• Stars
    star
    4,405
  • Rank 9,716 (Top 0.2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 3 years ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Open Source, Google Zanzibar-inspired permissions database to enable fine-grained access control for customer applications

SpiceDB

CII Best Practices Container Image Docs Discord Server Twitter

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

Developers create a schema that models their permissions requirements and use any of the official or community maintained client libraries to apply the schema to the database, insert data into the database, and query the data to efficiently check permissions in their applications.

Features that distinguish SpiceDB from other systems include:

Have questions? Ask in our Discord.

Want to learn more about the inspiration for SpiceDB? We've annotated Google's Zanzibar Paper with our own commentary.

Looking to contribute? See CONTRIBUTING.md.

You can find issues by priority: Urgent, High, Medium, Low, Maybe. There are also good first issues.

Getting Started

Installing the binary

Binary releases are available for Linux, macOS, and Windows on AMD64 and ARM64 architectures.

Homebrew users for both macOS and Linux can install the latest binary releases of SpiceDB and zed using the official tap:

brew install authzed/tap/spicedb authzed/tap/zed

Debian-based Linux users can install SpiceDB packages by adding a new APT source:

sudo echo "deb [trusted=yes] https://apt.fury.io/authzed/ /" > /etc/apt/sources.list.d/authzed-fury.list
sudo apt update && sudo apt install spicedb

RPM-based Linux users can install SpiceDB packages by adding a new YUM repository:

sudo cat << EOF >> /etc/yum.repos.d/Authzed-Fury.repo
[authzed-fury]
name=AuthZed Fury Repository
baseurl=https://yum.fury.io/authzed/
enabled=1
gpgcheck=0
EOF
sudo dnf install spicedb

Running a container

Container images are available for AMD64 and ARM64 architectures on the following registries:

Docker users can run the latest SpiceDB container with the following:

docker run --rm -p 50051:50051 authzed/spicedb serve --grpc-preshared-key "somerandomkeyhere"

SpiceDB containers use Chainguard Images to ship the bare minimum userspace which is a huge boon to security, but can complicate debugging. If you want to execute a user session into a running SpiceDB container and install packages, you can use one of our debug images.

Appending -debug to any tag will provide you an image that has a userspace with debug tooling:

docker run --rm -ti --entrypoint sh authzed/spicedb:latest-debug

Containers are also available for each git commit to the main branch under ${REGISTRY}/authzed/spicedb-git:${COMMIT}.

Deploying to Kubernetes

Production Kubernetes users should be relying on a stable release of the SpiceDB Operator. The Operator enforces not only best practices, but orchestrates SpiceDB updates without downtime.

If you're only experimenting, feel free to try out one of our community-maintained examples for testing SpiceDB on Kubernetes:

kubectl apply -f https://raw.githubusercontent.com/authzed/examples/main/kubernetes/example.yaml

Developing your own schema

You can try both SpiceDB and zed entirely in your browser on the Playground thanks to the power of WebAssembly.

If you don't want to start with the examples loadable from the Playground, you can follow a guide for developing a schema or review the the schema language design documentation.

To get a quick idea of schema development, you can watch the creators of SpiceDB writing a schema for GitHub:

Modeling GitHub YouTube Video Thumbnail

Trying out the API

For debugging or getting started, we recommend installing zed, the official command-line client. The Playground also has a tab for experimenting with zed all from within your browser.

When it's time to write code, we recommend using one of the existing client libraries whether it's official or community-maintained.

Because every millisecond counts, we recommend using libraries that leverage the gRPC API for production workloads.

To get an understanding of integrating an application with SpiceDB, you can follow the Protecting Your First App guide or review API documentation on the Buf Registry or Postman.

Acknowledgements

SpiceDB is a community project fueled by contributions from both organizations and individuals. We appreciate all contributions, large and small, and would like to thank all those involved.

In addition, we'd like to highlight a few notable contributions:

More Repositories

1

controller-idioms

Generic libraries for building idiomatic Kubernetes controllers
Go
162
star
2

zed

Official command-line tool for managing SpiceDB
Go
101
star
3

authzed-go

Official SpiceDB client library for Go
Go
66
star
4

zanzibar-annotated

Google's Zanzibar paper annotated for folks outside of Google
TypeScript
64
star
5

spicedb-operator

Kubernetes controller for managing instances of SpiceDB
Go
57
star
6

awesome-spicedb

An awesome list for the SpiceDB ecosystem
54
star
7

authzed-node

Official SpiceDB client library for NodeJS
TypeScript
42
star
8

consistent

gRPC Balancer that routes requests using a consistent hashring
Go
37
star
9

prom-authzed-proxy

A Prometheus proxy that performs SpiceDB permission checks based on labels
Go
33
star
10

authzed-py

Official SpiceDB client library for Python
Python
29
star
11

examples

A collection of examples for SpiceDB users
Go
26
star
12

crdbpool

node aware connection pooling for CockroachDB
Go
21
star
13

spicedb-kubeapi-proxy

Secure access to the Kubernetes API using SpiceDB
Go
21
star
14

animated-code-example-component

Embeddable component for displaying an animated code example, as well as a REPL and a browser window
TypeScript
17
star
15

authzed-java

Official SpiceDB client library for JVM languages
Java
16
star
16

authzed-rb

Official SpiceDB client library for Ruby
Ruby
15
star
17

api

Protocol Buffers & gRPC Services used by SpiceDB
13
star
18

action-spicedb-validate

GitHub Action for validating your SpiceDB schema
Dockerfile
11
star
19

connector-postgresql

Import PostgreSQL foreign key relationships into SpiceDB
Go
9
star
20

grpcutil

various utilities to simplify common gRPC APIs
Go
8
star
21

action-spicedb

GitHub Action for integration testing your application with SpiceDB
Shell
8
star
22

docs

Documentation website for Authzed & SpiceDB
MDX
7
star
23

spicedb-vscode

VS Code extension adding SpiceDB syntax highlighting, linting, and more
TypeScript
6
star
24

zed-testserver

Unit and Integration Testing server for Authzed
Dockerfile
4
star
25

action-testserver

@github action for running an @authzed test server
Dockerfile
3
star
26

actions

GitHub Actions used on various Authzed projects
JavaScript
3
star
27

servok

Serve endpoint metadata for client side load balancing
Go
3
star
28

cla

The agreements and signatures of contributors of the Authzed CLA
2
star
29

.github

Community defaults for our projects
1
star
30

homebrew-tap

a collection of @homebrew formula for @authzed
Ruby
1
star
31

tree-sitter-spicedb

tree-sitter grammar for SpiceDB schemas
JavaScript
1
star