SpiceDB | AuthZed

Features

SpiceDB is the most scalable and consistent Google Zanzibar-inspired database for storing and computing permissions data—use it to build global-scale fine grained authorization services.

Expressive APIs

Expressive gRPC and HTTP/JSON APIs for powering authorization logic in your client applications.

Distributed Graph

Distributed, parallel graph engine faithful to the architecture described in Google’s Zanzibar paper.

Prevents New Enemies

A flexible consistency model configurable per-request that includes resistance to the New Enemy Problem.

Configuration Language

Intuitive authorization configuration language — SpiceDB Schema — with CI/CD integrations for validation & testing.

Pluggable Storage

Support for in-memory, Spanner, CockroachDB, PostgreSQL, and MySQL relationship storage.

Deep Observability

Deep observability with Prometheus metrics, pprof profiles, structured logging, and OpenTelemetry tracing.

Latest Release

SpiceDB v1.52.0

tstirrat15 released this 6 days ago

Install

Release Notes

What's changed

Added

Added support for YAML-based validation files in DevContext (https://github.com/authzed/spicedb/pull/3024)
Added support for YAML-based validation files in the Language Server (https://github.com/authzed/spicedb/pull/3024)
Enable statistics-based optimizations when --experimental-query-plan is enabled. (https://github.com/authzed/spicedb/pull/3052)
Added missing implementations of cursoring for LookupResource, LookupSubjects and ReadRelationships calls in FDW (https://github.com/authzed/spicedb/pull/3016)
Add new gRPC Dispatch API and messages for dispatching query plans (https://github.com/authzed/spicedb/pull/3072)
Support new withDebug flag in LookupResources calls to identify cycles (https://github.com/authzed/spicedb/pull/3070)

Changed

Removed MySQL metrics prefixed with go_sql_stats_connections_* in favor of those prefixed with go_sql_* (https://github.com/authzed/spicedb/pull/2980)
Removed support for Spanner flag value --datastore-spanner-metrics=deprecated-prometheus; please use values otel or native (https://github.com/authzed/spicedb/pull/2980)
Reduced binary size (https://github.com/authzed/spicedb/pull/3005)
Reduce memory consumption of Watch API (https://github.com/authzed/spicedb/pull/2578)

Fixed

Improved error message when expiration is written before caveat in a relationship (https://github.com/authzed/spicedb/pull/3071)
On a Postgres setup with read replicas, some requests may silently swallow errors of sort "revision not found in replica" (https://github.com/authzed/spicedb/pull/2979)
Use cgroup-aware memory detection for cache and watch buffer sizing in containerized environments (https://github.com/authzed/spicedb/pull/3000)
Upgraded the spanner client, which changed the internal implementation to not use a session pool. This means that the --datastore-spanner-max-sessions and --datastore-spanner-min-sessions flags are now deprecated and no-op. We also strongly recommend using Application Default Credentials in favor of a credentials file. (https://github.com/authzed/spicedb/pull/3038)
Query Planner: error "ERROR: index \"pk_relation_tuple\" cannot be used for this query (SQLSTATE 42809)" returned when using wildcards (https://github.com/authzed/spicedb/pull/3039)
Providing one of (--grpc-tls-cert-path, --grpc-tls-key-path) but not the other is now considered an error state, as both are necessary if you want to use TLS.
In a caveat context that uses nested lists of lists, the hashes generated for cache keys could collide because of an issue with the serialization logic. The serialization now uses deterministic protobuf serialization which avoids this issue (https://github.com/authzed/spicedb/pull/3065)