AuthZed Blog

Learn how AuthZed scaled SpiceDB on CockroachDB to 1 million authorization events per second with our now open-sourced advanced connection pooler, crdbpool. Discover the challenges we faced and how we solved them in our journey to maximizing CockroachDB performance.

The authorization team at Netflix recently sponsored work to add Attribute Based Access Control (ABAC) support to AuthZed’s open source Google Zanzibar inspired authorization system, SpiceDB. Netflix required attribute support in SpiceDB to support core Netflix application identity constructs. This post discusses why Netflix wanted ABAC support in SpiceDB, how Netflix collaborated with AuthZed, the end result–SpiceDB Caveats, and how Netflix may leverage this new feature.

The systems we build at AuthZed are the direct result of feedback from our community and customers. Because security is the core of our flagship product, SpiceDB, we take feedback on this topic very seriously. We’ve heard you, and today we’re proud to introduce a better way to secure AuthZed customers’ client applications accessing the SpiceDB API: **Fine-Grained Access Management** (FGAM).

At AuthZed, we believe there’s a time and place for every piece of technology; the tricky part is determining if your use case actually is the time and place. For many years, there’s been a strong argument by domain experts against using JWTs for web sessions. While this campaign has succeeded to help improve the security of the web frontend, there hasn’t been an equivalent campaign for the backend. While building [SpiceDB](https://github.com/authzed/spicedb), we’ve surveyed many backend developers only to find that many don’t know the pitfalls of JWTs or even that alternatives exist. SpiceDB is an open source project that implements one such alternative called _centralized authorization_. Because of this, I’ll be sure to include exactly how a centralized strategy accounts for the pitfalls with JWTs, too!

The top-3 most used caveats we've seen out in the wild

SpiceDB is a fairly unique database when it comes to consistency. Most databases implement a pattern called MVCC. Without going too deeply, when a query is made to an MVCC database, it runs that query against a snapshot of the data it manages. SpiceDB not only implements MVCC, but also supports the ability to specify the desired consistency on each request.

We often get asked about how you would model Infrastructure as a Service (IaaS) permissions in our SpiceDB Schema Language. Since we know that Google Cloud IAM uses Zanzibar internally, it should be possible to use relationship based access control to get the desired effect.

Understanding Google's Zanzibar paper the way the Authzed team does.

Our journey adding ABAC-like policies to SpiceDB

An intro to database connection draining

Product Updates for July & August

We're open sourcing SpiceDB Operator!

Running the SpiceDB development system within the browser via WebAssembly

The engineering behind notifying users about updates to SpiceDB and zed

This blog post challenges your preconceived notions while subtly re-affirming that you were right all along

A quick guide to configure and try the Authzed HTTP API

Walking the graph to resolve permissions answers

And why we’d be happy to replace it.

A deep-dive into our elevated latency last week

A tale of writing to two databases

How to perform online schema migrations with SpiceDB or Authzed.

Part 2 of an unexpected series on our development environment.

Creating a formal process for handling security vulnerabilities using GitHub

Details on one of SpiceDB's largest deviations from Zanzibar

A public display of development

Extending grpc-go with a custom resolver and loadbalancer implementations.

The architecture and code of SpiceDB.

Learn how to bootstrap SpiceDB from playground or PostgreSQL.

Modeling user-defined roles in Authzed schema.

Why we're building our company on Go in 2021

How We Reproduce and Prevent the New Enemy problem in SpiceDB.

Semantic highlighting in Monaco

Authzed's new configuration language

Reviewing the current landscape of Zanzibar implementations.

How Authzed enables filtering of objects by subject

How we're avoiding breaking users without compromising developer UX

Why names matter regardless of how technically sophistocated a product is.

My experience starting at Authzed during the pandemic.

A story of how a seemingly simple feature can lead down a permissions rabbit-hole.

Understanding the Google Zanzibar paper.

Building the animated code example

My experience starting at Authzed and setting up an M1 MacBook Pro.

Walking the graph to resolve permissions answers

Authentication systems are insufficient for authorization.

Building the Authzed Playground

Solving the new enemy problem.

Our Journey to Permissions as a Service.