzed/spicedb/pull/801
    • reduce differences between release and dev dockerfiles by @vroldanbet in https://github.com/authzed/spicedb/pull/797
    • Remove checks on configurable PermissionService limits and rely upon defaults by @josephschorr in https://github.com/authzed/spicedb/pull/808

    Docker Images

    This release is available at:

    • authzed/spicedb:v1.12.0
    • quay.io/authzed/spicedb:v1.12.0
    • ghcr.io/authzed/spicedb:v1.12.0
    • authzed/spicedb:v1.12.0-debug
    • quay.io/authzed/spicedb:v1.12.0-debug
    • ghcr.io/authzed/spicedb:v1.12.0-debug

    New Contributors

    • @imjasonh made their first contribution in https://github.com/authzed/spicedb/pull/750

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.11.0...v1.12.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.16 KB)
    spicedb_1.12.0_darwin_amd64.tar.gz(15.69 MB)
    spicedb_1.12.0_darwin_arm64.tar.gz(15.27 MB)
    spicedb_1.12.0_linux_amd64.apk(15.48 MB)
    spicedb_1.12.0_linux_amd64.deb(15.53 MB)
    spicedb_1.12.0_linux_amd64.rpm(15.50 MB)
    spicedb_1.12.0_linux_amd64.tar.gz(14.85 MB)
    spicedb_1.12.0_linux_arm64.apk(14.18 MB)
    spicedb_1.12.0_linux_arm64.deb(14.17 MB)
    spicedb_1.12.0_linux_arm64.rpm(14.18 MB)
    spicedb_1.12.0_linux_arm64.tar.gz(13.58 MB)
    spicedb_1.12.0_windows_amd64.tar.gz(14.99 MB)
    spicedb_1.12.0_windows_arm64.tar.gz(13.72 MB)
  • v1.11.0(Aug 4, 2022)

    Warning This release contains a change to the internal dispatch API, which means that v1.10.0 and v1.11.0 can not dispatch to each other during a rolling upgrade. To upgrade without downtime, run these as separate Kubernetes services, or disable dispatch before upgrading.


    • Check requests can now be traced using the zed CLI using zed permission check --explain
    • serve-testing now supports HTTP
    • Performance improvements for LookupResources, WriteSchemas, and dispatch in general
    • The Watch API is disabled automatically if CRDB datatstores don't support Change Feeds

    What's Changed

    • Have WASM development package return updated validation YAML by @josephschorr in https://github.com/authzed/spicedb/pull/710
    • Add a flag for disabling stat writes by @ecordell in https://github.com/authzed/spicedb/pull/711
    • Add ability to trace a check request by @josephschorr in https://github.com/authzed/spicedb/pull/703
    • Implement support for batch reachability by @josephschorr in https://github.com/authzed/spicedb/pull/691
    • Add issue links to readme by @samkim in https://github.com/authzed/spicedb/pull/694
    • Concurrency limit by @jakedt in https://github.com/authzed/spicedb/pull/713
    • Add ability to enable the REST gateway for the test server by @josephschorr in https://github.com/authzed/spicedb/pull/714
    • remove rangefeed config from crdb migrations by @ecordell in https://github.com/authzed/spicedb/pull/707
    • Depbot updates for Aug 1 by @josephschorr in https://github.com/authzed/spicedb/pull/721
    • Depbot updates for Aug 1 - part 2 by @josephschorr in https://github.com/authzed/spicedb/pull/727
    • Depbot updates for Aug 1 - part 3 by @josephschorr in https://github.com/authzed/spicedb/pull/732
    • Fix bounds on check test by @josephschorr in https://github.com/authzed/spicedb/pull/728
    • switch crdb watch feature detection to only require CONTROLCHANGEFEED by @ecordell in https://github.com/authzed/spicedb/pull/722
    • Skip checking of permissions for relationships in WriteSchema by @josephschorr in https://github.com/authzed/spicedb/pull/734

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.10.0...v1.11.0

    Docker Images

    This release is available at authzed/spicedb:v1.11.0, quay.io/authzed/spicedb:v1.11.0, ghcr.io/authzed/spicedb:v1.11.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.16 KB)
    spicedb_1.11.0_darwin_amd64.tar.gz(15.16 MB)
    spicedb_1.11.0_darwin_arm64.tar.gz(14.82 MB)
    spicedb_1.11.0_linux_amd64.apk(15.01 MB)
    spicedb_1.11.0_linux_amd64.deb(15.01 MB)
    spicedb_1.11.0_linux_amd64.rpm(15.00 MB)
    spicedb_1.11.0_linux_amd64.tar.gz(14.34 MB)
    spicedb_1.11.0_linux_arm64.apk(13.72 MB)
    spicedb_1.11.0_linux_arm64.deb(13.70 MB)
    spicedb_1.11.0_linux_arm64.rpm(13.74 MB)
    spicedb_1.11.0_linux_arm64.tar.gz(13.14 MB)
    spicedb_1.11.0_windows_amd64.tar.gz(14.42 MB)
    spicedb_1.11.0_windows_arm64.tar.gz(13.22 MB)
  • v1.10.0(Jul 27, 2022)


    • Enabled the ability to safely use Postgres read replicas
    • Added a webassembly interface for devtools
    • Fixed namespaces not being garbage collected for Postgres & MySQL datastores
    • Added health checking and Watch service to HTTP API
    • Added seamless TLS certificate rotation

    What's Changed

    • Return an error instead of calling panic() when debug.ReadBuildInfo() is unavailable by @lmt-swallow in https://github.com/authzed/spicedb/pull/658
    • watch TLS certs for changes by @ecordell in https://github.com/authzed/spicedb/pull/656
    • expose /healthz endpoint when using the http gateway by @ecordell in https://github.com/authzed/spicedb/pull/661
    • *: add NOTICE by @jzelinskie in https://github.com/authzed/spicedb/pull/662
    • examples: move k8s deployment into examples by @jzelinskie in https://github.com/authzed/spicedb/pull/667
    • Add log of the connection state for dispatcher IsReady check by @josephschorr in https://github.com/authzed/spicedb/pull/664
    • Depbot updates for July 5 by @josephschorr in https://github.com/authzed/spicedb/pull/676
    • Depbot updates for July 5, part 2 by @josephschorr in https://github.com/authzed/spicedb/pull/682
    • Bump cloud.google.com/go/spanner from 1.33.0 to 1.34.0 by @dependabot in https://github.com/authzed/spicedb/pull/678
    • Bump github.com/aws/aws-sdk-go from 1.44.47 to 1.44.48 by @dependabot in https://github.com/authzed/spicedb/pull/683
    • fix cert rotation test flake by @ecordell in https://github.com/authzed/spicedb/pull/685
    • Postgres datastore: make read tx REPEATABLE_READ by @williamdclt in https://github.com/authzed/spicedb/pull/674
    • Enable Watch API in REST gateway by @josephschorr in https://github.com/authzed/spicedb/pull/686
    • Add a WebAssembly interface for invoking the SpiceDB dev package by @josephschorr in https://github.com/authzed/spicedb/pull/663
    • Add retries to MySQL stats test, which can occasionally get back empty stats by @josephschorr in https://github.com/authzed/spicedb/pull/689
    • pkg/cmd: document use of application default credentials with spanner by @kirbyquerby in https://github.com/authzed/spicedb/pull/690
    • Prevent release version errors from blocking SpiceDB startup by @josephschorr in https://github.com/authzed/spicedb/pull/697
    • examples: mv https://github.com/authzed/examples by @jzelinskie in https://github.com/authzed/spicedb/pull/698
    • Increase the testing timeout to 30m by @josephschorr in https://github.com/authzed/spicedb/pull/702
    • Add a fallback into the MySQL driver for rel count by @josephschorr in https://github.com/authzed/spicedb/pull/701
    • Garbage collect namespaces by @jzelinskie in https://github.com/authzed/spicedb/pull/673
    • Add a dispatch test that verifies delete preconditions across datastores by @josephschorr in https://github.com/authzed/spicedb/pull/704
    • Further fixes to memdb to not panic post-close by @josephschorr in https://github.com/authzed/spicedb/pull/708

    New Contributors

    • @lmt-swallow made their first contribution in https://github.com/authzed/spicedb/pull/658
    • @williamdclt made their first contribution in https://github.com/authzed/spicedb/pull/674
    • @kirbyquerby made their first contribution in https://github.com/authzed/spicedb/pull/690

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.9.0...v1.10.0

    Docker Images

    This release is available at authzed/spicedb:v1.10.0, quay.io/authzed/spicedb:v1.10.0, ghcr.io/authzed/spicedb:v1.10.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.16 KB)
    spicedb_1.10.0_darwin_amd64.tar.gz(15.09 MB)
    spicedb_1.10.0_darwin_arm64.tar.gz(14.76 MB)
    spicedb_1.10.0_linux_amd64.apk(14.94 MB)
    spicedb_1.10.0_linux_amd64.deb(14.96 MB)
    spicedb_1.10.0_linux_amd64.rpm(14.93 MB)
    spicedb_1.10.0_linux_amd64.tar.gz(14.27 MB)
    spicedb_1.10.0_linux_arm64.apk(13.67 MB)
    spicedb_1.10.0_linux_arm64.deb(13.65 MB)
    spicedb_1.10.0_linux_arm64.rpm(13.65 MB)
    spicedb_1.10.0_linux_arm64.tar.gz(13.08 MB)
    spicedb_1.10.0_windows_amd64.tar.gz(14.36 MB)
    spicedb_1.10.0_windows_arm64.tar.gz(13.16 MB)
  • v1.9.0(Jun 21, 2022)

    Warning This release contains a change to the internal dispatch API, which means that v1.8.0 and v1.9.0 can not dispatch to each other during a rolling upgrade. To upgrade without downtime, run these as separate Kubernetes services, or disable dispatch before upgrading.

    What's Changed

    • Fully remove support for the V0 ACL and Schema API by @josephschorr in https://github.com/authzed/spicedb/pull/618
    • Add dispatch ready, health check integration by @samkim in https://github.com/authzed/spicedb/pull/615
    • Depbot updates for June 1 by @josephschorr in https://github.com/authzed/spicedb/pull/629
    • Depbot Updates for June 1 - part 2 by @josephschorr in https://github.com/authzed/spicedb/pull/635
    • Handle case where memdb is closed before a transaction completes by @josephschorr in https://github.com/authzed/spicedb/pull/637
    • Bump google.golang.org/api from 0.78.0 to 0.82.0 by @dependabot in https://github.com/authzed/spicedb/pull/634
    • Shorten the prefixes on cache keys to save some memory by @josephschorr in https://github.com/authzed/spicedb/pull/641
    • postgres: rename migration variable to reduce confusion by @jakedt in https://github.com/authzed/spicedb/pull/643
    • Remove remaining references to v0 API (except developer API) by @josephschorr in https://github.com/authzed/spicedb/pull/645
    • Abstract health status management into a helper package and add datastore status by @josephschorr in https://github.com/authzed/spicedb/pull/642
    • Skip checking and redispatch in reachability when seeing duplicates by @josephschorr in https://github.com/authzed/spicedb/pull/638
    • propagate context to migration functions by @vroldanbet in https://github.com/authzed/spicedb/pull/646
    • Add tools for genproto to tools.go by @josephschorr in https://github.com/authzed/spicedb/pull/649
    • Start moving from the externally-defined developer API to an internally defined set of types by @josephschorr in https://github.com/authzed/spicedb/pull/647
    • Ensure the released version appears with a staring v prefix by @josephschorr in https://github.com/authzed/spicedb/pull/650
    • introduce support to run migrations atomically by @jakedt in https://github.com/authzed/spicedb/pull/655
    • Cleanup the core messages now that v0 is gone by @josephschorr in https://github.com/authzed/spicedb/pull/652

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.8.0...v1.9.0

    Docker Images

    This release is available at authzed/spicedb:v1.9.0, quay.io/authzed/spicedb:v1.9.0, ghcr.io/authzed/spicedb:v1.9.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.9.0_darwin_amd64.tar.gz(14.11 MB)
    spicedb_1.9.0_darwin_arm64.tar.gz(13.80 MB)
    spicedb_1.9.0_linux_amd64.apk(13.96 MB)
    spicedb_1.9.0_linux_amd64.deb(13.97 MB)
    spicedb_1.9.0_linux_amd64.rpm(13.96 MB)
    spicedb_1.9.0_linux_amd64.tar.gz(13.35 MB)
    spicedb_1.9.0_linux_arm64.apk(12.76 MB)
    spicedb_1.9.0_linux_arm64.deb(12.78 MB)
    spicedb_1.9.0_linux_arm64.rpm(12.78 MB)
    spicedb_1.9.0_linux_arm64.tar.gz(12.24 MB)
    spicedb_1.9.0_windows_amd64.tar.gz(13.42 MB)
    spicedb_1.9.0_windows_arm64.tar.gz(12.32 MB)
  • v1.8.0(Jun 1, 2022)


    • New, speedier LookupResources implementation
    • New datastore interface improves performance for all datastores
    • MySQL driver now has feature parity with the Postgres driver

    What's Changed

    • Dependabot for May 3 by @josephschorr in https://github.com/authzed/spicedb/pull/583
    • disable renovatebot by @ecordell in https://github.com/authzed/spicedb/pull/585
    • crdb: detect broken pipe as resettable error by @ecordell in https://github.com/authzed/spicedb/pull/591
    • Add spanner emulator env var detection by @samkim in https://github.com/authzed/spicedb/pull/574
    • Add a custom analyzers package for custom lint checks by @josephschorr in https://github.com/authzed/spicedb/pull/563
    • Dependabot changes for May 4 by @josephschorr in https://github.com/authzed/spicedb/pull/593
    • Implement revision quantization for MySQL by @bryanhuhta in https://github.com/authzed/spicedb/pull/582
    • Add middleware to return the server version when requested, unless disabled by @josephschorr in https://github.com/authzed/spicedb/pull/572
    • pg: set timezone to utc for revision selection by @ecordell in https://github.com/authzed/spicedb/pull/592
    • Upgrade CI crdb version to v21.2.10 by @samkim in https://github.com/authzed/spicedb/pull/602
    • Update NewEnemy test for datastore v2 by @ecordell in https://github.com/authzed/spicedb/pull/607
    • log successful telemetry attempts by @jakedt in https://github.com/authzed/spicedb/pull/524
    • Datastore v2 by @jakedt in https://github.com/authzed/spicedb/pull/581
    • prevent crdb from crashing in e2e tests by @ecordell in https://github.com/authzed/spicedb/pull/611
    • Implement a reachability graph and use for lookup by @josephschorr in https://github.com/authzed/spicedb/pull/517
    • caching dispatch: unregister prometheus metrics on close by @ecordell in https://github.com/authzed/spicedb/pull/617
    • support xDS as a dispatch resolver option by @ecordell in https://github.com/authzed/spicedb/pull/612
    • Propagate context in migrations by @nbarbey in https://github.com/authzed/spicedb/pull/596
    • Some small reachable resources and lookup improvements by @josephschorr in https://github.com/authzed/spicedb/pull/620
    • refactor(schemadsl): remove unused field by @fearlessfe in https://github.com/authzed/spicedb/pull/622
    • Move the cache implementation behind an interface by @josephschorr in https://github.com/authzed/spicedb/pull/614
    • Add quickstart examples by @bryanhuhta in https://github.com/authzed/spicedb/pull/616

    New Contributors

    • @fearlessfe made their first contribution in https://github.com/authzed/spicedb/pull/622

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.7.1...v1.8.0

    Docker Images

    This release is available at authzed/spicedb:v1.8.0, quay.io/authzed/spicedb:v1.8.0, ghcr.io/authzed/spicedb:v1.8.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.8.0_darwin_amd64.tar.gz(14.13 MB)
    spicedb_1.8.0_darwin_arm64.tar.gz(13.84 MB)
    spicedb_1.8.0_linux_amd64.apk(13.98 MB)
    spicedb_1.8.0_linux_amd64.deb(14.01 MB)
    spicedb_1.8.0_linux_amd64.rpm(13.95 MB)
    spicedb_1.8.0_linux_amd64.tar.gz(13.37 MB)
    spicedb_1.8.0_linux_arm64.apk(12.80 MB)
    spicedb_1.8.0_linux_arm64.deb(12.80 MB)
    spicedb_1.8.0_linux_arm64.rpm(12.80 MB)
    spicedb_1.8.0_linux_arm64.tar.gz(12.27 MB)
    spicedb_1.8.0_windows_amd64.tar.gz(13.44 MB)
    spicedb_1.8.0_windows_arm64.tar.gz(12.34 MB)
  • v1.7.1(May 3, 2022)

    This is a bugfix release for 1.7.0

    What's Changed

    • Fix datastore-engine help text by @bryanhuhta in https://github.com/authzed/spicedb/pull/569
    • pkg/cmd: catch nil registry initialization by @jzelinskie in https://github.com/authzed/spicedb/pull/568
    • postgres: handle negative relationhip count estimates by @jakedt in https://github.com/authzed/spicedb/pull/570
    • Switch to using Engines for the engine parameter by @josephschorr in https://github.com/authzed/spicedb/pull/571
    • addresses server panic when malformed authorization header is sent by @vroldanbet in https://github.com/authzed/spicedb/pull/573
    • k8s: add dispatch enabled comment by @jzelinskie in https://github.com/authzed/spicedb/pull/575

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.7.0...v1.7.1

    Docker Images

    This release is available at authzed/spicedb:v1.7.1, quay.io/authzed/spicedb:v1.7.1, ghcr.io/authzed/spicedb:v1.7.1

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.7.1_darwin_amd64.tar.gz(11.22 MB)
    spicedb_1.7.1_darwin_arm64.tar.gz(10.92 MB)
    spicedb_1.7.1_linux_amd64.apk(11.22 MB)
    spicedb_1.7.1_linux_amd64.deb(11.19 MB)
    spicedb_1.7.1_linux_amd64.rpm(11.19 MB)
    spicedb_1.7.1_linux_amd64.tar.gz(10.72 MB)
    spicedb_1.7.1_linux_arm64.apk(10.26 MB)
    spicedb_1.7.1_linux_arm64.deb(10.25 MB)
    spicedb_1.7.1_linux_arm64.rpm(10.25 MB)
    spicedb_1.7.1_linux_arm64.tar.gz(9.86 MB)
    spicedb_1.7.1_windows_amd64.tar.gz(10.80 MB)
    spicedb_1.7.1_windows_arm64.tar.gz(9.93 MB)
  • v1.7.0(Apr 27, 2022)


    • MySQL Datastore introduced!
    • Two major performance improvments
      • MemDB & Postgres now support quantized revisions
      • Cache keys are now canonicalized and reused across various RPCs
    • Telemetry reporting added. For more info see TELEMETRY.md
    • Support for specifying multiple preshared keys

    What's Changed

    • Telemetry stats by @jakedt in https://github.com/authzed/spicedb/pull/515
    • .github: grant github token package write by @jzelinskie in https://github.com/authzed/spicedb/pull/520
    • .github: add back contents permission on release by @jzelinskie in https://github.com/authzed/spicedb/pull/521
    • crdb: coalesce relationship estimate to handle 0 relationship case by @ecordell in https://github.com/authzed/spicedb/pull/523
    • create spanner changelog entries client side by @jakedt in https://github.com/authzed/spicedb/pull/522
    • k8s: add RBAC and flesh out example by @jzelinskie in https://github.com/authzed/spicedb/pull/526
    • Have the GC index for Postgres be created concurrently by @josephschorr in https://github.com/authzed/spicedb/pull/501
    • introduces mysql datastore by @vroldanbet in https://github.com/authzed/spicedb/pull/525
    • CODEOWNERS: init by @jzelinskie in https://github.com/authzed/spicedb/pull/531
    • Switch MySQL tests to explicitly specify amd64 by @josephschorr in https://github.com/authzed/spicedb/pull/533
    • Cache canonicalization by @josephschorr in https://github.com/authzed/spicedb/pull/485
    • Quantize revisions for memdb, postgres datastores by @jakedt in https://github.com/authzed/spicedb/pull/527
    • mysql: refactor tests to share builders by @jakedt in https://github.com/authzed/spicedb/pull/536
    • Only run MySQL tests in CI by @josephschorr in https://github.com/authzed/spicedb/pull/535
    • Have the Docker-image based test suite run solely those tests by @josephschorr in https://github.com/authzed/spicedb/pull/540
    • gomod: bump cobrautil by @jzelinskie in https://github.com/authzed/spicedb/pull/543
    • Add support for multiple preshared keys by @josephschorr in https://github.com/authzed/spicedb/pull/537
    • mysql: run ANALYZE TABLE before Statistics in tests by @jakedt in https://github.com/authzed/spicedb/pull/548
    • mysql: wire up the mysql datastore engine to the CLI by @sbryant in https://github.com/authzed/spicedb/pull/532
    • makes cli application return non-zero error code on errors by @vroldanbet in https://github.com/authzed/spicedb/pull/541
    • gomod: bump xxhash, go by @jzelinskie in https://github.com/authzed/spicedb/pull/545
    • sets mysql manager singleton by @vroldanbet in https://github.com/authzed/spicedb/pull/550
    • moves seeding to the initialization of the datastore by @vroldanbet in https://github.com/authzed/spicedb/pull/539
    • Add integration testing for the migrate command by @josephschorr in https://github.com/authzed/spicedb/pull/551
    • Fix revive lint warnings by @nbarbey in https://github.com/authzed/spicedb/pull/556
    • Postgres optimized revision caching by @jakedt in https://github.com/authzed/spicedb/pull/555
    • update to a version of rudd that doesn't race by @ecordell in https://github.com/authzed/spicedb/pull/557
    • mysql: use a stable unique ID for stats by @jakedt in https://github.com/authzed/spicedb/pull/546
    • Combine unit and integration jobs by @ecordell in https://github.com/authzed/spicedb/pull/559
    • README: refresh features, make CTAs scannable by @jzelinskie in https://github.com/authzed/spicedb/pull/554
    • README: adjust feature wording and links by @jzelinskie in https://github.com/authzed/spicedb/pull/560
    • internal/telemetry: report go version, git commit by @jzelinskie in https://github.com/authzed/spicedb/pull/553
    • Dispatch tests and metrics flag by @josephschorr in https://github.com/authzed/spicedb/pull/561
    • dispatch: fix NPE possibility from nil check response by @jakedt in https://github.com/authzed/spicedb/pull/562
    • Add a check on startup for the last released version of SpiceDB by @josephschorr in https://github.com/authzed/spicedb/pull/564
    • remove remaining references to revision fuzzing by @jakedt in https://github.com/authzed/spicedb/pull/566

    New Contributors

    • @sbryant made their first contribution in https://github.com/authzed/spicedb/pull/532
    • @nbarbey made their first contribution in https://github.com/authzed/spicedb/pull/556

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.6.0...v1.7.0

    Docker Images

    This release is available at authzed/spicedb:v1.7.0, quay.io/authzed/spicedb:v1.7.0, ghcr.io/authzed/spicedb:v1.7.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.7.0_darwin_amd64.tar.gz(11.22 MB)
    spicedb_1.7.0_darwin_arm64.tar.gz(10.92 MB)
    spicedb_1.7.0_linux_amd64.apk(11.19 MB)
    spicedb_1.7.0_linux_amd64.deb(11.19 MB)
    spicedb_1.7.0_linux_amd64.rpm(11.19 MB)
    spicedb_1.7.0_linux_amd64.tar.gz(10.72 MB)
    spicedb_1.7.0_linux_arm64.apk(10.22 MB)
    spicedb_1.7.0_linux_arm64.deb(10.23 MB)
    spicedb_1.7.0_linux_arm64.rpm(10.25 MB)
    spicedb_1.7.0_linux_arm64.tar.gz(9.86 MB)
    spicedb_1.7.0_windows_amd64.tar.gz(10.80 MB)
    spicedb_1.7.0_windows_arm64.tar.gz(9.93 MB)
  • v1.6.0(Apr 11, 2022)


    • Support for nil when writing permissions, to allow for placeholders during development
    • Developer API bug-fixes and improved error messaging
    • Container images now pushed to Docker Hub
    • Metrics bug-fixes and stats added to datastores
    • Enforce UTC on timestamp column in Postgres (database migration for Postgres users)
    • Various resiliency improvements for the CockroachDB datastore

    What's Changed

    • Add core proto message and replace v0 usage by @samkim in https://github.com/authzed/spicedb/pull/449
    • add prefixes to lookup metrics by @ecordell in https://github.com/authzed/spicedb/pull/477
    • configure dispatch for tests by @ecordell in https://github.com/authzed/spicedb/pull/438
    • README: add ports to docker, add config section by @jzelinskie in https://github.com/authzed/spicedb/pull/478
    • protect prom metric registration with a lock by @ecordell in https://github.com/authzed/spicedb/pull/480
    • Add clock skew error as resetable by @samkim in https://github.com/authzed/spicedb/pull/483
    • .github: push to dockerhub, use in readme by @jzelinskie in https://github.com/authzed/spicedb/pull/479
    • bump crdb to 21.2.7 by @ecordell in https://github.com/authzed/spicedb/pull/484
    • expose usagemetric read middleware by @ecordell in https://github.com/authzed/spicedb/pull/487
    • Fix handling of REST gateway options and add an integration test by @josephschorr in https://github.com/authzed/spicedb/pull/493
    • Use non-prepared statement for revision range query by @samkim in https://github.com/authzed/spicedb/pull/496
    • Default transaction row timestamp to UTC by @samkim in https://github.com/authzed/spicedb/pull/495
    • Add additional error context onto schema errors by @josephschorr in https://github.com/authzed/spicedb/pull/481
    • Add support for nil in schema by @josephschorr in https://github.com/authzed/spicedb/pull/494
    • Add index and fix limit on Postgres GC by @josephschorr in https://github.com/authzed/spicedb/pull/500
    • pkg/cmd: use cobrautil version command by @jzelinskie in https://github.com/authzed/spicedb/pull/491
    • Fix nil access issue in developer API when missing an expected subject by @josephschorr in https://github.com/authzed/spicedb/pull/503
    • Consolidate crdb tx retry and reset by @samkim in https://github.com/authzed/spicedb/pull/472
    • .github: migrate to authzed/actions by @jzelinskie in https://github.com/authzed/spicedb/pull/492
    • .github: fix passing of secrets to shared actions by @jzelinskie in https://github.com/authzed/spicedb/pull/507
    • update all dependencies by @jakedt in https://github.com/authzed/spicedb/pull/513
    • update straggler dependencies by @jakedt in https://github.com/authzed/spicedb/pull/514
    • Datastore stats interface by @jakedt in https://github.com/authzed/spicedb/pull/506
    • Rename any to union to fix conflict with new any name in Go 1.18 by @josephschorr in https://github.com/authzed/spicedb/pull/516
    • Add more detail to the max depth error and handle as a dev error by @josephschorr in https://github.com/authzed/spicedb/pull/488

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.5.0...v1.6.0

    Docker Images

    This release is available at authzed/spicedb:v1.6.0, quay.io/authzed/spicedb:v1.6.0, ghcr.io/authzed/spicedb:v1.6.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.6.0_darwin_amd64.tar.gz(10.87 MB)
    spicedb_1.6.0_darwin_arm64.tar.gz(10.57 MB)
    spicedb_1.6.0_linux_amd64.apk(10.84 MB)
    spicedb_1.6.0_linux_amd64.deb(10.83 MB)
    spicedb_1.6.0_linux_amd64.rpm(10.84 MB)
    spicedb_1.6.0_linux_amd64.tar.gz(10.39 MB)
    spicedb_1.6.0_linux_arm64.apk(9.93 MB)
    spicedb_1.6.0_linux_arm64.deb(9.93 MB)
    spicedb_1.6.0_linux_arm64.rpm(9.96 MB)
    spicedb_1.6.0_linux_arm64.tar.gz(9.55 MB)
    spicedb_1.6.0_windows_amd64.tar.gz(10.46 MB)
    spicedb_1.6.0_windows_arm64.tar.gz(9.62 MB)
  • v1.5.0(Mar 11, 2022)


    • Cloud Spanner is now supported as a backend datastore (beta) ūüéČ
    • Better error messages for invalid schemas
    • Several performance and resource usage improvements
    • An edge case that caused LookupResources to return incomplete results for certain schemas was diagnosed and fixed (big thanks to @NickyHeuperman for reporting!)

    What's Changed

    • Fix deletion of empty namespaces in CRDB datastore by @josephschorr in https://github.com/authzed/spicedb/pull/377
    • .github: add CodeQL lint workflow by @jzelinskie in https://github.com/authzed/spicedb/pull/378
    • Better usage metrics on non-permissions endpoints by @jakedt in https://github.com/authzed/spicedb/pull/381
    • Attempt to avoid failed crdb range splits in e2e by @ecordell in https://github.com/authzed/spicedb/pull/380
    • internal/middleware: add tests for usagemetrics by @jzelinskie in https://github.com/authzed/spicedb/pull/382
    • introduce gRPC health-check for serve-testing by @vroldanbet in https://github.com/authzed/spicedb/pull/383
    • allow gateway backend to be overridden by @jakedt in https://github.com/authzed/spicedb/pull/384
    • Fix parsing of assertions YAML to handle all errors by @josephschorr in https://github.com/authzed/spicedb/pull/387
    • Add a config object for spicedb servers, control graceful stop of all services by @ecordell in https://github.com/authzed/spicedb/pull/376
    • increase max offset for crdb cluster in e2e tests by @ecordell in https://github.com/authzed/spicedb/pull/389
    • spicedb config: pluggable authentication by @ecordell in https://github.com/authzed/spicedb/pull/390
    • bump dependencies by @ecordell in https://github.com/authzed/spicedb/pull/402
    • Avoid logging with testing.T after test has finished by @ecordell in https://github.com/authzed/spicedb/pull/395
    • support buffconn for grpc server config by @ecordell in https://github.com/authzed/spicedb/pull/392
    • add universal consistency middleware by @ecordell in https://github.com/authzed/spicedb/pull/391
    • Move the bulk of the dev API impl into its own package by @josephschorr in https://github.com/authzed/spicedb/pull/406
    • Add more context to schema parse errors by @josephschorr in https://github.com/authzed/spicedb/pull/408
    • Validation file package improvements by @josephschorr in https://github.com/authzed/spicedb/pull/409
    • Update authzed-go to bring in the API validation regex fixes by @josephschorr in https://github.com/authzed/spicedb/pull/410
    • testserver: use middleware to inject the correct per-token datastore by @ecordell in https://github.com/authzed/spicedb/pull/404
    • Change validationfile parsing to be YAML based by @josephschorr in https://github.com/authzed/spicedb/pull/413
    • Ensure development package works without context changes by @josephschorr in https://github.com/authzed/spicedb/pull/416
    • Small error fixes and improvements in validationfile by @josephschorr in https://github.com/authzed/spicedb/pull/415
    • build(deps): bump golang.org/x/tools from 0.1.8 to 0.1.9 by @dependabot in https://github.com/authzed/spicedb/pull/403
    • Add line and column info to expected relations validation errors by @josephschorr in https://github.com/authzed/spicedb/pull/418
    • Fix version command by @bryanhuhta in https://github.com/authzed/spicedb/pull/420
    • Add retries with a newly acquired connection by @samkim in https://github.com/authzed/spicedb/pull/298
    • Implement Cloud Spanner datastore by @jakedt in https://github.com/authzed/spicedb/pull/414
    • internal/datastore: singlefight revision updates by @jzelinskie in https://github.com/authzed/spicedb/pull/426
    • Add a non-caching namespace manager by @ecordell in https://github.com/authzed/spicedb/pull/423
    • Add command line flags for setting the sizes of caches by @josephschorr in https://github.com/authzed/spicedb/pull/428
    • Fix handling of removing allowed wildcards on relations by @josephschorr in https://github.com/authzed/spicedb/pull/431
    • don't allocate max_int length slices by @ecordell in https://github.com/authzed/spicedb/pull/430
    • build(deps): bump github.com/aws/aws-sdk-go from 1.42.44 to 1.43.8 by @dependabot in https://github.com/authzed/spicedb/pull/433
    • build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.28.0 to 0.29.0 by @dependabot in https://github.com/authzed/spicedb/pull/437
    • build(deps): bump go.opentelemetry.io/otel/trace from 1.3.0 to 1.4.1 by @dependabot in https://github.com/authzed/spicedb/pull/436
    • export function to get head revision for a datastore engine by @ecordell in https://github.com/authzed/spicedb/pull/444
    • Fix support for pipes in object IDs by @josephschorr in https://github.com/authzed/spicedb/pull/446
    • Have errors raised by the type system from schema construction in the devcontext be properly contextualized by @josephschorr in https://github.com/authzed/spicedb/pull/448
    • Dependabot March 4, 2022 by @josephschorr in https://github.com/authzed/spicedb/pull/450
    • Dependabot March 4, 2022 part 2 by @josephschorr in https://github.com/authzed/spicedb/pull/456
    • README updates by @josephschorr in https://github.com/authzed/spicedb/pull/445
    • Allow renovatebot by @ecordell in https://github.com/authzed/spicedb/pull/460
    • bump gofumpt to 1.3.0 and fix new formatting issues by @ecordell in https://github.com/authzed/spicedb/pull/462
    • Configure Renovate by @renovate in https://github.com/authzed/spicedb/pull/459
    • Update renovate.json by @ecordell in https://github.com/authzed/spicedb/pull/466
    • Add warnings for namespaces definitions using v0-only constructs by @josephschorr in https://github.com/authzed/spicedb/pull/461
    • lookup: fall back to a slow path (list all + check) when necessary by @ecordell in https://github.com/authzed/spicedb/pull/471
    • Remove Clone call on metadata filtering on namespaces by @josephschorr in https://github.com/authzed/spicedb/pull/468
    • Add test for writing empty schemas by @josephschorr in https://github.com/authzed/spicedb/pull/473
    • Add trace log for auth interceptor used by @josephschorr in https://github.com/authzed/spicedb/pull/474
    • Have the check warning only apply to relations, not permissions by @josephschorr in https://github.com/authzed/spicedb/pull/475

    New Contributors

    • @vroldanbet made their first contribution in https://github.com/authzed/spicedb/pull/383
    • @renovate made their first contribution in https://github.com/authzed/spicedb/pull/459

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.4.0...v1.5.0

    Docker Images

    This release is available at quay.io/authzed/spicedb:v1.5.0 and ghcr.io/authzed/spicedb:v1.5.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.5.0_darwin_amd64.tar.gz(10.34 MB)
    spicedb_1.5.0_darwin_arm64.tar.gz(10.34 MB)
    spicedb_1.5.0_linux_amd64.apk(10.26 MB)
    spicedb_1.5.0_linux_amd64.deb(10.26 MB)
    spicedb_1.5.0_linux_amd64.rpm(9.88 MB)
    spicedb_1.5.0_linux_amd64.tar.gz(9.86 MB)
    spicedb_1.5.0_linux_arm64.apk(9.46 MB)
    spicedb_1.5.0_linux_arm64.deb(9.46 MB)
    spicedb_1.5.0_linux_arm64.rpm(9.13 MB)
    spicedb_1.5.0_linux_arm64.tar.gz(9.11 MB)
    spicedb_1.5.0_windows_amd64.tar.gz(10.00 MB)
    spicedb_1.5.0_windows_arm64.tar.gz(9.24 MB)
  • v1.4.0(Jan 11, 2022)


    Warning This change includes a security fix for a vulnerability introduced in v1.3.0. All users of v1.3.0 should update to this version. See the security advisory for more information.


    Full Changelog: https://github.com/authzed/spicedb/compare/v1.3.0...v1.4.0

    • Fixes for security advisory: https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970
    • Fix formatting by @josephschorr in https://github.com/authzed/spicedb/pull/374
    • Fix linter for many packages by @jzelinskie in https://github.com/authzed/spicedb/pull/352
    • Report CLI configurations errors to RunE by @bryanhuhta in https://github.com/authzed/spicedb/pull/351
    • Update to the latest branched version of ristretto by @josephschorr in https://github.com/authzed/spicedb/pull/354

    What's Changed

    • balancer: protect rand source with a mutex by @ecordell in https://github.com/authzed/spicedb/pull/353
    • bump authzed-go to 0.4.1 by @ecordell in https://github.com/authzed/spicedb/pull/371
    • bump dependencies by @ecordell in https://github.com/authzed/spicedb/pull/364
    • bump dependencies by @ecordell in https://github.com/authzed/spicedb/pull/368
    • crdb: touch overlap key on namespace write by @ecordell in https://github.com/authzed/spicedb/pull/357
    • e2e: fill schema with many namespaces to span ranges by @ecordell in https://github.com/authzed/spicedb/pull/349
    • fix head command: flag named inconsistently by @ecordell in https://github.com/authzed/spicedb/pull/369
    • pkg/testutil: ensure types in RequireEqualEmptyNil by @jzelinskie in https://github.com/authzed/spicedb/pull/355

    Docker Images

    This release is available at quay.io/authzed/spicedb:v1.4.0 and ghcr.io/authzed/spicedb:v1.4.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.4.0_darwin_amd64.tar.gz(9.32 MB)
    spicedb_1.4.0_darwin_arm64.tar.gz(9.29 MB)
    spicedb_1.4.0_linux_amd64.apk(8.92 MB)
    spicedb_1.4.0_linux_amd64.deb(8.92 MB)
    spicedb_1.4.0_linux_amd64.rpm(8.90 MB)
    spicedb_1.4.0_linux_amd64.tar.gz(8.90 MB)
    spicedb_1.4.0_linux_arm64.apk(8.23 MB)
    spicedb_1.4.0_linux_arm64.deb(8.23 MB)
    spicedb_1.4.0_linux_arm64.rpm(8.21 MB)
    spicedb_1.4.0_linux_arm64.tar.gz(8.21 MB)
    spicedb_1.4.0_windows_amd64.tar.gz(9.03 MB)
    spicedb_1.4.0_windows_arm64.tar.gz(8.34 MB)
  • v1.3.0(Dec 23, 2021)

    WARNING: This release contains a security issue as described in the security advisory. All users are requested to update to at least version v1.4.0 to remediate.

    Feature Highlights

    • Namespaces are now versioned internally, guaranteeing consistency during schema upgrades
    • A wildcard can be specified to allow any object to have a relationship

    What's Changed

    • goreleaser: fix tag in docker release notes by @jzelinskie in https://github.com/authzed/spicedb/pull/316
    • Pin version of watchmaker in e2e tests by @ecordell in https://github.com/authzed/spicedb/pull/322
    • internal/dispatch: extract combined dispatcher by @jzelinskie in https://github.com/authzed/spicedb/pull/321
    • Memdb datastore MVCC improvements by @jakedt in https://github.com/authzed/spicedb/pull/319
    • Simplify datastore construction by @ecordell in https://github.com/authzed/spicedb/pull/317
    • Export CLI commands as a library by @jzelinskie in https://github.com/authzed/spicedb/pull/325
    • Remove e2e timeout by @ecordell in https://github.com/authzed/spicedb/pull/328
    • pkg/cmd: root programName and share ExampleServe by @jzelinskie in https://github.com/authzed/spicedb/pull/327
    • Log revision skew values by @samkim in https://github.com/authzed/spicedb/pull/324
    • internal/dispatch: return cachingRedispatch by @jzelinskie in https://github.com/authzed/spicedb/pull/333
    • fix: copy max lifetime when passing options to the datastore by @ecordell in https://github.com/authzed/spicedb/pull/334
    • Versioned namespaces by @jakedt in https://github.com/authzed/spicedb/pull/332
    • fix: skip comments when loading test relationships by @bryanhuhta in https://github.com/authzed/spicedb/pull/335
    • Add rebase squash to contributing guidelines by @josephschorr in https://github.com/authzed/spicedb/pull/337
    • Disable e2e github step by @samkim in https://github.com/authzed/spicedb/pull/341
    • optimize reading of namespaces by @jakedt in https://github.com/authzed/spicedb/pull/342
    • test v0 preconditions in parallel by @jakedt in https://github.com/authzed/spicedb/pull/343
    • Backport some datastore changes from datastore-v2 by @jakedt in https://github.com/authzed/spicedb/pull/340
    • Implement support for the public proposal by @josephschorr in https://github.com/authzed/spicedb/pull/336
    • pkg/cmd: extract signal handling with grace period by @jzelinskie in https://github.com/authzed/spicedb/pull/345
    • Fix data races and enable race detector in CI by @ecordell in https://github.com/authzed/spicedb/pull/330

    New Contributors

    • @bryanhuhta made their first contribution in https://github.com/authzed/spicedb/pull/335

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.2.0...v1.3.0

    Docker Images

    This release is available at quay.io/authzed/spicedb:v1.3.0 and ghcr.io/authzed/spicedb:v1.3.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.3.0_darwin_amd64.tar.gz(9.28 MB)
    spicedb_1.3.0_darwin_arm64.tar.gz(9.25 MB)
    spicedb_1.3.0_linux_amd64.apk(8.88 MB)
    spicedb_1.3.0_linux_amd64.deb(8.88 MB)
    spicedb_1.3.0_linux_amd64.rpm(8.86 MB)
    spicedb_1.3.0_linux_amd64.tar.gz(8.86 MB)
    spicedb_1.3.0_linux_arm64.apk(8.20 MB)
    spicedb_1.3.0_linux_arm64.deb(8.20 MB)
    spicedb_1.3.0_linux_arm64.rpm(8.17 MB)
    spicedb_1.3.0_linux_arm64.tar.gz(8.18 MB)
    spicedb_1.3.0_windows_amd64.tar.gz(8.99 MB)
    spicedb_1.3.0_windows_arm64.tar.gz(8.30 MB)
  • v1.2.0(Dec 2, 2021)

    Feature Highlights

    • Startup flags have been simplified
    • V1 Watch API added by @jonwhitty
    • Servok no longer required for dispatch
    • Follower read support added to the CockroachDB driver

    Docker Images

    This release is available at quay.io/authzed/spicedb:v1.2.0 and ghcr.io/authzed/spicedb:v1.2.0

    What's Changed

    • Add serve-testing option to README by @samkim in https://github.com/authzed/spicedb/pull/222
    • Docker image v prefix by @ecordell in https://github.com/authzed/spicedb/pull/221
    • Add an http download api to devtools by @ecordell in https://github.com/authzed/spicedb/pull/208
    • .github: add goreleaser key by @jzelinskie in https://github.com/authzed/spicedb/pull/223
    • docs: fix typo in dashboard landing page by @jonwhitty in https://github.com/authzed/spicedb/pull/231
    • Handle the case where RELEASE SAVEPOINT fails with a retry by @ecordell in https://github.com/authzed/spicedb/pull/227
    • Add caching to Lookup dispatcher by @josephschorr in https://github.com/authzed/spicedb/pull/217
    • update builder image name to make it more unique by @jakedt in https://github.com/authzed/spicedb/pull/234
    • Improve Docker docs by @alessandromr in https://github.com/authzed/spicedb/pull/210
    • docs: remove all by @jzelinskie in https://github.com/authzed/spicedb/pull/220
    • proxy: use buffered channels and only let one subrequest write a result by @ecordell in https://github.com/authzed/spicedb/pull/242
    • update cla worfklow to allow dependabot by @ecordell in https://github.com/authzed/spicedb/pull/250
    • allow dependabot by @ecordell in https://github.com/authzed/spicedb/pull/251
    • really allow dependabot by @ecordell in https://github.com/authzed/spicedb/pull/252
    • use the grpc_health_probe binary from the official images by @ecordell in https://github.com/authzed/spicedb/pull/257
    • cmd: consistent flags for http/grpc servers by @jzelinskie in https://github.com/authzed/spicedb/pull/254
    • Use buffered channels for lookup results by @ecordell in https://github.com/authzed/spicedb/pull/259
    • support https in download API by @ecordell in https://github.com/authzed/spicedb/pull/243
    • Add github container registry release by @samkim in https://github.com/authzed/spicedb/pull/260
    • cmd/serve: revert dispatch-cluster flags changes by @jzelinskie in https://github.com/authzed/spicedb/pull/262
    • support UDS listening on grpc servers by @ecordell in https://github.com/authzed/spicedb/pull/267
    • Request ID propagation by @jakedt in https://github.com/authzed/spicedb/pull/272
    • .github: pin gofumports version by @jzelinskie in https://github.com/authzed/spicedb/pull/276
    • .github: add 5m timeout to golangci-lint by @jzelinskie in https://github.com/authzed/spicedb/pull/277
    • Prevent memdb duplicate relationships by @jakedt in https://github.com/authzed/spicedb/pull/275
    • services/v1: fix intersection tree conversion by @jzelinskie in https://github.com/authzed/spicedb/pull/281
    • Add docker login action for ghcr by @samkim in https://github.com/authzed/spicedb/pull/274
    • Move golangci-lint timeout into config by @jzelinskie in https://github.com/authzed/spicedb/pull/278
    • use consistent-hash load balancer with kubernetes resolver for dispatch by @ecordell in https://github.com/authzed/spicedb/pull/284
    • Additional expansion testing by @josephschorr in https://github.com/authzed/spicedb/pull/283
    • Add log warning to emphasize persistence/scale issues in memdb by @buraksekili in https://github.com/authzed/spicedb/pull/285
    • .github: add more automatic labeling patterns by @jzelinskie in https://github.com/authzed/spicedb/pull/287
    • README: fix flags, links, and project description by @jzelinskie in https://github.com/authzed/spicedb/pull/273
    • feat: add v1 Watch API implementation by @jonwhitty in https://github.com/authzed/spicedb/pull/263
    • Multi level caching and Lookup caching fixes by @josephschorr in https://github.com/authzed/spicedb/pull/268
    • Add revision support to v1alpha1 schema API by @josephschorr in https://github.com/authzed/spicedb/pull/271
    • Add proper dispatch and cached dispatch tracking by @josephschorr in https://github.com/authzed/spicedb/pull/289
    • Properly calculate virtualnode ids for uint16 replicationFactor by @ecordell in https://github.com/authzed/spicedb/pull/294
    • Add follower read delay option by @samkim in https://github.com/authzed/spicedb/pull/297
    • Add dispatch and cached dispatch counts to response trailer metadata and prometheus by @josephschorr in https://github.com/authzed/spicedb/pull/295


    • Bump golang from 1.17.1-alpine3.13 to 1.17.2-alpine3.13 by @dependabot in https://github.com/authzed/spicedb/pull/236
    • Bump dependencies by @ecordell in https://github.com/authzed/spicedb/pull/244
    • bump dependencies by @ecordell in https://github.com/authzed/spicedb/pull/249
    • Bump golang from 1.17.2-alpine3.13 to 1.17.3-alpine3.13 by @dependabot in https://github.com/authzed/spicedb/pull/300
    • Bump github.com/Masterminds/squirrel from 1.5.1 to 1.5.2 by @dependabot in https://github.com/authzed/spicedb/pull/306
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.6.0 to 2.7.0 by @dependabot in https://github.com/authzed/spicedb/pull/305
    • Bump alpine from 3.14.2 to 3.15.0 by @dependabot in https://github.com/authzed/spicedb/pull/301
    • Bump github.com/aws/aws-sdk-go from 1.41.15 to 1.42.16 by @dependabot in https://github.com/authzed/spicedb/pull/303
    • Bump github.com/jackc/pgtype from 1.8.1 to 1.9.1 by @dependabot in https://github.com/authzed/spicedb/pull/304
    • Bump github.com/lib/pq from 1.10.3 to 1.10.4 by @dependabot in https://github.com/authzed/spicedb/pull/308
    • Bump go.opentelemetry.io/otel/trace from 1.1.0 to 1.2.0 by @dependabot in https://github.com/authzed/spicedb/pull/302
    • Bump github.com/jackc/pgx/v4 from 4.13.0 to 4.14.1 by @dependabot in https://github.com/authzed/spicedb/pull/309
    • Bump github.com/benbjohnson/clock from 1.2.0 to 1.3.0 by @dependabot in https://github.com/authzed/spicedb/pull/314
    • Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.26.0 to 0.27.0 by @dependabot in https://github.com/authzed/spicedb/pull/313
    • Bump github.com/ory/dockertest/v3 from 3.8.0 to 3.8.1 by @dependabot in https://github.com/authzed/spicedb/pull/307
    • Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.26.0 to 0.27.0 by @dependabot in https://github.com/authzed/spicedb/pull/310

    New Contributors

    • @jonwhitty made their first contribution in https://github.com/authzed/spicedb/pull/231
    • @alessandromr made their first contribution in https://github.com/authzed/spicedb/pull/210
    • @buraksekili made their first contribution in https://github.com/authzed/spicedb/pull/285

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.1.0...v1.2.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.2.0_darwin_amd64.tar.gz(9.26 MB)
    spicedb_1.2.0_darwin_arm64.tar.gz(9.22 MB)
    spicedb_1.2.0_linux_amd64.apk(8.86 MB)
    spicedb_1.2.0_linux_amd64.deb(8.86 MB)
    spicedb_1.2.0_linux_amd64.rpm(8.83 MB)
    spicedb_1.2.0_linux_amd64.tar.gz(8.84 MB)
    spicedb_1.2.0_linux_arm64.apk(8.18 MB)
    spicedb_1.2.0_linux_arm64.deb(8.18 MB)
    spicedb_1.2.0_linux_arm64.rpm(8.15 MB)
    spicedb_1.2.0_linux_arm64.tar.gz(8.16 MB)
    spicedb_1.2.0_windows_amd64.tar.gz(8.97 MB)
    spicedb_1.2.0_windows_arm64.tar.gz(8.28 MB)
  • v1.1.0(Oct 26, 2021)

    Feature Highlights

    • SpiceDB now hedges requests internally to improve reliability and performance
    • Postgres datastore now supports garbage collection
    • Postgres datastore added an index that improves performance
    • spicedb serve now has serves an HTTP/JSON API on port 8443

    Docker Images

    This release is available at quay.io/authzed/spicedb:v1.1.0


    Expand the Changelog

    45c8c7d .github: add CLA workflow 82d63c1 .github: add kubeval linting ac135ea .github: disable flaky caching in golangci action 09686bd .github: label hidden files as tooling c30113c .github: split linting and building actions b906977 Add Dispose method on datastore in prep for GC worker for postgres 061db12 Add Must* methods for any methods that can panic in tuple pkg daf7807 Add a selecting a datastore document 72d3901 Add additional docs on ZedTokens and LookupResources d841e87 Add an integration test for the test server 708dab5 Add background garbage collection to Postgres data store 51ef755 Add documentation about ZedTokens/Zookies and consistency 21e1b85 Add gauges for transaction and relationship count removed by GC 75b5a6f Add prometheus metric for postgres GC duration 42019c0 Adds index on transations table timestamp 1458362 Cleanup the CachingDispatcher when binary shuts down 359afaa Fix ordering of zed arguments in the dashboard dcdae72 Fix: small error fd4749a Follow same name convention as exixting indexes 968a8b7 Make sure to cleanup goroutine generated by the namespace manager and the parser df88351 Make sure to use the checked possibly-nil pointer in memdb 56f3feb Merge pull request #115 from authzed/testserver-test 4f18a6b Merge pull request #151 from jzelinskie/dashboard-fix 3740c6c Merge pull request #152 from ecordell/fix-brew-head 79a9682 Merge pull request #155 from mterron/dockerfile-improvementes 9068372 Merge pull request #157 from ecordell/brew-completion a34ab44 Merge pull request #159 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.53 ec097e4 Merge pull request #160 from authzed/dependabot/go_modules/google.golang.org/grpc-1.41.0 9df7471 Merge pull request #162 from NickUfer/fix_spelling 8931d76 Merge pull request #164 from ecordell/e2e-timeout 72fd40a Merge pull request #165 from ecordell/fix-bad-zookie-flake baa854d Merge pull request #166 from ecordell/ds-timeout ddeee97 Merge pull request #168 from authzed/postgres-gc 39b64ef Merge pull request #169 from jzelinskie/simple-k8s 5fcd7ff Merge pull request #172 from authzed/selecting-a-datastore f82f5c4 Merge pull request #173 from jzelinskie/separate-lint e264e9c Merge pull request #174 from authzed/zedtoken-docs 713a97c Merge pull request #175 from ecordell/badzookie-flake 424037a Merge pull request #176 from authzed/must-tuple ed2e4d5 Merge pull request #178 from ecordell/transaction-ttl d926ca4 Merge pull request #181 from authzed/further-cleanup 00d2cf6 Merge pull request #184 from 0xflotus/patch-1 ca82b60 Merge pull request #187 from authzed/request-hedging 4e70dde Merge pull request #188 from jzelinskie/gateway 1347927 Merge pull request #190 from authzed/zed-args 6a69f8d Merge pull request #193 from jzelinskie/fix-golangci f8122b9 Merge pull request #194 from josephschorr/memdb-nil-guards 2ff33fc Merge pull request #195 from ecordell/multiarch 2ea1f2e Merge pull request #197 from authzed/postgres-prom f2cfaf9 Merge pull request #198 from josephschorr/update-dockertest ec71855 Merge pull request #201 from jzelinskie/bump-grpcutil 1d52699 Merge pull request #206 from jzelinskie/cla 5b5ace0 Merge pull request #211 from costap/main eff4d2f Merge pull request #212 from jzelinskie/distroless 9af26b2 Merge pull request #213 from ecordell/fix-dockerrelease b15bb9c Merge pull request #214 from ecordell/rm-nsswitch bc40650 Merge pull request #215 from josephschorr/cleanup-dispatcher-cache eab6524 Merge pull request #216 from josephschorr/zedtoken-lookup 833a3d4 Merge pull request #218 from ecordell/release-dockerfile-simplify cb5a345 Merge pull request #219 from ecordell/multiplatform 49a1105 Switch to use the temporary branch of Ristretto until https://github.com/dgraph-io/ristretto/pull/286 is merged bc195ca Typo fix 5ced015 Update handling of datastore Close to disconnect connections and change to use an errgroup to clean up Postgres GC worker b370632 Update the dockertest version fd1cfe0 Use Docker entrypoint instead of CMD. Enables using spicedb from docker directly. docker run quay.io/authzed/spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls bbc2c05 add JSON/HTTP API server via gRPC gateway 0bc713b add a datastore proxy which does request hedging 0dcfe48 add prometheus metrics to the heding datastore 2756965 add request hedging as an option to the serve command ad7e1fd allow head install from brew 58b8c69 build(deps): bump github.com/aws/aws-sdk-go from 1.40.47 to 1.40.53 56b4198 build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 bf75774 bump testreadbadzookie timeout 06fee34 cmd: add TLS flags for gateway server e9b164a cmd: default HTTP server to 8443 89576ad cmd: expand all string input c1e10de dashboard: correct zed usage 0b66478 docs: fixes minor spelling mistakes 7edfd0c e2e: plumb http server flags e0fee1e ensure e2e doesn't time out when it would have succeeded 2089465 fix TestReadBadZookieFlake 6472d7a fix docker release images 5750c29 fix the postgres prom GC metrics to respect enable prom option fddec6b gateway: add config docstrings 699c683 gateway: appease the linter f42234a gateway: extract into package and add metrics c36faef gateway: serve OpenAPI Schema at /openapi.json 377c53a gomod: bump grpcutil 5532b44 gomod: bump to authzed-go v0.3.0 e103240 increase gc window for revision expiration fd42ad4 install completions when installing via brew 536b4a2 internal/auth: remove authn annotator f119e2a internal/gateway: add otel middleware 4e604f5 internal/gateway: test tracing propagation 66372f8 internal/gateway: use prom namespace & subsystem 5405258 k8s: init basic deployment c682e67 lint: lint all markdown files b1eb53a multiarch docker image releases 321077d release: support additional platforms 1e6d62e remove nsswitch file from release image 5f3e1ad set a very short ttl in the crdb e2e tests b3a6931 simplify release dockerfile 3250215 track original and hedged datastore request durations separately 364708f use mocked time for testing request hedging

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.1.0_darwin_amd64.tar.gz(8.96 MB)
    spicedb_1.1.0_darwin_arm64.tar.gz(8.90 MB)
    spicedb_1.1.0_linux_amd64.apk(8.58 MB)
    spicedb_1.1.0_linux_amd64.deb(8.58 MB)
    spicedb_1.1.0_linux_amd64.rpm(8.55 MB)
    spicedb_1.1.0_linux_amd64.tar.gz(8.56 MB)
    spicedb_1.1.0_linux_arm64.apk(7.90 MB)
    spicedb_1.1.0_linux_arm64.deb(7.90 MB)
    spicedb_1.1.0_linux_arm64.rpm(7.88 MB)
    spicedb_1.1.0_linux_arm64.tar.gz(7.88 MB)
    spicedb_1.1.0_windows_amd64.tar.gz(8.68 MB)
    spicedb_1.1.0_windows_arm64.tar.gz(8.00 MB)
  • v1.0.0(Sep 30, 2021)

    For Authzed's first birthday, our gift isn't for us, but the community.

    Today, we're as excited as we've ever been.

    Today, the database powering the core of Authzed, SpiceDB, is now open source!

    SpiceDB is the most faithful implementation of Google's Zanzibar paper outside of the original system at Google.

    Developers create a schema that models their permissions requirements and use a client library to apply the schema to the database, insert data into the database, and query the data to efficiently check permissions in their applications. Leveraging a system like SpiceDB has become an industry best-practice and is being used to great success at companies large (Google, GitHub, Airbnb) and small (Carta, Authzed).

    As we develop SpiceDB, we will not only maintain compatibility with the original paper, but continue to introduce innovations that improve overall user experience. An example of this is our Schema Language, which compiles to Zanzibar's Namespace Configs, but adds far more intuitive syntax and type-safety. However, these types of features cannot be created in a vacuum, thus all future development on SpiceDB will be done entirely in the open.

    We invite everyone to collaborate with us on GitHub and join our discussions on the Zanzibar Discord.

    Initial features included in SpiceDB that distinguish it from other systems include:

    Getting Started

    Get a taste of the schema language

    Learn how to integrate an application


    Installing SpiceDB

    SpiceDB is currently packaged by Homebrew for both macOS and Linux. Individual releases and other formats are also available on the releases page.

    brew install authzed/tap/spicedb

    SpiceDB is also available as a container image:

    docker pull quay.io/authzed/spicedb:latest

    For production usage, we highly recommend using a tag that corresponds to the latest release, rather than latest.

    Running SpiceDB locally

    spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls

    Visit http://localhost:8080 to see next steps, including loading the schema


    Expand the Changelog

    f9fa9a2 *.yaml: lint all YAML files af8a479 *: migrate to new v1.RelationshipFilter 871436b *: use grpc health packages 6711fad .github: add API labels f61bf2d .github: add step for diffing go generate output 3defadd .github: add yamllint 6dfed06 .github: auto label tests 24d226b .github: enforce linting with whitelisted TODOs eb52959 .github: fix buf push action 6963abc .github: fix go mod tidy check cbaee60 .github: init f16d042 .github: properly set release as output 936992a .github: tag container with release output 6393c87 Add ExpandPermissionTree to the V1 API 3a1d882 Add Limit support to tuple queries and set Limit(1) on WriteConfig checks e98407b Add ListNamespaces and remove IsEmpty c6f8d90 Add Lookup in zed-testserver 6518be1 Add ONR serialization and use it everywhere possible. b35f569 Add REDACTED example and fix loading issues associated with it 63c3120 Add a benchmark for check operations. d4e5ba5 Add a better first run experience that shows the command to run when no other arguments are specified 021d2cc Add a call to verify the test server is properly stripped 55dc464 Add a check dispatcher and implementation. a49fb56 Add a concurrent graph expander. 63735c7 Add a datastore Revision method. 18884a0 Add a datastore proxy that validates all calls b190dd2 Add a flexible postgres config system. 67f7026 Add a jaeger service and the ability to report stats to it. c1ae3c3 Add a maximum recursion depth. 7345b1e Add a namespace cache to graph evaluations. 0e8d30a Add a postgres database query benchmark. 8a3c21e Add a secrets package which mimicks python's. f149da2 Add a test for datastore write preconditions. 7b42d15 Add a test for namespace delete. Refactor memdb tests to a separate package. 5135d29 Add a test for updating a schema and its checks on relationships 9bdeca1 Add a zed-test binary tool for writing unit tests against ac37782 Add a zookie encoding/decoding library. 6fb5dad Add additional comments and some cleanup to the validationfile pkg a4423dc Add additional tests for typesystem and lookup and fix some smaller items as per code review d7f50e6 Add arch suffix to released zed-testserver binaries e96a676 Add auto-release of zed-testserver on any releases in monorepo a43a814 Add automatic query splitting when the SQL query grows beyond a defined boundary in size 7521fd9 Add basic dashboard for guidance to new users c707af5 Add basic lexer and parser for the Schema DSL f54dbd7 Add basic proto -> DSL generator d7ef928 Add basic tracing to SpiceDB 241aad8 Add better tracing to first party services. 7b6670f Add consistency tests and fix bugs discovered as a result 527593a Add context to datastore interface and thread everywhere. a18dd55 Add datastore attr to tracing span 48ab5de Add datastore tuple query tests for reverse queries, and add limits for faster verification in WriteConfig a11df78 Add datastore url config for postgres support. f854f5a Add datastore watch and the watch RPC. 9aea9e4 Add developer CI and remove REDACTED CI 22d5d71 Add developer-service subcommand fa2ff18 Add error test cases to Lookup test in ACL tests 33305ed Add format button to Playground ced742e Add full consistency testing of the developer API 99501d9 Add go generate to CI c7d958c Add grpc server metrics to spicedb. cb044e7 Add initial support for lookup across intersection and exclusion d0ca4e1 Add latency simulator to the memdb datastore. e73cd23 Add log tracer ef5c296 Add logging to lookup shared issues f8beaaf Add migration with new reverse lookup indexes for Postgres 432fead Add namespace and relation identifier validation. 6798707 Add namespace diff system 99251c4 Add namespace validator. bdb50ab Add ok status to DSL generator indicating whether the generation had any legacy issues 9ad5c99 Add packaging to run spicedb service. 13ad9cd Add pgx timezone comment 2bdf6cd Add pgxpool stat collector for prometheus c04621d Add pkg for tuple serialization and deserialization. e772729 Add position information to parsed assertions 634d94c Add preshared key auth to spicedb. e05d378 Add proto validation rules for all requests. Validate request messages for all handlers. Remove the old namespace definition validation code. 6abf320 Add readonly port to zed-testserver f54d70e Add relation type to the metadata on construction 42f317a Add revision fuzzing and test. dd84050 Add schema service to zed-testserver dac9fdb Add shared errors interfaces and use the new types in the services e1ba314 Add source position mapper for use once we read source files ca9d6f8 Add support for cross-tenant references and have generator always produce the fully cross-tenanted defs dee7b5c Add support for loading in schema and Relationships string list from the validation file format 8707d34 Add support for metadata on namespaces and relations ae58bd8 Add support for recursive expansion 3cf04a0 Add tenancy definitions to consistency test 3e6c6e2 Add the basic local start command to the README.md 216c5c5 Add tracing to sql driver internals. 6ee74ab Add tuple queries. 84b63ac Add tuple writes. 622b512 Add type system failure for use of permissions on the left hand side of an arrow 5dec8f7 Add validation of relationships in the developer API context 7804d2a Add zerolog marshaling to error types with information 6677737 Adjust the terms in our errors to match the new terminology d55309b Allow for single character object IDs 1722118 Allow underscores at the beginning of object IDs d504f5b Bootstrap file support 8e02dfd Change Playground to be based on DSL 276b89b Change ReadSchema to always return a schema on upgrade 98268ca Change V1 schema write to delete any unreferenced object types 3ec63cf Change all legacy tuple string formats to ellide ellipsis ef1bc02 Change developer API to use the DSL 1788bc7 Change entrypoint to use and configure zerolog. 74197cb Change identifiers in tests to be valid. 0635cb3 Change panics into errors 773afcb Change start inclusion to an enum for clarity. e269342 Check revisions on read requests. e8b7912 Cleanup tests a bit 9b212c5 Cleanup the consistency tests a bit before adding dev tests 2474518 Consistency middleware for V1 API 6d1c9dc Create a reduced datastore interface just for loading tuples. 344be27 Create a testfixtures package. 1d91c58 Datastore compliance tester should run subtests. 3d0272d Decode and respect request zookies. Better error handling for grpc handlers. Tests for ACL and namespace services. 3e12385 Deleteing a nonexistent tuple no longer errors. 22afdcd Disallow relationship writes on permissions add5a74 Downgrade pq to 1.9.0 0a04909 Enable better reporting of schema errors 4eb8282 Export prometheus stats from sql driver. f2b4aa4 Extract namespace builder to its own package. d180ac4 Extract out errorIfTupleIteratorReturnsTuples 93706dc Fix SSL server initialization. 67456ee Fix arrow dispatch issue in expand as well and add an addition test 9934ea5 Fix bug in exclusion check a971b5d Fix bug where nil iterator could be closed. fc8b958 Fix concurrency errors in postgres Watch. 192e209 Fix defer statement ordering d1ce892 Fix handling of intersection and exclusion in the membership set 15cbc52 Fix ns relation denormalization in memdb. 242aeea Fix read and write schema in REDACTED 81b25d4 Fix synthetic semicolon insertion for right parens 94a6512 Fix test for recent permissions check PR bd9489d Generate server latency metrics for REDACTED and spicedb. 26386a5 Handle comments in DSL compiler and generator 412ce5e Have Checks return true if the start and goal relations are the same, or if we get to the same relation via a computed userset caa9c1b Have checkComputedUserset verify that the target relation exists before dispatching 940db9d Have dashboard take the migration status of the datastore into account 98e8271 Have edit check errors placed under each check eb6fdfc Have namespace config writes check for breaks in tuple relations 384479c Have smaller comments format to a single line 0415110 Implement ACL expand handler. 95030e0 Implement ContentChangeCheck handler. d046bc0 Implement V0 DeleteConfigs API 9711f45 Implement V1 LookupResources API 9e255a8 Implement basic DSL -> proto compiler c50347c Implement check handler. 069766b Implement consistency testing for written V1 endpoints d729033 Implement developer API 33cb010 Implement health check handler. 01f1336 Implement namespace delete. 785d123 Implement postgres datastore for spicedb. a2d6366 Implement the V1 schema service 4d4d935 Implement the read tuple method. def2f9c Implement top-down structural lookup 8b6c480 Initial check-in of spicedb. 886fdea Loosen the objectID validation to fit existing data requirements. c9ec958 Make jaeger tracing endpoint configurable. f322b89 Make revision fuzzing configurable with a default. 88a3500 Make sure to strip the binary before release to remove ALL symbols 0e62048 Make the datastore test suite neutral. b536e91 Make the prefix requirement optional by default in SpiceDB 10e2b93 Merge pull request #100 from authzed/goreleaser-init d1c4fa5 Merge pull request #1029 from REDACTED/readonly-testing d420148 Merge pull request #103 from authzed/yamllint cfb2cc6 Merge pull request #1034 from REDACTED/lookup-logging a31cb0b Merge pull request #1040 from REDACTED/s3-auto-region 8479899 Merge pull request #1041 from REDACTED/s3-content-type b5dc304 Merge pull request #1042 from REDACTED/underscores 61ee10a Merge pull request #1047 from REDACTED/migration-fallout 91f649b Merge pull request #105 from authzed/dependabot/docker/golang-1.17.1-alpine3.13 eae12c0 Merge pull request #1069 from REDACTED/ttu-typecheck 6b6f3e9 Merge pull request #108 from authzed/dependabot/go_modules/github.com/lib/pq-1.10.3 5f7e9f3 Merge pull request #1080 from REDACTED/membership-set-fixes 1aa9bff Merge pull request #1082 from REDACTED/parser-fix 3517674 Merge pull request #1085 from REDACTED/dev-consistency-tests 254f5dd Merge pull request #110 from authzed/dependabot/go_modules/github.com/rs/zerolog-1.25.0 385b10e Merge pull request #1105 from REDACTED/comment-format 72dca34 Merge pull request #111 from authzed/update-otel f63a3c6 Merge pull request #112 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.47 6f329a7 Merge pull request #113 from authzed/dependabot/go_modules/github.com/fatih/color-1.13.0 0256f66 Merge pull request #1139 from REDACTED/dependabot-go 91b3324 Merge pull request #114 from authzed/zedtoken-backcompat bad00e2 Merge pull request #116 from authzed/datastore-tests f2d4bf9 Merge pull request #1160 from REDACTED/spicedb-delete-validate 6ec17a7 Merge pull request #1161 from REDACTED/spicedb-router 6161b18 Merge pull request #1162 from REDACTED/lookup-improvements 55a8a5a Merge pull request #1166 from REDACTED/dependabot-go 5bf032e Merge pull request #117 from authzed/reorder-readme 02ccce9 Merge pull request #1186 from REDACTED/dependabot/go_modules/spicedb/github.com/aws/aws-sdk-go-1.40.16 65e6265 Merge pull request #119 from authzed/drop-crdb-migration ce8b2ec Merge pull request #1195 from REDACTED/fix-arrow-bug f7ef76c Merge pull request #120 from authzed/linting c569f93 Merge pull request #122 from authzed/gr-chglog 13a8f8b Merge pull request #1224 from REDACTED/spicedb-oss 70e663e Merge pull request #1227 from REDACTED/max-max-depth c33cc40 Merge pull request #123 from authzed/add-servicer-tests 923ce9b Merge pull request #1230 from REDACTED/spicedb-prefixes 1607a3f Merge pull request #1231 from REDACTED/flag-audit 71961e8 Merge pull request #124 from authzed/rm-extra-buf-work 547e2c0 Merge pull request #1246 from REDACTED/servok-bsr 6031872 Merge pull request #1248 from REDACTED/validationfile-cleanup 900b42b Merge pull request #125 from authzed/ellipsis-followup 8599cd2 Merge pull request #130 from authzed/v1-read-fix e9affab Merge pull request #132 from authzed/delete-tests 725f182 Merge pull request #133 from authzed/servicer-tests 55f44e7 Merge pull request #134 from authzed/e2e-constants 4e1a741 Merge pull request #135 from authzed/version 82899ac Merge pull request #136 from authzed/fix-release 43a98f7 Merge pull request #137 from authzed/migname 97e9f06 Merge pull request #138 from authzed/crdb-perf 29b03f2 Merge pull request #139 from authzed/golangci c201f6b Merge pull request #140 from authzed/readme-devtools d01fadf Merge pull request #143 from authzed/fix-retry-histogram f707760 Merge pull request #145 from authzed/fix-grpc-test b629365 Merge pull request #146 from authzed/brew a4bef05 Merge pull request #25 from authzed/github-actions e1cd108 Merge pull request #26 from authzed/dependabot/docker/alpine-3.14.1 0900760 Merge pull request #27 from authzed/dependabot/docker/golang-1.17.0-alpine3.13 fde257b Merge pull request #28 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.27 d27b146 Merge pull request #29 from authzed/dependabot/go_modules/google.golang.org/grpc-1.40.0 3732c86 Merge pull request #30 from authzed/fix-release ab93550 Merge pull request #31 from authzed/fix-release-again 6d9e22a Merge pull request #33 from authzed/quay-link dc38699 Merge pull request #34 from authzed/upstream-grpcutil f156579 Merge pull request #35 from authzed/stringer-ci 40402c3 Merge pull request #37 from authzed/one-buf-gen 98c2540 Merge pull request #38 from authzed/bootstrap-files b7e2031 Merge pull request #39 from authzed/internal-redispatch e23c4bf Merge pull request #45 from authzed/README-fixes 6123a12 Merge pull request #46 from authzed/validate-devcontext 90babad Merge pull request #47 from authzed/no-write-permission 9158081 Merge pull request #48 from authzed/validate-mw 7072d08 Merge pull request #49 from authzed/nscheck-revision ed605c6 Merge pull request #50 from authzed/constency-test 4181a3c Merge pull request #51 from authzed/dependabot/docker/alpine-3.14.2 106305d Merge pull request #52 from authzed/dependabot/go_modules/github.com/rs/zerolog-1.24.0 79817a3 Merge pull request #53 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.34 89845b0 Merge pull request #54 from authzed/imgbuild-gh a090d01 Merge pull request #547 from REDACTED/spicedb 8a8e5b7 Merge pull request #55 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.35 fffa067 Merge pull request #56 from authzed/better-schema-errors e59b740 Merge pull request #57 from authzed/schema-update-test 406233d Merge pull request #570 from REDACTED/REDACTED-go dd7a5e4 Merge pull request #576 from REDACTED/spicedb 63eb7fe Merge pull request #578 from REDACTED/postgres 640ede2 Merge pull request #60 from authzed/nsswitch d6c8bb3 Merge pull request #609 from REDACTED/spicedb-perf 9a62142 Merge pull request #610 from REDACTED/pg-conns 55f4c64 Merge pull request #612 from REDACTED/spicedb-tracing 5f92727 Merge pull request #614 from REDACTED/observability 7ddcb87 Merge pull request #615 from REDACTED/leakfix 01d366b Merge pull request #616 from REDACTED/downgrade-pq 180a093 Merge pull request #617 from REDACTED/idempotent-delete ca3b8fc Merge pull request #62 from authzed/fix-tests db0162e Merge pull request #623 from REDACTED/buckets 27a3589 Merge pull request #63 from authzed/namespaces-by-id 49f3b3b Merge pull request #637 from REDACTED/pgx 3a3c43d Merge pull request #64 from authzed/local-protos 4426163 Merge pull request #642 from REDACTED/no-cancel-sql 4b8ffc1 Merge pull request #649 from REDACTED/omitstart c75ca23 Merge pull request #65 from authzed/error-handling cd19ab1 Merge pull request #652 from REDACTED/zed-test 2238ef8 Merge pull request #66 from authzed/better-run 21e6b78 Merge pull request #67 from authzed/v1-protos 145c0d7 Merge pull request #671 from REDACTED/trace-REDACTED 362e83c Merge pull request #68 from authzed/fix-buf-push b9b59f5 Merge pull request #688 from REDACTED/rename-zedserver 0af2961 Merge pull request #69 from authzed/v1-prep 1a57afc Merge pull request #691 from REDACTED/token-based-server c2bc99b Merge pull request #692 from REDACTED/spicedb-migration bb4b7bd Merge pull request #70 from authzed/v1-consistency-middleware b114bba Merge pull request #705 from REDACTED/migration-config 6987dbe Merge pull request #72 from authzed/prep-consistency-tests c8ca87d Merge pull request #729 from REDACTED/type-system-top-lookup 2821aae Merge pull request #73 from authzed/authless-reflection 2bf9c81 Merge pull request #74 from authzed/v1-read e1b7747 Merge pull request #741 from REDACTED/exclusion-bug cd2decc Merge pull request #75 from authzed/newenemy 21a1884 Merge pull request #779 from REDACTED/schema-dsl 9dcf187 Merge pull request #78 from authzed/datastore-for-schema 70b7660 Merge pull request #780 from REDACTED/metadata 3c63c3b Merge pull request #79 from authzed/elide-ellipsis 0bcc8a5 Merge pull request #790 from REDACTED/schema-compiler 0c83249 Merge pull request #791 from REDACTED/crdb-dev 349007b Merge pull request #798 from REDACTED/crdb-ci-len c848071 Merge pull request #799 from REDACTED/schema-proto 73ce29e Merge pull request #80 from authzed/v1-check f8698ac Merge pull request #803 from REDACTED/overwritten-ns 1419b93 Merge pull request #806 from REDACTED/developer-api 99f372b Merge pull request #807 from REDACTED/pulumi-stage 5aed0cc Merge pull request #809 from REDACTED/better-errors 44bef3f Merge pull request #81 from authzed/v1-schema-service dcfb6f7 Merge pull request #821 from REDACTED/crdb-perf b181a9a Merge pull request #826 from REDACTED/crdb-perf d2d15a2 Merge pull request #83 from authzed/v1-delete 009d84a Merge pull request #831 from REDACTED/dsl-playground 1a33f35 Merge pull request #832 from REDACTED/crdb-perf e9308cb Merge pull request #834 from REDACTED/error-terms 92837dc Merge pull request #84 from authzed/authzed-go-protos 0669d71 Merge pull request #844 from REDACTED/spicedb-read-only f3ef249 Merge pull request #85 from authzed/dispatch-relref 9463381 Merge pull request #86 from authzed/v1-lookup 193cf98 Merge pull request #87 from authzed/testserver 3e1439d Merge pull request #88 from authzed/head-migration-note 004846d Merge pull request #89 from authzed/must-revision 7103c13 Merge pull request #91 from authzed/v1-consistency-testing f4115c9 Merge pull request #92 from authzed/add-start-command fc3f953 Merge pull request #920 from REDACTED/dependabot/go_modules/spicedb/github.com/prometheus/client_golang-1.11.0 e603150 Merge pull request #921 from REDACTED/dependabot/go_modules/spicedb/github.com/envoyproxy/protoc-gen-validate-0.6.1 bbbd758 Merge pull request #923 from REDACTED/dependabot/go_modules/spicedb/github.com/grpc-ecosystem/go-grpc-middleware-1.3.0 709e1ba Merge pull request #93 from authzed/v1-expand d9b41c0 Merge pull request #930 from REDACTED/v1alpha1-schema-iter 0dd3970 Merge pull request #933 from REDACTED/assertion-positioning c55aae1 Merge pull request #935 from REDACTED/dsl-format-button 0b5795f Merge pull request #938 from REDACTED/schema-test 3ee7dca Merge pull request #94 from authzed/delete-namespace d795237 Merge pull request #940 from REDACTED/migration-script 48d8234 Merge pull request #95 from authzed/lookup-require-type bb7f65a Merge pull request #97 from authzed/single-middleware 3c2cf15 Merge pull request #974 from REDACTED/dsl-comments 915e8cd Merge pull request #98 from authzed/v1-write d23222c Merge pull request #99 from authzed/readonly-ts 29345cb Move ONRSet into the tuple package 83ad8e0 Move common package to input and other small requested fixes e41f03d Move graph walking into a common lib 9100e6f Move memdb constants to the proper files. c88c169 Move query split point to a CLI option a36bae6 Move root run to a serve subcommand fa359ce Move transaction to first parameter. 4b1d9cc Namespace cache is now namespace manager. f9424c5 Namespace typesystem and initial reverse walk ("Lookup") 322d3f6 Omit expand start when expanding _this. f3d9a86 Optimistically close rows object. ca68d73 Prepare the consistency test suite for the V1 API d3d9987 README: add custom image for container badge a9da383 README: fix badge links d7cdbf5 README: fix build instructions and add links e3ccd5b README: link Quay badge to tags tab 0e34b3d README: mention devtooling API d5a5982 README: move install into getting started d618017 REDACTED: add support for dry-run migrations 932ecbd REDACTED: fixes to use the smart client 9ba9671 REDACTED: move x509util to spicedb pkg 696397c REDACTED: use spicedb validation regex for ns fa33c48 REDACTED: valid identifiers for revision names 130bf15 Raise an error if type info is missing on a Lookup d1fdf07 Reading and writing namespaces with memdb. 5027b69 Rebase fix 387a2ef Reenable and fix lookup test and address PR feedback bac6fe8 Refactor spicedb testfixtures. a7f52f4 Refactor testfixture helpers to exported package. d30d206 Remove an extra level of indirection in expand. 0673669 Remove as many transactions on read as possible. 4a355d3 Remove mirroring of input parameters in LookupResponse 67ecdb9 Remove namespace and relation checking from the datastore. 064d850 Remove namespace manager from namespace service to ensure we never use a cached namespace 510dc95 Removed resolvedobjectset and reuse the ONR set 9460d93 Rename developer-service command 5d21ceb Rename the internal header for remaining depth. b6ef6d4 Rename the internal proto to impl. 4a8d7ad Replace sqlx with pgxpool 137655a Separate grpc ctxt from db ctxt to prevent closing. 8892dea Set "auto" region to use S3 on GCS b897e57 Set a max connection age on spicedb. a528051 Set content type of shared items in the S3 share store af869be Skip direct tuple lookup if it isn't allowed from the type system b7cfb1b Small requested fixes e122626 Speed up spicedb docker rebuild. 1a20ff8 Style fixes. 27f5b0c Style fixes. 9c16dba Suppress trace log messages in tests by default. 372fbd6 Switch Postgres and CRDB datastores to use a common tuple query e7820eb Switch memdb to always store config bytes ba42792 Switch order of context in compiler and other requested improvements d49948b Switch to a single unified TupleQuery which only allows for a single call to each builder method 5946b94 Switch to concurrent operations in lookupDirect and in lookupTTU abacc67 Switch to using a batch data loader for userset lookups 1cf234a Test revision fuzzing in servicers. ecf3851 Tuple query now uses a struct copy. ab52008 Tweak prom histogram buckets for our use case. 3eebdc7 Unify the tuple and namespace datastore interfaces. Eliminate the memdb tx ID tracker and delgate to the datastore. Verify that write tx IDs are monotonically increasing. bd0e511 Update datastore to well-typed information preserving errors 4f0b796 Update error handling for recent semantic errors change 1a0390e Update graph to well-typed information preserving errors e98d0a5 Update namespace to well-typed information preserving errors 71804c8 Update otel to v1.0.0 ee13a72 Update release notes for zed-testserver 48b4e58 Update versions of go mods based on depbot bb3fefc Upgrade to the fixed version of go-memdb. b584a36 Use the context aware database calls everywhere. e60352e Use the proper sync revision for type checking on schema/namespace changes 266aa0c Use utc for now timestamps, add pgx config caf62ac Validate namespaces before writing them. e90e0fc Verify namespace and relation on read requests. b1f1d88 Verify tuple correctness on write operations. Very expected output for check and expand operations. 015fd60 We must make sure we got an iterator before we close it. fed435b Wrapper server in zed-testserver which multiplexes to different SpiceDB services based on the incoming token c4808d0 Zookie decode must check for nil parameter. 3ab76c0 add a (failing) test for new enemy behavior a3c3b7d add a default nsswitch.conf file 4dfb496 add a gh workflow step to do a build of the container image 3be0b1b add a mapping datastore proxy implementation which encodes namespace names 5df7a56 add a note about head migrations d248829 add a prometheus bucket for zero retries 31f7f72 add a test for consistency properties to the hash ring 26d0783 add a test for v1 CheckPermission 180fb65 add a test for v1 ReadRelationships 4a7c423 add a zedtoken internal implementation 3ac63f6 add homebrew release c895e7c add test for v1 DeleteRelationships dc741e3 add the test server as a spicedb subcommand 7005e14 add v1 CheckPermission implementation 1373653 add v1 proto definitions 07def0a add version command 2c9937c allow cached quantized revisions to be used e920281 always observe the crdb retries histogram aa81414 auth: simplify preshared key func 55f01d6 better lookup request logging 57af7f0 buf: consolidate into one buf.gen.yaml ea16f29 buf: generate servok protos from BSR af88301 buf: remove non-existent authzed-api path 0bf9643 build(deps): bump alpine from 3.13 to 3.14.0 in /spicedb a64d9ce build(deps): bump alpine from 3.14.0 to 3.14.1 d40e8a8 build(deps): bump alpine from 3.14.1 to 3.14.2 8a42c81 build(deps): bump github.com/aws/aws-sdk-go from 1.40.16 to 1.40.27 1530c47 build(deps): bump github.com/aws/aws-sdk-go from 1.40.27 to 1.40.34 3c73bb6 build(deps): bump github.com/aws/aws-sdk-go from 1.40.27 to 1.40.35 41162b6 build(deps): bump github.com/aws/aws-sdk-go from 1.40.35 to 1.40.47 59ab61e build(deps): bump github.com/aws/aws-sdk-go in /spicedb e894118 build(deps): bump github.com/envoyproxy/protoc-gen-validate in /spicedb 57ba568 build(deps): bump github.com/fatih/color from 1.12.0 to 1.13.0 d2a5d35 build(deps): bump github.com/grpc-ecosystem/go-grpc-middleware fd6a556 build(deps): bump github.com/lib/pq from 1.10.2 to 1.10.3 689357c build(deps): bump github.com/prometheus/client_golang in /spicedb 8fd2d05 build(deps): bump github.com/rs/zerolog from 1.23.0 to 1.24.0 48e6f55 build(deps): bump github.com/rs/zerolog from 1.24.0 to 1.25.0 7a2480d build(deps): bump golang from 1.16-alpine3.13 to 1.17.0-alpine3.13 305b664 build(deps): bump golang from 1.17.0-alpine3.13 to 1.17.1-alpine3.13 66b4be0 build(deps): bump google.golang.org/grpc from 1.39.0 to 1.40.0 3eb96b1 bump bufbuild in gha ad3bd93 bump ci to go 1.17 4f5e813 change datastore to handle new object filters from v1 74d2ce4 change the internal grpc port bc84bb9 change zed-testserver to use reflection and real server 2fd51d7 cmd: add comments delineating flag sections 7c86974 cmd: consistent flag prefixes and cobrautil usage a8ebf79 cmd: consistent migration flags 5914a1a cmd: delete crdb migration script df9dbbb cmd: use cobrautil.CommandStack a322cb0 cmdutil: add funcs for registering dependent flags 2451fd0 datastore/crdb: pass go lint 07bfc53 datastore/memdb: pass go lint 85c1c76 datastore/proxy: pass go lint fd374a9 datastore/test: pass go lint ff7eff7 datastore: add docstrings to pass go lint 78b1c5a datastore: consistently name var relationFilter f83ed7e datastore: create type for QueryTuple filtering 13339da datastore: handle preconditions with pgx.ErrNoRows 223cb12 datastore: rename WithUserset to WithSubjectFilter 5cce586 datastores/psql: pass go lint 589ba98 deadcode: remove all unused code a7b43b2 dependencies: go mod tidy 198b898 determine transaction overlap keys from namespace prefixes da5052c dispatch: only fail on unexpected errors 1408a4c document the lookaside cache handling 89ea338 e2e: tweak constants to reduce flakes e6486cb errcheck: handle all errors explicitly 4028aa8 fix all linter errors in internal/services f717917 fix buf build 8f34ec4 fix cluster dispatch error handling 0116382 fix datastore delete implementations ca5980e fix linter build lines for go 1.17 9710aa7 fix linter errors 9d22d60 fix memdb modifying source builder state e07a59e fix package path in goreleaser 1be2b9d fix readonly test server 5008a0d fix relationship filter precondition checking 45d948e fix the error rewrite for ErrAlwaysFail da2663e fix typos in main method 466851f fix v1 ReadRelationship to save modified query 2aaeff0 generate options for crdb / spicedb test abstractions a358780 go.mod: use upstream grpcutil 182acfd goimports: fix all local/thirdparty splits 128a6b9 gomod: tidy 56a50e5 govet: fix all mutex copies d006abe grpcutil: add RequireStatus method 035670b handle crdb retries 0ae9a5c handle more error and shutdown conditions on startup 67fdfac helper function for revisions and zedtokens from context 9dc70fe ineffassign: remove all ineffective assignments 5bf98df infra: ugprade CRDB to v21.1.3 be5692a internal/datastore: add delete preconditions test 8231c02 internal/datastore: adopt v1.Precondition 4304048 internal/datastore: exercise DeleteRelationships 91fb449 internal/proto: fix reproducibility 1e2df28 internal/services/v1: init DeleteRelationships af83dbc lint: add golangci-lint 2f8f799 log whether an internal expand was recursive e926286 make consistent backend client more idiomatic e729283 make deleterelationship tests more permissive 5827290 make zedtokens binary compatible with all versions of zookie 55eed77 move generated protos back to authzed-go 5d58771 move to internal proto imports, remove smartclient 049dc12 pkg/cmdutil: upstream to cobrautil d729505 pkg/tuple: add MustParse and use it in tests e5fce8c pkg/tuple: add pretty print for sub/obj refs cfb3986 pkg/tuple: add relationship parsing cfe6947 pkg/tuple: avoid overflow on panic cbb8287 pkg/tuple: print error with all invalid panics a47973f pkg/tuple: validate in conversions edcaa69 prevent new enemy by forcing transaction overlap 18963b3 prevent newenemy with smart sleeping 031b8ce proto: consolidate protos and generate internally 6bc1f7b proto: rehome authzed API definitions 643a9b4 proto: update buf to 0.48.2 69aa398 protos: add schema API a4f622e protos: disambiguate Read/Write Schema APIs 8743e3e protos: fix go_package import path for schema 6948601 protos: make metadata internal to spicedb 0278d93 protos: move authzed-api into a subdirectory 116ff2c protos: remove implicit_permission_system 2400c5d re-enable ci tests 20c0685 remove ellipsis from remaining test cases 5bd6fd3 remove smart sleeping 7ce8610 remove the tracer code that's no longer used e91a506 remove the unnecessary short circuits f7e8eaf rename smartclient to consistent backend client caa3295 rename the prom metrics variables in caching dispatch 7e27ae1 rework service initialization to more cleanly handle required interceptors 84488e0 rework the way the consistent backend client startup works b4c258b services/v1: add write tests d6a6079 services/v1: implement WriteRelationships 15643e1 services/v1: test error messages ed83812 services/v1: verify updates' types & subject 4edf9c4 servok: take the DNS name to resolve as a request parameter 8350b97 servok: use fully-qualified SRV record locators 1f28d61 set fetch depth for goreleaser 0576b25 show the contents of the git diff for protos 78e9257 small cleanups 136d2d0 spicedb/REDACTED: bump deps 6716384 spicedb/REDACTED: migrate to open telemetry v1 fcf2b0e spicedb/infra/servok: bump deps c4f659d spicedb: Add a pure go migration framework. 78f77e8 spicedb: InvalidArgument bad namespace conversions db03bbd spicedb: add CRDB tracing 2d946f5 spicedb: add W3C propagation to tracing 80d9d57 spicedb: add a crdb driver skeleton 9126a60 spicedb: add a crdb migration tool 49faa51 spicedb: add a head subcommand to calculate database head revision 9f6e3f0 spicedb: add a migrate subcommand 926c9c6 spicedb: add a service level cache for check 459f43e spicedb: add a shutdown grace period 84d98d8 spicedb: add an internal API smartclient 544bd55 spicedb: add an internal redispatch API 200e95a spicedb: add client that routes using request hashing d6065b0 spicedb: add dockerfile 2d1d08d spicedb: add error to migration failure 8b90539 spicedb: add generic tuple iterator for a materialized slice of tuples cbe3551 spicedb: add opentelemetry interceptor 0af4b59 spicedb: add readme, license, etc.. 7076dc3 spicedb: add support for CRDB to main.go 1d36a30 spicedb: allow for duplicate watch events in tests dc3b530 spicedb: buf.gen.yaml is executable ea42319 spicedb: build zed-testserver in container image f54ea94 spicedb: bump stringz c32ccf5 spicedb: change CRDB test version to match stage cluster 305ebd1 spicedb: change CRDB watch to use resolved revisions f0eb6a4 spicedb: clean up compiler and errors in schema 078abef spicedb: clean-up comments 251b596 spicedb: convert existing test migrations to new framework 8a578ef spicedb: create services/v0 package 18c8c46 spicedb: datastore revisions uint64 -> decimal.Decimal c79711c spicedb: deduplicate tuples in CRDB migration script 4980c22 spicedb: delete unused validate protos 4211a42 spicedb: do not recompute revision on redispatch d2ccedb spicedb: eliminate spurious delete events from touches 5638d4e spicedb: ensure CRDB cluster gc TTL is large enough to support requested TTL 0059465 spicedb: export logging/tracing PreRuns 5e268e7 spicedb: expose flags for pg connection pool dedb2f7 spicedb: fix CRDB revision quantization for zero, add a default 6e78673 spicedb: fix change batching in CRDB and add test. d05e723 spicedb: fix postgres driver prefix check eb17d46 spicedb: fix tests 0c93328 spicedb: generate servok protos 226f59f spicedb: get CRDB hlc from insert queries to save round trips 64a4ac4 spicedb: gofumpt d3238e4 spicedb: handle error conditino in watch endpoint 2cb5c6b spicedb: implement CRDB reverse tuple query 8bd6d0a spicedb: implement read-only mode d05c262 spicedb: implement v1alpha1.SchemaService 45075bc spicedb: increase smartclient max backoff for resolver 2e58495 spicedb: initial implementation of native CRDB datastore 4679a7b spicedb: initialize memdb with an empty transaction 4ddb612 spicedb: limit the acceptable incoming depth remaining b90ba23 spicedb: main with zap/cobra/metrics/signals f1c59a0 spicedb: make CRDB code simpler and more idiomatic 0a9bc8a spicedb: make CRDB connection pooling configurable 18860b3 spicedb: make code more readable, fix typos 0bf5824 spicedb: make gc window configurable in tests cd8a05f spicedb: make protobuf generation reproducible bee17ec spicedb: mark CRDB queries as read only transactions 27c1199 spicedb: mark overwritten namespaces as deleted ddd76bd spicedb: migrate impl to internal protos f1e7aa7 spicedb: migrate to authzed/api/v0 e85b89a spicedb: move flags/commands under command file c70e226 spicedb: mv grpchealth grpcutil, add auth mixin 10e1d94 spicedb: name conflict fix in proto package 0addd20 spicedb: no implicit permission system in schema 7bae771 spicedb: refactor reverse tuple queries 7946de7 spicedb: regenerate protobufs 5fc6aaf spicedb: remove golang-migrate 5f6778b spicedb: remove unused CRDB prometheus stats option 584a283 spicedb: replace consistent hash impl 052b835 spicedb: rm spans injected by gRPC interceptor a7a7cc3 spicedb: run metrics server on developer mode 458eb4a spicedb: scope migrations to application context f44e7e8 spicedb: sever grpc and datastore context for CRDB b424f4f spicedb: smartclient retry and improved constructor 5e90f17 spicedb: surface rows.Scan error to caller 4bed0ac spicedb: test postgres datastore impl against cockroachdb 9887289 spicedb: use an extended error type for read-only c32da1f spicedb: use buf to generate protos 6947fb8 spicedb: use local cluster redispatch b393874 spicedb: use read only transaction everywhere eb7e945 spicedb: use the authzed-go api protos aabd3ea spicedb: use the internal API everywhere 463146a split and refactor graph and dispatch b2a09c0 start test process locally 5d09aaa staticcheck: rm deprecated calls 772d6f7 statistically determine new enemy invulnerability 3c4dc6c structcheck: remove all unused fields e086f85 switch to validation middleware 82d716c test that crdb is vulnerable to newenemy if protections are disabled 52bf8fd unused: remove unused funcs 4a69b3f unwrap cockroach retry logic on read methods 1bc21af update go Dockerfiles to only build required binary 0d5132f update migration name 63d33de update readme for homebrew e7a6991 use authless reflection implementation from grpcutil f8319c8 use goreleaser to build binaries and packages 875aa84 use relationreference instead of onr for lookup dispatch a06b81d use the iterations it took to reproduce the newenemy problem to inform the number of times we test for invulnerability 0cd8b95 v1: add the read method 7ea8db7 v1alpha1: add schema tests

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.0.0_darwin_amd64.tar.gz(8.61 MB)
    spicedb_1.0.0_darwin_arm64.tar.gz(8.54 MB)
    spicedb_1.0.0_linux_amd64.apk(8.25 MB)
    spicedb_1.0.0_linux_amd64.deb(8.25 MB)
    spicedb_1.0.0_linux_amd64.rpm(8.22 MB)
    spicedb_1.0.0_linux_amd64.tar.gz(8.23 MB)
    spicedb_1.0.0_linux_arm64.apk(7.59 MB)
    spicedb_1.0.0_linux_arm64.deb(7.59 MB)
    spicedb_1.0.0_linux_arm64.rpm(7.57 MB)
    spicedb_1.0.0_linux_arm64.tar.gz(7.58 MB)
    spicedb_1.0.0_windows_amd64.tar.gz(8.35 MB)
    spicedb_1.0.0_windows_arm64.tar.gz(7.69 MB)
A Zanzibar-inspired database platform that stores, computes, and validates application permissions.
This is a simple graph database in SQLite, inspired by "SQLite as a document database".

About This is a simple graph database in SQLite, inspired by "SQLite as a document database". Structure The schema consists of just two structures: No

Denis Papathanasiou 1.2k Jan 3, 2023
A simple golang api generator that stores struct fields in key/value based databases

Backgen A simple golang API generator that uses key/value based databases. It does not provide the database itself, only uses a interface to access se

null 0 Feb 4, 2022
Owl is a db manager platform,committed to standardizing the data, index in the database and operations to the database, to avoid risks and failures.

Owl is a db manager platform,committed to standardizing the data, index in the database and operations to the database, to avoid risks and failures. capabilities which owl provides include Process approval„ÄĀsql Audit„ÄĀsql execute and execute as crontab„ÄĀdata backup and recover .

null 34 Nov 9, 2022
Beerus-DB: a database operation framework, currently only supports Mysql, Use [go-sql-driver/mysql] to do database connection and basic operations

Beerus-DB · Beerus-DB is a database operation framework, currently only supports Mysql, Use [go-sql-driver/mysql] to do database connection and basic

Beerus 7 Oct 29, 2022
Hard Disk Database based on a former database

Hard Disk Database based on a former database

null 0 Nov 1, 2021
Simple key value database that use json files to store the database

KValDB Simple key value database that use json files to store the database, the key and the respective value. This simple database have two gRPC metho

Francisco Santos 0 Nov 13, 2021
This is a simple Golang application that executes SQL commands to clean up a mirror node's database.

This is a simple Golang application that executes SQL commands to clean up a mirror node's database.

Tom 1 Jan 24, 2022
Nipo is a powerful, fast, multi-thread, clustered and in-memory key-value database, with ability to configure token and acl on commands and key-regexes written by GO

Welcome to NIPO Nipo is a powerful, fast, multi-thread, clustered and in-memory key-value database, with ability to configure token and acl on command

Morteza Bashsiz 17 Dec 28, 2022
BuntDB is an embeddable, in-memory key/value database for Go with custom indexing and geospatial support

BuntDB is a low-level, in-memory, key/value store in pure Go. It persists to disk, is ACID compliant, and uses locking for multiple readers and a sing

Josh Baker 4k Dec 30, 2022
The Prometheus monitoring system and time series database.

Prometheus Visit prometheus.io for the full documentation, examples and guides. Prometheus, a Cloud Native Computing Foundation project, is a systems

Prometheus 46.1k Dec 31, 2022
Fast specialized time-series database for IoT, real-time internet connected devices and AI analytics.

unitdb Unitdb is blazing fast specialized time-series database for microservices, IoT, and realtime internet connected devices. As Unitdb satisfy the

Saffat Technologies 100 Jan 1, 2023
VictoriaMetrics: fast, cost-effective monitoring solution and time series database

VictoriaMetrics VictoriaMetrics is a fast, cost-effective and scalable monitoring solution and time series database. It is available in binary release

VictoriaMetrics 7.6k Jan 8, 2023
LinDB is an open-source Time Series Database which provides high performance, high availability and horizontal scalability.

LinDB is an open-source Time Series Database which provides high performance, high availability and horizontal scalability. LinDB stores all monitoring data of ELEME Inc, there is 88TB incremental writes per day and 2.7PB total raw data.

LinDB 2.3k Jan 1, 2023
‚ėĄ The golang convenient converter supports Database to Struct, SQL to Struct, and JSON to Struct.

Gormat - Cross platform gopher tool The golang convenient converter supports Database to Struct, SQL to Struct, and JSON to Struct. šł≠śĖáŤĮīśėé Features Data

śįłśěó 289 Dec 20, 2022
TalariaDB is a distributed, highly available, and low latency time-series database for Presto

TalariaDB is a distributed, highly available, and low latency time-series database that stores real-time data. It's built on top of Badger DB.

Grab 104 Nov 16, 2022
Dolt is a SQL database that you can fork, clone, branch, merge, push and pull just like a git repository.

Dolt is a SQL database that you can fork, clone, branch, merge, push and pull just like a git repository. Connect to Dolt just like any MySQL database to run queries or update the data using SQL commands. Use the command line interface to import CSV files, commit your changes, push them to a remote, or merge your teammate's changes.

DoltHub 13.8k Dec 31, 2022
rosedb is an embedded and fast k-v database based on LSM + WAL

A simple k-v database in pure Golang, supports string, list, hash, set, sorted set.

roseduan 3.4k Dec 30, 2022
DonutDB: A SQL database implemented on DynamoDB and SQLite

DonutDB: A SQL database implemented on DynamoDB and SQLite

Peter Sanford 128 Dec 21, 2022
Export output from pg_stat_activity and pg_stat_statements from Postgres into a time-series database that supports the Influx Line Protocol (ILP).

pgstat2ilp pgstat2ilp is a command-line program for exporting output from pg_stat_activity and pg_stat_statements (if the extension is installed/enabl

Zikani Nyirenda Mwase 4 Dec 15, 2021