SpiceDB | AuthZed

Features

SpiceDB is the most scalable and consistent Google Zanzibar-inspired database for storing and computing permissions data—use it to build global-scale fine grained authorization services.

Expressive APIs

Expressive gRPC and HTTP/JSON APIs for powering authorization logic in your client applications.

Distributed Graph

Distributed, parallel graph engine faithful to the architecture described in Google’s Zanzibar paper.

Prevents New Enemies

A flexible consistency model configurable per-request that includes resistance to the New Enemy Problem.

Configuration Language

Intuitive authorization configuration language — SpiceDB Schema — with CI/CD integrations for validation & testing.

Pluggable Storage

Support for in-memory, Spanner, CockroachDB, PostgreSQL, and MySQL relationship storage.

Deep Observability

Deep observability with Prometheus metrics, pprof profiles, structured logging, and OpenTelemetry tracing.

Latest Release

SpiceDB v1.53.0

miparnisari released this 3 days ago

Install

Release Notes

Added

Add DispatchExecutor, a query plan executor that is Dispatch-aware and sends subproblems on Alias boundaries (https://github.com/authzed/spicedb/pull/3074)
Implement Dispatch caching for query plan execution (https://github.com/authzed/spicedb/pull/3079)
Add new optimizer to query planner based on set theory laws for simplifications (https://github.com/authzed/spicedb/pull/3051)
Experimental: Add unified schema storage with ReadStoredSchema/WriteStoredSchema APIs for improved schema read performance (https://github.com/authzed/spicedb/pull/2924)

This feature stores the entire schema as a single serialized proto rather than reading individual namespace and caveat definitions separately, significantly improving schema read performance.

Migration to unified schema storage is controlled by the --experimental-schema-mode flag, which supports a 4-phase rolling migration:
1. read-legacy-write-legacy (default) - No change; reads and writes use legacy per-definition storage.
2. read-legacy-write-both - Reads from legacy storage, writes to both legacy and unified storage. This is the first migration step and backfills the unified schema table.
3. read-new-write-both - Reads from unified storage, writes to both. Validates the new read path while maintaining backward compatibility.
4. read-new-write-new - Reads and writes only unified storage. This is the final migration target.
Deployment:
- With the SpiceDB Operator:* Configure the operator to roll through stages 1 through 4 in sequence. The operator handles the rolling update of SpiceDB instances at each stage.
- Without the operator:* Progress through the stages manually by updating the --experimental-schema-mode flag and performing a rolling restart at each stage. You can also take the system down briefly and move directly from stage 1 to stage 4, which runs the full migration in one step.

Changed

Build: strip quarantine attribute for MacOS (https://github.com/authzed/spicedb/pull/3082)

Fixed

Query plan contexts are written to during recursive calls -- for now, disable dispatch inside recursive calls (https://github.com/authzed/spicedb/pull/3078)

What's Changed

chore: roll changelog by @tstirrat15 in https://github.com/authzed/spicedb/pull/3080
feat: add a DispatchExecutor for query plans to the dispatch package by @barakmich in https://github.com/authzed/spicedb/pull/3074
test: prevent flaky TestCertWatcher by @miparnisari in https://github.com/authzed/spicedb/pull/3083
fix: do not dispatch within a recursive context by @barakmich in https://github.com/authzed/spicedb/pull/3078
build: strip quarantine attribute for macos by @miparnisari in https://github.com/authzed/spicedb/pull/3082
chore(deps): bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 by @dependabot[bot] in https://github.com/authzed/spicedb/pull/3068
feat: implement handling of dispatch and caching for DispatchQueryPlan by @barakmich in https://github.com/authzed/spicedb/pull/3079
feat: add unified schema storage with ReadStoredSchema/WriteStoredSchema by @josephschorr in https://github.com/authzed/spicedb/pull/2924
chore: remove errant comment by @tstirrat15 in https://github.com/authzed/spicedb/pull/3090
fix: add benchmark fixes after schema cache, applying optimizations by @barakmich in https://github.com/authzed/spicedb/pull/3091
fix: wire DispatchExecutor into the GRPC path properly and fix correctness by @barakmich in https://github.com/authzed/spicedb/pull/3093
chore: bump go version to 1.26.3 by @barakmich in https://github.com/authzed/spicedb/pull/3098
ci: save benchmarks to cache on main by @miparnisari in https://github.com/authzed/spicedb/pull/3103
chore(deps): bump the github-actions group across 1 directory with 18 updates by @dependabot[bot] in https://github.com/authzed/spicedb/pull/3104
refactor: wire QueryPlanMetadata through dispatch as well by @barakmich in https://github.com/authzed/spicedb/pull/3096
feat(queryopt): set simplification optimizer by @jzelinskie in https://github.com/authzed/spicedb/pull/3051