SpiceDB

0

Open Source, Google Zanzibar-inspired permissions database to enable fine-grained access control for customer applications

Security

scale
database
permissions
zanzibar

spicedb logo spicedb Logo

SpiceDB sets the standard for authorization that scales.

Scale with
Traffic • Dev Velocity • Functionality • Geography

release badge   docker pulls badge   built with Go badge   cii badge  

discord badge   twitter badge   linkedin badge

What is SpiceDB?

spicedb diagram spicedb diagram

SpiceDB is the most mature open source project inspired by Google's internal authorization system: Zanzibar.

As of 2021, broken access control became the #1 threat to web security according to OWASP. With SpiceDB, platform teams are armed with the same techniques for stopping this threat that the hyperscale tech companies have been doing for years behind closed doors.

Similar to a relational database, developers define a schema, write data to the database, and query that data in various ways. However, unlike relational databases that use general-purpose SQL, SpiceDB exposes a gRPC API specifcally optimized for authorizing actions in your systems.

Because SpiceDB self-contains data and logic for used for authorization, it is often ran as a centralized service shared across product suites and microservice architectures.

SpiceDB is focused purely on authorization and is designed to be fully agnostic to authentication solutions/identity providers.

What is Google Zanzibar?

In 2019, Google released the paper "Zanzibar: Google's Consistent, Global Authorization System" providing the original inspiration for SpiceDB. The paper presents the design, implementation, and deployment of, Zanzibar, Google's internal system for storing and evaluating access control lists. Originally designed for Google+ Circles, Zanzibar now sits at the core Google's entire product suite (Calendar, Drive, Maps, Photos, YouTube) and powers the Google Cloud IAM service.

While SpiceDB has gone on to innovate well beyond the functionality outlined in the paper, development of SpiceDB aims to always remain faithful to the paper's values and goals.

Why SpiceDB?

  • World-class engineering: painstakingly built by experts that pioneered the cloud-native ecosystem
  • Authentic design: mature and feature-complete implementation of Google's Zanzibar paper
  • Proven in production: 5ms p95 when scaled to millions of queries/s, billions of relationships
  • Global consistency: consistency configured per-request unlocks correctness while maintaining performance
  • Multi-paradigm: caveated relationships combine the best concepts in authorization: ABAC & ReBAC
  • Safety in tooling: designs schemas with real-time validation or validate in your CI/CD workflow
  • Reverse Indexes: queries for "What can subject do?", "Who can access resource?"

Who uses SpiceDB?

SpiceDB is a powerful tool in a variety of domains and in organizations of all sizes; we've chosen to highlight a few interesting community members:

Beyond the community, you can also read customer stories for commercial usage of SpiceDB.

Joining the Community

Join our fellow contributors from companies such as github logo GitHub, adobe logo Adobe, google logo Google, fastly logo Fastly, plaid logo Plaid, red hat logo Red Hat, and reddit logo Reddit.

SpiceDB is a community project where everyone is invited to participate and feel welcomed. While the project has a technical goal, participation is not restricted to those with code contributions.

CONTRIBUTING.md documents communication, contribution flow, legal requirements, and common tasks when contributing to the project.

You can find issues by priority: Urgent, High, Medium, Low, Maybe. There are also good first issues.

Our documentation is also open source if you'd like to clarify anything you find confusing.

Getting Started

Familiarizing yourself with our learning materials

Installing the binary

Binary releases are available for Linux, macOS, and Windows on AMD64 and ARM64 architectures.

Homebrew users for both macOS and Linux can install the latest binary releases of SpiceDB and zed using the official tap:

brew install authzed/tap/spicedb authzed/tap/zed

Debian-based Linux users can install SpiceDB packages by adding a new APT source:

sudo apt update && sudo apt install -y curl ca-certificates gpg
curl https://pkg.authzed.com/apt/gpg.key | sudo apt-key add -
sudo echo "deb https://pkg.authzed.com/apt/ * *" > /etc/apt/sources.list.d/fury.list
sudo apt update && sudo apt install -y spicedb zed

RPM-based Linux users can install SpiceDB packages by adding a new YUM repository:

sudo cat << EOF >> /etc/yum.repos.d/Authzed-Fury.repo
[authzed-fury]
name=AuthZed Fury Repository
baseurl=https://pkg.authzed.com/yum/
enabled=1
gpgcheck=0
EOF
sudo dnf install -y spicedb zed

Running a container

Container images are available for AMD64 and ARM64 architectures on the following registries:

Docker users can run the latest SpiceDB container with the following:

docker run --rm -p 50051:50051 authzed/spicedb serve --grpc-preshared-key "somerandomkeyhere"

SpiceDB containers use Chainguard Images to ship the bare minimum userspace which is a huge boon to security, but can complicate debugging. If you want to execute a user session into a running SpiceDB container and install packages, you can use one of our debug images.

Appending -debug to any tag will provide you an image that has a userspace with debug tooling:

docker run --rm -ti --entrypoint sh authzed/spicedb:latest-debug

Containers are also available for each git commit to the main branch under ${REGISTRY}/authzed/spicedb-git:${COMMIT}.

Deploying to Kubernetes

Production Kubernetes users should be relying on a stable release of the SpiceDB Operator. The Operator enforces not only best practices, but orchestrates SpiceDB updates without downtime.

If you're only experimenting, feel free to try out one of our community-maintained examples for testing SpiceDB on Kubernetes:

kubectl apply -f https://raw.githubusercontent.com/authzed/examples/main/kubernetes/example.yaml

Developing your own schema

You can try both SpiceDB and zed entirely in your browser in the hosted Playground thanks to the power of WebAssembly. The Playground app is open source and can also be self-hosted.

If you don't want to start with the examples loadable from the Playground, you can follow a guide for developing a schema or review the the schema language design documentation.

Watch the SpiceDB primer video to get started with schema development:

SpiceDB Primer YouTube Thumbnail

Trying out the API

For debugging or getting started, we recommend installing zed, the official command-line client. The Playground also has a tab for experimenting with zed all from within your browser.

When it's time to write code, we recommend using one of the existing client libraries whether it's official or community-maintained.

Because every millisecond counts, we recommend using libraries that leverage the gRPC API for production workloads.

To get an understanding of integrating an application with SpiceDB, you can follow the Protecting Your First App guide or review API documentation on the Buf Registry or Postman.

Acknowledgements

SpiceDB is a community project fueled by contributions from both organizations and individuals. We appreciate all contributions, large and small, and would like to thank all those involved.

In addition, we'd like to highlight a few notable contributions:

  • github logo The GitHub Authorization Team for implementing and contributing the MySQL datastore
  • netflix logo The Netflix Authorization Team for sponsoring and being a design partner for caveats
  • equinix logo The Equinix Metal Team for sponsoring our benchmarking hardware