Blog

Introduction We often get asked about how you would model Infrastructure as a Service (IaaS) permissions in our SpiceDB Schema Language.

You can skip ahead and read the paper here In the past I have written and spoken quite frequently about how incredible I find Google’s Zanzibar paper.

Every day, thousands of developers design and build permissions systems into their software.

Authzed builds SpiceDB, an open source fine-grained permissions database inspired by Google’s Zanzibar paper.

July and August have been busy months for everyone at Authzed!

Today we’re announcing the open sourcing of spicedb-operator - a Kubernetes operator for installing, upgrading, and maintaining SpiceDB clusters on Kubernetes.

In this post, we’ll go into detail about each of these steps to highlight the work behind the newly improved Authzed Playground experience and perhaps inspire others to experiment with WebAssembly.

Keeping infrastructure software up to date has traditionally been a manual process: it was often part of somone’s job description to check whether a new version of the software was available, verify its compatibility and deploy the update.

You’ve heard of topic before, right? Of course you have. Who hasn’t?

SpiceDB is best known for being a Zanzibar-inspired open-source database system for managing security-critical application permissions, but did you know that the spicedb binary has additional commands and configurable features?

This post is the second in a series of posts about how SpiceDB and the Authzed platform resolve permissions decisions.

On February 16th 2022, while rolling out new metrics for the billing section of permission systems on Authzed, we noticed consistently higher API latency with occasionally large spikes into the hundreds of milliseconds.

SpiceDB is Authzed’s open source, Zanzibar-inspired permissions system. Like any permissions system, the primary goal of SpiceDB and Authzed’s hosted platform is the ability to answers questions of the form:

Data migrations are a fact of life for any application. Requirements change, features are added or removed, services are merged together or split apart.

Previously on… In the Onboarding with an M1 post, I documented my experience being the guinea pig for getting our applications and development environment running on the then newly released M1 MacBook Pro (2020).

The calm before the storm The support ticket that came in seemed innocent enough: a user reported that a new feature recently released on your open source project was not working 100% as expected.

SpiceDB is an open source database system for managing application permissions.

SpiceDB is the open source, Zanzibar-inspired permissions system. Want to learn how you can contribute or get started?

When you send a query to SpiceDB, our distributed authorization database, it will often choose to dispatch to other nodes in the cluster that are more likely to have results for subqueries already cached.

SpiceDB is the most comprehensive open source implementation of Google’s Zanzibar paper outside of Google itself.

SpiceDB is a database designed to store relationships and compute authorization decisions.

We’ve all interacted with applications and products that have a role editor that’s spiritually similar to the one above.

At Authzed, we’re building a platform to manage the permissions built into applications.

SpiceDB is the open-source Zanzibar implementation that drives Authzed, and it’s important that it provide all the guarantees that are described by the Zanzibar paper - one such property (oft overlooked by other descriptions or implementations of Zanzibar) is protection against the New Enemy problem.

In a previous blog post we discussed how the Authzed Playground was originally built, including its support via the Monaco editor for the various custom languages used in configuring Authzed.

Any complex system is only useful if it can be configured and maintained in a reasonable manner by those using it.

A high-level “view” of the problem In our previous blog post we discussed a scenario that is common when building modern multi-user or multi-tenant applications: How to provide each user with their own “view” of the resources found within the system in a performant and safe manner.

This is a cross-post originally written for the Buf blog.

Have you ever participated in an engineering design session at one of the FAANG companies?

In my previous post, I shared my technical onboarding experience with an M1 MacBook Pro.

Setting the scene It’s a crisp Monday morning, err – 11AM – close enough.

Update Jul 29, 2021: I gave a talk on Google Zanzibar for Papers We Love and the video is now available:

Human beings innately react to movement: Our eyes are finely tuned to changes in the environment around us, immediately focusing our attention on differences and making the details of the moving objects far more memorable.

NOTE: After the open sourcing of SpiceDB, this blog post has been updated to match current SpiceDB/Authzed terms and schema configuration This is part 1 of a multi-part blog series.

Have you ever chatted with a fellow developer about an application’s permission system and quickly realized you’re also talking about its login system?

NOTE: This blog post makes use of Zanzibar terminology and namespace configuration.

NOTE: This blog post makes use of Zanzibar terminology and namespace configuration.

I Didn’t Know I Couldn’t Do That “IAM is great!” said nobody ever.

“Failed Open” or “Fail Closed” are common concepts that come up while speaking with software engineers.