Releases: authzed/spicedb
v1.40.0
Note
All datastores have a migration to add new columns for relationship expiration support
Highlights
⌛ Expiring relationships
⚡ Experimental SQL optimization
🔧 Read replica fixes
Features
Introducing first-class support for expiring relationships in SpiceDB! Developers can now define a lifespan for relationships in schema, preventing unintended access through lingering permissions. Relationship expiration terms can also be dynamically defined by application end users, providing them with even more granular control over how they choose to share data.
For more details, refer to SpiceDB documentation: https://authzed.com/docs/spicedb/concepts/expiring-relationships
- End to end support for experimental first-class relationship expiration feature by @josephschorr in #2152
Enhancements
Various improvements
- Make index creation idempotent by @josephschorr in #2197
- Implement simpler import syntax by @tstirrat15 in #2207
- Change feature detection for CRDB watch to not require waiting by @josephschorr in #2205
- Delete LookupResources v1, ReachableResources and all helper code by @josephschorr in #2203
- add schemaFile to ValidationFile by @kartikaysaxena in #2206
Garbage collection
- GC improvements: GC only on a single node and add a missing index in PG by @josephschorr in #2159
- Move unlock call to a background context in GC by @josephschorr in #2198
- Change GC test to always call GC directly by @josephschorr in #2165
Datastore tests
- Additional datastore tests by @josephschorr in #2180
- Add some additional datastore tests to improve coverage by @josephschorr in #2173
- Switch datastore tests to use a larger runner by @josephschorr in #2182
- Add basic steelthread tests for bulk import and export of relationships by @josephschorr in #2166
- Add steelthread tests to CI and to mage test:all by @josephschorr in #2167
- Add support for bulk check in steelthread test by @josephschorr in #2171
- Deparallelize the steelthread tests to hopefully remove the flakiness by @josephschorr in #2169
- Increase max number of retries on flaky test by @josephschorr in #2204
- Add additional tests to the datastore consistency test suite by @josephschorr in #2168
- Remove parallel running on datastore consistency tests to reduce flakiness by @josephschorr in #2186
- Disable retries on the serialization test for PG by @josephschorr in #2200
- Remove sleep in stats test unless needed by @josephschorr in #2201
- Improve test coverage of memdb datastore with some new rel tests by @josephschorr in #2172
- Switch postgres tests to run in a matrix of versions by @josephschorr in #2195
- Add caveated bulk load test to datastore tests by @josephschorr in #2176
Observability, Debugging
- Add tracing to the LR2 implementation by @josephschorr in #2174
- Ensure source is returned for all check debug traces by @josephschorr in #2196
- Small changes around node IDs and trace IDs by @josephschorr in #2202
- Add support for debug traces in Check Bulk Permission by @josephschorr in #2193
- Add option to enable query parameters to appear in traces by @josephschorr in #2177
- Add slightly more information to the LR2 dispatch traces by @josephschorr in #2183
- Wire Spanner's logging up to zerolog by @josephschorr in #2181
Caveats
- Move caveat loading into a shared runner to reduce overhead in dispatch by @josephschorr in #2179
- Switch postgres to use a set and return an error if a duplicate caveat name is given by @josephschorr in #2199
- Relationships selected in SQL-based datastores now elide columns that have static values by @josephschorr in #2096
Fixes
- Remove now-unused windows workflow by @tstirrat15 in #2158
- Fix bulk export of relationships with caveats by @josephschorr in #2163
- Ensure datastore containers do not auto-restart by @josephschorr in #2187
- Fix the strict read proxy by @josephschorr in #2188
Updated dependencies
- Update Go crypto to v0.31.0 due to a reported vuln in that lib by @josephschorr in #2162
- Update net lib for reported Go library vulnerability by @josephschorr in #2175
- Bump the go_modules group across 2 directories with 1 update by @dependabot in #2161
- Bump golang from 1.23.3-alpine3.20 to 1.23.4-alpine3.20 in the docker group by @dependabot in #2184
- Bump the go-mod group with 23 updates by @dependabot in #2185
New Contributors
- @kartikaysaxena made their first contribution in #2206!
Full Changelog: v1.39.0...v1.40.0
Docker Images
This release is available at authzed/spicedb:v1.40.0, quay.io/authzed/spicedb:v1.40.0, ghcr.io/authzed/spicedb:v1.40.0
v1.39.1
This patch release includes a fix for a bug where exported relationships did not include caveats.
What's Changed
- Backport changes from #2163 into 1.39.0 by @josephschorr in #2164
Full Changelog: v1.39.0...v1.39.1
Docker Images
This release is available at authzed/spicedb:v1.39.1, quay.io/authzed/spicedb:v1.39.1, ghcr.io/authzed/spicedb:v1.39.1
v1.39.0
Warning
1.39.0 has a bug in BulkExportRelationships where caveat data is not included in exported relationships. Please update to v1.39.1 if you are using Bulk Export and Caveats.
Highlights
Introducing
📊 Native histograms for gRPC server metrics
🏥 Smarter health checks with user-specified set of safe migrations
🧹 Remove LookupResources v1 implementation
🗃️ Improvements for transaction metadata
Foundational work
⌛ Expiring relationships: foundational work to natively support defining relations in schema that last for a set amount of time. This release introduces core system updates and changes to the type system and schema compiler.
🎼 Composable schemas: initial steps to support multi-part SpiceDB schemas by implementing local import functionality in this release.
Features
- Type system changes for first-class expiration support by @josephschorr in #2145
- Parser changes for supporting relationship expiration by @josephschorr in #2141
- Schema compiler support for relationship expiration trait by @josephschorr in #2142
- Add explicit option to enable expiration in schema by @josephschorr in #2144
- Add support to the core and tuple packages for relationship expiration by @josephschorr in #2146
- Copy old schema package into new package by @tstirrat15 in #2101
- Implement parsing of local imports by @tstirrat15 in #2103
- Update compiler to consume local imports by @tstirrat15 in #2116
- Handle circular and duplicate imports by @tstirrat15 in #2123
- Enable native histograms in server latency metrics by @bison in #2102
- Make all and any into keywords by @tstirrat15 in #2105
- Adds postgres index to support efficient querying via Watch API by @vroldanbet in #2143
- Add subject filters in schema relation delete to force use of the index by @josephschorr in #2131
- Introduce emission strategy into CockroachDB Watch API by @vroldanbet in #2120
- Introduces ByteSortable method in Revision by @vroldanbet in #2125
Enhancements
- Increase the aggressive postgres instantiation timeout of 5 seconds to 30 seconds #2094 by @anoopsundial in #2095
- Change from using protos to structs for relationships, ONRs and RRs by @josephschorr in #2081
- Updates to tuple helpers by @tstirrat15 in #2107
- Add relationtuple stringifying function by @tstirrat15 in #2112
- Add currently-enabled workflow to release windows by @tstirrat15 in #2087
- Add a new consistency middleware for full-consistency-only callers by @josephschorr in #2109
- Move consistency middleware into pkg so embedded uses can override by @josephschorr in #2110
- Remove internal label from consistency middleware to allow it to be replaced by @josephschorr in #2111
- Small improvements for transaction metadata by @josephschorr in #2115
- Add a flag to allow spicedb to run against non-head migrations by @ecordell in #2137
- Issue a checkpoint when head revision moved outside an application transaction by @vroldanbet in #2139
- Ensure caveats are read in bulk import by @josephschorr in #2147
Fixes
- Fix MySQL test breakage caused by daylight savings change by @josephschorr in #2117
- Change the trivy database to work around rate limits by @josephschorr in #2104
- Remove LookupResources v1 implementation by @tstirrat15 in #2099
- Fix signature of MustParseV1Rel by @tstirrat15 in #2108
- Use complete sentence in error by @drigz in #2118
- Improve PG serialization error on writes by @josephschorr in #2126
- Fix HCLRevision mismatch on zero logical clock by @vroldanbet in #2122
- Add missing limit in schema delta checking by @josephschorr in #2130
- Postgres watch: checkpoints should move the high watermark revision by @vroldanbet in #2140
- Fix cache inconsistency segfault by @tstirrat15 in #2148
- Fix: schema watch causes incorrect delete event for schema changes by @vroldanbet in #2149
- Changes to address flaky DB tests by @josephschorr in #2154
- Remove duplicate clause from namespace deletion in PG driver by @josephschorr in #2153
- Remove t.Parallel from pgbouncer tests to fix flakes by @josephschorr in #2155
- Add missing service label in metrics for consistency by @josephschorr in #2156
Updated dependencies
- pkg/proto: adopt CodecV2 and gRPC buffer pooling by @jzelinskie in #2070
- Bump golang from 1.23.1-alpine3.20 to 1.23.2-alpine3.20 in the docker group by @dependabot in #2114
- Bump the go-mod group across 1 directory with 23 updates by @dependabot in #2119
- Bump golang from 1.23.2-alpine3.20 to 1.23.3-alpine3.20 in the docker group by @dependabot in #2151
- Bump the go-mod group with 18 updates by @dependabot in #2150
New Contributors
- @anoopsundial made their first contribution in #2095
- @drigz made their first contribution in #2118
Full Changelog: v1.38.0...v1.39.0
v1.38.1
What's Changed
- backport: Add subject filters in schema relation delete to force use of the index by @vroldanbet in #2136
Full Changelog: v1.38.0...v1.38.1
Docker Images
This release is available at authzed/spicedb:v1.38.1, quay.io/authzed/spicedb:v1.38.1, ghcr.io/authzed/spicedb:v1.38.1
v1.37.2
What's Changed
- backport: Add subject filters in schema relation delete to force use of the index by @vroldanbet in #2132
Full Changelog: v1.37.1...v1.37.2
Docker Images
This release is available at authzed/spicedb:v1.37.2, quay.io/authzed/spicedb:v1.37.2, ghcr.io/authzed/spicedb:v1.37.2
v1.38.0
Note
All datastores have a migration to add new columns (MySQL, Postgres) or new tables (CRDB, Spanner) for transaction metadata
Highlights
ℹ️ Write transactions now support metadata which can be attached to the call and which is then returned by the Watch API
Features
- Implement support for metadata associated with read-write transactions by @josephschorr in #1914
- Add API support for transaction metadata on WriteRels and DeleteRels by @josephschorr in #2084
- Metrics: spicedb_environment_info from telemetry by @jzelinskie in #2093
Enhancements
- Emit memdb checkpoints after changes by @vroldanbet in #2082
Fixes
- Fix CI errors on recent merge by @vroldanbet in #2092
Updated Dependencies
- Bump the go-mod group with 15 updates by @dependabot in #2083
Full Changelog: v1.37.0...v1.38.0
Docker Images
This release is available at authzed/spicedb:v1.38.0, quay.io/authzed/spicedb:v1.38.0, ghcr.io/authzed/spicedb:v1.38.0
v1.37.1
Note
1.37.1 fixes a reported issue with LookupResources v2. It is recommended that all users of v1.37.0 upgrade to v1.37.1. See: GHSA-3c32-4hq9-6wgj
Full Changelog: v1.37.0...v1.37.1
Docker Images
This release is available at authzed/spicedb:v1.37.1, quay.io/authzed/spicedb:v1.37.1, ghcr.io/authzed/spicedb:v1.37.1
v1.37.0
Warning
1.37.0 enables LookupResources v2 by default, which was found to not be passing caveat context to dispatches in certain scenarios, causing permissions of CONDITIONAL to be returned instead of determined results. We recommend upgrading to v1.37.1 which fixes this problem. See: GHSA-3c32-4hq9-6wgj
Highlights
⭐ LookupResources v2 now enabled by default!
Features
- Enable LRv2 by default and update the steelthread tests by @josephschorr in #2079
Enhancements
- Add support for secondary dispatching on LR2 by @josephschorr in #2069
- Stop using yaml anchors in release action configuration by @tstirrat15 in #2071
- Make bulk export service functions use read-only datastore by @vroldanbet in #2072
- README: rework sections: zanzibar, contrib, users by @jzelinskie in #2060
- Register common flags with helper by @tstirrat15 in #2074
Fixes
- Fix serve-devtools command and flags by @tstirrat15 in #2073
- Fixes memory leak via HTTP Gateway by @vroldanbet in #2075
- Remove duplicate and redundant code by @cuishuang in #2080
Updated dependencies
- Bump to most recent version of goreleaser by @tstirrat15 in #2067
New Contributors
- @cuishuang made their first contribution in #2080
Full Changelog: v1.36.3...v1.37.0
v1.36.2
This fixes a small issue with the spicedb datastore head command but is otherwise the same as https://github.com/authzed/spicedb/releases/tag/v1.36.0
Full Changelog: v1.36.0...v1.36.2
Docker Images
This release is available at authzed/spicedb:v1.36.2, quay.io/authzed/spicedb:v1.36.2, ghcr.io/authzed/spicedb:v1.36.2
v1.36.0
Highlights
🔐 Added relationship integrity: protects authorization data in an underlying SpiceDB datastore from inadvertent modification.
📋 Reorganized spicedb serve flags into logically-related flagsets
🚤 Ensure cursored LRv2 calls are dispatched to LRv2
Features
- Relationship integrity by @josephschorr in #1980
- Implement non-experimental bulk import and export by @tstirrat15 in #2065
Enhancements
- Ensure cursored LRv2 calls are dispatched to LRv2 by @josephschorr in #2040
- Ensure the validationfile loader passes the full caveats to the typesystem by @josephschorr in #2042
- Check data structure improvements by @josephschorr in #2037
- Reorganize serve flags into flagsets by @tstirrat15 in #2023
- Add a default connect timeout for watch in CRDB driver by @josephschorr in #2041
- Have diffexpr handle the case of adding to a single child expression by @josephschorr in #2038
- Add configurable max buffer size for watch change tracker by @josephschorr in #2044
- Add continuous checkpointing to Datastore Features by @vroldanbet in #2064
- Add analyzer to enforce usage of VT versions of marshalling and unmarshalling by @tstirrat15 in #2043
- Make the max size exceeded error public by @josephschorr in #2049
- Add goreleaser configuration to push Windows package to Chocolatey by @josephschorr in #1879
Fixes
- Cleanup handling of internal errors in Check dispatch by @josephschorr in #2029
- Only add the finalizer on iterators when CI testing by @josephschorr in #2034
- Ensure the validationfile loader passes the full caveats to the typesystem by @josephschorr in #2042
- Fix data type for pg_class relcount by @josephschorr in #2046
- Remove unnecessary branch from limit logic by @tstirrat15 in #2030
- Remove duplicate update test by @josephschorr in #2051
- Remove warning for an arrow referencing a relation in its own namespace by @josephschorr in #2062
- Fix security errors in lint steps by @tstirrat15 in #2061
Updated dependencies
- Integrate updates to cobrautil by @tstirrat15 in #2031
- Bump golang from 1.22.5-alpine3.20 to 1.23.0-alpine3.20 in the docker group by @dependabot in #2050
- Bump the go-mod group with 32 updates by @dependabot in #2052
- Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 in the go_modules group by @dependabot in #2054
What's Changed
Full Changelog: v1.35.3...v1.36.0
Docker Images
This release is available at authzed/spicedb:v1.36.0, quay.io/authzed/spicedb:v1.36.0, ghcr.io/authzed/spicedb:v1.36.0