v1.15.0

Upgrade Notes

Warning
This is release includes changes for dispatching, which can result in an increased error rate during rollout. To avoid, deploy as a distinct cluster and switch over your load balancer(s)

CockroachDB, Spanner, MySQL, Postgres

(no migrations from v1.14.1)

What's Changed

• Update BaseSubjectSet to support caveat expressions by @josephschorr in #932
• Add support in LookupResources for caveats by @josephschorr in #938
• Remove support for the v1alpha1 API by @josephschorr in #976
• Fix observable proxy to use the more efficient namespace lookup by @josephschorr in #989
• Refactor the datastore testfixtures for better code reuse by @josephschorr in #988
• Provide additional capabilities around schema writing by @josephschorr in #990
• logging and error handling improvements by @vroldanbet in #986
• Fix test flake in loader by sorting the expected tuples by @josephschorr in #991
• Add support for caveats in LookupSubjects API by @josephschorr in #987
• address some caveat TODOs by @vroldanbet in #995
• Make sure ReadSchema returns caveats as well by @josephschorr in #997
• Add testutil packages and clean up copy-pasted code by @josephschorr in #996
• fixes broken docker compose link by @vroldanbet in #999
• datastore/postgres: remove the compensation code for migration phases by @jakedt in #992
• Add validation of relationships to file loader by @josephschorr in #981
• Fix for PG when schema is specified in the db url by @jvassev in #994
• Improve the error message for duplicate rels within a single WriteRel… by @josephschorr in #1003
• Return InvalidArgument if caveats are disabled in WriteRels call by @josephschorr in #1004
• Add context and default timeout for validationfile loading by @josephschorr in #1002
• Add len checks to WriteCaveats before attempting to write nothing by @peterfoldes in #1006
• Catch nil values for FoundSubjectsByResourceID map and return as errors by @josephschorr in #1008

Docker Images

This release is available at:

• authzed/spicedb:v1.15.0
• quay.io/authzed/spicedb:v1.15.0
• ghcr.io/authzed/spicedb:v1.15.0
• authzed/spicedb:v1.15.0-debug
• quay.io/authzed/spicedb:v1.15.0-debug
• ghcr.io/authzed/spicedb:v1.15.0-debug

New Contributors

• @jvassev made their first contribution in #994
• @peterfoldes made their first contribution in #1006

Full Changelog: v1.14.1...v1.15.0

v1.14.1

What's Changed

• prevent poisoning via build job by @vroldanbet in #961
• Fix panic in validationfile loader when no schema is specified by @josephschorr in #979
• datastore/cache: clear the RWT namespace cache when writing namespaces by @jakedt in #982
• Dispatch goleak checking by @josephschorr in #983
• cmd/serve: fix deprecated usage of jaeger by @jzelinskie in #984

Full Changelog: v1.14.0...v1.14.1

Docker Images

This release is available at authzed/spicedb:v1.14.1, quay.io/authzed/spicedb:v1.14.1, ghcr.io/authzed/spicedb:v1.14.1

v1.14.0

Highlights

• Memory management for caching vastly improved by more accurately tracking the size of cache entries
• Postgres datastore rewritten with massive improvements to write performance
• Experimental caveats support
• Massive performance improvement for LookupResources
• GemFury DEB & RPM repositories are now available for SpiceDB releases

Upgrade Notes

Warning
This is release includes migrations for all datastores, but a more complex migration for Postgres.
You must have already upgraded to v1.13.0 before upgrading to v1.14.0.
To learn more about migrations, see the migration documentation.
To automate migrations, Kubernetes users can run the SpiceDB Operator.

CockroachDB, Spanner, MySQL

CockroachDB, Spanner, MySQL datastore users can run the command spicedb migrate head from a SpiceDB v1.14 binary to migrate a v1.13 cluster. This may result in a brief latency spike, but will otherwise cause no downtime. After the migration is complete, v1.13 processes can be replaced with v1.14 ones.

Postgres

PostgreSQL users have two options: zero downtime or not.

Downtime

1. Ensure SpiceDB v1.13.0 was running
2. Shut off SpiceDB in all clusters
3. Run spicedb migrate head using SpiceDB v1.14
4. Rollout v1.14 to your cluster(s)

Zero-downtime

1. Ensure SpiceDB v1.13.0 is currently running
2. Run spicedb migrate add-xid-columns using SpiceDB v1.14
3. Rollout v1.14 to your cluster(s) with the following flag: --datastore-migration-phase=write-both-read-old
4. Once the rollout is fully complete, run spicedb migrate add-xid-constraints using SpiceDB v1.14
5. Rollout v1.14 to your cluster(s) with the following flag: --datastore-migration-phase=write-both-read-new
6. Once the rollout is fully complete, run spicedb migrate drop-id-constraints using SpiceDB v1.14
7. Rollout v1.14 to your cluster(s) with the --datastore-migration-phase flag removed

What's Changed

• Improves Postgres write performance by @jakedt in #852
• streamline logging by @vroldanbet in #844
• Implement structured errors for all user facing errors by @josephschorr in #858
• disable async logging by @vroldanbet in #888
• adds tests to demonstrate various caveat use-cases by @vroldanbet in #878
• fix datastore integration tests not running by @vroldanbet in #893
• Incremental migrations by @jakedt in #891
• Enable goreleaser pro, push linux packages to gemfury by @jzelinskie in #897
• add caveat support to postgres datastore by @vroldanbet in #890
• refactoring of caveat datastore methods by @vroldanbet in #899
• fix calls to logger that are not being sent by @vroldanbet in #904
• Batch check for lookup by @josephschorr in #843
• Add a lint check for zerolog expression statements without Send or Msg calls by @josephschorr in #907
• integrates caveat context in PermissionService API methods by @vroldanbet in #886
• more follow ups to caveats in datastore by @vroldanbet in #906
• Fix stack overflow on error marshalling for zerolog by @ecordell in #909
• Tech Debt cleanup: move LogOnError into common datastore package by @josephschorr in #912
• internal: store serialized protos in caches by @jzelinskie in #900
• Add a namespace proxy cache test suite using a real datastore by @josephschorr in #919
• Add caveat references to schema and full type checking by @josephschorr in #896
• fix more instances of zerolog marshall recursion by @vroldanbet in #922
• add missing caveat test, update caveat example by @vroldanbet in #924
• Sever namespace read context by @ecordell in #925
• introduce caveat support in CockroachDB by @vroldanbet in #921
• Encode xmin in postgres revisions to respect zedtoken order by @jakedt in #930
• implement caveat support for spanner by @ecordell in #929
• Add support for defining caveats in schema, and associated type checks by @josephschorr in #926
• include sboms in release by @ecordell in #927
• Elide updates of namespaces which have not changed at all by @josephschorr in #913
• datastore/postgres: stop casting xid in queries altogether by @jakedt in #942
• Don't return the caveat key in the ObjectDefinitionNames in v1alpha1 … by @josephschorr in #944
• Mark devtools gRPC endpoint enabled by default for the serve-devtools command by @josephschorr in #945
• Breakout the integration test suite from unit tests by @josephschorr in #947
• refactor: add context to write methods within a datastore transaction by @jakedt in #948
• parallelize consistent hashring test by @ecordell in #949
• Faster CI Feedback Loop by @vroldanbet in #950
• introduce caveat support in MySQL by @vroldanbet in #936
• fixes caching of loop variable in the wrong place by @vroldanbet in #951
• internal/datastore: add observable proxy by @jzelinskie in #952
• Add datastore proxy for separating context by @jzelinskie in #953
• Update authzed-go for the additional validation rules by @josephschorr in #957
• specifies cache-dependency-path to prevent poisoning by @vroldanbet in #960
• pg: move column defaults to backfill migration by @ecordell in #955
• do not run CRDB migration in transaction by @vroldanbet in #956
• Change experimental caveats flag to be handled at the service level by @josephschorr in #962
• datastore: DeleteNamespace => DeleteNamespaces by @jzelinskie in #940
• Add shorter timeouts and better config to gRPC dialing in tests by @josephschorr in #965
• Depbot updates for Nov 1, 2022 by @josephschorr in #972

Full Changelog: v1.13.0...v1.14.0

Docker Images

This release is available at authzed/spicedb:v1.14.0, quay.io/authzed/spicedb:v1.14.0, ghcr.io/authzed/spicedb:v1.14.0

v1.13.0

Highlights

• Dispatched checks are now batched performed improving performance
• Protobuf serialization is now much faster by using vtprotobuf to avoid reflection
• Dispatch API is now compressed with Snappy
• Cache sizes can now be configured with percentages of free memory

Warning
This release contains a change to the internal dispatch API, which means that v1.13.0 and v1.12.0 can not dispatch to each other during a rolling upgrade. To upgrade without downtime, run these as separate Kubernetes services, or disable dispatch before upgrading.

What's Changed

• Add an error case for redefining a type in schema by @josephschorr in #810
• Add govulncheck to the linters by @josephschorr in #813
• don't generate nsswitch.conf (base images have it now) by @ecordell in #815
• Fix fallback for MySQL stats to fix test flake by @josephschorr in #812
• replace custom pgxpool collector with opensource module by @vroldanbet in #809
• dispatch: use Snappy S2 compression and vtprotobuf by @jzelinskie in #821
• gomod: bump compress to v1.15.10 by @jzelinskie in #822
• Disable GC in datastore drivers when in read-only mode by @josephschorr in #811
• bump kuberesolver to pick up serviceaccount token refresh by @ecordell in #817
• Ensure that internal errors are returned before dev errors by @josephschorr in #823
• Use MarshalVT() and UnmarshalVT() everywhere by @jzelinskie in #824
• internal/datastore: use proto.Marshal by @jzelinskie in #825
• Add a test for writing and reading back a serialized namespace in the datastores by @josephschorr in #826
• caveat in MemDB datastore by @vroldanbet in #807
• forward cli flags GCMaxOperationTime and SplitAtUsersetCount to MySQL datastore by @vroldanbet in #829
• Change all user-visible type errors into proper wrapped error structs by @josephschorr in #831
• reduce e2e flakes by @ecordell in #834
• Batch check improvements by @josephschorr in #777
• Fix performance for large schema writes in V1Alpha1 by @josephschorr in #837
• Fix chunking util to never call for an empty chunk by @josephschorr in #840
• Change caching to sort order resource and subject IDs by @josephschorr in #841
• Improve the WASM developer package interface by @josephschorr in #828
• internal/dispatch: gofumpt 4.0 by @jzelinskie in #845
• update cobrautil to latest commit by @vroldanbet in #842
• pkg/cmd: support cache sizes in percentages of free memory by @jzelinskie in #827
• Add building of WASM developer binary to releases by @samkim in #833
• pkg/cache: implement metrics for noop cache by @jzelinskie in #848
• introduce caveat support in WriteRelationships/ReadRelationships by @vroldanbet in #838
• Start work for dispatch for caveats by adding MembershipSet by @josephschorr in #849
• internal: add docker build tag to transitives by @jzelinskie in #854
• docker: switch to chainguard base images by @jzelinskie in #857
• Switch check dispatch to use the new MembershipSet by @josephschorr in #855
• Dependabot updates for Oct 2022 by @josephschorr in #867
• Dependabot updates for Oct 2022, Part 2 by @josephschorr in #873
• Change check dispatching to support caveat expr evaluation by @josephschorr in #865
• Dependabot updates for Oct 2022, Part 3 by @josephschorr in #876
• Add caveats flag to disable writing by default on all datastores by @josephschorr in #866

Full Changelog: v1.12.0...v1.13.0

Docker Images

This release is available at authzed/spicedb:v1.13.0, quay.io/authzed/spicedb:v1.13.0, ghcr.io/authzed/spicedb:v1.13.0

v1.12.0

Highlights

• new lookupsubjects RPC answers the question "which subjects have a given permission over a specific resource?"
• CRDB Store now exposes prometheus metrics for the connection pool
• new debug containers now being published, which includes busybox. This is convenient for development environments that require a shell
• PGX driver no longer logs on debug by default, cleaning up SpiceDB's info level
• CRDB datastore now properly supports connection draining procedures
• added configurable limits for write and delete relationship APIs
• leaner and more secure docker images based on distroless.dev

What's Changed

• hack: mv install-tools into hack dir by @jzelinskie in #737
• fix panic on cached optimized revisions by @vroldanbet in #740
• README: add OpenSSF best practices badge by @jzelinskie in #742
• bump crdb in tests to 22.1.5 by @ecordell in #745
• update spanner emulator logs by @ecordell in #746
• more resilient CRDB datastore on connection draining by @vroldanbet in #744
• Use distroless.dev/static base, add debug variants by @imjasonh in #750
• adds trivy security scanner to lint CI job by @vroldanbet in #751
• Begin work on LookupSubjects by @josephschorr in #736
• Add a nightly build for spicedb by @ecordell in #762
• Revert "Add a nightly build for spicedb" by @ecordell in #763
• fixes link to go-memdb by @vroldanbet in #766
• Fix various error references by @josephschorr in #769
• removes v1.RelationshipUpdate from datastore.ReadWriteTransaction by @vroldanbet in #771
• Fully implement the LookupSubjects API by @josephschorr in #770
• add datastore metrics to CockroachDB datastore by @vroldanbet in #774
• Begin implementation of a library for processing caveat expressions by @josephschorr in #760
• newly added lookup subject metrics weren't being unregistered by @vroldanbet in #778
• Add configurable limits for write and delete relationship APIs by @josephschorr in #775
• Dependabot Updates for Sept 1 by @josephschorr in #785
• Dependabot Updates for Sept 1, part 2 by @josephschorr in #792
• Dependabot updates for Sept 1, part 3 by @josephschorr in #795
• Handle duplicate writes in a nicer way by @josephschorr in #796
• remove dupe validation in WriteRelationships by @vroldanbet in #799
• map pgx info logging level to debug by @vroldanbet in #798
• Change v1alpha1 WriteSchema to only read namespaces it needs by @josephschorr in #805
• Update authzed-go client by @samkim in #806
• Improve write constraint failures by @josephschorr in #801
• reduce differences between release and dev dockerfiles by @vroldanbet in #797
• Remove checks on configurable PermissionService limits and rely upon defaults by @josephschorr in #808

Docker Images

This release is available at:

• authzed/spicedb:v1.12.0
• quay.io/authzed/spicedb:v1.12.0
• ghcr.io/authzed/spicedb:v1.12.0
• authzed/spicedb:v1.12.0-debug
• quay.io/authzed/spicedb:v1.12.0-debug
• ghcr.io/authzed/spicedb:v1.12.0-debug

New Contributors

• @imjasonh made their first contribution in #750

Full Changelog: v1.11.0...v1.12.0

v1.11.0

Warning
This release contains a change to the internal dispatch API, which means that v1.10.0 and v1.11.0 can not dispatch to each other during a rolling upgrade. To upgrade without downtime, run these as separate Kubernetes services, or disable dispatch before upgrading.

Highlights

• Check requests can now be traced using the zed CLI using zed permission check --explain
• serve-testing now supports HTTP
• Performance improvements for LookupResources, WriteSchemas, and dispatch in general
• The Watch API is disabled automatically if CRDB datatstores don't support Change Feeds

What's Changed

• Have WASM development package return updated validation YAML by @josephschorr in #710
• Add a flag for disabling stat writes by @ecordell in #711
• Add ability to trace a check request by @josephschorr in #703
• Implement support for batch reachability by @josephschorr in #691
• Add issue links to readme by @samkim in #694
• Concurrency limit by @jakedt in #713
• Add ability to enable the REST gateway for the test server by @josephschorr in #714
• remove rangefeed config from crdb migrations by @ecordell in #707
• Depbot updates for Aug 1 by @josephschorr in #721
• Depbot updates for Aug 1 - part 2 by @josephschorr in #727
• Depbot updates for Aug 1 - part 3 by @josephschorr in #732
• Fix bounds on check test by @josephschorr in #728
• switch crdb watch feature detection to only require CONTROLCHANGEFEED by @ecordell in #722
• Skip checking of permissions for relationships in WriteSchema by @josephschorr in #734

Full Changelog: v1.10.0...v1.11.0

Docker Images

This release is available at authzed/spicedb:v1.11.0, quay.io/authzed/spicedb:v1.11.0, ghcr.io/authzed/spicedb:v1.11.0

v1.10.0

Upgrade Notes

Warning
This is release includes migrations for Postgres and MySQL datastores that adds a column to the namespace table.

Highlights

• Enabled the ability to safely use Postgres read replicas
• Added a webassembly interface for devtools
• Fixed namespaces not being garbage collected for Postgres & MySQL datastores
• Added health checking and Watch service to HTTP API
• Added seamless TLS certificate rotation

What's Changed

• Return an error instead of calling panic() when debug.ReadBuildInfo() is unavailable by @lmt-swallow in #658
• watch TLS certs for changes by @ecordell in #656
• expose /healthz endpoint when using the http gateway by @ecordell in #661
• *: add NOTICE by @jzelinskie in #662
• examples: move k8s deployment into examples by @jzelinskie in #667
• Add log of the connection state for dispatcher IsReady check by @josephschorr in #664
• Depbot updates for July 5 by @josephschorr in #676
• Depbot updates for July 5, part 2 by @josephschorr in #682
• Bump cloud.google.com/go/spanner from 1.33.0 to 1.34.0 by @dependabot in #678
• Bump github.com/aws/aws-sdk-go from 1.44.47 to 1.44.48 by @dependabot in #683
• fix cert rotation test flake by @ecordell in #685
• Postgres datastore: make read tx REPEATABLE_READ by @williamdclt in #674
• Enable Watch API in REST gateway by @josephschorr in #686
• Add a WebAssembly interface for invoking the SpiceDB dev package by @josephschorr in #663
• Add retries to MySQL stats test, which can occasionally get back empty stats by @josephschorr in #689
• pkg/cmd: document use of application default credentials with spanner by @kirbyquerby in #690
• Prevent release version errors from blocking SpiceDB startup by @josephschorr in #697
• examples: mv https://github.com/authzed/examples by @jzelinskie in #698
• Increase the testing timeout to 30m by @josephschorr in #702
• Add a fallback into the MySQL driver for rel count by @josephschorr in #701
• Garbage collect namespaces by @jzelinskie in #673
• Add a dispatch test that verifies delete preconditions across datastores by @josephschorr in #704
• Further fixes to memdb to not panic post-close by @josephschorr in #708

New Contributors

• @lmt-swallow made their first contribution in #658
• @williamdclt made their first contribution in #674
• @kirbyquerby made their first contribution in #690

Full Changelog: v1.9.0...v1.10.0

Docker Images

This release is available at authzed/spicedb:v1.10.0, quay.io/authzed/spicedb:v1.10.0, ghcr.io/authzed/spicedb:v1.10.0

v1.9.0

Warning
This release contains a change to the internal dispatch API, which means that v1.8.0 and v1.9.0 can not dispatch to each other during a rolling upgrade. To upgrade without downtime, run these as separate Kubernetes services, or disable dispatch before upgrading.

What's Changed

• Fully remove support for the V0 ACL and Schema API by @josephschorr in #618
• Add dispatch ready, health check integration by @samkim in #615
• Depbot updates for June 1 by @josephschorr in #629
• Depbot Updates for June 1 - part 2 by @josephschorr in #635
• Handle case where memdb is closed before a transaction completes by @josephschorr in #637
• Bump google.golang.org/api from 0.78.0 to 0.82.0 by @dependabot in #634
• Shorten the prefixes on cache keys to save some memory by @josephschorr in #641
• postgres: rename migration variable to reduce confusion by @jakedt in #643
• Remove remaining references to v0 API (except developer API) by @josephschorr in #645
• Abstract health status management into a helper package and add datastore status by @josephschorr in #642
• Skip checking and redispatch in reachability when seeing duplicates by @josephschorr in #638
• propagate context to migration functions by @vroldanbet in #646
• Add tools for genproto to tools.go by @josephschorr in #649
• Start moving from the externally-defined developer API to an internally defined set of types by @josephschorr in #647
• Ensure the released version appears with a staring v prefix by @josephschorr in #650
• introduce support to run migrations atomically by @jakedt in #655
• Cleanup the core messages now that v0 is gone by @josephschorr in #652

Full Changelog: v1.8.0...v1.9.0

Docker Images

This release is available at authzed/spicedb:v1.9.0, quay.io/authzed/spicedb:v1.9.0, ghcr.io/authzed/spicedb:v1.9.0

v1.8.0

Highlights

• New, speedier LookupResources implementation
• New datastore interface improves performance for all datastores
• MySQL driver now has feature parity with the Postgres driver

What's Changed

• Dependabot for May 3 by @josephschorr in #583
• disable renovatebot by @ecordell in #585
• crdb: detect broken pipe as resettable error by @ecordell in #591
• Add spanner emulator env var detection by @samkim in #574
• Add a custom analyzers package for custom lint checks by @josephschorr in #563
• Dependabot changes for May 4 by @josephschorr in #593
• Implement revision quantization for MySQL by @bryanhuhta in #582
• Add middleware to return the server version when requested, unless disabled by @josephschorr in #572
• pg: set timezone to utc for revision selection by @ecordell in #592
• Upgrade CI crdb version to v21.2.10 by @samkim in #602
• Update NewEnemy test for datastore v2 by @ecordell in #607
• log successful telemetry attempts by @jakedt in #524
• Datastore v2 by @jakedt in #581
• prevent crdb from crashing in e2e tests by @ecordell in #611
• Implement a reachability graph and use for lookup by @josephschorr in #517
• caching dispatch: unregister prometheus metrics on close by @ecordell in #617
• support xDS as a dispatch resolver option by @ecordell in #612
• Propagate context in migrations by @nbarbey in #596
• Some small reachable resources and lookup improvements by @josephschorr in #620
• refactor(schemadsl): remove unused field by @fearlessfe in #622
• Move the cache implementation behind an interface by @josephschorr in #614
• Add quickstart examples by @bryanhuhta in #616

New Contributors

• @fearlessfe made their first contribution in #622

Full Changelog: v1.7.1...v1.8.0

Docker Images

This release is available at authzed/spicedb:v1.8.0, quay.io/authzed/spicedb:v1.8.0, ghcr.io/authzed/spicedb:v1.8.0

v1.7.1

This is a bugfix release for 1.7.0

What's Changed

• Fix datastore-engine help text by @bryanhuhta in #569
• pkg/cmd: catch nil registry initialization by @jzelinskie in #568
• postgres: handle negative relationhip count estimates by @jakedt in #570
• Switch to using Engines for the engine parameter by @josephschorr in #571
• addresses server panic when malformed authorization header is sent by @vroldanbet in #573
• k8s: add dispatch enabled comment by @jzelinskie in #575

Full Changelog: v1.7.0...v1.7.1

Docker Images

This release is available at authzed/spicedb:v1.7.1, quay.io/authzed/spicedb:v1.7.1, ghcr.io/authzed/spicedb:v1.7.1