Highlights
- Memory management for caching vastly improved by more accurately tracking the size of cache entries
- Postgres datastore rewritten with massive improvements to write performance
- Experimental caveats support
- Massive performance improvement for LookupResources
- GemFury DEB & RPM repositories are now available for SpiceDB releases
Upgrade Notes
Warning
This release includes migrations for all datastores, but a more complex migration for Postgres.
You must have already upgraded to v1.13.0 before upgrading to v1.14.0.
To learn more about migrations, see the migration documentation.
To automate migrations, Kubernetes users can run the SpiceDB Operator.
CockroachDB, Spanner, MySQL
CockroachDB, Spanner, MySQL datastore users can run the command spicedb migrate head from a SpiceDB v1.14 binary to migrate a v1.13 cluster. This may result in a brief latency spike, but will otherwise cause no downtime. After the migration is complete, v1.13 processes can be replaced with v1.14 ones.
Postgres
PostgreSQL users have two options: zero downtime or not.
Downtime
- Ensure SpiceDB v1.13.0 was running
- Shut off SpiceDB in all clusters
- Run spicedb migrate head using SpiceDB v1.14
- Roll out v1.14 to your cluster(s)
Zero-downtime
- Ensure SpiceDB v1.13.0 is currently running
- Run spicedb migrate add-xid-columns using SpiceDB v1.14
- Roll out v1.14 to your cluster(s) with the following flag: --datastore-migration-phase=write-both-read-old
- Once the rollout is fully complete, run spicedb migrate add-xid-constraints using SpiceDB v1.14
- Roll out v1.14 to your cluster(s) with the following flag: --datastore-migration-phase=write-both-read-new
- Once the rollout is fully complete, run spicedb migrate drop-id-constraints using SpiceDB v1.14
- Roll out v1.14 to your cluster(s) with the --datastore-migration-phase flag removed
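The zero-downtime steps above must run strictly in order, each migration followed by a completed rollout. The script below is an added example, not part of the SpiceDB project or these release notes: it runs one migrate-and-rollout pair per invocation and records progress so a phase cannot be skipped or repeated. STATE_FILE, SPICEDB_BIN and the rollout_and_wait hook are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not SpiceDB project code). STATE_FILE, SPICEDB_BIN and
# rollout_and_wait are assumptions of this sketch.
STATE_FILE="${STATE_FILE:-./spicedb-1.14-migration.state}"
SPICEDB_BIN="${SPICEDB_BIN:-spicedb}"   # must be a v1.14 binary

# Step N: migration target, then the phase flag for the rollout that follows it.
step_target() {
  case "$1" in
    0) echo "add-xid-columns" ;;
    1) echo "add-xid-constraints" ;;
    2) echo "drop-id-constraints" ;;
  esac
}
step_flag() {
  case "$1" in
    0) echo "--datastore-migration-phase=write-both-read-old" ;;
    1) echo "--datastore-migration-phase=write-both-read-new" ;;
    2) echo "" ;;   # final rollout: flag removed
  esac
}

# Steps already finished; 0 when no state file exists yet.
completed_steps() {
  if [ -f "$STATE_FILE" ]; then cat "$STATE_FILE"; else echo 0; fi
}

# Hypothetical hook: replace with your deployment tooling. It must return 0
# only once every instance runs v1.14 with the given flag (none if empty).
rollout_and_wait() {
  echo "rollout v1.14 ${1:-without the phase flag}"
}

# Runs exactly one migrate+rollout pair, so a phase can never be skipped.
# Extra arguments (datastore connection flags) are passed to spicedb.
run_next_step() {
  rns_done="$(completed_steps)"
  case "$rns_done" in
    0|1|2) ;;
    3) echo "migration complete"; return 0 ;;
    *) echo "unexpected state: $rns_done" >&2; return 1 ;;
  esac
  rns_target="$(step_target "$rns_done")"
  rns_flag="$(step_flag "$rns_done")"
  "$SPICEDB_BIN" migrate "$rns_target" "$@" || return 1
  rollout_and_wait "$rns_flag" || return 1
  echo $((rns_done + 1)) > "$STATE_FILE"   # only after the rollout completed
}
```

Call run_next_step once per phase; a failed migration or rollout leaves the state file unchanged, so the same step is retried on the next run.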
What's Changed
- Improves Postgres write performance by @jakedt in #852
- streamline logging by @vroldanbet in #844
- Implement structured errors for all user facing errors by @josephschorr in #858
- disable async logging by @vroldanbet in #888
- adds tests to demonstrate various caveat use-cases by @vroldanbet in #878
- fix datastore integration tests not running by @vroldanbet in #893
- Incremental migrations by @jakedt in #891
- Enable goreleaser pro, push linux packages to gemfury by @jzelinskie in #897
- add caveat support to postgres datastore by @vroldanbet in #890
- refactoring of caveat datastore methods by @vroldanbet in #899
- fix calls to logger that are not being sent by @vroldanbet in #904
- Batch check for lookup by @josephschorr in #843
- Add a lint check for zerolog expression statements without Send or Msg calls by @josephschorr in #907
- integrates caveat context in PermissionService API methods by @vroldanbet in #886
- more follow ups to caveats in datastore by @vroldanbet in #906
- Fix stack overflow on error marshalling for zerolog by @ecordell in #909
- Tech Debt cleanup: move LogOnError into common datastore package by @josephschorr in #912
- internal: store serialized protos in caches by @jzelinskie in #900
- Add a namespace proxy cache test suite using a real datastore by @josephschorr in #919
- Add caveat references to schema and full type checking by @josephschorr in #896
- fix more instances of zerolog marshall recursion by @vroldanbet in #922
- add missing caveat test, update caveat example by @vroldanbet in #924
- Sever namespace read context by @ecordell in #925
- introduce caveat support in CockroachDB by @vroldanbet in #921
- Encode xmin in postgres revisions to respect zedtoken order by @jakedt in #930
- implement caveat support for spanner by @ecordell in #929
- Add support for defining caveats in schema, and associated type checks by @josephschorr in #926
- include sboms in release by @ecordell in #927
- Elide updates of namespaces which have not changed at all by @josephschorr in #913
- datastore/postgres: stop casting xid in queries altogether by @jakedt in #942
- Don't return the caveat key in the ObjectDefinitionNames in v1alpha1 … by @josephschorr in #944
- Mark devtools gRPC endpoint enabled by default for the serve-devtools command by @josephschorr in #945
- Breakout the integration test suite from unit tests by @josephschorr in #947
- refactor: add context to write methods within a datastore transaction by @jakedt in #948
- parallelize consistent hashring test by @ecordell in #949
- Faster CI Feedback Loop by @vroldanbet in #950
- introduce caveat support in MySQL by @vroldanbet in #936
- fixes caching of loop variable in the wrong place by @vroldanbet in #951
- internal/datastore: add observable proxy by @jzelinskie in #952
- Add datastore proxy for separating context by @jzelinskie in #953
- Update authzed-go for the additional validation rules by @josephschorr in #957
- specifies cache-dependency-path to prevent poisoning by @vroldanbet in #960
- pg: move column defaults to backfill migration by @ecordell in #955
- do not run CRDB migration in transaction by @vroldanbet in #956
- Change experimental caveats flag to be handled at the service level by @josephschorr in #962
- datastore: DeleteNamespace => DeleteNamespaces by @jzelinskie in #940
- Add shorter timeouts and better config to gRPC dialing in tests by @josephschorr in #965
- Depbot updates for Nov 1, 2022 by @josephschorr in #972
Full Changelog: v1.13.0...v1.14.0
Docker Images
This release is available at authzed/spicedb:v1.14.0, quay.io/authzed/spicedb:v1.14.0, ghcr.io/authzed/spicedb:v1.14.0