SpiceDB is a Zanzibar-inspired database that stores, computes, and validates application permissions.

Overview

SpiceDB

Container Image GoDoc License Build Status Mailing List Discord Server Twitter

SpiceDB is a Zanzibar-inspired database that stores, computes, and validates application permissions.

Developers create a schema that models their permissions requirements and use a client library to apply the schema to the database, insert data into the database, and query the data to efficiently check permissions in their applications.

Features that distinguish SpiceDB from other systems include:

See CONTRIBUTING.md for instructions on how to contribute and perform common tasks like building the project and running tests.

Why SpiceDB?

Verifiable Correctness

The data used to calculate permissions have the most critical correctness requirements in the entirety a software system. Despite that, developers continue to build their own ad-hoc solutions coupled to the internal code of each new project. By developing a SpiceDB schema, you can iterate far more quickly and exhaustively test designs before altering any application code. This becomes especially important as you introduce backwards-compatible changes to the schema and want to ensure that the system remains secure.

Optimal Flexibility

The SpiceDB schema langauge is built on top of the concept of a graph of relationships between objects. This ReBAC design is capable of efficiently supporting all popular access control models (such as RBAC and ABAC) and custom models that contain hybrid behavior.

Modern solutions to developing permission systems all have a similar goal: to decouple policy from the application. Using a dedicated database like SpiceDB not only accomplishes this, but takes this idea a step further by also decoupling the data that policies operate on. SpiceDB is designed to share a single unified view of permissions across as many applications as your organization has. This has strategy has become an industry best-practice and is being used to great success at companies large (Google, GitHub, Airbnb) and small (Carta, Authzed).

Getting Started

Installing SpiceDB

SpiceDB is currently packaged by Homebrew for both macOS and Linux. Individual releases and other formats are also available on the releases page.

brew install authzed/tap/spicedb

SpiceDB is also available as a container image:

docker pull quay.io/authzed/spicedb:latest

For production usage, we highly recommend using a tag that corresponds to the latest release, rather than latest.

Running SpiceDB locally

spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls

Visit http://localhost:8080 to see next steps, including loading the schema

Developing your own schema

Integrating with your application

Issues
  • Add

    Add "public" keyword/type

    The Zanzibar implementation at Google uses a special-case userset to represent the set of all users "aka public".

    As per one of their public presentations: 103707706-21b5c900-4f7d-11eb-8184-ed57ae6cb002

    Because SpiceDB's schema language is more expressive, we have some better options than introducing this concept as a special-cased tuple:

    • A keyword could be used to embellish relations/permissions that are public.
    • We could introduce a type to represent public, but it might be surprising if a user unintentionally unions a relation/permission with public by accident.
    area/api v0 priority/2 medium area/schema area/api v1 area/dispatch 
    opened by jzelinskie 13
  • Fix revive lint warnings

    Fix revive lint warnings

    This is related to issue https://github.com/authzed/spicedb/issues/36

    All issues involve renaming function to drop a prefix corresponding to the package name. The fix has been done automatically with a refactoring tool.

    This creates a change in the public API as namespace.NamespaceWithComment is renamed to namespace.WithComment.

    area/schema area/tooling 
    opened by nbarbey 11
  • service-discovery: Added ZooKeeper based service discovery

    service-discovery: Added ZooKeeper based service discovery

    I have implemented an alternative service discovery that can be used without kubernetes. It uses Apache ZooKeeper. It also contains the code necessary to work inside AWS ECS containers (it can get the IP from the task and instance metadata endpoint), but it falls back to the IP of the first public network interface. The address defined in dispatch-cluster-addr takes precedence in any case.

    I will use this in our deployment on ECS. The SRV record method was not reliable so I made a custom resolver that uses ZooKeeper to discover the peers, since we were already using ZooKeeper for some of our existing services.

    This is the first time I'm coding in Go, so I hope I didn't mess up anything.

    area/CLI area/dependencies 
    opened by gergof 10
  • introduce validate command

    introduce validate command

    Closes https://github.com/authzed/spicedb/issues/290

    What

    The purpose of this command is to take a playground file and run the assertions and validations defined.

    The rationale is that schema development happens in the playground, but once the YAML is downloaded, there is nothing developers can do other than loading it with testserve command, or uploading it back to the playground. This attempts to reuse and run the assertions and validations as test-suite outside of the the playground, and in a programmatic way rather than only interactively. Rather than duplicating the same tests in the client application, the playground tests become the canonical representation for the business rules defined in the schema.

    Example:

    1. developers introduce changes in schema via the playground
    2. YAML file is downloaded and persisted in git repository
    3. changes are pushed, PR is opened, CI runs spicedb validate, demonstrating changes are sound.

    Assumptions

    • Introducing a new CLI command is cool, exposing new API in the go code requires more consideration
    • Version 2 of the Playground file is not really API, so instead of updating the public structures, in parsed the file in two phases: one time with the public stuff, and one with the v2 fields
    • I'm not sure I got right the versioning strategy y'all have with the API. It sounds like v0 is like "it's public, but may be broken anytime". I assumed it's OK to expose methods reusing v0 types, but would definitely appreciate some guidance here

    Features

    • accepts multiple playground files as input
    • process returns 0 if valid, non-zero if invalid
    • errors by line and message are logged (e.g. can be surfaced in the GitHub PR)

    TODO

    • Planning to add tests if this is the design seems sound
    area/api v0 area/CLI 
    opened by vroldanbet 7
  • Dashboard example zed usage references HEAD formula & `login` command

    Dashboard example zed usage references HEAD formula & `login` command

    Brew installation of zed fails with the Errno:ENOENT error:

    [email protected]:~$ brew install --HEAD authzed/tap/zed
    ==> Tapping authzed/tap
    Cloning into '/home/linuxbrew/.linuxbrew/Homebrew/Library/Taps/authzed/homebrew-tap'...
    remote: Enumerating objects: 34, done.
    remote: Counting objects: 100% (34/34), done.
    remote: Compressing objects: 100% (25/25), done.
    remote: Total 34 (delta 15), reused 10 (delta 3), pack-reused 0
    Receiving objects: 100% (34/34), 8.73 KiB | 1.75 MiB/s, done.
    Resolving deltas: 100% (15/15), done.
    Tapped 2 formulae (16 files, 92.0KB).
    ==> Downloading https://ghcr.io/v2/linuxbrew/core/go/manifests/1.17.1
    ######################################################################## 100.0%
    ==> Downloading https://ghcr.io/v2/linuxbrew/core/go/blobs/sha256:65e57b46322ebb9957754293cc66012579d93a7795b286bd2f267758f8006d7b
    ==> Downloading from https://pkg-containers.githubusercontent.com/ghcr1/blobs/sha256:65e57b46322ebb9957754293cc66012579d93a7795b286bd2f267758f8006d7b?se=2021-09-30T17%3A50%3A00Z&sig=hB1Y%2FHG%2FMPADkzMm6M92
    ######################################################################## 100.0%
    ==> Cloning https://github.com/authzed/zed.git
    Cloning into '/home/ibazulic/.cache/Homebrew/zed--git'...
    ==> Checking out branch main
    Already on 'main'
    Your branch is up to date with 'origin/main'.
    ==> Installing zed from authzed/tap
    ==> Installing dependencies for authzed/tap/zed: go
    ==> Installing authzed/tap/zed dependency: go
    ==> Pouring go--1.17.1.x86_64_linux.bottle.tar.gz
     /home/linuxbrew/.linuxbrew/Cellar/go/1.17.1: 10,810 files, 537.4MB
    ==> Installing authzed/tap/zed --HEAD
    Error: An exception occurred within a child process:
      Errno::ENOENT: No such file or directory - zed
    

    Pulling zed normally via brew install authzed/tap/zed works but this binary does not have the login option needed to log into spicedb according to instructions.

    kind/bug priority/1 high area/tooling 
    opened by ibazulic 7
  • Support OpenTelemetry collectors

    Support OpenTelemetry collectors

    Everything is instrumented using OpenTelemetry, but Jaeger is the only format exposed by command-line flags. If it can be made generic enough, this could be upstreamed into cobrautil.

    hint/good first issue area/CLI priority/4 maybe area/tooling kind/tech debt 
    opened by jzelinskie 7
  • Add quickstart examples

    Add quickstart examples

    Closes https://github.com/authzed/spicedb/issues/469

    This creates a collection of quickstart Docker Compose files to get new-comers quickly running with the datastore of their choosing. ~I also moved k8s/example.yaml under the examples/ directory, since it seemed to fit well there. Though, I'm not sure if this breaks documentation links.~ I reverted this change, things broke when that file moved.

    Most datastores were straightforward, but Cockroach and Spanner (especially Spanner) required some extra plumbing to get them operational.

    opened by bryanhuhta 6
  • A confusing place in module lexer

    A confusing place in module lexer

    in the module lexer, the lastNonWhitespaceToken in struct Lexer means "The last token returned that is non-whitespace"

    the only space that used lastNonWhitespaceToken in code is below assign a TokenTypeWhitespace to lastNonWhitespaceToken

    if t == TokenTypeWhitespace {
    	l.lastNonWhitespaceToken = currentToken
    }
    

    should be like this?

    if t != TokenTypeWhitespace {
    	l.lastNonWhitespaceToken = currentToken
    }
    
    opened by fearlessfe 5
  • fix: skip comments when loading test relationships

    fix: skip comments when loading test relationships

    Fixes https://github.com/authzed/spicedb/issues/329

    From a brief test in the playground, comments in the Test Relationships are only of the format // my comment and not /** my comment */. This may need to be fact check though 😁

    area/tooling 
    opened by bryanhuhta 5
  • Bump golang from 1.17.1-alpine3.13 to 1.17.2-alpine3.13

    Bump golang from 1.17.1-alpine3.13 to 1.17.2-alpine3.13

    Bumps golang from 1.17.1-alpine3.13 to 1.17.2-alpine3.13.

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    area/dependencies area/tooling 
    opened by dependabot[bot] 5
  • Proposal: SpiceDB telemetry

    Proposal: SpiceDB telemetry

    Telemetry Proposal

    As a small team developing very high performance software, we're constantly prioritizing between improving features, stability, performance, and user experience. While we obviously have metrics from our hosted SpiceDB instances on Authzed.com, our last product taught us that open-source and enterprise users often use the software in surprisingly different ways. In order to develop a tight feedback loop with our users, we would like to add some opt-out telemetry information to SpiceDB. As big fans of open source, and as heavy users ourselves, we understand that users can be sensitive to data collection and exfiltration efforts by the software they run. That's why it is our goal to be as open and transparent about this process as possible.

    Philosophical Goals

    • [ ] Put a file called TELEMETRY.md in the root of the repository that includes the final form of this proposal and easy instructions for disabling telemetry
    • [ ] Users will be able to see the exact data that is collected and shipped at all times
    • [ ] It will be simple to disable telemetry, although it will remain opt-out to reduce response bias in the results.
    • [ ] Users will be notified at the INFO log level every time an instance of SpiceDB starts that telemetry is enabled
    • [ ] A notification will be written at the INFO log level every time telemetry data is sent
    • [ ] Metrics collection should not impact the performance of latency sensitive operations
    • [ ] Metrics will be anonymous and aggregate, we will not be able to track them back to a specific user.

    Proposed Data Collection

    Each of the following metrics includes the justification and the specific way in which we will use the data to measure and improve the software.

    Running SpiceDB instances per installation

    Knowing average cluster size will help us to direct resources to service discovery, clustering, and remote re-dispatch.

    Distributed cache hit ratio

    The Zanzibar model lives and dies by how effectively it utilizes the distributed cache. While we have our own tests and metrics, one or more user clusters underperforming would be an indicator that something is awry with our consistent hashing or data access assumptions.

    Number of object definitions

    In the Zanzibar paper, Google gave metrics about average schema size. A histogram would have been better! Schema complexity directly correlates to resolution complexity, and knowing that open-source uses are using more or less complex schemas than anticipated would help us direct resources toward nested query complexity.

    Number of relationships

    Similarly to schema complexity, the amount of data also controls the re-dispatch fan-out and resolution complexity. If schemas rely heavily on the arrow -> operator on very large datasets, this would lead us to invest in improvements in resolution order and heuristics.

    Number of redispatches/subproblems per operation

    A metrics that is the unification of data and schema, this is a direct, hardware-independent measurement of resolution complexity, and would direct investments similarly to schema and data complexity.

    Number of calls (but not latencies) to specific APIs

    The Zanzibar paper gives the call frequencies for certain operations, but does not tell the complete story. In the Zanzibar paper, Read is used more than Check, and Zanzibar does not support Lookup at all. In order to make sure we're investing in improvements to each method appropriately, it is important to understand the call-frequency usage patterns.

    Considered and Rejected

    It is often as important to know what was considered and rejected as it is to know what was included in the final proposal.

    Rejected: Collecting API latency metrics

    This is extremely infrastructure dependent, and no useful information could be gleaned from it in aggregate. Hardware independent complexity measures are preferred as a result.

    Rejected: User driven redaction of specific metrics

    While this sounds interesting at the outset, having an incomplete picture of the metrics from each SpiceDB installation could be statistically misleading. For example, knowing the cache hit ratio but not the schema complexity would make it hard to know if there is a data issue or schema issue.

    Rejected: Opt-in metrics

    While this is obviously very user-friendly, we're all aware of the problems of response bias in statistics. We may end up with an entirely different class of user choosing to report metrics than the average. This may skew efforts in the wrong direction. For example, if only enterprises opt-in to the data collection, we may completely overlook problems with the software that arise during the small-scale development phase.

    Open Questions

    • What data pipeline should we use to collect metrics? We use Prometheus for everything else, but this almost necessarily needs to be push-centric, which Prometheus cautions against.
    • Are users comfortable with us enlisting the help of a sub-processor, such as Mixpanel, Amplitude, Google Analytics, etc. for tracking and reporting the data that we collect?
    priority/2 medium state/needs discussion area/observability 
    opened by jakedt 5
  • Add GC to the namespace_config table

    Add GC to the namespace_config table

    Currently, when a docker image is started with a bootstrap file and the flag --datastore-bootstrap-overwrite=true, the namespace_config table expands with every restart of the docker image. The deleted rows are not cleanup up by the GC, like it does for the relation_tuple and relation_tuple_transaction tables. The GC should also clean the namespace_config table.

    hint/good first issue priority/2 medium area/perf area/datastore 
    opened by rolevinks 0
  • Support IAM database authentication for Postgres datastore

    Support IAM database authentication for Postgres datastore

    As of now, there is only support for username:password in the connection string for Postgres. For those who use an AWS's hosted Postgres, it's preferable to use IAM database authentication.

    priority/3 low area/datastore state/needs discussion 
    opened by jhalleeupgrade 3
  • PoC: Export model as JSON

    PoC: Export model as JSON

    As discussed on Discord, here an quick proof of concept to generate schema information in a machine-readable fashion for code generation. This information would allow to at least generate the string constants that otherwise clutter client libraries.

    In a next step one could add type-information and permission predicates.

    Example Output:

    [
      {
        "name": "user",
        "namespace": "default",
        "relations": [],
        "permissions": []
      },
      {
        "name": "platform",
        "namespace": "default",
        "relations": [
          {
            "name": "administrator"
          }
        ],
        "permissions": [
          {
            "name": "super_admin"
          },
          {
            "name": "create_tenant"
          }
        ]
      },
      {
        "name": "tenant",
        "namespace": "default",
        "relations": [
          {
            "name": "platform"
          },
          {
            "name": "parent"
          },
          {
            "name": "administrator"
          },
          {
            "name": "agent"
          },
          {
            "name": "tenant_administrator"
          },
          {
            "name": "admin_administrator"
          }
        ],
        "permissions": [
          {
            "name": "administer_user"
          },
          {
            "name": "create_admin"
          }
        ]
      },
      {
        "name": "administrator",
        "namespace": "default",
        "relations": [
          {
            "name": "self"
          },
          {
            "name": "tenant"
          }
        ],
        "permissions": [
          {
            "name": "write"
          },
          {
            "name": "read"
          }
        ]
      }
    ]
    
    
    area/schema area/tooling 
    opened by thomasrichner-oviva 2
  • Add revision fuzzing for picking optimized revisions

    Add revision fuzzing for picking optimized revisions

    Right now when a new optimized revision becomes the de-facto choice, the entire existing cache is (practically) simultaneously invalidated. In order to decrease the effect of this cutover, we should probably phase between the outgoing optimized revision and the incoming optimized revision over some period of time. Other revision picking logic, such as AtLeastAsFresh consistency happens after the optimized revision picking and should therefore be unaffected.

    priority/3 low area/perf area/datastore 
    opened by jakedt 0
  • Better Caching Cost & Density

    Better Caching Cost & Density

    Improve Cache Density and Cost Estimate

    Hi Authzed folks - apologies in advance for this wall of text. 🙂

    I noticed a few weeks ago that the cache cost functions are not accurate if the cost represents bytes (which I believe it does). For example, the cost of a checkResultEntry is set to just 8 bytes, the cost of that struct when empty. But that cost doesn't include the memory pointed to by checkResultEntry.response, which could be much more.

    As I worked to improve the cache cost functions, I found a way to fit 2x more cache items into the same amount of memory: instead of caching the Go structs, cache the protobuf-marshaled bytes.

    The improved cache cost functions help keep the physical memory used by the cache much closer to the configured max cost.

    I'd be happy to open some PRs for these changes, but wanted to post my findings here and see which of the changes you'd like (if any).

    Cache Density

    I experimented with storing the marshaled bytes of protobuf messages rather than the Go objects directly.

    There are two main advantages to this:

    • Calculating the cost of a []byte is quite simple. Most importantly, the cost function does not need to change as the protobuf message changes: protobuf takes care of those details.
    • Second, the cache can store more items per MB of space used. In one test (below), the cache fit 212% more items per MB! However, later tests with more accurate cost functions improved cache density by a more modest 50-70%. All tests were on a single local instance of spicedb, so a load test at scale is warranted.

    Below are the results for two tests run on a single spicedb instance serving check requests. Total profiled space is for the whole application, while cache profiled space includes just the stacks related to caching. In this test, the cost function was still poor, but it does show that using marshaled bytes significantly improves cache density. | test | total profiled space | cache profiled space | cache calculated cost | key count | keys/ cache profiled MB | | --- | --- | --- | --- | --- | --- | | protobuf structs | 69.16 MB | 54.85 MB | 32 MB | 142,857 | 2,605 | | marshaled []byte | 77.02 MB | 61.0 MB | 30.1 MB | 337,311 | 5,529 |

    Of course, marshaling isn't free. However, existing code already calls proto.Clone() on every cache write, and as that is replaced with the call to proto.Marshal(), the relative cost may not be significant. Still, a test to check impact on CPU during a load test is warranted.

    Cache Cost Function

    Now, the long story.

    Background

    As stated above, the cache was using more memory than the 'max cost' setting because the cost of each cached item was being set to the size of a pointer (8 bytes) rather than the size of the memory referenced by a pointer.

    The first attempt at improving the cost function made the situation better, but there was still a substantial difference between the configured cache size and the total memory used. Below are flamegraphs for in-use space for a local spicedb instance, taken after running a 15 minute load test of check requests. Between 0 and 32 MB cache, the memory increased 59MB, 184% the increase in cache size. Between 32 and 64 MB cache, the memory increased 70MB, 219% the increase in cache size.

    1 byte Cache (single instance, local) image

    32 MB Cache (single instance, local) image

    64 MB Cache (single instance, local) image

    Aside on Profiling

    In the flamegraphs above, the in-use bytes within ristretto.(*Cache).processItems are very close to the allocated cache size. Also, the bytes allocated within caching.(#Dispatcher).DispatchCheck grow proportionally with the cache size.

    Initially I thought this meant the DispatchCheck() function was responsible for leaking memory. However, I no longer think that is the case.

    Heap profiles work by sampling allocations. When a sample is taken, the stack responsible for the allocation is added to the profile. So, seeing DispatchCheck() in the flamegraph doesn't mean that DispatchCheck() is responsible for keeping bytes from GC, only that it was responsible for originally allocating those bytes.

    Reviewing the spiceDB code, this makes sense - DispatchCheck() creates the object that is stored in the cache (via proto.Clone()), but then it is the cache that keeps that object from GC. When ristretto stores an item, it allocates a wrapper struct, which explains why it is also in the profile.

    Given this, the best way to measure memory used by the cache is to sum ristretto.(*Cache).processItems and proto.Clone. Doing so for the examples above gives 113MB for the 64MB cache (176% larger) and 59MB for the 32MB cache (184% larger).

    Size Classes

    One of the main breakthroughs I had was learning about class sizes in Go. Class sizes are predefined object sizes (8, 16, 24, 32, 48, etc). When allocating a 'small' object, Go takes the number of required bytes and then allocates the next size class larger than what is required. This is done to make GC tracking more efficient for small objects. See 'One more thing' section.

    So, a cost function that returns only the bytes required for an object will systematically under-report the actual cost in memory!

    This article indicates that append() is aware of class sizes and can be used to find them at run time. This code demonstrates: https://go.dev/play/p/lRaSqzunZ73

    After accounting for class sizes, I was able to write a cost function that exactly matched the allocated bytes, as reported by memstats.TotalAlloc.

    Keys Count Too

    Still, even accounting for size classes, the cost function was not controlling memory like I wanted. How could my tests show a perfect match to the reported allocated memory, but still allow the cache to grow beyond max cost? The answer is fairly simple: cache keys are stored too, and take up memory. After including keys in the cost function, I got the following results (caching []byte):

    | test | total profiled space | cache profiled space | cache computed space | key count | keys/cache profiled MB | | --- | --- | --- | --- | --- | --- | | 8MB cache | 33.1 MB | 16.2 MB | 8 MB | 42,094 | 2,598 | | 16MB cache | 40.4 MB | 24.3 MB | 16 MB | 84,097 | 3,460 | | 32MB cache | 63.8 MB | 44.4 MB | 32 MB | 168,152 | 3,787 |

    The difference in cache size between 8MB and 16MB max cost was 8.1MB! Between 16MB and 32MB, 20.1 MB, which is off by about 26%.

    Final Cost Function (protobuf structs, not bytes)

    This test was run with a cost function that accounted for keys and size classes. No changes were made to the objects stored in the cache for this test.

    | test | total profiled space | cache profiled space | cache computed space | key count | keys/cache profiled MB | | --- | --- | --- | --- | --- | --- | | no cache (1 byte) | 15.6 MB | 0 MB | 0 MB | 0 | 0 | | 16MB cache | 34.8 MB | 21.5 MB | 16 MB | 46,916 | 2,182 | | 32MB cache | 55.2 MB | 37.8 MB | 32 MB | 93,825 | 2,482 |

    This shows there is still some overhead for the cache, since going from a cache with only 1 byte max cost (effectively, no cache) to 16 MB cost added 21.5 MB to memory used by the cache. But, going from 16MB to 32MB added 16.3MB, off by ~2%.

    Compared to the test which used a similar cost function, but stored bytes instead, this also shows that storing bytes is still more efficient, although less so than in the original test. This makes sense, because now that they key is included in the cost function, the space saved on the items themselves is a smaller proportion of the total cost per entry.

    Misc Learnings

    • Are there memory leaks?
      • I don't think so. Once the cache reaches capacity and begins to evict items, memory use is stable.
    • Is protocol buffers increasing memory footprint?
      • The items stored in the cache are protobuf generated types and have some fields specific to protobuf (protoimpl.MessageState, protoimpl.SizeCache, protoimpl.UnknownFields). It is possible these fields are getting populated after the cost function runs and increasing memory footprint beyond what the cost function calculates. Running spicedb locally, I did see that this was the case - sending a message from the cache caused its size to increase significantly. However, subsequent sends shared the memory added by the first send. To further test if protobuf fields were increasing cost, I ran tests where a the cached object was never returned to callers, only deep copies. Memory use was similar enough that I don't think the protobuf fields have a significant impact.
      • 32 MB Cache (main) image
      • 32 MB Cache (clone on return) image
    area/perf area/observability area/dispatch 
    opened by benCoomes 9
  • add more CLI options to mysql datastore.

    add more CLI options to mysql datastore.

    Sorry, I borked the rebase..

    This is a Follow-up PR from the MySQL Datastore implementation.

    It updates the SplitQueryCount because that is what is being fetched from cobra.

    The following CLI options are now supported by the MySQL Datastore:

    • SplitAtUsersetCount
    • GCMaxOperationTime

    Co-authored-by: Bryan Huhta [email protected] Co-authored-by: Craig Steinberger [email protected]

    area/datastore 
    opened by christroger 1
Releases(v1.9.0)
  • v1.9.0(Jun 21, 2022)

    Note: This release contains a change to the internal dispatch API, which means that v1.8.0 and v1.9.0 can not dispatch to each other during a rolling upgrade. To upgrade without downtime, run these as separate Kubernetes services, or disable dispatch before upgrading.

    What's Changed

    • Fully remove support for the V0 ACL and Schema API by @josephschorr in https://github.com/authzed/spicedb/pull/618
    • Add dispatch ready, health check integration by @samkim in https://github.com/authzed/spicedb/pull/615
    • Depbot updates for June 1 by @josephschorr in https://github.com/authzed/spicedb/pull/629
    • Depbot Updates for June 1 - part 2 by @josephschorr in https://github.com/authzed/spicedb/pull/635
    • Handle case where memdb is closed before a transaction completes by @josephschorr in https://github.com/authzed/spicedb/pull/637
    • Bump google.golang.org/api from 0.78.0 to 0.82.0 by @dependabot in https://github.com/authzed/spicedb/pull/634
    • Shorten the prefixes on cache keys to save some memory by @josephschorr in https://github.com/authzed/spicedb/pull/641
    • postgres: rename migration variable to reduce confusion by @jakedt in https://github.com/authzed/spicedb/pull/643
    • Remove remaining references to v0 API (except developer API) by @josephschorr in https://github.com/authzed/spicedb/pull/645
    • Abstract health status management into a helper package and add datastore status by @josephschorr in https://github.com/authzed/spicedb/pull/642
    • Skip checking and redispatch in reachability when seeing duplicates by @josephschorr in https://github.com/authzed/spicedb/pull/638
    • propagate context to migration functions by @vroldanbet in https://github.com/authzed/spicedb/pull/646
    • Add tools for genproto to tools.go by @josephschorr in https://github.com/authzed/spicedb/pull/649
    • Start moving from the externally-defined developer API to an internally defined set of types by @josephschorr in https://github.com/authzed/spicedb/pull/647
    • Ensure the released version appears with a staring v prefix by @josephschorr in https://github.com/authzed/spicedb/pull/650
    • introduce support to run migrations atomically by @jakedt in https://github.com/authzed/spicedb/pull/655
    • Cleanup the core messages now that v0 is gone by @josephschorr in https://github.com/authzed/spicedb/pull/652

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.8.0...v1.9.0

    Docker Images

    This release is available at authzed/spicedb:v1.9.0, quay.io/authzed/spicedb:v1.9.0, ghcr.io/authzed/spicedb:v1.9.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.9.0_darwin_amd64.tar.gz(14.11 MB)
    spicedb_1.9.0_darwin_arm64.tar.gz(13.80 MB)
    spicedb_1.9.0_linux_amd64.apk(13.96 MB)
    spicedb_1.9.0_linux_amd64.deb(13.97 MB)
    spicedb_1.9.0_linux_amd64.rpm(13.96 MB)
    spicedb_1.9.0_linux_amd64.tar.gz(13.35 MB)
    spicedb_1.9.0_linux_arm64.apk(12.76 MB)
    spicedb_1.9.0_linux_arm64.deb(12.78 MB)
    spicedb_1.9.0_linux_arm64.rpm(12.78 MB)
    spicedb_1.9.0_linux_arm64.tar.gz(12.24 MB)
    spicedb_1.9.0_windows_amd64.tar.gz(13.42 MB)
    spicedb_1.9.0_windows_arm64.tar.gz(12.32 MB)
  • v1.8.0(Jun 1, 2022)

    Highlights

    • New, speedier LookupResources implementation
    • New datastore interface improves performance for all datastores
    • MySQL driver now has feature parity with the Postgres driver

    What's Changed

    • Dependabot for May 3 by @josephschorr in https://github.com/authzed/spicedb/pull/583
    • disable renovatebot by @ecordell in https://github.com/authzed/spicedb/pull/585
    • crdb: detect broken pipe as resettable error by @ecordell in https://github.com/authzed/spicedb/pull/591
    • Add spanner emulator env var detection by @samkim in https://github.com/authzed/spicedb/pull/574
    • Add a custom analyzers package for custom lint checks by @josephschorr in https://github.com/authzed/spicedb/pull/563
    • Dependabot changes for May 4 by @josephschorr in https://github.com/authzed/spicedb/pull/593
    • Implement revision quantization for MySQL by @bryanhuhta in https://github.com/authzed/spicedb/pull/582
    • Add middleware to return the server version when requested, unless disabled by @josephschorr in https://github.com/authzed/spicedb/pull/572
    • pg: set timezone to utc for revision selection by @ecordell in https://github.com/authzed/spicedb/pull/592
    • Upgrade CI crdb version to v21.2.10 by @samkim in https://github.com/authzed/spicedb/pull/602
    • Update NewEnemy test for datastore v2 by @ecordell in https://github.com/authzed/spicedb/pull/607
    • log successful telemetry attempts by @jakedt in https://github.com/authzed/spicedb/pull/524
    • Datastore v2 by @jakedt in https://github.com/authzed/spicedb/pull/581
    • prevent crdb from crashing in e2e tests by @ecordell in https://github.com/authzed/spicedb/pull/611
    • Implement a reachability graph and use for lookup by @josephschorr in https://github.com/authzed/spicedb/pull/517
    • caching dispatch: unregister prometheus metrics on close by @ecordell in https://github.com/authzed/spicedb/pull/617
    • support xDS as a dispatch resolver option by @ecordell in https://github.com/authzed/spicedb/pull/612
    • Propagate context in migrations by @nbarbey in https://github.com/authzed/spicedb/pull/596
    • Some small reachable resources and lookup improvements by @josephschorr in https://github.com/authzed/spicedb/pull/620
    • refactor(schemadsl): remove unused field by @fearlessfe in https://github.com/authzed/spicedb/pull/622
    • Move the cache implementation behind an interface by @josephschorr in https://github.com/authzed/spicedb/pull/614
    • Add quickstart examples by @bryanhuhta in https://github.com/authzed/spicedb/pull/616

    New Contributors

    • @fearlessfe made their first contribution in https://github.com/authzed/spicedb/pull/622

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.7.1...v1.8.0

    Docker Images

    This release is available at authzed/spicedb:v1.8.0, quay.io/authzed/spicedb:v1.8.0, ghcr.io/authzed/spicedb:v1.8.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.8.0_darwin_amd64.tar.gz(14.13 MB)
    spicedb_1.8.0_darwin_arm64.tar.gz(13.84 MB)
    spicedb_1.8.0_linux_amd64.apk(13.98 MB)
    spicedb_1.8.0_linux_amd64.deb(14.01 MB)
    spicedb_1.8.0_linux_amd64.rpm(13.95 MB)
    spicedb_1.8.0_linux_amd64.tar.gz(13.37 MB)
    spicedb_1.8.0_linux_arm64.apk(12.80 MB)
    spicedb_1.8.0_linux_arm64.deb(12.80 MB)
    spicedb_1.8.0_linux_arm64.rpm(12.80 MB)
    spicedb_1.8.0_linux_arm64.tar.gz(12.27 MB)
    spicedb_1.8.0_windows_amd64.tar.gz(13.44 MB)
    spicedb_1.8.0_windows_arm64.tar.gz(12.34 MB)
  • v1.7.1(May 3, 2022)

    This is a bugfix release for 1.7.0

    What's Changed

    • Fix datastore-engine help text by @bryanhuhta in https://github.com/authzed/spicedb/pull/569
    • pkg/cmd: catch nil registry initialization by @jzelinskie in https://github.com/authzed/spicedb/pull/568
    • postgres: handle negative relationhip count estimates by @jakedt in https://github.com/authzed/spicedb/pull/570
    • Switch to using Engines for the engine parameter by @josephschorr in https://github.com/authzed/spicedb/pull/571
    • addresses server panic when malformed authorization header is sent by @vroldanbet in https://github.com/authzed/spicedb/pull/573
    • k8s: add dispatch enabled comment by @jzelinskie in https://github.com/authzed/spicedb/pull/575

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.7.0...v1.7.1

    Docker Images

    This release is available at authzed/spicedb:v1.7.1, quay.io/authzed/spicedb:v1.7.1, ghcr.io/authzed/spicedb:v1.7.1

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.7.1_darwin_amd64.tar.gz(11.22 MB)
    spicedb_1.7.1_darwin_arm64.tar.gz(10.92 MB)
    spicedb_1.7.1_linux_amd64.apk(11.22 MB)
    spicedb_1.7.1_linux_amd64.deb(11.19 MB)
    spicedb_1.7.1_linux_amd64.rpm(11.19 MB)
    spicedb_1.7.1_linux_amd64.tar.gz(10.72 MB)
    spicedb_1.7.1_linux_arm64.apk(10.26 MB)
    spicedb_1.7.1_linux_arm64.deb(10.25 MB)
    spicedb_1.7.1_linux_arm64.rpm(10.25 MB)
    spicedb_1.7.1_linux_arm64.tar.gz(9.86 MB)
    spicedb_1.7.1_windows_amd64.tar.gz(10.80 MB)
    spicedb_1.7.1_windows_arm64.tar.gz(9.93 MB)
  • v1.7.0(Apr 27, 2022)

    Highlights

    • MySQL Datastore introduced!
    • Two major performance improvments
      • MemDB & Postgres now support quantized revisions
      • Cache keys are now canonicalized and reused across various RPCs
    • Telemetry reporting added. For more info see TELEMETRY.md
    • Support for specifying multiple preshared keys

    What's Changed

    • Telemetry stats by @jakedt in https://github.com/authzed/spicedb/pull/515
    • .github: grant github token package write by @jzelinskie in https://github.com/authzed/spicedb/pull/520
    • .github: add back contents permission on release by @jzelinskie in https://github.com/authzed/spicedb/pull/521
    • crdb: coalesce relationship estimate to handle 0 relationship case by @ecordell in https://github.com/authzed/spicedb/pull/523
    • create spanner changelog entries client side by @jakedt in https://github.com/authzed/spicedb/pull/522
    • k8s: add RBAC and flesh out example by @jzelinskie in https://github.com/authzed/spicedb/pull/526
    • Have the GC index for Postgres be created concurrently by @josephschorr in https://github.com/authzed/spicedb/pull/501
    • introduces mysql datastore by @vroldanbet in https://github.com/authzed/spicedb/pull/525
    • CODEOWNERS: init by @jzelinskie in https://github.com/authzed/spicedb/pull/531
    • Switch MySQL tests to explicitly specify amd64 by @josephschorr in https://github.com/authzed/spicedb/pull/533
    • Cache canonicalization by @josephschorr in https://github.com/authzed/spicedb/pull/485
    • Quantize revisions for memdb, postgres datastores by @jakedt in https://github.com/authzed/spicedb/pull/527
    • mysql: refactor tests to share builders by @jakedt in https://github.com/authzed/spicedb/pull/536
    • Only run MySQL tests in CI by @josephschorr in https://github.com/authzed/spicedb/pull/535
    • Have the Docker-image based test suite run solely those tests by @josephschorr in https://github.com/authzed/spicedb/pull/540
    • gomod: bump cobrautil by @jzelinskie in https://github.com/authzed/spicedb/pull/543
    • Add support for multiple preshared keys by @josephschorr in https://github.com/authzed/spicedb/pull/537
    • mysql: run ANALYZE TABLE before Statistics in tests by @jakedt in https://github.com/authzed/spicedb/pull/548
    • mysql: wire up the mysql datastore engine to the CLI by @sbryant in https://github.com/authzed/spicedb/pull/532
    • makes cli application return non-zero error code on errors by @vroldanbet in https://github.com/authzed/spicedb/pull/541
    • gomod: bump xxhash, go by @jzelinskie in https://github.com/authzed/spicedb/pull/545
    • sets mysql manager singleton by @vroldanbet in https://github.com/authzed/spicedb/pull/550
    • moves seeding to the initialization of the datastore by @vroldanbet in https://github.com/authzed/spicedb/pull/539
    • Add integration testing for the migrate command by @josephschorr in https://github.com/authzed/spicedb/pull/551
    • Fix revive lint warnings by @nbarbey in https://github.com/authzed/spicedb/pull/556
    • Postgres optimized revision caching by @jakedt in https://github.com/authzed/spicedb/pull/555
    • update to a version of rudd that doesn't race by @ecordell in https://github.com/authzed/spicedb/pull/557
    • mysql: use a stable unique ID for stats by @jakedt in https://github.com/authzed/spicedb/pull/546
    • Combine unit and integration jobs by @ecordell in https://github.com/authzed/spicedb/pull/559
    • README: refresh features, make CTAs scannable by @jzelinskie in https://github.com/authzed/spicedb/pull/554
    • README: adjust feature wording and links by @jzelinskie in https://github.com/authzed/spicedb/pull/560
    • internal/telemetry: report go version, git commit by @jzelinskie in https://github.com/authzed/spicedb/pull/553
    • Dispatch tests and metrics flag by @josephschorr in https://github.com/authzed/spicedb/pull/561
    • dispatch: fix NPE possibility from nil check response by @jakedt in https://github.com/authzed/spicedb/pull/562
    • Add a check on startup for the last released version of SpiceDB by @josephschorr in https://github.com/authzed/spicedb/pull/564
    • remove remaining references to revision fuzzing by @jakedt in https://github.com/authzed/spicedb/pull/566

    New Contributors

    • @sbryant made their first contribution in https://github.com/authzed/spicedb/pull/532
    • @nbarbey made their first contribution in https://github.com/authzed/spicedb/pull/556

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.6.0...v1.7.0

    Docker Images

    This release is available at authzed/spicedb:v1.7.0, quay.io/authzed/spicedb:v1.7.0, ghcr.io/authzed/spicedb:v1.7.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.7.0_darwin_amd64.tar.gz(11.22 MB)
    spicedb_1.7.0_darwin_arm64.tar.gz(10.92 MB)
    spicedb_1.7.0_linux_amd64.apk(11.19 MB)
    spicedb_1.7.0_linux_amd64.deb(11.19 MB)
    spicedb_1.7.0_linux_amd64.rpm(11.19 MB)
    spicedb_1.7.0_linux_amd64.tar.gz(10.72 MB)
    spicedb_1.7.0_linux_arm64.apk(10.22 MB)
    spicedb_1.7.0_linux_arm64.deb(10.23 MB)
    spicedb_1.7.0_linux_arm64.rpm(10.25 MB)
    spicedb_1.7.0_linux_arm64.tar.gz(9.86 MB)
    spicedb_1.7.0_windows_amd64.tar.gz(10.80 MB)
    spicedb_1.7.0_windows_arm64.tar.gz(9.93 MB)
  • v1.6.0(Apr 11, 2022)

    Highlights

    • Support for nil when writing permissions, to allow for placeholders during development
    • Developer API bug-fixes and improved error messaging
    • Container images now pushed to Docker Hub
    • Metrics bug-fixes and stats added to datastores
    • Enforce UTC on timestamp column in Postgres (database migration for Postgres users)
    • Various resiliency improvements for the CockroachDB datastore

    What's Changed

    • Add core proto message and replace v0 usage by @samkim in https://github.com/authzed/spicedb/pull/449
    • add prefixes to lookup metrics by @ecordell in https://github.com/authzed/spicedb/pull/477
    • configure dispatch for tests by @ecordell in https://github.com/authzed/spicedb/pull/438
    • README: add ports to docker, add config section by @jzelinskie in https://github.com/authzed/spicedb/pull/478
    • protect prom metric registration with a lock by @ecordell in https://github.com/authzed/spicedb/pull/480
    • Add clock skew error as resetable by @samkim in https://github.com/authzed/spicedb/pull/483
    • .github: push to dockerhub, use in readme by @jzelinskie in https://github.com/authzed/spicedb/pull/479
    • bump crdb to 21.2.7 by @ecordell in https://github.com/authzed/spicedb/pull/484
    • expose usagemetric read middleware by @ecordell in https://github.com/authzed/spicedb/pull/487
    • Fix handling of REST gateway options and add an integration test by @josephschorr in https://github.com/authzed/spicedb/pull/493
    • Use non-prepared statement for revision range query by @samkim in https://github.com/authzed/spicedb/pull/496
    • Default transaction row timestamp to UTC by @samkim in https://github.com/authzed/spicedb/pull/495
    • Add additional error context onto schema errors by @josephschorr in https://github.com/authzed/spicedb/pull/481
    • Add support for nil in schema by @josephschorr in https://github.com/authzed/spicedb/pull/494
    • Add index and fix limit on Postgres GC by @josephschorr in https://github.com/authzed/spicedb/pull/500
    • pkg/cmd: use cobrautil version command by @jzelinskie in https://github.com/authzed/spicedb/pull/491
    • Fix nil access issue in developer API when missing an expected subject by @josephschorr in https://github.com/authzed/spicedb/pull/503
    • Consolidate crdb tx retry and reset by @samkim in https://github.com/authzed/spicedb/pull/472
    • .github: migrate to authzed/actions by @jzelinskie in https://github.com/authzed/spicedb/pull/492
    • .github: fix passing of secrets to shared actions by @jzelinskie in https://github.com/authzed/spicedb/pull/507
    • update all dependencies by @jakedt in https://github.com/authzed/spicedb/pull/513
    • update straggler dependencies by @jakedt in https://github.com/authzed/spicedb/pull/514
    • Datastore stats interface by @jakedt in https://github.com/authzed/spicedb/pull/506
    • Rename any to union to fix conflict with new any name in Go 1.18 by @josephschorr in https://github.com/authzed/spicedb/pull/516
    • Add more detail to the max depth error and handle as a dev error by @josephschorr in https://github.com/authzed/spicedb/pull/488

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.5.0...v1.6.0

    Docker Images

    This release is available at authzed/spicedb:v1.6.0, quay.io/authzed/spicedb:v1.6.0, ghcr.io/authzed/spicedb:v1.6.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.6.0_darwin_amd64.tar.gz(10.87 MB)
    spicedb_1.6.0_darwin_arm64.tar.gz(10.57 MB)
    spicedb_1.6.0_linux_amd64.apk(10.84 MB)
    spicedb_1.6.0_linux_amd64.deb(10.83 MB)
    spicedb_1.6.0_linux_amd64.rpm(10.84 MB)
    spicedb_1.6.0_linux_amd64.tar.gz(10.39 MB)
    spicedb_1.6.0_linux_arm64.apk(9.93 MB)
    spicedb_1.6.0_linux_arm64.deb(9.93 MB)
    spicedb_1.6.0_linux_arm64.rpm(9.96 MB)
    spicedb_1.6.0_linux_arm64.tar.gz(9.55 MB)
    spicedb_1.6.0_windows_amd64.tar.gz(10.46 MB)
    spicedb_1.6.0_windows_arm64.tar.gz(9.62 MB)
  • v1.5.0(Mar 11, 2022)

    Highlights

    • Cloud Spanner is now supported as a backend datastore (beta) 🎉
    • Better error messages for invalid schemas
    • Several performance and resource usage improvements
    • An edge case that caused LookupResources to return incomplete results for certain schemas was diagnosed and fixed (big thanks to @NickyHeuperman for reporting!)

    What's Changed

    • Fix deletion of empty namespaces in CRDB datastore by @josephschorr in https://github.com/authzed/spicedb/pull/377
    • .github: add CodeQL lint workflow by @jzelinskie in https://github.com/authzed/spicedb/pull/378
    • Better usage metrics on non-permissions endpoints by @jakedt in https://github.com/authzed/spicedb/pull/381
    • Attempt to avoid failed crdb range splits in e2e by @ecordell in https://github.com/authzed/spicedb/pull/380
    • internal/middleware: add tests for usagemetrics by @jzelinskie in https://github.com/authzed/spicedb/pull/382
    • introduce gRPC health-check for serve-testing by @vroldanbet in https://github.com/authzed/spicedb/pull/383
    • allow gateway backend to be overridden by @jakedt in https://github.com/authzed/spicedb/pull/384
    • Fix parsing of assertions YAML to handle all errors by @josephschorr in https://github.com/authzed/spicedb/pull/387
    • Add a config object for spicedb servers, control graceful stop of all services by @ecordell in https://github.com/authzed/spicedb/pull/376
    • increase max offset for crdb cluster in e2e tests by @ecordell in https://github.com/authzed/spicedb/pull/389
    • spicedb config: pluggable authentication by @ecordell in https://github.com/authzed/spicedb/pull/390
    • bump dependencies by @ecordell in https://github.com/authzed/spicedb/pull/402
    • Avoid logging with testing.T after test has finished by @ecordell in https://github.com/authzed/spicedb/pull/395
    • support buffconn for grpc server config by @ecordell in https://github.com/authzed/spicedb/pull/392
    • add universal consistency middleware by @ecordell in https://github.com/authzed/spicedb/pull/391
    • Move the bulk of the dev API impl into its own package by @josephschorr in https://github.com/authzed/spicedb/pull/406
    • Add more context to schema parse errors by @josephschorr in https://github.com/authzed/spicedb/pull/408
    • Validation file package improvements by @josephschorr in https://github.com/authzed/spicedb/pull/409
    • Update authzed-go to bring in the API validation regex fixes by @josephschorr in https://github.com/authzed/spicedb/pull/410
    • testserver: use middleware to inject the correct per-token datastore by @ecordell in https://github.com/authzed/spicedb/pull/404
    • Change validationfile parsing to be YAML based by @josephschorr in https://github.com/authzed/spicedb/pull/413
    • Ensure development package works without context changes by @josephschorr in https://github.com/authzed/spicedb/pull/416
    • Small error fixes and improvements in validationfile by @josephschorr in https://github.com/authzed/spicedb/pull/415
    • build(deps): bump golang.org/x/tools from 0.1.8 to 0.1.9 by @dependabot in https://github.com/authzed/spicedb/pull/403
    • Add line and column info to expected relations validation errors by @josephschorr in https://github.com/authzed/spicedb/pull/418
    • Fix version command by @bryanhuhta in https://github.com/authzed/spicedb/pull/420
    • Add retries with a newly acquired connection by @samkim in https://github.com/authzed/spicedb/pull/298
    • Implement Cloud Spanner datastore by @jakedt in https://github.com/authzed/spicedb/pull/414
    • internal/datastore: singlefight revision updates by @jzelinskie in https://github.com/authzed/spicedb/pull/426
    • Add a non-caching namespace manager by @ecordell in https://github.com/authzed/spicedb/pull/423
    • Add command line flags for setting the sizes of caches by @josephschorr in https://github.com/authzed/spicedb/pull/428
    • Fix handling of removing allowed wildcards on relations by @josephschorr in https://github.com/authzed/spicedb/pull/431
    • don't allocate max_int length slices by @ecordell in https://github.com/authzed/spicedb/pull/430
    • build(deps): bump github.com/aws/aws-sdk-go from 1.42.44 to 1.43.8 by @dependabot in https://github.com/authzed/spicedb/pull/433
    • build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.28.0 to 0.29.0 by @dependabot in https://github.com/authzed/spicedb/pull/437
    • build(deps): bump go.opentelemetry.io/otel/trace from 1.3.0 to 1.4.1 by @dependabot in https://github.com/authzed/spicedb/pull/436
    • export function to get head revision for a datastore engine by @ecordell in https://github.com/authzed/spicedb/pull/444
    • Fix support for pipes in object IDs by @josephschorr in https://github.com/authzed/spicedb/pull/446
    • Have errors raised by the type system from schema construction in the devcontext be properly contextualized by @josephschorr in https://github.com/authzed/spicedb/pull/448
    • Dependabot March 4, 2022 by @josephschorr in https://github.com/authzed/spicedb/pull/450
    • Dependabot March 4, 2022 part 2 by @josephschorr in https://github.com/authzed/spicedb/pull/456
    • README updates by @josephschorr in https://github.com/authzed/spicedb/pull/445
    • Allow renovatebot by @ecordell in https://github.com/authzed/spicedb/pull/460
    • bump gofumpt to 1.3.0 and fix new formatting issues by @ecordell in https://github.com/authzed/spicedb/pull/462
    • Configure Renovate by @renovate in https://github.com/authzed/spicedb/pull/459
    • Update renovate.json by @ecordell in https://github.com/authzed/spicedb/pull/466
    • Add warnings for namespaces definitions using v0-only constructs by @josephschorr in https://github.com/authzed/spicedb/pull/461
    • lookup: fall back to a slow path (list all + check) when necessary by @ecordell in https://github.com/authzed/spicedb/pull/471
    • Remove Clone call on metadata filtering on namespaces by @josephschorr in https://github.com/authzed/spicedb/pull/468
    • Add test for writing empty schemas by @josephschorr in https://github.com/authzed/spicedb/pull/473
    • Add trace log for auth interceptor used by @josephschorr in https://github.com/authzed/spicedb/pull/474
    • Have the check warning only apply to relations, not permissions by @josephschorr in https://github.com/authzed/spicedb/pull/475

    New Contributors

    • @vroldanbet made their first contribution in https://github.com/authzed/spicedb/pull/383
    • @renovate made their first contribution in https://github.com/authzed/spicedb/pull/459

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.4.0...v1.5.0

    Docker Images

    This release is available at quay.io/authzed/spicedb:v1.5.0 and ghcr.io/authzed/spicedb:v1.5.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.5.0_darwin_amd64.tar.gz(10.34 MB)
    spicedb_1.5.0_darwin_arm64.tar.gz(10.34 MB)
    spicedb_1.5.0_linux_amd64.apk(10.26 MB)
    spicedb_1.5.0_linux_amd64.deb(10.26 MB)
    spicedb_1.5.0_linux_amd64.rpm(9.88 MB)
    spicedb_1.5.0_linux_amd64.tar.gz(9.86 MB)
    spicedb_1.5.0_linux_arm64.apk(9.46 MB)
    spicedb_1.5.0_linux_arm64.deb(9.46 MB)
    spicedb_1.5.0_linux_arm64.rpm(9.13 MB)
    spicedb_1.5.0_linux_arm64.tar.gz(9.11 MB)
    spicedb_1.5.0_windows_amd64.tar.gz(10.00 MB)
    spicedb_1.5.0_windows_arm64.tar.gz(9.24 MB)
  • v1.4.0(Jan 11, 2022)

    Changelog

    NOTE: This change includes a security fix for a vulnerability introduced in v1.3.0. All users of v1.3.0 should update to this version. See the security advisory for more information.

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.3.0...v1.4.0

    • Fixes for security advisory: https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970
    • Fix formatting by @josephschorr in https://github.com/authzed/spicedb/pull/374
    • Fix linter for many packages by @jzelinskie in https://github.com/authzed/spicedb/pull/352
    • Report CLI configurations errors to RunE by @bryanhuhta in https://github.com/authzed/spicedb/pull/351
    • Update to the latest branched version of ristretto by @josephschorr in https://github.com/authzed/spicedb/pull/354

    What's Changed

    • balancer: protect rand source with a mutex by @ecordell in https://github.com/authzed/spicedb/pull/353
    • bump authzed-go to 0.4.1 by @ecordell in https://github.com/authzed/spicedb/pull/371
    • bump dependencies by @ecordell in https://github.com/authzed/spicedb/pull/364
    • bump dependencies by @ecordell in https://github.com/authzed/spicedb/pull/368
    • crdb: touch overlap key on namespace write by @ecordell in https://github.com/authzed/spicedb/pull/357
    • e2e: fill schema with many namespaces to span ranges by @ecordell in https://github.com/authzed/spicedb/pull/349
    • fix head command: flag named inconsistently by @ecordell in https://github.com/authzed/spicedb/pull/369
    • pkg/testutil: ensure types in RequireEqualEmptyNil by @jzelinskie in https://github.com/authzed/spicedb/pull/355

    Docker Images

    This release is available at quay.io/authzed/spicedb:v1.4.0 and ghcr.io/authzed/spicedb:v1.4.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.4.0_darwin_amd64.tar.gz(9.32 MB)
    spicedb_1.4.0_darwin_arm64.tar.gz(9.29 MB)
    spicedb_1.4.0_linux_amd64.apk(8.92 MB)
    spicedb_1.4.0_linux_amd64.deb(8.92 MB)
    spicedb_1.4.0_linux_amd64.rpm(8.90 MB)
    spicedb_1.4.0_linux_amd64.tar.gz(8.90 MB)
    spicedb_1.4.0_linux_arm64.apk(8.23 MB)
    spicedb_1.4.0_linux_arm64.deb(8.23 MB)
    spicedb_1.4.0_linux_arm64.rpm(8.21 MB)
    spicedb_1.4.0_linux_arm64.tar.gz(8.21 MB)
    spicedb_1.4.0_windows_amd64.tar.gz(9.03 MB)
    spicedb_1.4.0_windows_arm64.tar.gz(8.34 MB)
  • v1.3.0(Dec 23, 2021)

    WARNING: This release contains a security issue as described in the security advisory. All users are requested to update to at least version v1.4.0 to remediate.

    Feature Highlights

    • Namespaces are now versioned internally, guaranteeing consistency during schema upgrades
    • A wildcard can be specified to allow any object to have a relationship

    What's Changed

    • goreleaser: fix tag in docker release notes by @jzelinskie in https://github.com/authzed/spicedb/pull/316
    • Pin version of watchmaker in e2e tests by @ecordell in https://github.com/authzed/spicedb/pull/322
    • internal/dispatch: extract combined dispatcher by @jzelinskie in https://github.com/authzed/spicedb/pull/321
    • Memdb datastore MVCC improvements by @jakedt in https://github.com/authzed/spicedb/pull/319
    • Simplify datastore construction by @ecordell in https://github.com/authzed/spicedb/pull/317
    • Export CLI commands as a library by @jzelinskie in https://github.com/authzed/spicedb/pull/325
    • Remove e2e timeout by @ecordell in https://github.com/authzed/spicedb/pull/328
    • pkg/cmd: root programName and share ExampleServe by @jzelinskie in https://github.com/authzed/spicedb/pull/327
    • Log revision skew values by @samkim in https://github.com/authzed/spicedb/pull/324
    • internal/dispatch: return cachingRedispatch by @jzelinskie in https://github.com/authzed/spicedb/pull/333
    • fix: copy max lifetime when passing options to the datastore by @ecordell in https://github.com/authzed/spicedb/pull/334
    • Versioned namespaces by @jakedt in https://github.com/authzed/spicedb/pull/332
    • fix: skip comments when loading test relationships by @bryanhuhta in https://github.com/authzed/spicedb/pull/335
    • Add rebase squash to contributing guidelines by @josephschorr in https://github.com/authzed/spicedb/pull/337
    • Disable e2e github step by @samkim in https://github.com/authzed/spicedb/pull/341
    • optimize reading of namespaces by @jakedt in https://github.com/authzed/spicedb/pull/342
    • test v0 preconditions in parallel by @jakedt in https://github.com/authzed/spicedb/pull/343
    • Backport some datastore changes from datastore-v2 by @jakedt in https://github.com/authzed/spicedb/pull/340
    • Implement support for the public proposal by @josephschorr in https://github.com/authzed/spicedb/pull/336
    • pkg/cmd: extract signal handling with grace period by @jzelinskie in https://github.com/authzed/spicedb/pull/345
    • Fix data races and enable race detector in CI by @ecordell in https://github.com/authzed/spicedb/pull/330

    New Contributors

    • @bryanhuhta made their first contribution in https://github.com/authzed/spicedb/pull/335

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.2.0...v1.3.0

    Docker Images

    This release is available at quay.io/authzed/spicedb:v1.3.0 and ghcr.io/authzed/spicedb:v1.3.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.3.0_darwin_amd64.tar.gz(9.28 MB)
    spicedb_1.3.0_darwin_arm64.tar.gz(9.25 MB)
    spicedb_1.3.0_linux_amd64.apk(8.88 MB)
    spicedb_1.3.0_linux_amd64.deb(8.88 MB)
    spicedb_1.3.0_linux_amd64.rpm(8.86 MB)
    spicedb_1.3.0_linux_amd64.tar.gz(8.86 MB)
    spicedb_1.3.0_linux_arm64.apk(8.20 MB)
    spicedb_1.3.0_linux_arm64.deb(8.20 MB)
    spicedb_1.3.0_linux_arm64.rpm(8.17 MB)
    spicedb_1.3.0_linux_arm64.tar.gz(8.18 MB)
    spicedb_1.3.0_windows_amd64.tar.gz(8.99 MB)
    spicedb_1.3.0_windows_arm64.tar.gz(8.30 MB)
  • v1.2.0(Dec 2, 2021)

    Feature Highlights

    • Startup flags have been simplified
    • V1 Watch API added by @jonwhitty
    • Servok no longer required for dispatch
    • Follower read support added to the CockroachDB driver

    Docker Images

    This release is available at quay.io/authzed/spicedb:v1.2.0 and ghcr.io/authzed/spicedb:v1.2.0

    What's Changed

    • Add serve-testing option to README by @samkim in https://github.com/authzed/spicedb/pull/222
    • Docker image v prefix by @ecordell in https://github.com/authzed/spicedb/pull/221
    • Add an http download api to devtools by @ecordell in https://github.com/authzed/spicedb/pull/208
    • .github: add goreleaser key by @jzelinskie in https://github.com/authzed/spicedb/pull/223
    • docs: fix typo in dashboard landing page by @jonwhitty in https://github.com/authzed/spicedb/pull/231
    • Handle the case where RELEASE SAVEPOINT fails with a retry by @ecordell in https://github.com/authzed/spicedb/pull/227
    • Add caching to Lookup dispatcher by @josephschorr in https://github.com/authzed/spicedb/pull/217
    • update builder image name to make it more unique by @jakedt in https://github.com/authzed/spicedb/pull/234
    • Improve Docker docs by @alessandromr in https://github.com/authzed/spicedb/pull/210
    • docs: remove all by @jzelinskie in https://github.com/authzed/spicedb/pull/220
    • proxy: use buffered channels and only let one subrequest write a result by @ecordell in https://github.com/authzed/spicedb/pull/242
    • update cla worfklow to allow dependabot by @ecordell in https://github.com/authzed/spicedb/pull/250
    • allow dependabot by @ecordell in https://github.com/authzed/spicedb/pull/251
    • really allow dependabot by @ecordell in https://github.com/authzed/spicedb/pull/252
    • use the grpc_health_probe binary from the official images by @ecordell in https://github.com/authzed/spicedb/pull/257
    • cmd: consistent flags for http/grpc servers by @jzelinskie in https://github.com/authzed/spicedb/pull/254
    • Use buffered channels for lookup results by @ecordell in https://github.com/authzed/spicedb/pull/259
    • support https in download API by @ecordell in https://github.com/authzed/spicedb/pull/243
    • Add github container registry release by @samkim in https://github.com/authzed/spicedb/pull/260
    • cmd/serve: revert dispatch-cluster flags changes by @jzelinskie in https://github.com/authzed/spicedb/pull/262
    • support UDS listening on grpc servers by @ecordell in https://github.com/authzed/spicedb/pull/267
    • Request ID propagation by @jakedt in https://github.com/authzed/spicedb/pull/272
    • .github: pin gofumports version by @jzelinskie in https://github.com/authzed/spicedb/pull/276
    • .github: add 5m timeout to golangci-lint by @jzelinskie in https://github.com/authzed/spicedb/pull/277
    • Prevent memdb duplicate relationships by @jakedt in https://github.com/authzed/spicedb/pull/275
    • services/v1: fix intersection tree conversion by @jzelinskie in https://github.com/authzed/spicedb/pull/281
    • Add docker login action for ghcr by @samkim in https://github.com/authzed/spicedb/pull/274
    • Move golangci-lint timeout into config by @jzelinskie in https://github.com/authzed/spicedb/pull/278
    • use consistent-hash load balancer with kubernetes resolver for dispatch by @ecordell in https://github.com/authzed/spicedb/pull/284
    • Additional expansion testing by @josephschorr in https://github.com/authzed/spicedb/pull/283
    • Add log warning to emphasize persistence/scale issues in memdb by @buraksekili in https://github.com/authzed/spicedb/pull/285
    • .github: add more automatic labeling patterns by @jzelinskie in https://github.com/authzed/spicedb/pull/287
    • README: fix flags, links, and project description by @jzelinskie in https://github.com/authzed/spicedb/pull/273
    • feat: add v1 Watch API implementation by @jonwhitty in https://github.com/authzed/spicedb/pull/263
    • Multi level caching and Lookup caching fixes by @josephschorr in https://github.com/authzed/spicedb/pull/268
    • Add revision support to v1alpha1 schema API by @josephschorr in https://github.com/authzed/spicedb/pull/271
    • Add proper dispatch and cached dispatch tracking by @josephschorr in https://github.com/authzed/spicedb/pull/289
    • Properly calculate virtualnode ids for uint16 replicationFactor by @ecordell in https://github.com/authzed/spicedb/pull/294
    • Add follower read delay option by @samkim in https://github.com/authzed/spicedb/pull/297
    • Add dispatch and cached dispatch counts to response trailer metadata and prometheus by @josephschorr in https://github.com/authzed/spicedb/pull/295

    Dependencies

    • Bump golang from 1.17.1-alpine3.13 to 1.17.2-alpine3.13 by @dependabot in https://github.com/authzed/spicedb/pull/236
    • Bump dependencies by @ecordell in https://github.com/authzed/spicedb/pull/244
    • bump dependencies by @ecordell in https://github.com/authzed/spicedb/pull/249
    • Bump golang from 1.17.2-alpine3.13 to 1.17.3-alpine3.13 by @dependabot in https://github.com/authzed/spicedb/pull/300
    • Bump github.com/Masterminds/squirrel from 1.5.1 to 1.5.2 by @dependabot in https://github.com/authzed/spicedb/pull/306
    • Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.6.0 to 2.7.0 by @dependabot in https://github.com/authzed/spicedb/pull/305
    • Bump alpine from 3.14.2 to 3.15.0 by @dependabot in https://github.com/authzed/spicedb/pull/301
    • Bump github.com/aws/aws-sdk-go from 1.41.15 to 1.42.16 by @dependabot in https://github.com/authzed/spicedb/pull/303
    • Bump github.com/jackc/pgtype from 1.8.1 to 1.9.1 by @dependabot in https://github.com/authzed/spicedb/pull/304
    • Bump github.com/lib/pq from 1.10.3 to 1.10.4 by @dependabot in https://github.com/authzed/spicedb/pull/308
    • Bump go.opentelemetry.io/otel/trace from 1.1.0 to 1.2.0 by @dependabot in https://github.com/authzed/spicedb/pull/302
    • Bump github.com/jackc/pgx/v4 from 4.13.0 to 4.14.1 by @dependabot in https://github.com/authzed/spicedb/pull/309
    • Bump github.com/benbjohnson/clock from 1.2.0 to 1.3.0 by @dependabot in https://github.com/authzed/spicedb/pull/314
    • Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.26.0 to 0.27.0 by @dependabot in https://github.com/authzed/spicedb/pull/313
    • Bump github.com/ory/dockertest/v3 from 3.8.0 to 3.8.1 by @dependabot in https://github.com/authzed/spicedb/pull/307
    • Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.26.0 to 0.27.0 by @dependabot in https://github.com/authzed/spicedb/pull/310

    New Contributors

    • @jonwhitty made their first contribution in https://github.com/authzed/spicedb/pull/231
    • @alessandromr made their first contribution in https://github.com/authzed/spicedb/pull/210
    • @buraksekili made their first contribution in https://github.com/authzed/spicedb/pull/285

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.1.0...v1.2.0

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.2.0_darwin_amd64.tar.gz(9.26 MB)
    spicedb_1.2.0_darwin_arm64.tar.gz(9.22 MB)
    spicedb_1.2.0_linux_amd64.apk(8.86 MB)
    spicedb_1.2.0_linux_amd64.deb(8.86 MB)
    spicedb_1.2.0_linux_amd64.rpm(8.83 MB)
    spicedb_1.2.0_linux_amd64.tar.gz(8.84 MB)
    spicedb_1.2.0_linux_arm64.apk(8.18 MB)
    spicedb_1.2.0_linux_arm64.deb(8.18 MB)
    spicedb_1.2.0_linux_arm64.rpm(8.15 MB)
    spicedb_1.2.0_linux_arm64.tar.gz(8.16 MB)
    spicedb_1.2.0_windows_amd64.tar.gz(8.97 MB)
    spicedb_1.2.0_windows_arm64.tar.gz(8.28 MB)
  • v1.1.0(Oct 26, 2021)

    Feature Highlights

    • SpiceDB now hedges requests internally to improve reliability and performance
    • Postgres datastore now supports garbage collection
    • Postgres datastore added an index that improves performance
    • spicedb serve now has serves an HTTP/JSON API on port 8443

    Docker Images

    This release is available at quay.io/authzed/spicedb:v1.1.0

    Changelog

    Expand the Changelog

    45c8c7d .github: add CLA workflow 82d63c1 .github: add kubeval linting ac135ea .github: disable flaky caching in golangci action 09686bd .github: label hidden files as tooling c30113c .github: split linting and building actions b906977 Add Dispose method on datastore in prep for GC worker for postgres 061db12 Add Must* methods for any methods that can panic in tuple pkg daf7807 Add a selecting a datastore document 72d3901 Add additional docs on ZedTokens and LookupResources d841e87 Add an integration test for the test server 708dab5 Add background garbage collection to Postgres data store 51ef755 Add documentation about ZedTokens/Zookies and consistency 21e1b85 Add gauges for transaction and relationship count removed by GC 75b5a6f Add prometheus metric for postgres GC duration 42019c0 Adds index on transations table timestamp 1458362 Cleanup the CachingDispatcher when binary shuts down 359afaa Fix ordering of zed arguments in the dashboard dcdae72 Fix: small error fd4749a Follow same name convention as exixting indexes 968a8b7 Make sure to cleanup goroutine generated by the namespace manager and the parser df88351 Make sure to use the checked possibly-nil pointer in memdb 56f3feb Merge pull request #115 from authzed/testserver-test 4f18a6b Merge pull request #151 from jzelinskie/dashboard-fix 3740c6c Merge pull request #152 from ecordell/fix-brew-head 79a9682 Merge pull request #155 from mterron/dockerfile-improvementes 9068372 Merge pull request #157 from ecordell/brew-completion a34ab44 Merge pull request #159 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.53 ec097e4 Merge pull request #160 from authzed/dependabot/go_modules/google.golang.org/grpc-1.41.0 9df7471 Merge pull request #162 from NickUfer/fix_spelling 8931d76 Merge pull request #164 from ecordell/e2e-timeout 72fd40a Merge pull request #165 from ecordell/fix-bad-zookie-flake baa854d Merge pull request #166 from ecordell/ds-timeout ddeee97 Merge pull request #168 from authzed/postgres-gc 39b64ef Merge pull request #169 from jzelinskie/simple-k8s 5fcd7ff Merge pull request #172 from authzed/selecting-a-datastore f82f5c4 Merge pull request #173 from jzelinskie/separate-lint e264e9c Merge pull request #174 from authzed/zedtoken-docs 713a97c Merge pull request #175 from ecordell/badzookie-flake 424037a Merge pull request #176 from authzed/must-tuple ed2e4d5 Merge pull request #178 from ecordell/transaction-ttl d926ca4 Merge pull request #181 from authzed/further-cleanup 00d2cf6 Merge pull request #184 from 0xflotus/patch-1 ca82b60 Merge pull request #187 from authzed/request-hedging 4e70dde Merge pull request #188 from jzelinskie/gateway 1347927 Merge pull request #190 from authzed/zed-args 6a69f8d Merge pull request #193 from jzelinskie/fix-golangci f8122b9 Merge pull request #194 from josephschorr/memdb-nil-guards 2ff33fc Merge pull request #195 from ecordell/multiarch 2ea1f2e Merge pull request #197 from authzed/postgres-prom f2cfaf9 Merge pull request #198 from josephschorr/update-dockertest ec71855 Merge pull request #201 from jzelinskie/bump-grpcutil 1d52699 Merge pull request #206 from jzelinskie/cla 5b5ace0 Merge pull request #211 from costap/main eff4d2f Merge pull request #212 from jzelinskie/distroless 9af26b2 Merge pull request #213 from ecordell/fix-dockerrelease b15bb9c Merge pull request #214 from ecordell/rm-nsswitch bc40650 Merge pull request #215 from josephschorr/cleanup-dispatcher-cache eab6524 Merge pull request #216 from josephschorr/zedtoken-lookup 833a3d4 Merge pull request #218 from ecordell/release-dockerfile-simplify cb5a345 Merge pull request #219 from ecordell/multiplatform 49a1105 Switch to use the temporary branch of Ristretto until https://github.com/dgraph-io/ristretto/pull/286 is merged bc195ca Typo fix 5ced015 Update handling of datastore Close to disconnect connections and change to use an errgroup to clean up Postgres GC worker b370632 Update the dockertest version fd1cfe0 Use Docker entrypoint instead of CMD. Enables using spicedb from docker directly. docker run quay.io/authzed/spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls bbc2c05 add JSON/HTTP API server via gRPC gateway 0bc713b add a datastore proxy which does request hedging 0dcfe48 add prometheus metrics to the heding datastore 2756965 add request hedging as an option to the serve command ad7e1fd allow head install from brew 58b8c69 build(deps): bump github.com/aws/aws-sdk-go from 1.40.47 to 1.40.53 56b4198 build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 bf75774 bump testreadbadzookie timeout 06fee34 cmd: add TLS flags for gateway server e9b164a cmd: default HTTP server to 8443 89576ad cmd: expand all string input c1e10de dashboard: correct zed usage 0b66478 docs: fixes minor spelling mistakes 7edfd0c e2e: plumb http server flags e0fee1e ensure e2e doesn't time out when it would have succeeded 2089465 fix TestReadBadZookieFlake 6472d7a fix docker release images 5750c29 fix the postgres prom GC metrics to respect enable prom option fddec6b gateway: add config docstrings 699c683 gateway: appease the linter f42234a gateway: extract into package and add metrics c36faef gateway: serve OpenAPI Schema at /openapi.json 377c53a gomod: bump grpcutil 5532b44 gomod: bump to authzed-go v0.3.0 e103240 increase gc window for revision expiration fd42ad4 install completions when installing via brew 536b4a2 internal/auth: remove authn annotator f119e2a internal/gateway: add otel middleware 4e604f5 internal/gateway: test tracing propagation 66372f8 internal/gateway: use prom namespace & subsystem 5405258 k8s: init basic deployment c682e67 lint: lint all markdown files b1eb53a multiarch docker image releases 321077d release: support additional platforms 1e6d62e remove nsswitch file from release image 5f3e1ad set a very short ttl in the crdb e2e tests b3a6931 simplify release dockerfile 3250215 track original and hedged datastore request durations separately 364708f use mocked time for testing request hedging

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.1.0_darwin_amd64.tar.gz(8.96 MB)
    spicedb_1.1.0_darwin_arm64.tar.gz(8.90 MB)
    spicedb_1.1.0_linux_amd64.apk(8.58 MB)
    spicedb_1.1.0_linux_amd64.deb(8.58 MB)
    spicedb_1.1.0_linux_amd64.rpm(8.55 MB)
    spicedb_1.1.0_linux_amd64.tar.gz(8.56 MB)
    spicedb_1.1.0_linux_arm64.apk(7.90 MB)
    spicedb_1.1.0_linux_arm64.deb(7.90 MB)
    spicedb_1.1.0_linux_arm64.rpm(7.88 MB)
    spicedb_1.1.0_linux_arm64.tar.gz(7.88 MB)
    spicedb_1.1.0_windows_amd64.tar.gz(8.68 MB)
    spicedb_1.1.0_windows_arm64.tar.gz(8.00 MB)
  • v1.0.0(Sep 30, 2021)

    For Authzed's first birthday, our gift isn't for us, but the community.

    Today, we're as excited as we've ever been.

    Today, the database powering the core of Authzed, SpiceDB, is now open source!

    SpiceDB is the most faithful implementation of Google's Zanzibar paper outside of the original system at Google.

    Developers create a schema that models their permissions requirements and use a client library to apply the schema to the database, insert data into the database, and query the data to efficiently check permissions in their applications. Leveraging a system like SpiceDB has become an industry best-practice and is being used to great success at companies large (Google, GitHub, Airbnb) and small (Carta, Authzed).

    As we develop SpiceDB, we will not only maintain compatibility with the original paper, but continue to introduce innovations that improve overall user experience. An example of this is our Schema Language, which compiles to Zanzibar's Namespace Configs, but adds far more intuitive syntax and type-safety. However, these types of features cannot be created in a vacuum, thus all future development on SpiceDB will be done entirely in the open.

    We invite everyone to collaborate with us on GitHub and join our discussions on the Zanzibar Discord.

    Initial features included in SpiceDB that distinguish it from other systems include:

    Getting Started

    Get a taste of the schema language

    Learn how to integrate an application

    Installation

    Installing SpiceDB

    SpiceDB is currently packaged by Homebrew for both macOS and Linux. Individual releases and other formats are also available on the releases page.

    brew install authzed/tap/spicedb
    

    SpiceDB is also available as a container image:

    docker pull quay.io/authzed/spicedb:latest
    

    For production usage, we highly recommend using a tag that corresponds to the latest release, rather than latest.

    Running SpiceDB locally

    spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls
    

    Visit http://localhost:8080 to see next steps, including loading the schema

    Changelog

    Expand the Changelog

    f9fa9a2 *.yaml: lint all YAML files af8a479 *: migrate to new v1.RelationshipFilter 871436b *: use grpc health packages 6711fad .github: add API labels f61bf2d .github: add step for diffing go generate output 3defadd .github: add yamllint 6dfed06 .github: auto label tests 24d226b .github: enforce linting with whitelisted TODOs eb52959 .github: fix buf push action 6963abc .github: fix go mod tidy check cbaee60 .github: init f16d042 .github: properly set release as output 936992a .github: tag container with release output 6393c87 Add ExpandPermissionTree to the V1 API 3a1d882 Add Limit support to tuple queries and set Limit(1) on WriteConfig checks e98407b Add ListNamespaces and remove IsEmpty c6f8d90 Add Lookup in zed-testserver 6518be1 Add ONR serialization and use it everywhere possible. b35f569 Add REDACTED example and fix loading issues associated with it 63c3120 Add a benchmark for check operations. d4e5ba5 Add a better first run experience that shows the command to run when no other arguments are specified 021d2cc Add a call to verify the test server is properly stripped 55dc464 Add a check dispatcher and implementation. a49fb56 Add a concurrent graph expander. 63735c7 Add a datastore Revision method. 18884a0 Add a datastore proxy that validates all calls b190dd2 Add a flexible postgres config system. 67f7026 Add a jaeger service and the ability to report stats to it. c1ae3c3 Add a maximum recursion depth. 7345b1e Add a namespace cache to graph evaluations. 0e8d30a Add a postgres database query benchmark. 8a3c21e Add a secrets package which mimicks python's. f149da2 Add a test for datastore write preconditions. 7b42d15 Add a test for namespace delete. Refactor memdb tests to a separate package. 5135d29 Add a test for updating a schema and its checks on relationships 9bdeca1 Add a zed-test binary tool for writing unit tests against ac37782 Add a zookie encoding/decoding library. 6fb5dad Add additional comments and some cleanup to the validationfile pkg a4423dc Add additional tests for typesystem and lookup and fix some smaller items as per code review d7f50e6 Add arch suffix to released zed-testserver binaries e96a676 Add auto-release of zed-testserver on any releases in monorepo a43a814 Add automatic query splitting when the SQL query grows beyond a defined boundary in size 7521fd9 Add basic dashboard for guidance to new users c707af5 Add basic lexer and parser for the Schema DSL f54dbd7 Add basic proto -> DSL generator d7ef928 Add basic tracing to SpiceDB 241aad8 Add better tracing to first party services. 7b6670f Add consistency tests and fix bugs discovered as a result 527593a Add context to datastore interface and thread everywhere. a18dd55 Add datastore attr to tracing span 48ab5de Add datastore tuple query tests for reverse queries, and add limits for faster verification in WriteConfig a11df78 Add datastore url config for postgres support. f854f5a Add datastore watch and the watch RPC. 9aea9e4 Add developer CI and remove REDACTED CI 22d5d71 Add developer-service subcommand fa2ff18 Add error test cases to Lookup test in ACL tests 33305ed Add format button to Playground ced742e Add full consistency testing of the developer API 99501d9 Add go generate to CI c7d958c Add grpc server metrics to spicedb. cb044e7 Add initial support for lookup across intersection and exclusion d0ca4e1 Add latency simulator to the memdb datastore. e73cd23 Add log tracer ef5c296 Add logging to lookup shared issues f8beaaf Add migration with new reverse lookup indexes for Postgres 432fead Add namespace and relation identifier validation. 6798707 Add namespace diff system 99251c4 Add namespace validator. bdb50ab Add ok status to DSL generator indicating whether the generation had any legacy issues 9ad5c99 Add packaging to run spicedb service. 13ad9cd Add pgx timezone comment 2bdf6cd Add pgxpool stat collector for prometheus c04621d Add pkg for tuple serialization and deserialization. e772729 Add position information to parsed assertions 634d94c Add preshared key auth to spicedb. e05d378 Add proto validation rules for all requests. Validate request messages for all handlers. Remove the old namespace definition validation code. 6abf320 Add readonly port to zed-testserver f54d70e Add relation type to the metadata on construction 42f317a Add revision fuzzing and test. dd84050 Add schema service to zed-testserver dac9fdb Add shared errors interfaces and use the new types in the services e1ba314 Add source position mapper for use once we read source files ca9d6f8 Add support for cross-tenant references and have generator always produce the fully cross-tenanted defs dee7b5c Add support for loading in schema and Relationships string list from the validation file format 8707d34 Add support for metadata on namespaces and relations ae58bd8 Add support for recursive expansion 3cf04a0 Add tenancy definitions to consistency test 3e6c6e2 Add the basic local start command to the README.md 216c5c5 Add tracing to sql driver internals. 6ee74ab Add tuple queries. 84b63ac Add tuple writes. 622b512 Add type system failure for use of permissions on the left hand side of an arrow 5dec8f7 Add validation of relationships in the developer API context 7804d2a Add zerolog marshaling to error types with information 6677737 Adjust the terms in our errors to match the new terminology d55309b Allow for single character object IDs 1722118 Allow underscores at the beginning of object IDs d504f5b Bootstrap file support 8e02dfd Change Playground to be based on DSL 276b89b Change ReadSchema to always return a schema on upgrade 98268ca Change V1 schema write to delete any unreferenced object types 3ec63cf Change all legacy tuple string formats to ellide ellipsis ef1bc02 Change developer API to use the DSL 1788bc7 Change entrypoint to use and configure zerolog. 74197cb Change identifiers in tests to be valid. 0635cb3 Change panics into errors 773afcb Change start inclusion to an enum for clarity. e269342 Check revisions on read requests. e8b7912 Cleanup tests a bit 9b212c5 Cleanup the consistency tests a bit before adding dev tests 2474518 Consistency middleware for V1 API 6d1c9dc Create a reduced datastore interface just for loading tuples. 344be27 Create a testfixtures package. 1d91c58 Datastore compliance tester should run subtests. 3d0272d Decode and respect request zookies. Better error handling for grpc handlers. Tests for ACL and namespace services. 3e12385 Deleteing a nonexistent tuple no longer errors. 22afdcd Disallow relationship writes on permissions add5a74 Downgrade pq to 1.9.0 0a04909 Enable better reporting of schema errors 4eb8282 Export prometheus stats from sql driver. f2b4aa4 Extract namespace builder to its own package. d180ac4 Extract out errorIfTupleIteratorReturnsTuples 93706dc Fix SSL server initialization. 67456ee Fix arrow dispatch issue in expand as well and add an addition test 9934ea5 Fix bug in exclusion check a971b5d Fix bug where nil iterator could be closed. fc8b958 Fix concurrency errors in postgres Watch. 192e209 Fix defer statement ordering d1ce892 Fix handling of intersection and exclusion in the membership set 15cbc52 Fix ns relation denormalization in memdb. 242aeea Fix read and write schema in REDACTED 81b25d4 Fix synthetic semicolon insertion for right parens 94a6512 Fix test for recent permissions check PR bd9489d Generate server latency metrics for REDACTED and spicedb. 26386a5 Handle comments in DSL compiler and generator 412ce5e Have Checks return true if the start and goal relations are the same, or if we get to the same relation via a computed userset caa9c1b Have checkComputedUserset verify that the target relation exists before dispatching 940db9d Have dashboard take the migration status of the datastore into account 98e8271 Have edit check errors placed under each check eb6fdfc Have namespace config writes check for breaks in tuple relations 384479c Have smaller comments format to a single line 0415110 Implement ACL expand handler. 95030e0 Implement ContentChangeCheck handler. d046bc0 Implement V0 DeleteConfigs API 9711f45 Implement V1 LookupResources API 9e255a8 Implement basic DSL -> proto compiler c50347c Implement check handler. 069766b Implement consistency testing for written V1 endpoints d729033 Implement developer API 33cb010 Implement health check handler. 01f1336 Implement namespace delete. 785d123 Implement postgres datastore for spicedb. a2d6366 Implement the V1 schema service 4d4d935 Implement the read tuple method. def2f9c Implement top-down structural lookup 8b6c480 Initial check-in of spicedb. 886fdea Loosen the objectID validation to fit existing data requirements. c9ec958 Make jaeger tracing endpoint configurable. f322b89 Make revision fuzzing configurable with a default. 88a3500 Make sure to strip the binary before release to remove ALL symbols 0e62048 Make the datastore test suite neutral. b536e91 Make the prefix requirement optional by default in SpiceDB 10e2b93 Merge pull request #100 from authzed/goreleaser-init d1c4fa5 Merge pull request #1029 from REDACTED/readonly-testing d420148 Merge pull request #103 from authzed/yamllint cfb2cc6 Merge pull request #1034 from REDACTED/lookup-logging a31cb0b Merge pull request #1040 from REDACTED/s3-auto-region 8479899 Merge pull request #1041 from REDACTED/s3-content-type b5dc304 Merge pull request #1042 from REDACTED/underscores 61ee10a Merge pull request #1047 from REDACTED/migration-fallout 91f649b Merge pull request #105 from authzed/dependabot/docker/golang-1.17.1-alpine3.13 eae12c0 Merge pull request #1069 from REDACTED/ttu-typecheck 6b6f3e9 Merge pull request #108 from authzed/dependabot/go_modules/github.com/lib/pq-1.10.3 5f7e9f3 Merge pull request #1080 from REDACTED/membership-set-fixes 1aa9bff Merge pull request #1082 from REDACTED/parser-fix 3517674 Merge pull request #1085 from REDACTED/dev-consistency-tests 254f5dd Merge pull request #110 from authzed/dependabot/go_modules/github.com/rs/zerolog-1.25.0 385b10e Merge pull request #1105 from REDACTED/comment-format 72dca34 Merge pull request #111 from authzed/update-otel f63a3c6 Merge pull request #112 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.47 6f329a7 Merge pull request #113 from authzed/dependabot/go_modules/github.com/fatih/color-1.13.0 0256f66 Merge pull request #1139 from REDACTED/dependabot-go 91b3324 Merge pull request #114 from authzed/zedtoken-backcompat bad00e2 Merge pull request #116 from authzed/datastore-tests f2d4bf9 Merge pull request #1160 from REDACTED/spicedb-delete-validate 6ec17a7 Merge pull request #1161 from REDACTED/spicedb-router 6161b18 Merge pull request #1162 from REDACTED/lookup-improvements 55a8a5a Merge pull request #1166 from REDACTED/dependabot-go 5bf032e Merge pull request #117 from authzed/reorder-readme 02ccce9 Merge pull request #1186 from REDACTED/dependabot/go_modules/spicedb/github.com/aws/aws-sdk-go-1.40.16 65e6265 Merge pull request #119 from authzed/drop-crdb-migration ce8b2ec Merge pull request #1195 from REDACTED/fix-arrow-bug f7ef76c Merge pull request #120 from authzed/linting c569f93 Merge pull request #122 from authzed/gr-chglog 13a8f8b Merge pull request #1224 from REDACTED/spicedb-oss 70e663e Merge pull request #1227 from REDACTED/max-max-depth c33cc40 Merge pull request #123 from authzed/add-servicer-tests 923ce9b Merge pull request #1230 from REDACTED/spicedb-prefixes 1607a3f Merge pull request #1231 from REDACTED/flag-audit 71961e8 Merge pull request #124 from authzed/rm-extra-buf-work 547e2c0 Merge pull request #1246 from REDACTED/servok-bsr 6031872 Merge pull request #1248 from REDACTED/validationfile-cleanup 900b42b Merge pull request #125 from authzed/ellipsis-followup 8599cd2 Merge pull request #130 from authzed/v1-read-fix e9affab Merge pull request #132 from authzed/delete-tests 725f182 Merge pull request #133 from authzed/servicer-tests 55f44e7 Merge pull request #134 from authzed/e2e-constants 4e1a741 Merge pull request #135 from authzed/version 82899ac Merge pull request #136 from authzed/fix-release 43a98f7 Merge pull request #137 from authzed/migname 97e9f06 Merge pull request #138 from authzed/crdb-perf 29b03f2 Merge pull request #139 from authzed/golangci c201f6b Merge pull request #140 from authzed/readme-devtools d01fadf Merge pull request #143 from authzed/fix-retry-histogram f707760 Merge pull request #145 from authzed/fix-grpc-test b629365 Merge pull request #146 from authzed/brew a4bef05 Merge pull request #25 from authzed/github-actions e1cd108 Merge pull request #26 from authzed/dependabot/docker/alpine-3.14.1 0900760 Merge pull request #27 from authzed/dependabot/docker/golang-1.17.0-alpine3.13 fde257b Merge pull request #28 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.27 d27b146 Merge pull request #29 from authzed/dependabot/go_modules/google.golang.org/grpc-1.40.0 3732c86 Merge pull request #30 from authzed/fix-release ab93550 Merge pull request #31 from authzed/fix-release-again 6d9e22a Merge pull request #33 from authzed/quay-link dc38699 Merge pull request #34 from authzed/upstream-grpcutil f156579 Merge pull request #35 from authzed/stringer-ci 40402c3 Merge pull request #37 from authzed/one-buf-gen 98c2540 Merge pull request #38 from authzed/bootstrap-files b7e2031 Merge pull request #39 from authzed/internal-redispatch e23c4bf Merge pull request #45 from authzed/README-fixes 6123a12 Merge pull request #46 from authzed/validate-devcontext 90babad Merge pull request #47 from authzed/no-write-permission 9158081 Merge pull request #48 from authzed/validate-mw 7072d08 Merge pull request #49 from authzed/nscheck-revision ed605c6 Merge pull request #50 from authzed/constency-test 4181a3c Merge pull request #51 from authzed/dependabot/docker/alpine-3.14.2 106305d Merge pull request #52 from authzed/dependabot/go_modules/github.com/rs/zerolog-1.24.0 79817a3 Merge pull request #53 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.34 89845b0 Merge pull request #54 from authzed/imgbuild-gh a090d01 Merge pull request #547 from REDACTED/spicedb 8a8e5b7 Merge pull request #55 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.35 fffa067 Merge pull request #56 from authzed/better-schema-errors e59b740 Merge pull request #57 from authzed/schema-update-test 406233d Merge pull request #570 from REDACTED/REDACTED-go dd7a5e4 Merge pull request #576 from REDACTED/spicedb 63eb7fe Merge pull request #578 from REDACTED/postgres 640ede2 Merge pull request #60 from authzed/nsswitch d6c8bb3 Merge pull request #609 from REDACTED/spicedb-perf 9a62142 Merge pull request #610 from REDACTED/pg-conns 55f4c64 Merge pull request #612 from REDACTED/spicedb-tracing 5f92727 Merge pull request #614 from REDACTED/observability 7ddcb87 Merge pull request #615 from REDACTED/leakfix 01d366b Merge pull request #616 from REDACTED/downgrade-pq 180a093 Merge pull request #617 from REDACTED/idempotent-delete ca3b8fc Merge pull request #62 from authzed/fix-tests db0162e Merge pull request #623 from REDACTED/buckets 27a3589 Merge pull request #63 from authzed/namespaces-by-id 49f3b3b Merge pull request #637 from REDACTED/pgx 3a3c43d Merge pull request #64 from authzed/local-protos 4426163 Merge pull request #642 from REDACTED/no-cancel-sql 4b8ffc1 Merge pull request #649 from REDACTED/omitstart c75ca23 Merge pull request #65 from authzed/error-handling cd19ab1 Merge pull request #652 from REDACTED/zed-test 2238ef8 Merge pull request #66 from authzed/better-run 21e6b78 Merge pull request #67 from authzed/v1-protos 145c0d7 Merge pull request #671 from REDACTED/trace-REDACTED 362e83c Merge pull request #68 from authzed/fix-buf-push b9b59f5 Merge pull request #688 from REDACTED/rename-zedserver 0af2961 Merge pull request #69 from authzed/v1-prep 1a57afc Merge pull request #691 from REDACTED/token-based-server c2bc99b Merge pull request #692 from REDACTED/spicedb-migration bb4b7bd Merge pull request #70 from authzed/v1-consistency-middleware b114bba Merge pull request #705 from REDACTED/migration-config 6987dbe Merge pull request #72 from authzed/prep-consistency-tests c8ca87d Merge pull request #729 from REDACTED/type-system-top-lookup 2821aae Merge pull request #73 from authzed/authless-reflection 2bf9c81 Merge pull request #74 from authzed/v1-read e1b7747 Merge pull request #741 from REDACTED/exclusion-bug cd2decc Merge pull request #75 from authzed/newenemy 21a1884 Merge pull request #779 from REDACTED/schema-dsl 9dcf187 Merge pull request #78 from authzed/datastore-for-schema 70b7660 Merge pull request #780 from REDACTED/metadata 3c63c3b Merge pull request #79 from authzed/elide-ellipsis 0bcc8a5 Merge pull request #790 from REDACTED/schema-compiler 0c83249 Merge pull request #791 from REDACTED/crdb-dev 349007b Merge pull request #798 from REDACTED/crdb-ci-len c848071 Merge pull request #799 from REDACTED/schema-proto 73ce29e Merge pull request #80 from authzed/v1-check f8698ac Merge pull request #803 from REDACTED/overwritten-ns 1419b93 Merge pull request #806 from REDACTED/developer-api 99f372b Merge pull request #807 from REDACTED/pulumi-stage 5aed0cc Merge pull request #809 from REDACTED/better-errors 44bef3f Merge pull request #81 from authzed/v1-schema-service dcfb6f7 Merge pull request #821 from REDACTED/crdb-perf b181a9a Merge pull request #826 from REDACTED/crdb-perf d2d15a2 Merge pull request #83 from authzed/v1-delete 009d84a Merge pull request #831 from REDACTED/dsl-playground 1a33f35 Merge pull request #832 from REDACTED/crdb-perf e9308cb Merge pull request #834 from REDACTED/error-terms 92837dc Merge pull request #84 from authzed/authzed-go-protos 0669d71 Merge pull request #844 from REDACTED/spicedb-read-only f3ef249 Merge pull request #85 from authzed/dispatch-relref 9463381 Merge pull request #86 from authzed/v1-lookup 193cf98 Merge pull request #87 from authzed/testserver 3e1439d Merge pull request #88 from authzed/head-migration-note 004846d Merge pull request #89 from authzed/must-revision 7103c13 Merge pull request #91 from authzed/v1-consistency-testing f4115c9 Merge pull request #92 from authzed/add-start-command fc3f953 Merge pull request #920 from REDACTED/dependabot/go_modules/spicedb/github.com/prometheus/client_golang-1.11.0 e603150 Merge pull request #921 from REDACTED/dependabot/go_modules/spicedb/github.com/envoyproxy/protoc-gen-validate-0.6.1 bbbd758 Merge pull request #923 from REDACTED/dependabot/go_modules/spicedb/github.com/grpc-ecosystem/go-grpc-middleware-1.3.0 709e1ba Merge pull request #93 from authzed/v1-expand d9b41c0 Merge pull request #930 from REDACTED/v1alpha1-schema-iter 0dd3970 Merge pull request #933 from REDACTED/assertion-positioning c55aae1 Merge pull request #935 from REDACTED/dsl-format-button 0b5795f Merge pull request #938 from REDACTED/schema-test 3ee7dca Merge pull request #94 from authzed/delete-namespace d795237 Merge pull request #940 from REDACTED/migration-script 48d8234 Merge pull request #95 from authzed/lookup-require-type bb7f65a Merge pull request #97 from authzed/single-middleware 3c2cf15 Merge pull request #974 from REDACTED/dsl-comments 915e8cd Merge pull request #98 from authzed/v1-write d23222c Merge pull request #99 from authzed/readonly-ts 29345cb Move ONRSet into the tuple package 83ad8e0 Move common package to input and other small requested fixes e41f03d Move graph walking into a common lib 9100e6f Move memdb constants to the proper files. c88c169 Move query split point to a CLI option a36bae6 Move root run to a serve subcommand fa359ce Move transaction to first parameter. 4b1d9cc Namespace cache is now namespace manager. f9424c5 Namespace typesystem and initial reverse walk ("Lookup") 322d3f6 Omit expand start when expanding _this. f3d9a86 Optimistically close rows object. ca68d73 Prepare the consistency test suite for the V1 API d3d9987 README: add custom image for container badge a9da383 README: fix badge links d7cdbf5 README: fix build instructions and add links e3ccd5b README: link Quay badge to tags tab 0e34b3d README: mention devtooling API d5a5982 README: move install into getting started d618017 REDACTED: add support for dry-run migrations 932ecbd REDACTED: fixes to use the smart client 9ba9671 REDACTED: move x509util to spicedb pkg 696397c REDACTED: use spicedb validation regex for ns fa33c48 REDACTED: valid identifiers for revision names 130bf15 Raise an error if type info is missing on a Lookup d1fdf07 Reading and writing namespaces with memdb. 5027b69 Rebase fix 387a2ef Reenable and fix lookup test and address PR feedback bac6fe8 Refactor spicedb testfixtures. a7f52f4 Refactor testfixture helpers to exported package. d30d206 Remove an extra level of indirection in expand. 0673669 Remove as many transactions on read as possible. 4a355d3 Remove mirroring of input parameters in LookupResponse 67ecdb9 Remove namespace and relation checking from the datastore. 064d850 Remove namespace manager from namespace service to ensure we never use a cached namespace 510dc95 Removed resolvedobjectset and reuse the ONR set 9460d93 Rename developer-service command 5d21ceb Rename the internal header for remaining depth. b6ef6d4 Rename the internal proto to impl. 4a8d7ad Replace sqlx with pgxpool 137655a Separate grpc ctxt from db ctxt to prevent closing. 8892dea Set "auto" region to use S3 on GCS b897e57 Set a max connection age on spicedb. a528051 Set content type of shared items in the S3 share store af869be Skip direct tuple lookup if it isn't allowed from the type system b7cfb1b Small requested fixes e122626 Speed up spicedb docker rebuild. 1a20ff8 Style fixes. 27f5b0c Style fixes. 9c16dba Suppress trace log messages in tests by default. 372fbd6 Switch Postgres and CRDB datastores to use a common tuple query e7820eb Switch memdb to always store config bytes ba42792 Switch order of context in compiler and other requested improvements d49948b Switch to a single unified TupleQuery which only allows for a single call to each builder method 5946b94 Switch to concurrent operations in lookupDirect and in lookupTTU abacc67 Switch to using a batch data loader for userset lookups 1cf234a Test revision fuzzing in servicers. ecf3851 Tuple query now uses a struct copy. ab52008 Tweak prom histogram buckets for our use case. 3eebdc7 Unify the tuple and namespace datastore interfaces. Eliminate the memdb tx ID tracker and delgate to the datastore. Verify that write tx IDs are monotonically increasing. bd0e511 Update datastore to well-typed information preserving errors 4f0b796 Update error handling for recent semantic errors change 1a0390e Update graph to well-typed information preserving errors e98d0a5 Update namespace to well-typed information preserving errors 71804c8 Update otel to v1.0.0 ee13a72 Update release notes for zed-testserver 48b4e58 Update versions of go mods based on depbot bb3fefc Upgrade to the fixed version of go-memdb. b584a36 Use the context aware database calls everywhere. e60352e Use the proper sync revision for type checking on schema/namespace changes 266aa0c Use utc for now timestamps, add pgx config caf62ac Validate namespaces before writing them. e90e0fc Verify namespace and relation on read requests. b1f1d88 Verify tuple correctness on write operations. Very expected output for check and expand operations. 015fd60 We must make sure we got an iterator before we close it. fed435b Wrapper server in zed-testserver which multiplexes to different SpiceDB services based on the incoming token c4808d0 Zookie decode must check for nil parameter. 3ab76c0 add a (failing) test for new enemy behavior a3c3b7d add a default nsswitch.conf file 4dfb496 add a gh workflow step to do a build of the container image 3be0b1b add a mapping datastore proxy implementation which encodes namespace names 5df7a56 add a note about head migrations d248829 add a prometheus bucket for zero retries 31f7f72 add a test for consistency properties to the hash ring 26d0783 add a test for v1 CheckPermission 180fb65 add a test for v1 ReadRelationships 4a7c423 add a zedtoken internal implementation 3ac63f6 add homebrew release c895e7c add test for v1 DeleteRelationships dc741e3 add the test server as a spicedb subcommand 7005e14 add v1 CheckPermission implementation 1373653 add v1 proto definitions 07def0a add version command 2c9937c allow cached quantized revisions to be used e920281 always observe the crdb retries histogram aa81414 auth: simplify preshared key func 55f01d6 better lookup request logging 57af7f0 buf: consolidate into one buf.gen.yaml ea16f29 buf: generate servok protos from BSR af88301 buf: remove non-existent authzed-api path 0bf9643 build(deps): bump alpine from 3.13 to 3.14.0 in /spicedb a64d9ce build(deps): bump alpine from 3.14.0 to 3.14.1 d40e8a8 build(deps): bump alpine from 3.14.1 to 3.14.2 8a42c81 build(deps): bump github.com/aws/aws-sdk-go from 1.40.16 to 1.40.27 1530c47 build(deps): bump github.com/aws/aws-sdk-go from 1.40.27 to 1.40.34 3c73bb6 build(deps): bump github.com/aws/aws-sdk-go from 1.40.27 to 1.40.35 41162b6 build(deps): bump github.com/aws/aws-sdk-go from 1.40.35 to 1.40.47 59ab61e build(deps): bump github.com/aws/aws-sdk-go in /spicedb e894118 build(deps): bump github.com/envoyproxy/protoc-gen-validate in /spicedb 57ba568 build(deps): bump github.com/fatih/color from 1.12.0 to 1.13.0 d2a5d35 build(deps): bump github.com/grpc-ecosystem/go-grpc-middleware fd6a556 build(deps): bump github.com/lib/pq from 1.10.2 to 1.10.3 689357c build(deps): bump github.com/prometheus/client_golang in /spicedb 8fd2d05 build(deps): bump github.com/rs/zerolog from 1.23.0 to 1.24.0 48e6f55 build(deps): bump github.com/rs/zerolog from 1.24.0 to 1.25.0 7a2480d build(deps): bump golang from 1.16-alpine3.13 to 1.17.0-alpine3.13 305b664 build(deps): bump golang from 1.17.0-alpine3.13 to 1.17.1-alpine3.13 66b4be0 build(deps): bump google.golang.org/grpc from 1.39.0 to 1.40.0 3eb96b1 bump bufbuild in gha ad3bd93 bump ci to go 1.17 4f5e813 change datastore to handle new object filters from v1 74d2ce4 change the internal grpc port bc84bb9 change zed-testserver to use reflection and real server 2fd51d7 cmd: add comments delineating flag sections 7c86974 cmd: consistent flag prefixes and cobrautil usage a8ebf79 cmd: consistent migration flags 5914a1a cmd: delete crdb migration script df9dbbb cmd: use cobrautil.CommandStack a322cb0 cmdutil: add funcs for registering dependent flags 2451fd0 datastore/crdb: pass go lint 07bfc53 datastore/memdb: pass go lint 85c1c76 datastore/proxy: pass go lint fd374a9 datastore/test: pass go lint ff7eff7 datastore: add docstrings to pass go lint 78b1c5a datastore: consistently name var relationFilter f83ed7e datastore: create type for QueryTuple filtering 13339da datastore: handle preconditions with pgx.ErrNoRows 223cb12 datastore: rename WithUserset to WithSubjectFilter 5cce586 datastores/psql: pass go lint 589ba98 deadcode: remove all unused code a7b43b2 dependencies: go mod tidy 198b898 determine transaction overlap keys from namespace prefixes da5052c dispatch: only fail on unexpected errors 1408a4c document the lookaside cache handling 89ea338 e2e: tweak constants to reduce flakes e6486cb errcheck: handle all errors explicitly 4028aa8 fix all linter errors in internal/services f717917 fix buf build 8f34ec4 fix cluster dispatch error handling 0116382 fix datastore delete implementations ca5980e fix linter build lines for go 1.17 9710aa7 fix linter errors 9d22d60 fix memdb modifying source builder state e07a59e fix package path in goreleaser 1be2b9d fix readonly test server 5008a0d fix relationship filter precondition checking 45d948e fix the error rewrite for ErrAlwaysFail da2663e fix typos in main method 466851f fix v1 ReadRelationship to save modified query 2aaeff0 generate options for crdb / spicedb test abstractions a358780 go.mod: use upstream grpcutil 182acfd goimports: fix all local/thirdparty splits 128a6b9 gomod: tidy 56a50e5 govet: fix all mutex copies d006abe grpcutil: add RequireStatus method 035670b handle crdb retries 0ae9a5c handle more error and shutdown conditions on startup 67fdfac helper function for revisions and zedtokens from context 9dc70fe ineffassign: remove all ineffective assignments 5bf98df infra: ugprade CRDB to v21.1.3 be5692a internal/datastore: add delete preconditions test 8231c02 internal/datastore: adopt v1.Precondition 4304048 internal/datastore: exercise DeleteRelationships 91fb449 internal/proto: fix reproducibility 1e2df28 internal/services/v1: init DeleteRelationships af83dbc lint: add golangci-lint 2f8f799 log whether an internal expand was recursive e926286 make consistent backend client more idiomatic e729283 make deleterelationship tests more permissive 5827290 make zedtokens binary compatible with all versions of zookie 55eed77 move generated protos back to authzed-go 5d58771 move to internal proto imports, remove smartclient 049dc12 pkg/cmdutil: upstream to cobrautil d729505 pkg/tuple: add MustParse and use it in tests e5fce8c pkg/tuple: add pretty print for sub/obj refs cfb3986 pkg/tuple: add relationship parsing cfe6947 pkg/tuple: avoid overflow on panic cbb8287 pkg/tuple: print error with all invalid panics a47973f pkg/tuple: validate in conversions edcaa69 prevent new enemy by forcing transaction overlap 18963b3 prevent newenemy with smart sleeping 031b8ce proto: consolidate protos and generate internally 6bc1f7b proto: rehome authzed API definitions 643a9b4 proto: update buf to 0.48.2 69aa398 protos: add schema API a4f622e protos: disambiguate Read/Write Schema APIs 8743e3e protos: fix go_package import path for schema 6948601 protos: make metadata internal to spicedb 0278d93 protos: move authzed-api into a subdirectory 116ff2c protos: remove implicit_permission_system 2400c5d re-enable ci tests 20c0685 remove ellipsis from remaining test cases 5bd6fd3 remove smart sleeping 7ce8610 remove the tracer code that's no longer used e91a506 remove the unnecessary short circuits f7e8eaf rename smartclient to consistent backend client caa3295 rename the prom metrics variables in caching dispatch 7e27ae1 rework service initialization to more cleanly handle required interceptors 84488e0 rework the way the consistent backend client startup works b4c258b services/v1: add write tests d6a6079 services/v1: implement WriteRelationships 15643e1 services/v1: test error messages ed83812 services/v1: verify updates' types & subject 4edf9c4 servok: take the DNS name to resolve as a request parameter 8350b97 servok: use fully-qualified SRV record locators 1f28d61 set fetch depth for goreleaser 0576b25 show the contents of the git diff for protos 78e9257 small cleanups 136d2d0 spicedb/REDACTED: bump deps 6716384 spicedb/REDACTED: migrate to open telemetry v1 fcf2b0e spicedb/infra/servok: bump deps c4f659d spicedb: Add a pure go migration framework. 78f77e8 spicedb: InvalidArgument bad namespace conversions db03bbd spicedb: add CRDB tracing 2d946f5 spicedb: add W3C propagation to tracing 80d9d57 spicedb: add a crdb driver skeleton 9126a60 spicedb: add a crdb migration tool 49faa51 spicedb: add a head subcommand to calculate database head revision 9f6e3f0 spicedb: add a migrate subcommand 926c9c6 spicedb: add a service level cache for check 459f43e spicedb: add a shutdown grace period 84d98d8 spicedb: add an internal API smartclient 544bd55 spicedb: add an internal redispatch API 200e95a spicedb: add client that routes using request hashing d6065b0 spicedb: add dockerfile 2d1d08d spicedb: add error to migration failure 8b90539 spicedb: add generic tuple iterator for a materialized slice of tuples cbe3551 spicedb: add opentelemetry interceptor 0af4b59 spicedb: add readme, license, etc.. 7076dc3 spicedb: add support for CRDB to main.go 1d36a30 spicedb: allow for duplicate watch events in tests dc3b530 spicedb: buf.gen.yaml is executable ea42319 spicedb: build zed-testserver in container image f54ea94 spicedb: bump stringz c32ccf5 spicedb: change CRDB test version to match stage cluster 305ebd1 spicedb: change CRDB watch to use resolved revisions f0eb6a4 spicedb: clean up compiler and errors in schema 078abef spicedb: clean-up comments 251b596 spicedb: convert existing test migrations to new framework 8a578ef spicedb: create services/v0 package 18c8c46 spicedb: datastore revisions uint64 -> decimal.Decimal c79711c spicedb: deduplicate tuples in CRDB migration script 4980c22 spicedb: delete unused validate protos 4211a42 spicedb: do not recompute revision on redispatch d2ccedb spicedb: eliminate spurious delete events from touches 5638d4e spicedb: ensure CRDB cluster gc TTL is large enough to support requested TTL 0059465 spicedb: export logging/tracing PreRuns 5e268e7 spicedb: expose flags for pg connection pool dedb2f7 spicedb: fix CRDB revision quantization for zero, add a default 6e78673 spicedb: fix change batching in CRDB and add test. d05e723 spicedb: fix postgres driver prefix check eb17d46 spicedb: fix tests 0c93328 spicedb: generate servok protos 226f59f spicedb: get CRDB hlc from insert queries to save round trips 64a4ac4 spicedb: gofumpt d3238e4 spicedb: handle error conditino in watch endpoint 2cb5c6b spicedb: implement CRDB reverse tuple query 8bd6d0a spicedb: implement read-only mode d05c262 spicedb: implement v1alpha1.SchemaService 45075bc spicedb: increase smartclient max backoff for resolver 2e58495 spicedb: initial implementation of native CRDB datastore 4679a7b spicedb: initialize memdb with an empty transaction 4ddb612 spicedb: limit the acceptable incoming depth remaining b90ba23 spicedb: main with zap/cobra/metrics/signals f1c59a0 spicedb: make CRDB code simpler and more idiomatic 0a9bc8a spicedb: make CRDB connection pooling configurable 18860b3 spicedb: make code more readable, fix typos 0bf5824 spicedb: make gc window configurable in tests cd8a05f spicedb: make protobuf generation reproducible bee17ec spicedb: mark CRDB queries as read only transactions 27c1199 spicedb: mark overwritten namespaces as deleted ddd76bd spicedb: migrate impl to internal protos f1e7aa7 spicedb: migrate to authzed/api/v0 e85b89a spicedb: move flags/commands under command file c70e226 spicedb: mv grpchealth grpcutil, add auth mixin 10e1d94 spicedb: name conflict fix in proto package 0addd20 spicedb: no implicit permission system in schema 7bae771 spicedb: refactor reverse tuple queries 7946de7 spicedb: regenerate protobufs 5fc6aaf spicedb: remove golang-migrate 5f6778b spicedb: remove unused CRDB prometheus stats option 584a283 spicedb: replace consistent hash impl 052b835 spicedb: rm spans injected by gRPC interceptor a7a7cc3 spicedb: run metrics server on developer mode 458eb4a spicedb: scope migrations to application context f44e7e8 spicedb: sever grpc and datastore context for CRDB b424f4f spicedb: smartclient retry and improved constructor 5e90f17 spicedb: surface rows.Scan error to caller 4bed0ac spicedb: test postgres datastore impl against cockroachdb 9887289 spicedb: use an extended error type for read-only c32da1f spicedb: use buf to generate protos 6947fb8 spicedb: use local cluster redispatch b393874 spicedb: use read only transaction everywhere eb7e945 spicedb: use the authzed-go api protos aabd3ea spicedb: use the internal API everywhere 463146a split and refactor graph and dispatch b2a09c0 start test process locally 5d09aaa staticcheck: rm deprecated calls 772d6f7 statistically determine new enemy invulnerability 3c4dc6c structcheck: remove all unused fields e086f85 switch to validation middleware 82d716c test that crdb is vulnerable to newenemy if protections are disabled 52bf8fd unused: remove unused funcs 4a69b3f unwrap cockroach retry logic on read methods 1bc21af update go Dockerfiles to only build required binary 0d5132f update migration name 63d33de update readme for homebrew e7a6991 use authless reflection implementation from grpcutil f8319c8 use goreleaser to build binaries and packages 875aa84 use relationreference instead of onr for lookup dispatch a06b81d use the iterations it took to reproduce the newenemy problem to inform the number of times we test for invulnerability 0cd8b95 v1: add the read method 7ea8db7 v1alpha1: add schema tests

    Source code(tar.gz)
    Source code(zip)
    checksums.txt(1.14 KB)
    spicedb_1.0.0_darwin_amd64.tar.gz(8.61 MB)
    spicedb_1.0.0_darwin_arm64.tar.gz(8.54 MB)
    spicedb_1.0.0_linux_amd64.apk(8.25 MB)
    spicedb_1.0.0_linux_amd64.deb(8.25 MB)
    spicedb_1.0.0_linux_amd64.rpm(8.22 MB)
    spicedb_1.0.0_linux_amd64.tar.gz(8.23 MB)
    spicedb_1.0.0_linux_arm64.apk(7.59 MB)
    spicedb_1.0.0_linux_arm64.deb(7.59 MB)
    spicedb_1.0.0_linux_arm64.rpm(7.57 MB)
    spicedb_1.0.0_linux_arm64.tar.gz(7.58 MB)
    spicedb_1.0.0_windows_amd64.tar.gz(8.35 MB)
    spicedb_1.0.0_windows_arm64.tar.gz(7.69 MB)
Owner
authzed
A Zanzibar-inspired database platform that stores, computes, and validates application permissions.
authzed
This is a simple graph database in SQLite, inspired by "SQLite as a document database".

About This is a simple graph database in SQLite, inspired by "SQLite as a document database". Structure The schema consists of just two structures: No

Denis Papathanasiou 1.1k Jun 28, 2022
A simple golang api generator that stores struct fields in key/value based databases

Backgen A simple golang API generator that uses key/value based databases. It does not provide the database itself, only uses a interface to access se

null 0 Feb 4, 2022
Owl is a db manager platform,committed to standardizing the data, index in the database and operations to the database, to avoid risks and failures.

Owl is a db manager platform,committed to standardizing the data, index in the database and operations to the database, to avoid risks and failures. capabilities which owl provides include Process approval、sql Audit、sql execute and execute as crontab、data backup and recover .

null 35 Jun 17, 2022
Beerus-DB: a database operation framework, currently only supports Mysql, Use [go-sql-driver/mysql] to do database connection and basic operations

Beerus-DB · Beerus-DB is a database operation framework, currently only supports Mysql, Use [go-sql-driver/mysql] to do database connection and basic

Beerus 6 Mar 5, 2022
Hard Disk Database based on a former database

Hard Disk Database based on a former database

null 0 Nov 1, 2021
Simple key value database that use json files to store the database

KValDB Simple key value database that use json files to store the database, the key and the respective value. This simple database have two gRPC metho

Francisco Santos 0 Nov 13, 2021
This is a simple Golang application that executes SQL commands to clean up a mirror node's database.

This is a simple Golang application that executes SQL commands to clean up a mirror node's database.

Tom 1 Jan 24, 2022
Nipo is a powerful, fast, multi-thread, clustered and in-memory key-value database, with ability to configure token and acl on commands and key-regexes written by GO

Welcome to NIPO Nipo is a powerful, fast, multi-thread, clustered and in-memory key-value database, with ability to configure token and acl on command

Morteza Bashsiz 16 Jun 13, 2022
BuntDB is an embeddable, in-memory key/value database for Go with custom indexing and geospatial support

BuntDB is a low-level, in-memory, key/value store in pure Go. It persists to disk, is ACID compliant, and uses locking for multiple readers and a sing

Josh Baker 3.8k Jun 24, 2022
The Prometheus monitoring system and time series database.

Prometheus Visit prometheus.io for the full documentation, examples and guides. Prometheus, a Cloud Native Computing Foundation project, is a systems

Prometheus 43.1k Jun 24, 2022
Fast specialized time-series database for IoT, real-time internet connected devices and AI analytics.

unitdb Unitdb is blazing fast specialized time-series database for microservices, IoT, and realtime internet connected devices. As Unitdb satisfy the

Saffat Technologies 91 Jun 9, 2022
VictoriaMetrics: fast, cost-effective monitoring solution and time series database

VictoriaMetrics VictoriaMetrics is a fast, cost-effective and scalable monitoring solution and time series database. It is available in binary release

VictoriaMetrics 6.6k Jun 24, 2022
LinDB is an open-source Time Series Database which provides high performance, high availability and horizontal scalability.

LinDB is an open-source Time Series Database which provides high performance, high availability and horizontal scalability. LinDB stores all monitoring data of ELEME Inc, there is 88TB incremental writes per day and 2.7PB total raw data.

LinDB 2.3k Jun 29, 2022
☄ The golang convenient converter supports Database to Struct, SQL to Struct, and JSON to Struct.

Gormat - Cross platform gopher tool The golang convenient converter supports Database to Struct, SQL to Struct, and JSON to Struct. 中文说明 Features Data

永林 271 Jun 21, 2022
TalariaDB is a distributed, highly available, and low latency time-series database for Presto

TalariaDB is a distributed, highly available, and low latency time-series database that stores real-time data. It's built on top of Badger DB.

Grab 97 Jun 18, 2022
Dolt is a SQL database that you can fork, clone, branch, merge, push and pull just like a git repository.

Dolt is a SQL database that you can fork, clone, branch, merge, push and pull just like a git repository. Connect to Dolt just like any MySQL database to run queries or update the data using SQL commands. Use the command line interface to import CSV files, commit your changes, push them to a remote, or merge your teammate's changes.

DoltHub 12.2k Jun 28, 2022
rosedb is an embedded and fast k-v database based on LSM + WAL

A simple k-v database in pure Golang, supports string, list, hash, set, sorted set.

roseduan 2.9k Jun 23, 2022
DonutDB: A SQL database implemented on DynamoDB and SQLite

DonutDB: A SQL database implemented on DynamoDB and SQLite

Peter Sanford 96 Jun 15, 2022
Export output from pg_stat_activity and pg_stat_statements from Postgres into a time-series database that supports the Influx Line Protocol (ILP).

pgstat2ilp pgstat2ilp is a command-line program for exporting output from pg_stat_activity and pg_stat_statements (if the extension is installed/enabl

Zikani Nyirenda Mwase 4 Dec 15, 2021