github.com/authzed/spicedb@v1.32.1-0.20240520085336-ebda56537386/README.md (about)

     1  <h1 align="center">
     2      <a href="https://authzed.com#gh-dark-mode-only" target="_blank">
     3          <img width="300" src="https://github.com/authzed/spicedb/assets/343539/82234426-468b-4297-8b5c-f06a44fe2278" alt="spicedb logo">
     4      </a>
     5      <a href="https://authzed.com#gh-light-mode-only" target="_blank">
     6          <img width="300" src="https://github.com/authzed/spicedb/assets/343539/312ff046-7076-4c30-afd4-2e3d86c06f51" alt="spicedb Logo">
     7      </a>
     8  </h1>
     9  
    10  <h3 align="center">
    11    SpiceDB sets the standard for authorization that <i>scales</i>.
    12    <br/><br/>Scale with<br/>
    13    Traffic • Dev Velocity • Functionality • Geography
    14  </h3>
    15  
    16  <p align="center">
    17    <a href="https://github.com/authzed/spicedb/releases"><img alt="release badge" src="https://img.shields.io/github/v/release/authzed/spicedb?color=%236EC93F&label=latest%20release&sort=semver&style=flat-square"></a>
    18    &nbsp;
    19    <a href="https://hub.docker.com/repository/docker/authzed/spicedb" target="_blank"><img alt="docker pulls badge" src="https://img.shields.io/docker/pulls/authzed/spicedb?color=%23448CE6&style=flat-square"></a>
    20    &nbsp;
    21    <a href="https://authzed.com/blog/go-ecosystem"><img alt="built with Go badge" src="https://img.shields.io/badge/built_with-Go-367B99.svg?style=flat-square"></a>
    22    &nbsp;
    23    <a href="https://www.bestpractices.dev/en/projects/6348" target="_blank"><img alt="cii badge" src="https://img.shields.io/cii/percentage/6348?style=flat-square&label=cii%20best%20practices&color=F8D44B"></a>
    24    &nbsp;
    25  </p>
    26  
    27  <p align="center">
    28    <a href="https://discord.gg/spicedb"><img alt="discord badge" src="https://img.shields.io/discord/844600078504951838?color=7289da&label=discord&style=flat-square"></a>
    29  	&nbsp;
    30      <a href="https://twitter.com/authzed"><img alt="twitter badge" src="https://img.shields.io/badge/twitter-@authzed-1d9bf0.svg?style=flat-square"></a>
    31      &nbsp;
    32      <a href="https://www.linkedin.com/company/authzed/"><img alt="linkedin badge" src="https://img.shields.io/badge/linkedin-+authzed-2D65BC.svg?style=flat-square"></a>
    33  </p>
    34  
    35  ## What is SpiceDB?
    36  
    37  SpiceDB is a graph database purpose-built for storing and evaluating access control data.
    38  
    39  As of 2021, [broken access control became the #1 threat to the web][owasp]. With SpiceDB, developers finally have the solution to stopping this threat the same way as the hyperscalers.
    40  
    41  [owasp]: https://owasp.org/Top10/A01_2021-Broken_Access_Control/
    42  
    43  ### Why SpiceDB?
    44  
    45  - [**World-class engineering**][about]: painstakingly built by experts that pioneered the cloud-native ecosystem
    46  - [**Authentic design**][zanzibar]: mature and feature-complete implementation of Google's Zanzibar paper
    47  - [**Proven in production**][1M]: 5ms p95 when scaled to millions of queries/s, billions of relationships
    48  - [**Global consistency**][consistency]: consistency configured per-request unlocks correctness while maintaining performance
    49  - [**Multi-paradigm**][caveats]: caveated relationships combine the best concepts in authorization: ABAC & ReBAC
    50  - [**Safety in tooling**][tooling]: designs schemas with real-time validation or validate in your CI/CD workflow
    51  - [**Reverse Indexes**][reverse-indexes]: queries for "What can `subject` do?", "Who can access `resource`?"
    52  
    53  [about]: https://authzed.com/why-authzed
    54  [zanzibar]: https://authzed.com/zanzibar
    55  [1M]: https://authzed.com/blog/google-scale-authorization
    56  [caveats]: https://netflixtechblog.com/abac-on-spicedb-enabling-netflixs-complex-identity-types-c118f374fa89
    57  [tooling]: https://authzed.com/docs/spicedb/modeling/validation-testing-debugging
    58  [reverse-indexes]: https://authzed.com/docs/spicedb/getting-started/faq#what-is-a-reverse-index
    59  [consistency]: https://authzed.com/docs/spicedb/concepts/consistency
    60  
    61  ## Joining the Community
    62  
    63  SpiceDB is a community project where everyone is invited to participate and [feel welcomed].
    64  While the project has a technical goal, participation is not restricted to those with code contributions.
    65  
    66  [feel welcomed]: CODE-OF-CONDUCT.md
    67  
    68  ### Learn
    69  
    70  - Ask questions via [GitHub Discussions] or our [Community Discord]
    71  - Read [blog posts] from the Authzed team describing the project and major announcements
    72  - Watch our [YouTube videos] about SpiceDB, modeling schemas, leveraging CNCF projects, and more
    73  - Explore the [SpiceDB Awesome List] that enumerates official and third-party projects built by the community
    74  - Reference [community examples] for demo environments, integration testing, CI pipelines, and writing schemas
    75  
    76  [GitHub Discussions]: https://github.com/orgs/authzed/discussions/new?category=q-a
    77  [Community Discord]: https://authzed.com/discord
    78  [blog posts]: https://authzed.com/blog
    79  [SpiceDB Awesome List]: https://github.com/authzed/awesome-spicedb
    80  [YouTube videos]: https://www.youtube.com/@authzed
    81  [community examples]: https://github.com/authzed/examples
    82  
    83  ### Contribute
    84  
    85  [CONTRIBUTING.md] documents communication, contribution flow, legal requirements, and common tasks when contributing to the project.
    86  
    87  You can find issues by priority: [Urgent], [High], [Medium], [Low], [Maybe].
    88  There are also [good first issues].
    89  
    90  Our [documentation website] is also open source if you'd like to clarify anything you find confusing.
    91  
    92  [CONTRIBUTING.md]: CONTRIBUTING.md
    93  [Urgent]: https://github.com/authzed/spicedb/labels/priority%2F0%20urgent
    94  [High]: https://github.com/authzed/spicedb/labels/priority%2F1%20high
    95  [Medium]: https://github.com/authzed/spicedb/labels/priority%2F2%20medium
    96  [Low]: https://github.com/authzed/spicedb/labels/priority%2F3%20low
    97  [Maybe]: https://github.com/authzed/spicedb/labels/priority%2F4%20maybe
    98  [good first issues]: https://github.com/authzed/spicedb/labels/hint%2Fgood%20first%20issue
    99  [documentation website]: https://github.com/authzed/docs
   100  
   101  ## Getting Started
   102  
   103  ### Installing the binary
   104  
   105  Binary releases are available for Linux, macOS, and Windows on AMD64 and ARM64 architectures.
   106  
   107  [Homebrew] users for both macOS and Linux can install the latest binary releases of SpiceDB and [zed] using the official tap:
   108  
   109  ```command
   110  brew install authzed/tap/spicedb authzed/tap/zed
   111  ```
   112  
   113  [Debian-based Linux] users can install SpiceDB packages by adding a new APT source:
   114  
   115  ```command
   116  sudo apt update && sudo apt install -y curl ca-certificates gpg
   117  curl https://pkg.authzed.com/apt/gpg.key | sudo apt-key add -
   118  sudo echo "deb https://pkg.authzed.com/apt/ * *" > /etc/apt/sources.list.d/fury.list
   119  sudo apt update && sudo apt install -y spicedb zed
   120  ```
   121  
   122  [RPM-based Linux] users can install SpiceDB packages by adding a new YUM repository:
   123  
   124  ```command
   125  sudo cat << EOF >> /etc/yum.repos.d/Authzed-Fury.repo
   126  [authzed-fury]
   127  name=AuthZed Fury Repository
   128  baseurl=https://pkg.authzed.com/yum/
   129  enabled=1
   130  gpgcheck=0
   131  EOF
   132  sudo dnf install -y spicedb zed
   133  ```
   134  
   135  [zed]: https://github.com/authzed/zed
   136  [homebrew]: https://docs.authzed.com/spicedb/installing#brew
   137  [Debian-based Linux]: https://en.wikipedia.org/wiki/List_of_Linux_distributions#Debian-based
   138  [RPM-based Linux]: https://en.wikipedia.org/wiki/List_of_Linux_distributions#RPM-based
   139    
   140  ### Running a container
   141  
   142  Container images are available for AMD64 and ARM64 architectures on the following registries:
   143  
   144  - [authzed/spicedb](https://hub.docker.com/r/authzed/spicedb)
   145  - [ghcr.io/authzed/spicedb](https://github.com/authzed/spicedb/pkgs/container/spicedb)
   146  - [quay.io/authzed/spicedb](https://quay.io/authzed/spicedb)
   147  
   148  [Docker] users can run the latest SpiceDB container with the following:
   149  
   150  ```command
   151  docker run --rm -p 50051:50051 authzed/spicedb serve --grpc-preshared-key "somerandomkeyhere"
   152  ```
   153  
   154  SpiceDB containers use [Chainguard Images] to ship the bare minimum userspace which is a huge boon to security, but can complicate debugging.
   155  If you want to execute a user session into a running SpiceDB container and install packages, you can use one of our debug images.
   156  
   157  Appending `-debug` to any tag will provide you an image that has a userspace with debug tooling:
   158  
   159  ```command
   160  docker run --rm -ti --entrypoint sh authzed/spicedb:latest-debug
   161  ```
   162  
   163  Containers are also available for each git commit to the `main` branch under `${REGISTRY}/authzed/spicedb-git:${COMMIT}`.
   164  
   165  [Docker]: https://docs.docker.com/get-docker/
   166  [Chainguard Images]: https://github.com/chainguard-images/images
   167    
   168  ### Deploying to Kubernetes
   169  
   170  Production Kubernetes users should be relying on a stable release of the [SpiceDB Operator].
   171  The Operator enforces not only best practices, but orchestrates SpiceDB updates without downtime.
   172  
   173  If you're only experimenting, feel free to try out one of our community-maintained [examples] for [testing SpiceDB on Kubernetes]:
   174  
   175  ```command
   176  kubectl apply -f https://raw.githubusercontent.com/authzed/examples/main/kubernetes/example.yaml
   177  ```
   178  
   179  [examples]: https://github.com/authzed/examples
   180  [SpiceDB Operator]: https://github.com/authzed/spicedb-operator
   181  [testing SpiceDB on Kubernetes]: https://github.com/authzed/examples/tree/main/kubernetes
   182  
   183  ### Developing your own schema
   184  
   185  You can try both SpiceDB and zed entirely in your browser in the [hosted Playground] thanks to the power of WebAssembly.
   186  The [Playground app is open source] and can also be self-hosted.
   187  
   188  If you don't want to start with the examples loadable from the Playground, you can follow a guide for [developing a schema] or review the the schema language [design documentation].
   189  
   190  Watch the SpiceDB primer video to get started with schema development:
   191  
   192  <a href="https://www.youtube.com/watch?v=AoK0LrkGFDY" target="_blank"><img width="600" alt="SpiceDB Primer YouTube Thumbnail" src="https://github.com/authzed/spicedb/assets/343539/7784dfa2-b330-4c5e-b32a-090759e48392"></a>
   193  
   194  [hosted Playground]: https://play.authzed.com
   195  [Playground app is open source]: https://github.com/authzed/playground
   196  [developing a schema]: https://docs.authzed.com/guides/schema
   197  [design documentation]: https://docs.authzed.com/reference/schema-lang
   198  
   199  ### Trying out the API
   200  
   201  For debugging or getting started, we recommend [installing zed], the official command-line client.
   202  The [Playground] also has a tab for experimenting with zed all from within your browser.
   203  
   204  When it's time to write code, we recommend using one of the [existing client libraries] whether it's official or community-maintained.
   205  
   206  Because every millisecond counts, we recommend using libraries that leverage the gRPC API for production workloads.
   207  
   208  To get an understanding of integrating an application with SpiceDB, you can follow the [Protecting Your First App] guide or review API documentation on the [Buf Registry] or [Postman].
   209  
   210  [installing zed]: https://authzed.com/docs/spicedb/getting-started/installing-zed
   211  [playground]: https://play.authzed.com
   212  [existing client libraries]: https://github.com/authzed/awesome-spicedb#clients
   213  [Protecting Your First App]: https://docs.authzed.com/guides/first-app
   214  [Buf Registry]: https://buf.build/authzed/api/docs
   215  [Postman]: https://www.postman.com/authzed/workspace/spicedb/overview
   216  
   217  ## Acknowledgements
   218  
   219  SpiceDB is a community project fueled by contributions from both organizations and individuals.
   220  We appreciate all contributions, large and small, and would like to thank all those involved.
   221  
   222  In addition, we'd like to highlight a few notable contributions:
   223  
   224  - <img alt="github logo" height="15px" src="https://github.com/authzed/spicedb/assets/343539/c05b8aef-c862-4499-bebf-0a43f3b423c4"> The GitHub Authorization Team for implementing and contributing the MySQL datastore
   225  - <img alt="netflix logo" height="15px" src="https://github.com/authzed/spicedb/assets/343539/e64128f0-978f-4fd6-bdd7-1ce7cb6b34b9"> The Netflix Authorization Team for sponsoring and being a design partner for caveats
   226  - <img alt="equinix logo" height="15px" src="https://github.com/authzed/spicedb/assets/343539/7bf706f9-910d-4902-8957-c914a7468eff"> The Equinix Metal Team for sponsoring our benchmarking hardware