For Authzed's first birthday, our gift isn't for us, but the community.
Today, we're as excited as we've ever been.
Today, the database powering the core of Authzed, SpiceDB, is now open source!
SpiceDB is the most faithful implementation of Google's Zanzibar paper outside of the original system at Google.
Developers create a schema that models their permissions requirements and use a client library to apply the schema to the database, insert data into the database, and query the data to efficiently check permissions in their applications. Leveraging a system like SpiceDB has become an industry best-practice and is being used to great success at companies large (Google, GitHub, Airbnb) and small (Carta, Authzed).
As we develop SpiceDB, we will not only maintain compatibility with the original paper, but continue to introduce innovations that improve overall user experience. An example of this is our Schema Language, which compiles to Zanzibar's Namespace Configs, but adds far more intuitive syntax and type-safety. However, these types of features cannot be created in a vacuum, thus all future development on SpiceDB will be done entirely in the open.
We invite everyone to collaborate with us on GitHub and join our discussions on the Zanzibar Discord.
Initial features included in SpiceDB that distinguish it from other systems include:
- Expressive APIs for checking permissions, listing access, and powering devtools
- An architecture faithful to the Google Zanzibar paper, including resistance to the New Enemy Problem
- An intuitive and expressive schema language complete with a playground dev environment
- A powerful graph engine that supports distributed, parallel evaluation
- Pluggable storage that supports in-memory, PostgreSQL, and CockroachDB
- Deep observability with Prometheus metrics, structured logging, and distributed tracing
Getting Started
Get a taste of the schema language
- Follow the guide for developing a schema
- Watch a video of us modeling GitHub
- Read the schema language design documentation
- Jump into the playground, load up some examples, and mess around
Learn how to integrate an application
- Learn the latest best practice by following the Protecting Your First App guide
- Explore the gRPC API documentation on the Buf Registry
- Install zed and interact with a live database
Installation
Installing SpiceDB
SpiceDB is currently packaged by Homebrew for both macOS and Linux.
Individual releases and other formats are also available on the releases page.
brew install authzed/tap/spicedb
SpiceDB is also available as a container image:
docker pull quay.io/authzed/spicedb:latest
For production usage, we highly recommend using a tag that corresponds to the latest release, rather than latest
.
Running SpiceDB locally
spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls
Visit http://localhost:8080 to see next steps, including loading the schema
Changelog
Expand the Changelog
f9fa9a2 *.yaml: lint all YAML files
af8a479 *: migrate to new v1.RelationshipFilter
871436b *: use grpc health packages
6711fad .github: add API labels
f61bf2d .github: add step for diffing go generate output
3defadd .github: add yamllint
6dfed06 .github: auto label tests
24d226b .github: enforce linting with whitelisted TODOs
eb52959 .github: fix buf push action
6963abc .github: fix go mod tidy check
cbaee60 .github: init
f16d042 .github: properly set release as output
936992a .github: tag container with release output
6393c87 Add ExpandPermissionTree to the V1 API
3a1d882 Add Limit support to tuple queries and set Limit(1) on WriteConfig checks
e98407b Add ListNamespaces and remove IsEmpty
c6f8d90 Add Lookup in zed-testserver
6518be1 Add ONR serialization and use it everywhere possible.
b35f569 Add REDACTED example and fix loading issues associated with it
63c3120 Add a benchmark for check operations.
d4e5ba5 Add a better first run experience that shows the command to run when no other arguments are specified
021d2cc Add a call to verify the test server is properly stripped
55dc464 Add a check dispatcher and implementation.
a49fb56 Add a concurrent graph expander.
63735c7 Add a datastore Revision method.
18884a0 Add a datastore proxy that validates all calls
b190dd2 Add a flexible postgres config system.
67f7026 Add a jaeger service and the ability to report stats to it.
c1ae3c3 Add a maximum recursion depth.
7345b1e Add a namespace cache to graph evaluations.
0e8d30a Add a postgres database query benchmark.
8a3c21e Add a secrets package which mimicks python's.
f149da2 Add a test for datastore write preconditions.
7b42d15 Add a test for namespace delete. Refactor memdb tests to a separate package.
5135d29 Add a test for updating a schema and its checks on relationships
9bdeca1 Add a zed-test binary tool for writing unit tests against
ac37782 Add a zookie encoding/decoding library.
6fb5dad Add additional comments and some cleanup to the validationfile pkg
a4423dc Add additional tests for typesystem and lookup and fix some smaller items as per code review
d7f50e6 Add arch suffix to released zed-testserver binaries
e96a676 Add auto-release of zed-testserver on any releases in monorepo
a43a814 Add automatic query splitting when the SQL query grows beyond a defined boundary in size
7521fd9 Add basic dashboard for guidance to new users
c707af5 Add basic lexer and parser for the Schema DSL
f54dbd7 Add basic proto -> DSL generator
d7ef928 Add basic tracing to SpiceDB
241aad8 Add better tracing to first party services.
7b6670f Add consistency tests and fix bugs discovered as a result
527593a Add context to datastore interface and thread everywhere.
a18dd55 Add datastore attr to tracing span
48ab5de Add datastore tuple query tests for reverse queries, and add limits for faster verification in WriteConfig
a11df78 Add datastore url config for postgres support.
f854f5a Add datastore watch and the watch RPC.
9aea9e4 Add developer CI and remove REDACTED CI
22d5d71 Add developer-service subcommand
fa2ff18 Add error test cases to Lookup test in ACL tests
33305ed Add format button to Playground
ced742e Add full consistency testing of the developer API
99501d9 Add go generate to CI
c7d958c Add grpc server metrics to spicedb.
cb044e7 Add initial support for lookup across intersection and exclusion
d0ca4e1 Add latency simulator to the memdb datastore.
e73cd23 Add log tracer
ef5c296 Add logging to lookup shared issues
f8beaaf Add migration with new reverse lookup indexes for Postgres
432fead Add namespace and relation identifier validation.
6798707 Add namespace diff system
99251c4 Add namespace validator.
bdb50ab Add ok status to DSL generator indicating whether the generation had any legacy issues
9ad5c99 Add packaging to run spicedb service.
13ad9cd Add pgx timezone comment
2bdf6cd Add pgxpool stat collector for prometheus
c04621d Add pkg for tuple serialization and deserialization.
e772729 Add position information to parsed assertions
634d94c Add preshared key auth to spicedb.
e05d378 Add proto validation rules for all requests. Validate request messages for all handlers. Remove the old namespace definition validation code.
6abf320 Add readonly port to zed-testserver
f54d70e Add relation type to the metadata on construction
42f317a Add revision fuzzing and test.
dd84050 Add schema service to zed-testserver
dac9fdb Add shared errors interfaces and use the new types in the services
e1ba314 Add source position mapper for use once we read source files
ca9d6f8 Add support for cross-tenant references and have generator always produce the fully cross-tenanted defs
dee7b5c Add support for loading in schema and Relationships string list from the validation file format
8707d34 Add support for metadata on namespaces and relations
ae58bd8 Add support for recursive expansion
3cf04a0 Add tenancy definitions to consistency test
3e6c6e2 Add the basic local start command to the README.md
216c5c5 Add tracing to sql driver internals.
6ee74ab Add tuple queries.
84b63ac Add tuple writes.
622b512 Add type system failure for use of permissions on the left hand side of an arrow
5dec8f7 Add validation of relationships in the developer API context
7804d2a Add zerolog marshaling to error types with information
6677737 Adjust the terms in our errors to match the new terminology
d55309b Allow for single character object IDs
1722118 Allow underscores at the beginning of object IDs
d504f5b Bootstrap file support
8e02dfd Change Playground to be based on DSL
276b89b Change ReadSchema to always return a schema on upgrade
98268ca Change V1 schema write to delete any unreferenced object types
3ec63cf Change all legacy tuple string formats to ellide ellipsis
ef1bc02 Change developer API to use the DSL
1788bc7 Change entrypoint to use and configure zerolog.
74197cb Change identifiers in tests to be valid.
0635cb3 Change panics into errors
773afcb Change start inclusion to an enum for clarity.
e269342 Check revisions on read requests.
e8b7912 Cleanup tests a bit
9b212c5 Cleanup the consistency tests a bit before adding dev tests
2474518 Consistency middleware for V1 API
6d1c9dc Create a reduced datastore interface just for loading tuples.
344be27 Create a testfixtures package.
1d91c58 Datastore compliance tester should run subtests.
3d0272d Decode and respect request zookies. Better error handling for grpc handlers. Tests for ACL and namespace services.
3e12385 Deleteing a nonexistent tuple no longer errors.
22afdcd Disallow relationship writes on permissions
add5a74 Downgrade pq to 1.9.0
0a04909 Enable better reporting of schema errors
4eb8282 Export prometheus stats from sql driver.
f2b4aa4 Extract namespace builder to its own package.
d180ac4 Extract out errorIfTupleIteratorReturnsTuples
93706dc Fix SSL server initialization.
67456ee Fix arrow dispatch issue in expand as well and add an addition test
9934ea5 Fix bug in exclusion check
a971b5d Fix bug where nil iterator could be closed.
fc8b958 Fix concurrency errors in postgres Watch.
192e209 Fix defer statement ordering
d1ce892 Fix handling of intersection and exclusion in the membership set
15cbc52 Fix ns relation denormalization in memdb.
242aeea Fix read and write schema in REDACTED
81b25d4 Fix synthetic semicolon insertion for right parens
94a6512 Fix test for recent permissions check PR
bd9489d Generate server latency metrics for REDACTED and spicedb.
26386a5 Handle comments in DSL compiler and generator
412ce5e Have Checks return true if the start and goal relations are the same, or if we get to the same relation via a computed userset
caa9c1b Have checkComputedUserset verify that the target relation exists before dispatching
940db9d Have dashboard take the migration status of the datastore into account
98e8271 Have edit check errors placed under each check
eb6fdfc Have namespace config writes check for breaks in tuple relations
384479c Have smaller comments format to a single line
0415110 Implement ACL expand handler.
95030e0 Implement ContentChangeCheck handler.
d046bc0 Implement V0 DeleteConfigs API
9711f45 Implement V1 LookupResources API
9e255a8 Implement basic DSL -> proto compiler
c50347c Implement check handler.
069766b Implement consistency testing for written V1 endpoints
d729033 Implement developer API
33cb010 Implement health check handler.
01f1336 Implement namespace delete.
785d123 Implement postgres datastore for spicedb.
a2d6366 Implement the V1 schema service
4d4d935 Implement the read tuple method.
def2f9c Implement top-down structural lookup
8b6c480 Initial check-in of spicedb.
886fdea Loosen the objectID validation to fit existing data requirements.
c9ec958 Make jaeger tracing endpoint configurable.
f322b89 Make revision fuzzing configurable with a default.
88a3500 Make sure to strip the binary before release to remove ALL symbols
0e62048 Make the datastore test suite neutral.
b536e91 Make the prefix requirement optional by default in SpiceDB
10e2b93 Merge pull request #100 from authzed/goreleaser-init
d1c4fa5 Merge pull request #1029 from REDACTED/readonly-testing
d420148 Merge pull request #103 from authzed/yamllint
cfb2cc6 Merge pull request #1034 from REDACTED/lookup-logging
a31cb0b Merge pull request #1040 from REDACTED/s3-auto-region
8479899 Merge pull request #1041 from REDACTED/s3-content-type
b5dc304 Merge pull request #1042 from REDACTED/underscores
61ee10a Merge pull request #1047 from REDACTED/migration-fallout
91f649b Merge pull request #105 from authzed/dependabot/docker/golang-1.17.1-alpine3.13
eae12c0 Merge pull request #1069 from REDACTED/ttu-typecheck
6b6f3e9 Merge pull request #108 from authzed/dependabot/go_modules/github.com/lib/pq-1.10.3
5f7e9f3 Merge pull request #1080 from REDACTED/membership-set-fixes
1aa9bff Merge pull request #1082 from REDACTED/parser-fix
3517674 Merge pull request #1085 from REDACTED/dev-consistency-tests
254f5dd Merge pull request #110 from authzed/dependabot/go_modules/github.com/rs/zerolog-1.25.0
385b10e Merge pull request #1105 from REDACTED/comment-format
72dca34 Merge pull request #111 from authzed/update-otel
f63a3c6 Merge pull request #112 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.47
6f329a7 Merge pull request #113 from authzed/dependabot/go_modules/github.com/fatih/color-1.13.0
0256f66 Merge pull request #1139 from REDACTED/dependabot-go
91b3324 Merge pull request #114 from authzed/zedtoken-backcompat
bad00e2 Merge pull request #116 from authzed/datastore-tests
f2d4bf9 Merge pull request #1160 from REDACTED/spicedb-delete-validate
6ec17a7 Merge pull request #1161 from REDACTED/spicedb-router
6161b18 Merge pull request #1162 from REDACTED/lookup-improvements
55a8a5a Merge pull request #1166 from REDACTED/dependabot-go
5bf032e Merge pull request #117 from authzed/reorder-readme
02ccce9 Merge pull request #1186 from REDACTED/dependabot/go_modules/spicedb/github.com/aws/aws-sdk-go-1.40.16
65e6265 Merge pull request #119 from authzed/drop-crdb-migration
ce8b2ec Merge pull request #1195 from REDACTED/fix-arrow-bug
f7ef76c Merge pull request #120 from authzed/linting
c569f93 Merge pull request #122 from authzed/gr-chglog
13a8f8b Merge pull request #1224 from REDACTED/spicedb-oss
70e663e Merge pull request #1227 from REDACTED/max-max-depth
c33cc40 Merge pull request #123 from authzed/add-servicer-tests
923ce9b Merge pull request #1230 from REDACTED/spicedb-prefixes
1607a3f Merge pull request #1231 from REDACTED/flag-audit
71961e8 Merge pull request #124 from authzed/rm-extra-buf-work
547e2c0 Merge pull request #1246 from REDACTED/servok-bsr
6031872 Merge pull request #1248 from REDACTED/validationfile-cleanup
900b42b Merge pull request #125 from authzed/ellipsis-followup
8599cd2 Merge pull request #130 from authzed/v1-read-fix
e9affab Merge pull request #132 from authzed/delete-tests
725f182 Merge pull request #133 from authzed/servicer-tests
55f44e7 Merge pull request #134 from authzed/e2e-constants
4e1a741 Merge pull request #135 from authzed/version
82899ac Merge pull request #136 from authzed/fix-release
43a98f7 Merge pull request #137 from authzed/migname
97e9f06 Merge pull request #138 from authzed/crdb-perf
29b03f2 Merge pull request #139 from authzed/golangci
c201f6b Merge pull request #140 from authzed/readme-devtools
d01fadf Merge pull request #143 from authzed/fix-retry-histogram
f707760 Merge pull request #145 from authzed/fix-grpc-test
b629365 Merge pull request #146 from authzed/brew
a4bef05 Merge pull request #25 from authzed/github-actions
e1cd108 Merge pull request #26 from authzed/dependabot/docker/alpine-3.14.1
0900760 Merge pull request #27 from authzed/dependabot/docker/golang-1.17.0-alpine3.13
fde257b Merge pull request #28 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.27
d27b146 Merge pull request #29 from authzed/dependabot/go_modules/google.golang.org/grpc-1.40.0
3732c86 Merge pull request #30 from authzed/fix-release
ab93550 Merge pull request #31 from authzed/fix-release-again
6d9e22a Merge pull request #33 from authzed/quay-link
dc38699 Merge pull request #34 from authzed/upstream-grpcutil
f156579 Merge pull request #35 from authzed/stringer-ci
40402c3 Merge pull request #37 from authzed/one-buf-gen
98c2540 Merge pull request #38 from authzed/bootstrap-files
b7e2031 Merge pull request #39 from authzed/internal-redispatch
e23c4bf Merge pull request #45 from authzed/README-fixes
6123a12 Merge pull request #46 from authzed/validate-devcontext
90babad Merge pull request #47 from authzed/no-write-permission
9158081 Merge pull request #48 from authzed/validate-mw
7072d08 Merge pull request #49 from authzed/nscheck-revision
ed605c6 Merge pull request #50 from authzed/constency-test
4181a3c Merge pull request #51 from authzed/dependabot/docker/alpine-3.14.2
106305d Merge pull request #52 from authzed/dependabot/go_modules/github.com/rs/zerolog-1.24.0
79817a3 Merge pull request #53 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.34
89845b0 Merge pull request #54 from authzed/imgbuild-gh
a090d01 Merge pull request #547 from REDACTED/spicedb
8a8e5b7 Merge pull request #55 from authzed/dependabot/go_modules/github.com/aws/aws-sdk-go-1.40.35
fffa067 Merge pull request #56 from authzed/better-schema-errors
e59b740 Merge pull request #57 from authzed/schema-update-test
406233d Merge pull request #570 from REDACTED/REDACTED-go
dd7a5e4 Merge pull request #576 from REDACTED/spicedb
63eb7fe Merge pull request #578 from REDACTED/postgres
640ede2 Merge pull request #60 from authzed/nsswitch
d6c8bb3 Merge pull request #609 from REDACTED/spicedb-perf
9a62142 Merge pull request #610 from REDACTED/pg-conns
55f4c64 Merge pull request #612 from REDACTED/spicedb-tracing
5f92727 Merge pull request #614 from REDACTED/observability
7ddcb87 Merge pull request #615 from REDACTED/leakfix
01d366b Merge pull request #616 from REDACTED/downgrade-pq
180a093 Merge pull request #617 from REDACTED/idempotent-delete
ca3b8fc Merge pull request #62 from authzed/fix-tests
db0162e Merge pull request #623 from REDACTED/buckets
27a3589 Merge pull request #63 from authzed/namespaces-by-id
49f3b3b Merge pull request #637 from REDACTED/pgx
3a3c43d Merge pull request #64 from authzed/local-protos
4426163 Merge pull request #642 from REDACTED/no-cancel-sql
4b8ffc1 Merge pull request #649 from REDACTED/omitstart
c75ca23 Merge pull request #65 from authzed/error-handling
cd19ab1 Merge pull request #652 from REDACTED/zed-test
2238ef8 Merge pull request #66 from authzed/better-run
21e6b78 Merge pull request #67 from authzed/v1-protos
145c0d7 Merge pull request #671 from REDACTED/trace-REDACTED
362e83c Merge pull request #68 from authzed/fix-buf-push
b9b59f5 Merge pull request #688 from REDACTED/rename-zedserver
0af2961 Merge pull request #69 from authzed/v1-prep
1a57afc Merge pull request #691 from REDACTED/token-based-server
c2bc99b Merge pull request #692 from REDACTED/spicedb-migration
bb4b7bd Merge pull request #70 from authzed/v1-consistency-middleware
b114bba Merge pull request #705 from REDACTED/migration-config
6987dbe Merge pull request #72 from authzed/prep-consistency-tests
c8ca87d Merge pull request #729 from REDACTED/type-system-top-lookup
2821aae Merge pull request #73 from authzed/authless-reflection
2bf9c81 Merge pull request #74 from authzed/v1-read
e1b7747 Merge pull request #741 from REDACTED/exclusion-bug
cd2decc Merge pull request #75 from authzed/newenemy
21a1884 Merge pull request #779 from REDACTED/schema-dsl
9dcf187 Merge pull request #78 from authzed/datastore-for-schema
70b7660 Merge pull request #780 from REDACTED/metadata
3c63c3b Merge pull request #79 from authzed/elide-ellipsis
0bcc8a5 Merge pull request #790 from REDACTED/schema-compiler
0c83249 Merge pull request #791 from REDACTED/crdb-dev
349007b Merge pull request #798 from REDACTED/crdb-ci-len
c848071 Merge pull request #799 from REDACTED/schema-proto
73ce29e Merge pull request #80 from authzed/v1-check
f8698ac Merge pull request #803 from REDACTED/overwritten-ns
1419b93 Merge pull request #806 from REDACTED/developer-api
99f372b Merge pull request #807 from REDACTED/pulumi-stage
5aed0cc Merge pull request #809 from REDACTED/better-errors
44bef3f Merge pull request #81 from authzed/v1-schema-service
dcfb6f7 Merge pull request #821 from REDACTED/crdb-perf
b181a9a Merge pull request #826 from REDACTED/crdb-perf
d2d15a2 Merge pull request #83 from authzed/v1-delete
009d84a Merge pull request #831 from REDACTED/dsl-playground
1a33f35 Merge pull request #832 from REDACTED/crdb-perf
e9308cb Merge pull request #834 from REDACTED/error-terms
92837dc Merge pull request #84 from authzed/authzed-go-protos
0669d71 Merge pull request #844 from REDACTED/spicedb-read-only
f3ef249 Merge pull request #85 from authzed/dispatch-relref
9463381 Merge pull request #86 from authzed/v1-lookup
193cf98 Merge pull request #87 from authzed/testserver
3e1439d Merge pull request #88 from authzed/head-migration-note
004846d Merge pull request #89 from authzed/must-revision
7103c13 Merge pull request #91 from authzed/v1-consistency-testing
f4115c9 Merge pull request #92 from authzed/add-start-command
fc3f953 Merge pull request #920 from REDACTED/dependabot/go_modules/spicedb/github.com/prometheus/client_golang-1.11.0
e603150 Merge pull request #921 from REDACTED/dependabot/go_modules/spicedb/github.com/envoyproxy/protoc-gen-validate-0.6.1
bbbd758 Merge pull request #923 from REDACTED/dependabot/go_modules/spicedb/github.com/grpc-ecosystem/go-grpc-middleware-1.3.0
709e1ba Merge pull request #93 from authzed/v1-expand
d9b41c0 Merge pull request #930 from REDACTED/v1alpha1-schema-iter
0dd3970 Merge pull request #933 from REDACTED/assertion-positioning
c55aae1 Merge pull request #935 from REDACTED/dsl-format-button
0b5795f Merge pull request #938 from REDACTED/schema-test
3ee7dca Merge pull request #94 from authzed/delete-namespace
d795237 Merge pull request #940 from REDACTED/migration-script
48d8234 Merge pull request #95 from authzed/lookup-require-type
bb7f65a Merge pull request #97 from authzed/single-middleware
3c2cf15 Merge pull request #974 from REDACTED/dsl-comments
915e8cd Merge pull request #98 from authzed/v1-write
d23222c Merge pull request #99 from authzed/readonly-ts
29345cb Move ONRSet into the tuple package
83ad8e0 Move common package to input and other small requested fixes
e41f03d Move graph walking into a common lib
9100e6f Move memdb constants to the proper files.
c88c169 Move query split point to a CLI option
a36bae6 Move root run to a serve
subcommand
fa359ce Move transaction to first parameter.
4b1d9cc Namespace cache is now namespace manager.
f9424c5 Namespace typesystem and initial reverse walk ("Lookup")
322d3f6 Omit expand start when expanding _this.
f3d9a86 Optimistically close rows object.
ca68d73 Prepare the consistency test suite for the V1 API
d3d9987 README: add custom image for container badge
a9da383 README: fix badge links
d7cdbf5 README: fix build instructions and add links
e3ccd5b README: link Quay badge to tags tab
0e34b3d README: mention devtooling API
d5a5982 README: move install into getting started
d618017 REDACTED: add support for dry-run migrations
932ecbd REDACTED: fixes to use the smart client
9ba9671 REDACTED: move x509util to spicedb pkg
696397c REDACTED: use spicedb validation regex for ns
fa33c48 REDACTED: valid identifiers for revision names
130bf15 Raise an error if type info is missing on a Lookup
d1fdf07 Reading and writing namespaces with memdb.
5027b69 Rebase fix
387a2ef Reenable and fix lookup test and address PR feedback
bac6fe8 Refactor spicedb testfixtures.
a7f52f4 Refactor testfixture helpers to exported package.
d30d206 Remove an extra level of indirection in expand.
0673669 Remove as many transactions on read as possible.
4a355d3 Remove mirroring of input parameters in LookupResponse
67ecdb9 Remove namespace and relation checking from the datastore.
064d850 Remove namespace manager from namespace service to ensure we never use a cached namespace
510dc95 Removed resolvedobjectset and reuse the ONR set
9460d93 Rename developer-service command
5d21ceb Rename the internal header for remaining depth.
b6ef6d4 Rename the internal proto to impl.
4a8d7ad Replace sqlx with pgxpool
137655a Separate grpc ctxt from db ctxt to prevent closing.
8892dea Set "auto" region to use S3 on GCS
b897e57 Set a max connection age on spicedb.
a528051 Set content type of shared items in the S3 share store
af869be Skip direct tuple lookup if it isn't allowed from the type system
b7cfb1b Small requested fixes
e122626 Speed up spicedb docker rebuild.
1a20ff8 Style fixes.
27f5b0c Style fixes.
9c16dba Suppress trace log messages in tests by default.
372fbd6 Switch Postgres and CRDB datastores to use a common tuple query
e7820eb Switch memdb to always store config bytes
ba42792 Switch order of context in compiler and other requested improvements
d49948b Switch to a single unified TupleQuery which only allows for a single call to each builder method
5946b94 Switch to concurrent operations in lookupDirect and in lookupTTU
abacc67 Switch to using a batch data loader for userset lookups
1cf234a Test revision fuzzing in servicers.
ecf3851 Tuple query now uses a struct copy.
ab52008 Tweak prom histogram buckets for our use case.
3eebdc7 Unify the tuple and namespace datastore interfaces. Eliminate the memdb tx ID tracker and delgate to the datastore. Verify that write tx IDs are monotonically increasing.
bd0e511 Update datastore to well-typed information preserving errors
4f0b796 Update error handling for recent semantic errors change
1a0390e Update graph to well-typed information preserving errors
e98d0a5 Update namespace to well-typed information preserving errors
71804c8 Update otel to v1.0.0
ee13a72 Update release notes for zed-testserver
48b4e58 Update versions of go mods based on depbot
bb3fefc Upgrade to the fixed version of go-memdb.
b584a36 Use the context aware database calls everywhere.
e60352e Use the proper sync revision for type checking on schema/namespace changes
266aa0c Use utc for now timestamps, add pgx config
caf62ac Validate namespaces before writing them.
e90e0fc Verify namespace and relation on read requests.
b1f1d88 Verify tuple correctness on write operations. Very expected output for check and expand operations.
015fd60 We must make sure we got an iterator before we close it.
fed435b Wrapper server in zed-testserver which multiplexes to different SpiceDB services based on the incoming token
c4808d0 Zookie decode must check for nil parameter.
3ab76c0 add a (failing) test for new enemy behavior
a3c3b7d add a default nsswitch.conf file
4dfb496 add a gh workflow step to do a build of the container image
3be0b1b add a mapping datastore proxy implementation which encodes namespace names
5df7a56 add a note about head migrations
d248829 add a prometheus bucket for zero retries
31f7f72 add a test for consistency properties to the hash ring
26d0783 add a test for v1 CheckPermission
180fb65 add a test for v1 ReadRelationships
4a7c423 add a zedtoken internal implementation
3ac63f6 add homebrew release
c895e7c add test for v1 DeleteRelationships
dc741e3 add the test server as a spicedb subcommand
7005e14 add v1 CheckPermission implementation
1373653 add v1 proto definitions
07def0a add version command
2c9937c allow cached quantized revisions to be used
e920281 always observe the crdb retries histogram
aa81414 auth: simplify preshared key func
55f01d6 better lookup request logging
57af7f0 buf: consolidate into one buf.gen.yaml
ea16f29 buf: generate servok protos from BSR
af88301 buf: remove non-existent authzed-api path
0bf9643 build(deps): bump alpine from 3.13 to 3.14.0 in /spicedb
a64d9ce build(deps): bump alpine from 3.14.0 to 3.14.1
d40e8a8 build(deps): bump alpine from 3.14.1 to 3.14.2
8a42c81 build(deps): bump github.com/aws/aws-sdk-go from 1.40.16 to 1.40.27
1530c47 build(deps): bump github.com/aws/aws-sdk-go from 1.40.27 to 1.40.34
3c73bb6 build(deps): bump github.com/aws/aws-sdk-go from 1.40.27 to 1.40.35
41162b6 build(deps): bump github.com/aws/aws-sdk-go from 1.40.35 to 1.40.47
59ab61e build(deps): bump github.com/aws/aws-sdk-go in /spicedb
e894118 build(deps): bump github.com/envoyproxy/protoc-gen-validate in /spicedb
57ba568 build(deps): bump github.com/fatih/color from 1.12.0 to 1.13.0
d2a5d35 build(deps): bump github.com/grpc-ecosystem/go-grpc-middleware
fd6a556 build(deps): bump github.com/lib/pq from 1.10.2 to 1.10.3
689357c build(deps): bump github.com/prometheus/client_golang in /spicedb
8fd2d05 build(deps): bump github.com/rs/zerolog from 1.23.0 to 1.24.0
48e6f55 build(deps): bump github.com/rs/zerolog from 1.24.0 to 1.25.0
7a2480d build(deps): bump golang from 1.16-alpine3.13 to 1.17.0-alpine3.13
305b664 build(deps): bump golang from 1.17.0-alpine3.13 to 1.17.1-alpine3.13
66b4be0 build(deps): bump google.golang.org/grpc from 1.39.0 to 1.40.0
3eb96b1 bump bufbuild in gha
ad3bd93 bump ci to go 1.17
4f5e813 change datastore to handle new object filters from v1
74d2ce4 change the internal grpc port
bc84bb9 change zed-testserver to use reflection and real server
2fd51d7 cmd: add comments delineating flag sections
7c86974 cmd: consistent flag prefixes and cobrautil usage
a8ebf79 cmd: consistent migration flags
5914a1a cmd: delete crdb migration script
df9dbbb cmd: use cobrautil.CommandStack
a322cb0 cmdutil: add funcs for registering dependent flags
2451fd0 datastore/crdb: pass go lint
07bfc53 datastore/memdb: pass go lint
85c1c76 datastore/proxy: pass go lint
fd374a9 datastore/test: pass go lint
ff7eff7 datastore: add docstrings to pass go lint
78b1c5a datastore: consistently name var relationFilter
f83ed7e datastore: create type for QueryTuple filtering
13339da datastore: handle preconditions with pgx.ErrNoRows
223cb12 datastore: rename WithUserset to WithSubjectFilter
5cce586 datastores/psql: pass go lint
589ba98 deadcode: remove all unused code
a7b43b2 dependencies: go mod tidy
198b898 determine transaction overlap keys from namespace prefixes
da5052c dispatch: only fail on unexpected errors
1408a4c document the lookaside cache handling
89ea338 e2e: tweak constants to reduce flakes
e6486cb errcheck: handle all errors explicitly
4028aa8 fix all linter errors in internal/services
f717917 fix buf build
8f34ec4 fix cluster dispatch error handling
0116382 fix datastore delete implementations
ca5980e fix linter build lines for go 1.17
9710aa7 fix linter errors
9d22d60 fix memdb modifying source builder state
e07a59e fix package path in goreleaser
1be2b9d fix readonly test server
5008a0d fix relationship filter precondition checking
45d948e fix the error rewrite for ErrAlwaysFail
da2663e fix typos in main method
466851f fix v1 ReadRelationship to save modified query
2aaeff0 generate options for crdb / spicedb test abstractions
a358780 go.mod: use upstream grpcutil
182acfd goimports: fix all local/thirdparty splits
128a6b9 gomod: tidy
56a50e5 govet: fix all mutex copies
d006abe grpcutil: add RequireStatus method
035670b handle crdb retries
0ae9a5c handle more error and shutdown conditions on startup
67fdfac helper function for revisions and zedtokens from context
9dc70fe ineffassign: remove all ineffective assignments
5bf98df infra: ugprade CRDB to v21.1.3
be5692a internal/datastore: add delete preconditions test
8231c02 internal/datastore: adopt v1.Precondition
4304048 internal/datastore: exercise DeleteRelationships
91fb449 internal/proto: fix reproducibility
1e2df28 internal/services/v1: init DeleteRelationships
af83dbc lint: add golangci-lint
2f8f799 log whether an internal expand was recursive
e926286 make consistent backend client more idiomatic
e729283 make deleterelationship tests more permissive
5827290 make zedtokens binary compatible with all versions of zookie
55eed77 move generated protos back to authzed-go
5d58771 move to internal proto imports, remove smartclient
049dc12 pkg/cmdutil: upstream to cobrautil
d729505 pkg/tuple: add MustParse and use it in tests
e5fce8c pkg/tuple: add pretty print for sub/obj refs
cfb3986 pkg/tuple: add relationship parsing
cfe6947 pkg/tuple: avoid overflow on panic
cbb8287 pkg/tuple: print error with all invalid panics
a47973f pkg/tuple: validate in conversions
edcaa69 prevent new enemy by forcing transaction overlap
18963b3 prevent newenemy with smart sleeping
031b8ce proto: consolidate protos and generate internally
6bc1f7b proto: rehome authzed API definitions
643a9b4 proto: update buf to 0.48.2
69aa398 protos: add schema API
a4f622e protos: disambiguate Read/Write Schema APIs
8743e3e protos: fix go_package import path for schema
6948601 protos: make metadata internal to spicedb
0278d93 protos: move authzed-api into a subdirectory
116ff2c protos: remove implicit_permission_system
2400c5d re-enable ci tests
20c0685 remove ellipsis from remaining test cases
5bd6fd3 remove smart sleeping
7ce8610 remove the tracer code that's no longer used
e91a506 remove the unnecessary short circuits
f7e8eaf rename smartclient to consistent backend client
caa3295 rename the prom metrics variables in caching dispatch
7e27ae1 rework service initialization to more cleanly handle required interceptors
84488e0 rework the way the consistent backend client startup works
b4c258b services/v1: add write tests
d6a6079 services/v1: implement WriteRelationships
15643e1 services/v1: test error messages
ed83812 services/v1: verify updates' types & subject
4edf9c4 servok: take the DNS name to resolve as a request parameter
8350b97 servok: use fully-qualified SRV record locators
1f28d61 set fetch depth for goreleaser
0576b25 show the contents of the git diff for protos
78e9257 small cleanups
136d2d0 spicedb/REDACTED: bump deps
6716384 spicedb/REDACTED: migrate to open telemetry v1
fcf2b0e spicedb/infra/servok: bump deps
c4f659d spicedb: Add a pure go migration framework.
78f77e8 spicedb: InvalidArgument bad namespace conversions
db03bbd spicedb: add CRDB tracing
2d946f5 spicedb: add W3C propagation to tracing
80d9d57 spicedb: add a crdb driver skeleton
9126a60 spicedb: add a crdb migration tool
49faa51 spicedb: add a head subcommand to calculate database head revision
9f6e3f0 spicedb: add a migrate subcommand
926c9c6 spicedb: add a service level cache for check
459f43e spicedb: add a shutdown grace period
84d98d8 spicedb: add an internal API smartclient
544bd55 spicedb: add an internal redispatch API
200e95a spicedb: add client that routes using request hashing
d6065b0 spicedb: add dockerfile
2d1d08d spicedb: add error to migration failure
8b90539 spicedb: add generic tuple iterator for a materialized slice of tuples
cbe3551 spicedb: add opentelemetry interceptor
0af4b59 spicedb: add readme, license, etc..
7076dc3 spicedb: add support for CRDB to main.go
1d36a30 spicedb: allow for duplicate watch events in tests
dc3b530 spicedb: buf.gen.yaml is executable
ea42319 spicedb: build zed-testserver in container image
f54ea94 spicedb: bump stringz
c32ccf5 spicedb: change CRDB test version to match stage cluster
305ebd1 spicedb: change CRDB watch to use resolved revisions
f0eb6a4 spicedb: clean up compiler and errors in schema
078abef spicedb: clean-up comments
251b596 spicedb: convert existing test migrations to new framework
8a578ef spicedb: create services/v0 package
18c8c46 spicedb: datastore revisions uint64 -> decimal.Decimal
c79711c spicedb: deduplicate tuples in CRDB migration script
4980c22 spicedb: delete unused validate protos
4211a42 spicedb: do not recompute revision on redispatch
d2ccedb spicedb: eliminate spurious delete events from touches
5638d4e spicedb: ensure CRDB cluster gc TTL is large enough to support requested TTL
0059465 spicedb: export logging/tracing PreRuns
5e268e7 spicedb: expose flags for pg connection pool
dedb2f7 spicedb: fix CRDB revision quantization for zero, add a default
6e78673 spicedb: fix change batching in CRDB and add test.
d05e723 spicedb: fix postgres driver prefix check
eb17d46 spicedb: fix tests
0c93328 spicedb: generate servok protos
226f59f spicedb: get CRDB hlc from insert queries to save round trips
64a4ac4 spicedb: gofumpt
d3238e4 spicedb: handle error conditino in watch endpoint
2cb5c6b spicedb: implement CRDB reverse tuple query
8bd6d0a spicedb: implement read-only mode
d05c262 spicedb: implement v1alpha1.SchemaService
45075bc spicedb: increase smartclient max backoff for resolver
2e58495 spicedb: initial implementation of native CRDB datastore
4679a7b spicedb: initialize memdb with an empty transaction
4ddb612 spicedb: limit the acceptable incoming depth remaining
b90ba23 spicedb: main with zap/cobra/metrics/signals
f1c59a0 spicedb: make CRDB code simpler and more idiomatic
0a9bc8a spicedb: make CRDB connection pooling configurable
18860b3 spicedb: make code more readable, fix typos
0bf5824 spicedb: make gc window configurable in tests
cd8a05f spicedb: make protobuf generation reproducible
bee17ec spicedb: mark CRDB queries as read only transactions
27c1199 spicedb: mark overwritten namespaces as deleted
ddd76bd spicedb: migrate impl
to internal protos
f1e7aa7 spicedb: migrate to authzed/api/v0
e85b89a spicedb: move flags/commands under command file
c70e226 spicedb: mv grpchealth grpcutil, add auth mixin
10e1d94 spicedb: name conflict fix in proto package
0addd20 spicedb: no implicit permission system in schema
7bae771 spicedb: refactor reverse tuple queries
7946de7 spicedb: regenerate protobufs
5fc6aaf spicedb: remove golang-migrate
5f6778b spicedb: remove unused CRDB prometheus stats option
584a283 spicedb: replace consistent hash impl
052b835 spicedb: rm spans injected by gRPC interceptor
a7a7cc3 spicedb: run metrics server on developer mode
458eb4a spicedb: scope migrations to application context
f44e7e8 spicedb: sever grpc and datastore context for CRDB
b424f4f spicedb: smartclient retry and improved constructor
5e90f17 spicedb: surface rows.Scan error to caller
4bed0ac spicedb: test postgres datastore impl against cockroachdb
9887289 spicedb: use an extended error type for read-only
c32da1f spicedb: use buf to generate protos
6947fb8 spicedb: use local cluster redispatch
b393874 spicedb: use read only transaction everywhere
eb7e945 spicedb: use the authzed-go api protos
aabd3ea spicedb: use the internal API everywhere
463146a split and refactor graph and dispatch
b2a09c0 start test process locally
5d09aaa staticcheck: rm deprecated calls
772d6f7 statistically determine new enemy invulnerability
3c4dc6c structcheck: remove all unused fields
e086f85 switch to validation middleware
82d716c test that crdb is vulnerable to newenemy if protections are disabled
52bf8fd unused: remove unused funcs
4a69b3f unwrap cockroach retry logic on read methods
1bc21af update go Dockerfiles to only build required binary
0d5132f update migration name
63d33de update readme for homebrew
e7a6991 use authless reflection implementation from grpcutil
f8319c8 use goreleaser to build binaries and packages
875aa84 use relationreference instead of onr for lookup dispatch
a06b81d use the iterations it took to reproduce the newenemy problem to inform the number of times we test for invulnerability
0cd8b95 v1: add the read method
7ea8db7 v1alpha1: add schema tests