Open Source Google Zanzibar

Security

• Prevent cache poisoning. The dispatch Check cache key now incorporates check hints. See https://github.com/authzed/spicedb/security/advisories/GHSA-4vrg-r928-h5vv

Added

• Query Planner: fast serialize/deserialize for query plans (https://github.com/authzed/spicedb/pull/3122)

Changed

• Cache: switch to otter as the primary cache implementation (https://github.com/authzed/spicedb/pull/3112)
• Server handles: GRPCDialContext as a handle on the server used deprecated gRPC methods. We modernized it and renamed it to NewClient (https://github.com/authzed/spicedb/pull/3147)

Fixed

• The watching schema cache (--enable-experimental-watchable-schema-cache) no longer enters permanent fallback on transient watch errors. A new supervisor restarts the watch cycle with bounded exponential backoff and only treats caller-driven cancellation or unsupported-watch as terminal (https://github.com/authzed/spicedb/pull/3134)
• Watch consumers that request WatchCheckpoints now eventually observe every revision returned by WriteRelationships as a checkpoint. MemDB regressed this in https://github.com/authzed/spicedb/pull/2578 for no-op writes and MySQL never emitted checkpoints at all prior to now. Both now emit a checkpoint at the new revision. (https://github.com/authzed/spicedb/pull/3114)
• When Query Planner evaluates a union, short-circuit if one of the branches yields a positive un-caveated result (https://github.com/authzed/spicedb/pull/3120)
• DispatchQueryPlan previously did not try to use the singleflight middleware for check calls. (https://github.com/authzed/spicedb/pull/3119)
• Fixed regression introduced in 1.53.0. Postgres HeadRevision no longer allocates a new transaction ID on every call (https://github.com/authzed/spicedb/pull/3127)
• Fixed regression introduced in 1.53.0 for MySQL migration scripts (https://github.com/authzed/spicedb/pull/3129)
• Query Planner: LookupSubjects no longer returns a subject excluded from a wildcard (e.g. viewer:* - banned) when the exclusion feeds an intersection (experimental --experimental-query-plan ls) (https://github.com/authzed/spicedb/pull/3136)
• Tracing: When server is shutting down, flush traces. Also, elide the need for setting OTEL_EXPORTER_OTLP_ENDPOINT. (https://github.com/authzed/spicedb/pull/3108)
• Fixed a LookupSubjects issue in the query planner around the handling of wildcards in compound permissions (https://github.com/authzed/spicedb/pull/3140)
• MySQL: identifiers (object/subject IDs and relationship counter names) are now stored with a case-sensitive (binary) collation, matching the Postgres, CockroachDB, and Spanner datastores. Previously, identifiers differing only in letter case (e.g. Foo and foo) incorrectly collided in unique indexes and lookups. ⚠️ The migration rebuilds the relation_tuple table in place via ALTER TABLE, which can hold a metadata/table lock for a long time on large datasets — run the upgrade in a low-traffic window, or apply it with an online schema-change tool (e.g. gh-ost). (https://github.com/authzed/spicedb/pull/3161)
• server.NewConfigWithOptionsAndDefaults now populates Config and its embedded structs with the same defaults as the CLI flags, fixing zero-value behavior when embedding SpiceDB as a library. (https://github.com/authzed/spicedb/pull/3156)

What's Changed

• feat: add prometheus metrics for DispatchQueryPlan by @barakmich in https://github.com/authzed/spicedb/pull/3109
• chore: bump grpc-health-probe by @miparnisari in https://github.com/authzed/spicedb/pull/3111
• docs: fix changelog by @miparnisari in https://github.com/authzed/spicedb/pull/3113
• fix: Watch checkpointing in memdb and mysql by @miparnisari in https://github.com/authzed/spicedb/pull/3114
• chore: use otter as the primary cache implementation and get rid of alternative implementations by @tstirrat15 in https://github.com/authzed/spicedb/pull/3112
• fix(QP): short-circuit unions where applicable by @miparnisari in https://github.com/authzed/spicedb/pull/3121
• feat: registry for the iterators by @barakmich in https://github.com/authzed/spicedb/pull/3118
• testing: add benchmarking to compare LocalExecutor vs DispatchExecutor by @barakmich in https://github.com/authzed/spicedb/pull/3117
• fix: route query plan dispatch checks through singleflight by @barakmich in https://github.com/authzed/spicedb/pull/3119
• chore: clarify --termination-log-path flag description by @ivanauth in https://github.com/authzed/spicedb/pull/3126
• fix: postgres implementation of HeadRevision by @miparnisari in https://github.com/authzed/spicedb/pull/3127
• feat: introduce a hand-written serialize/deserialize for iterators by @barakmich in https://github.com/authzed/spicedb/pull/3122
• test: include migration scripts for coverage by @miparnisari in https://github.com/authzed/spicedb/pull/3128
• fix: mysql migrations by @miparnisari in https://github.com/authzed/spicedb/pull/3129
• refactor: carry schema hash inside ZedTokens by @josephschorr in https://github.com/authzed/spicedb/pull/3125
• chore: bump go packages for cve by @miparnisari in https://github.com/authzed/spicedb/pull/3132
• test: Improve code coverage of tests by @josephschorr in https://github.com/authzed/spicedb/pull/3063
• fix(schemacache): supervisor recovers from transient watch errors by @vroldanbet in https://github.com/authzed/spicedb/pull/3134
• otel: replace cobraotel with native lifecycle management by @Jdepp007004 in https://github.com/authzed/spicedb/pull/3108
• refactor(schemacache): post-#3134 cleanup and race fix by @vroldanbet in https://github.com/authzed/spicedb/pull/3138
• fix(query): respect wildcard ExcludedSubjects in LookupSubjects intersection by @matte1782 in https://github.com/authzed/spicedb/pull/3136
• feat: use serialized plans in dispatch by @barakmich in https://github.com/authzed/spicedb/pull/3130
• fix: three correctness bugs surfaced by GRPC consistency cross-check by @barakmich in https://github.com/authzed/spicedb/pull/3140
• chore: use StopAllGoroutines for otter by @tstirrat15 in https://github.com/authzed/spicedb/pull/3145
• chore(deps): bump github.com/quic-go/quic-go from 0.59.0 to 0.59.1 in /magefiles by @dependabot[bot] in https://github.com/authzed/spicedb/pull/3153
• refactor: schema watching cache by @miparnisari in https://github.com/authzed/spicedb/pull/3144
• chore: more spans in datastore proxies by @miparnisari in https://github.com/authzed/spicedb/pull/3154
• chore: rework handles for gRPC tests by @tstirrat15 in https://github.com/authzed/spicedb/pull/3147
• fix(mysql): store identifiers with a case-sensitive (binary) collation by @josephschorr in https://github.com/authzed/spicedb/pull/3161
• docs(cache): clarify Cache interface semantics by @ivanauth in https://github.com/authzed/spicedb/pull/3152
• refactor: remove global caches object by @miparnisari in https://github.com/authzed/spicedb/pull/3167
• fix: set library-friendly defaults on server Config by @ivanauth in https://github.com/authzed/spicedb/pull/3156
• chore: add buffnet authority to connection by @tstirrat15 in https://github.com/authzed/spicedb/pull/3168
• test: flaky TestLookupResources by @miparnisari in https://github.com/authzed/spicedb/pull/3171
• test: address flake in HeadRevisionDoesNotConsumeXID by @tstirrat15 in https://github.com/authzed/spicedb/pull/3163
• test: add more goleak checks by @miparnisari in https://github.com/authzed/spicedb/pull/3175
• test(certtest): make TestCertRotation actually verify hot cert reload by @ivanauth in https://github.com/authzed/spicedb/pull/3169
• chore: Changed AuthZed Cloud Link in readme by @sohanmaheshwar in https://github.com/authzed/spicedb/pull/3177
• feat(datalayer): schema caching for write transactions by @ecordell in https://github.com/authzed/spicedb/pull/3160
• chore: make crdb.Pool code unit-testable by @miparnisari in https://github.com/authzed/spicedb/pull/3180
• fix: #3179 by @miparnisari in https://github.com/authzed/spicedb/pull/3181
• fix(lsp): resolve hover on the right side of arrow expressions by @ivanauth in https://github.com/authzed/spicedb/pull/3157
• refactor: create a new prometheus registry for every server by @miparnisari in https://github.com/authzed/spicedb/pull/3170

New Contributors

• @Jdepp007004 made their first contribution in https://github.com/authzed/spicedb/pull/3108
• @matte1782 made their first contribution in https://github.com/authzed/spicedb/pull/3136

Full Changelog: https://github.com/authzed/spicedb/compare/v1.53.0...v1.54.0

Docker Images

This release is available at authzed/spicedb:v1.54.0, quay.io/authzed/spicedb:v1.54.0, ghcr.io/authzed/spicedb:v1.54.0

What's Changed

• feat: add prometheus metrics for DispatchQueryPlan by @barakmich in https://github.com/authzed/spicedb/pull/3109
• chore: bump grpc-health-probe by @miparnisari in https://github.com/authzed/spicedb/pull/3111
• docs: fix changelog by @miparnisari in https://github.com/authzed/spicedb/pull/3113
• fix: Watch checkpointing in memdb and mysql by @miparnisari in https://github.com/authzed/spicedb/pull/3114
• chore: use otter as the primary cache implementation and get rid of alternative implementations by @tstirrat15 in https://github.com/authzed/spicedb/pull/3112
• fix(QP): short-circuit unions where applicable by @miparnisari in https://github.com/authzed/spicedb/pull/3121
• feat: registry for the iterators by @barakmich in https://github.com/authzed/spicedb/pull/3118
• testing: add benchmarking to compare LocalExecutor vs DispatchExecutor by @barakmich in https://github.com/authzed/spicedb/pull/3117
• fix: route query plan dispatch checks through singleflight by @barakmich in https://github.com/authzed/spicedb/pull/3119
• chore: clarify --termination-log-path flag description by @ivanauth in https://github.com/authzed/spicedb/pull/3126
• fix: postgres implementation of HeadRevision by @miparnisari in https://github.com/authzed/spicedb/pull/3127
• feat: introduce a hand-written serialize/deserialize for iterators by @barakmich in https://github.com/authzed/spicedb/pull/3122
• test: include migration scripts for coverage by @miparnisari in https://github.com/authzed/spicedb/pull/3128
• fix: mysql migrations by @miparnisari in https://github.com/authzed/spicedb/pull/3129
• refactor: carry schema hash inside ZedTokens by @josephschorr in https://github.com/authzed/spicedb/pull/3125
• chore: bump go packages for cve by @miparnisari in https://github.com/authzed/spicedb/pull/3132
• test: Improve code coverage of tests by @josephschorr in https://github.com/authzed/spicedb/pull/3063
• fix(schemacache): supervisor recovers from transient watch errors by @vroldanbet in https://github.com/authzed/spicedb/pull/3134
• otel: replace cobraotel with native lifecycle management by @Jdepp007004 in https://github.com/authzed/spicedb/pull/3108
• refactor(schemacache): post-#3134 cleanup and race fix by @vroldanbet in https://github.com/authzed/spicedb/pull/3138
• fix(query): respect wildcard ExcludedSubjects in LookupSubjects intersection by @matte1782 in https://github.com/authzed/spicedb/pull/3136
• feat: use serialized plans in dispatch by @barakmich in https://github.com/authzed/spicedb/pull/3130
• fix: three correctness bugs surfaced by GRPC consistency cross-check by @barakmich in https://github.com/authzed/spicedb/pull/3140
• chore: use StopAllGoroutines for otter by @tstirrat15 in https://github.com/authzed/spicedb/pull/3145
• chore(deps): bump github.com/quic-go/quic-go from 0.59.0 to 0.59.1 in /magefiles by @dependabot[bot] in https://github.com/authzed/spicedb/pull/3153
• refactor: schema watching cache by @miparnisari in https://github.com/authzed/spicedb/pull/3144
• chore: more spans in datastore proxies by @miparnisari in https://github.com/authzed/spicedb/pull/3154
• chore: rework handles for gRPC tests by @tstirrat15 in https://github.com/authzed/spicedb/pull/3147
• fix(mysql): store identifiers with a case-sensitive (binary) collation by @josephschorr in https://github.com/authzed/spicedb/pull/3161
• docs(cache): clarify Cache interface semantics by @ivanauth in https://github.com/authzed/spicedb/pull/3152
• refactor: remove global caches object by @miparnisari in https://github.com/authzed/spicedb/pull/3167
• fix: set library-friendly defaults on server Config by @ivanauth in https://github.com/authzed/spicedb/pull/3156
• chore: add buffnet authority to connection by @tstirrat15 in https://github.com/authzed/spicedb/pull/3168
• test: flaky TestLookupResources by @miparnisari in https://github.com/authzed/spicedb/pull/3171
• test: address flake in HeadRevisionDoesNotConsumeXID by @tstirrat15 in https://github.com/authzed/spicedb/pull/3163
• test: add more goleak checks by @miparnisari in https://github.com/authzed/spicedb/pull/3175
• test(certtest): make TestCertRotation actually verify hot cert reload by @ivanauth in https://github.com/authzed/spicedb/pull/3169
• chore: Changed AuthZed Cloud Link in readme by @sohanmaheshwar in https://github.com/authzed/spicedb/pull/3177
• feat(datalayer): schema caching for write transactions by @ecordell in https://github.com/authzed/spicedb/pull/3160
• chore: make crdb.Pool code unit-testable by @miparnisari in https://github.com/authzed/spicedb/pull/3180
• fix: #3179 by @miparnisari in https://github.com/authzed/spicedb/pull/3181
• fix(lsp): resolve hover on the right side of arrow expressions by @ivanauth in https://github.com/authzed/spicedb/pull/3157
• refactor: create a new prometheus registry for every server by @miparnisari in https://github.com/authzed/spicedb/pull/3170

New Contributors

• @Jdepp007004 made their first contribution in https://github.com/authzed/spicedb/pull/3108
• @matte1782 made their first contribution in https://github.com/authzed/spicedb/pull/3136

Full Changelog: https://github.com/authzed/spicedb/compare/v1.53.0...v1.54.0

Docker Images

This release is available at authzed/spicedb:v1.54.0, quay.io/authzed/spicedb:v1.54.0, ghcr.io/authzed/spicedb:v1.54.0