Spicedb

SpiceDB is a distributed permission store and relationship-based access control system. It provides a scalable database for storing and querying fine-grained authorization relationships, implementing a consistency model inspired by Google Zanzibar to manage access rights across large-scale applications.

The system uses a dedicated schema language to define the rules and logic governing how relationships translate into permissions independently of application code. It functions as a pluggable authorization engine that persists relationship tuples in external relational databases such as PostgreSQL, MySQL, or Spanner.

The platform covers a broad range of capabilities including authorization schema management, recursive permission evaluation, and the ability to query access data via SQL. It includes infrastructure for managing data lifecycles through relationship expiration and garbage collection, as well as performance optimizations using set theory for query planning and read-replica request routing.

The project can be deployed via containers and supports telemetry export for observability.

Features

Relationship-Based Models - Implements a relationship-based access control model using graph-like tuples to evaluate recursive permissions.

Relationship-Based Access Controls - Manages permissions by defining and updating relationships between subjects and objects in a graph.

Authorization Databases - Provides a scalable database for storing and querying fine-grained authorization relationships based on the Zanzibar model.

Distributed Permission Stores - Provides a high-performance distributed data store specifically for managing granular access rights.

Global Consistency Models - Implements a Zanzibar-inspired consistency model for global scale and consistent permission evaluation.

Quad Stores - Stores authorization data as tuples of subjects and objects to enable recursive graph traversal.

Relationship Data Storage - Persists fine-grained authorization tuples across various supported database engines.

Authorization Services - Functions as a standalone authorization service that decouples policy enforcement from application code.

Granular Permission Systems - Implements complex authorization structures to determine if a user can perform specific actions.

Permission Calculation Logics - Implements logic to calculate and evolve permissions based on a user-defined authorization schema.

Authorization Services - Provides a remote service to evaluate fine-grained access control policies for users and services.

Permission-Based Access Control - Determines if a subject has a specific permission for a resource based on the defined schema.

Permission Management - Manages granular user authorization and permission requests across distributed microservices.

Scalable Authorization Infrastructure - Builds high-performance permission infrastructure capable of handling massive authorization datasets across distributed clusters.

Zanzibar-Inspired Authorization Systems - Implements a distributed permission system based on the Google Zanzibar model for global scale and consistency.

Authorization Schemas - Uses a dedicated schema language to define the rules and relationships governing permissions.

Permission Logic Definitions - Provides a dedicated domain language to define how relationships translate into permissions independently of the application code.

Authorization Schemas - Uses a dedicated schema language to define the rules and logic governing how relationships translate into permissions.

API to SQL Mapping - Maps permissions to virtual tables to enable standard SQL queries against access control data.

Rolling Deployment Migrations - Supports sequenced rolling deployment of schema updates to ensure the distributed system remains available during structural changes.

Permission-to-Query Translators - Allows executing permission checks and relationship lookups using standard SQL select and join statements.

Pluggable Storage Backends - Features a pluggable architecture for swapping between different relational storage backends like Postgres, MySQL, and Spanner.

Authorization Engines - Implements a permission evaluation service that persists authorization tuples within a PostgreSQL database.

Query Planning - Optimizes authorization lookups using set theory and statistics to construct efficient execution plans.

Read Replicas - Offloads read traffic to database replicas to improve scalability and reduce primary store load.

Replica Load Balancers - Distributes read operations across multiple database replicas to increase throughput and reduce primary node load.

Query Optimization Algorithms - Accelerates permission lookups by applying mathematical laws and statistics to reduce the search space of the graph.

Storage Abstractions - Implements an abstraction layer that allows the core logic to be decoupled from specific relational database engines.

Access Control Frameworks - Database for managing application permissions inspired by Zanzibar.

Security & Privacy - Zanzibar-inspired database for fine-grained authorization.

authzedspicedb

Features

Star history