github.com/authzed/spicedb@v1.32.1-0.20240520085336-ebda56537386/README.md (about) 1 <h1 align="center"> 2 <a href="https://authzed.com#gh-dark-mode-only" target="_blank"> 3 <img width="300" src="https://github.com/authzed/spicedb/assets/343539/82234426-468b-4297-8b5c-f06a44fe2278" alt="spicedb logo"> 4 </a> 5 <a href="https://authzed.com#gh-light-mode-only" target="_blank"> 6 <img width="300" src="https://github.com/authzed/spicedb/assets/343539/312ff046-7076-4c30-afd4-2e3d86c06f51" alt="spicedb Logo"> 7 </a> 8 </h1> 9 10 <h3 align="center"> 11 SpiceDB sets the standard for authorization that <i>scales</i>. 12 <br/><br/>Scale with<br/> 13 Traffic • Dev Velocity • Functionality • Geography 14 </h3> 15 16 <p align="center"> 17 <a href="https://github.com/authzed/spicedb/releases"><img alt="release badge" src="https://img.shields.io/github/v/release/authzed/spicedb?color=%236EC93F&label=latest%20release&sort=semver&style=flat-square"></a> 18 19 <a href="https://hub.docker.com/repository/docker/authzed/spicedb" target="_blank"><img alt="docker pulls badge" src="https://img.shields.io/docker/pulls/authzed/spicedb?color=%23448CE6&style=flat-square"></a> 20 21 <a href="https://authzed.com/blog/go-ecosystem"><img alt="built with Go badge" src="https://img.shields.io/badge/built_with-Go-367B99.svg?style=flat-square"></a> 22 23 <a href="https://www.bestpractices.dev/en/projects/6348" target="_blank"><img alt="cii badge" src="https://img.shields.io/cii/percentage/6348?style=flat-square&label=cii%20best%20practices&color=F8D44B"></a> 24 25 </p> 26 27 <p align="center"> 28 <a href="https://discord.gg/spicedb"><img alt="discord badge" src="https://img.shields.io/discord/844600078504951838?color=7289da&label=discord&style=flat-square"></a> 29 30 <a href="https://twitter.com/authzed"><img alt="twitter badge" src="https://img.shields.io/badge/twitter-@authzed-1d9bf0.svg?style=flat-square"></a> 31 32 <a href="https://www.linkedin.com/company/authzed/"><img alt="linkedin badge" src="https://img.shields.io/badge/linkedin-+authzed-2D65BC.svg?style=flat-square"></a> 33 </p> 34 35 ## What is SpiceDB? 36 37 SpiceDB is a graph database purpose-built for storing and evaluating access control data. 38 39 As of 2021, [broken access control became the #1 threat to the web][owasp]. With SpiceDB, developers finally have the solution to stopping this threat the same way as the hyperscalers. 40 41 [owasp]: https://owasp.org/Top10/A01_2021-Broken_Access_Control/ 42 43 ### Why SpiceDB? 44 45 - [**World-class engineering**][about]: painstakingly built by experts that pioneered the cloud-native ecosystem 46 - [**Authentic design**][zanzibar]: mature and feature-complete implementation of Google's Zanzibar paper 47 - [**Proven in production**][1M]: 5ms p95 when scaled to millions of queries/s, billions of relationships 48 - [**Global consistency**][consistency]: consistency configured per-request unlocks correctness while maintaining performance 49 - [**Multi-paradigm**][caveats]: caveated relationships combine the best concepts in authorization: ABAC & ReBAC 50 - [**Safety in tooling**][tooling]: designs schemas with real-time validation or validate in your CI/CD workflow 51 - [**Reverse Indexes**][reverse-indexes]: queries for "What can `subject` do?", "Who can access `resource`?" 52 53 [about]: https://authzed.com/why-authzed 54 [zanzibar]: https://authzed.com/zanzibar 55 [1M]: https://authzed.com/blog/google-scale-authorization 56 [caveats]: https://netflixtechblog.com/abac-on-spicedb-enabling-netflixs-complex-identity-types-c118f374fa89 57 [tooling]: https://authzed.com/docs/spicedb/modeling/validation-testing-debugging 58 [reverse-indexes]: https://authzed.com/docs/spicedb/getting-started/faq#what-is-a-reverse-index 59 [consistency]: https://authzed.com/docs/spicedb/concepts/consistency 60 61 ## Joining the Community 62 63 SpiceDB is a community project where everyone is invited to participate and [feel welcomed]. 64 While the project has a technical goal, participation is not restricted to those with code contributions. 65 66 [feel welcomed]: CODE-OF-CONDUCT.md 67 68 ### Learn 69 70 - Ask questions via [GitHub Discussions] or our [Community Discord] 71 - Read [blog posts] from the Authzed team describing the project and major announcements 72 - Watch our [YouTube videos] about SpiceDB, modeling schemas, leveraging CNCF projects, and more 73 - Explore the [SpiceDB Awesome List] that enumerates official and third-party projects built by the community 74 - Reference [community examples] for demo environments, integration testing, CI pipelines, and writing schemas 75 76 [GitHub Discussions]: https://github.com/orgs/authzed/discussions/new?category=q-a 77 [Community Discord]: https://authzed.com/discord 78 [blog posts]: https://authzed.com/blog 79 [SpiceDB Awesome List]: https://github.com/authzed/awesome-spicedb 80 [YouTube videos]: https://www.youtube.com/@authzed 81 [community examples]: https://github.com/authzed/examples 82 83 ### Contribute 84 85 [CONTRIBUTING.md] documents communication, contribution flow, legal requirements, and common tasks when contributing to the project. 86 87 You can find issues by priority: [Urgent], [High], [Medium], [Low], [Maybe]. 88 There are also [good first issues]. 89 90 Our [documentation website] is also open source if you'd like to clarify anything you find confusing. 91 92 [CONTRIBUTING.md]: CONTRIBUTING.md 93 [Urgent]: https://github.com/authzed/spicedb/labels/priority%2F0%20urgent 94 [High]: https://github.com/authzed/spicedb/labels/priority%2F1%20high 95 [Medium]: https://github.com/authzed/spicedb/labels/priority%2F2%20medium 96 [Low]: https://github.com/authzed/spicedb/labels/priority%2F3%20low 97 [Maybe]: https://github.com/authzed/spicedb/labels/priority%2F4%20maybe 98 [good first issues]: https://github.com/authzed/spicedb/labels/hint%2Fgood%20first%20issue 99 [documentation website]: https://github.com/authzed/docs 100 101 ## Getting Started 102 103 ### Installing the binary 104 105 Binary releases are available for Linux, macOS, and Windows on AMD64 and ARM64 architectures. 106 107 [Homebrew] users for both macOS and Linux can install the latest binary releases of SpiceDB and [zed] using the official tap: 108 109 ```command 110 brew install authzed/tap/spicedb authzed/tap/zed 111 ``` 112 113 [Debian-based Linux] users can install SpiceDB packages by adding a new APT source: 114 115 ```command 116 sudo apt update && sudo apt install -y curl ca-certificates gpg 117 curl https://pkg.authzed.com/apt/gpg.key | sudo apt-key add - 118 sudo echo "deb https://pkg.authzed.com/apt/ * *" > /etc/apt/sources.list.d/fury.list 119 sudo apt update && sudo apt install -y spicedb zed 120 ``` 121 122 [RPM-based Linux] users can install SpiceDB packages by adding a new YUM repository: 123 124 ```command 125 sudo cat << EOF >> /etc/yum.repos.d/Authzed-Fury.repo 126 [authzed-fury] 127 name=AuthZed Fury Repository 128 baseurl=https://pkg.authzed.com/yum/ 129 enabled=1 130 gpgcheck=0 131 EOF 132 sudo dnf install -y spicedb zed 133 ``` 134 135 [zed]: https://github.com/authzed/zed 136 [homebrew]: https://docs.authzed.com/spicedb/installing#brew 137 [Debian-based Linux]: https://en.wikipedia.org/wiki/List_of_Linux_distributions#Debian-based 138 [RPM-based Linux]: https://en.wikipedia.org/wiki/List_of_Linux_distributions#RPM-based 139 140 ### Running a container 141 142 Container images are available for AMD64 and ARM64 architectures on the following registries: 143 144 - [authzed/spicedb](https://hub.docker.com/r/authzed/spicedb) 145 - [ghcr.io/authzed/spicedb](https://github.com/authzed/spicedb/pkgs/container/spicedb) 146 - [quay.io/authzed/spicedb](https://quay.io/authzed/spicedb) 147 148 [Docker] users can run the latest SpiceDB container with the following: 149 150 ```command 151 docker run --rm -p 50051:50051 authzed/spicedb serve --grpc-preshared-key "somerandomkeyhere" 152 ``` 153 154 SpiceDB containers use [Chainguard Images] to ship the bare minimum userspace which is a huge boon to security, but can complicate debugging. 155 If you want to execute a user session into a running SpiceDB container and install packages, you can use one of our debug images. 156 157 Appending `-debug` to any tag will provide you an image that has a userspace with debug tooling: 158 159 ```command 160 docker run --rm -ti --entrypoint sh authzed/spicedb:latest-debug 161 ``` 162 163 Containers are also available for each git commit to the `main` branch under `${REGISTRY}/authzed/spicedb-git:${COMMIT}`. 164 165 [Docker]: https://docs.docker.com/get-docker/ 166 [Chainguard Images]: https://github.com/chainguard-images/images 167 168 ### Deploying to Kubernetes 169 170 Production Kubernetes users should be relying on a stable release of the [SpiceDB Operator]. 171 The Operator enforces not only best practices, but orchestrates SpiceDB updates without downtime. 172 173 If you're only experimenting, feel free to try out one of our community-maintained [examples] for [testing SpiceDB on Kubernetes]: 174 175 ```command 176 kubectl apply -f https://raw.githubusercontent.com/authzed/examples/main/kubernetes/example.yaml 177 ``` 178 179 [examples]: https://github.com/authzed/examples 180 [SpiceDB Operator]: https://github.com/authzed/spicedb-operator 181 [testing SpiceDB on Kubernetes]: https://github.com/authzed/examples/tree/main/kubernetes 182 183 ### Developing your own schema 184 185 You can try both SpiceDB and zed entirely in your browser in the [hosted Playground] thanks to the power of WebAssembly. 186 The [Playground app is open source] and can also be self-hosted. 187 188 If you don't want to start with the examples loadable from the Playground, you can follow a guide for [developing a schema] or review the the schema language [design documentation]. 189 190 Watch the SpiceDB primer video to get started with schema development: 191 192 <a href="https://www.youtube.com/watch?v=AoK0LrkGFDY" target="_blank"><img width="600" alt="SpiceDB Primer YouTube Thumbnail" src="https://github.com/authzed/spicedb/assets/343539/7784dfa2-b330-4c5e-b32a-090759e48392"></a> 193 194 [hosted Playground]: https://play.authzed.com 195 [Playground app is open source]: https://github.com/authzed/playground 196 [developing a schema]: https://docs.authzed.com/guides/schema 197 [design documentation]: https://docs.authzed.com/reference/schema-lang 198 199 ### Trying out the API 200 201 For debugging or getting started, we recommend [installing zed], the official command-line client. 202 The [Playground] also has a tab for experimenting with zed all from within your browser. 203 204 When it's time to write code, we recommend using one of the [existing client libraries] whether it's official or community-maintained. 205 206 Because every millisecond counts, we recommend using libraries that leverage the gRPC API for production workloads. 207 208 To get an understanding of integrating an application with SpiceDB, you can follow the [Protecting Your First App] guide or review API documentation on the [Buf Registry] or [Postman]. 209 210 [installing zed]: https://authzed.com/docs/spicedb/getting-started/installing-zed 211 [playground]: https://play.authzed.com 212 [existing client libraries]: https://github.com/authzed/awesome-spicedb#clients 213 [Protecting Your First App]: https://docs.authzed.com/guides/first-app 214 [Buf Registry]: https://buf.build/authzed/api/docs 215 [Postman]: https://www.postman.com/authzed/workspace/spicedb/overview 216 217 ## Acknowledgements 218 219 SpiceDB is a community project fueled by contributions from both organizations and individuals. 220 We appreciate all contributions, large and small, and would like to thank all those involved. 221 222 In addition, we'd like to highlight a few notable contributions: 223 224 - <img alt="github logo" height="15px" src="https://github.com/authzed/spicedb/assets/343539/c05b8aef-c862-4499-bebf-0a43f3b423c4"> The GitHub Authorization Team for implementing and contributing the MySQL datastore 225 - <img alt="netflix logo" height="15px" src="https://github.com/authzed/spicedb/assets/343539/e64128f0-978f-4fd6-bdd7-1ce7cb6b34b9"> The Netflix Authorization Team for sponsoring and being a design partner for caveats 226 - <img alt="equinix logo" height="15px" src="https://github.com/authzed/spicedb/assets/343539/7bf706f9-910d-4902-8957-c914a7468eff"> The Equinix Metal Team for sponsoring our benchmarking hardware