v1.19.1

Upgrade Notes

Warning
This is release includes a fix for CVE-2023-29193
Please read the Security Advisory to determine if you are affected and what workarounds can be applied if you cannot upgrade.

Full Changelog: v1.19.0...v1.19.1

Docker Images

This release is available at authzed/spicedb:v1.19.1, quay.io/authzed/spicedb:v1.19.1, ghcr.io/authzed/spicedb:v1.19.1

v1.19.0

Upgrade Notes

Warning
This is release includes migrations for the Postgres datastore that adds indices.
To learn more about migrations, see the migration documentation.
To automate migrations, Kubernetes users can run the SpiceDB Operator.

Highlights

🚀 Cockroach and Postgres datastores are much faster
🎏 Several new flags for tuning SpiceDB for best performance
🪵 Improved log messages

What's Changed

• postgres, crdb: update pgx to v5 by @ecordell in #1232
• Add flags for maxlifetime jitter by @ecordell in #1235
• Add covering indexes to Postgres and associated testing by @josephschorr in #1118
• port: datastore/postgres: fix invalid slice appends in snapshots by @vroldanbet in #1219
• use cgr.dev/chainguard/busybox as base instead of distroless.dev/busybox by @imjasonh in #1220
• Change schema compiler to squash union and intersection trees by @josephschorr in #1213
• mysql: prevents misleading log messages by avoiding Rollback if committed by @vroldanbet in #1180
• Add better logs for when datastore or dispatcher is not ready by @josephschorr in #1221
• reverts caveat covering index for postgres datastore by @vroldanbet in #1222
• Skip checking of relation on direct computed_userset by @josephschorr in #1225
• use implicit transactions for reads on crdb and postgres by @jakedt in #1230
• introduces configurable dispatch hashring replication factor by @vroldanbet in #1227

Docker Images

This release is available at authzed/spicedb:v1.19.0, quay.io/authzed/spicedb:v1.19.0, ghcr.io/authzed/spicedb:v1.19.0

Full Changelog: v1.18.0...v1.19.0

v1.18.1

Upgrade Notes

Warning
This release breaks our semantic versioning policy and as a result is not recommended.
Please use v1.19.0 which includes this release's changes but with a version number that better reflects the contents of the release.

This is release includes migrations for the Postgres datastore that adds indices.
To learn more about migrations, see the migration documentation.
To automate migrations, Kubernetes users can run the SpiceDB Operator.

What's Changed

• Add covering indexes to Postgres and associated testing by @josephschorr in #1118
• port: datastore/postgres: fix invalid slice appends in snapshots by @vroldanbet in #1219
• use cgr.dev/chainguard/busybox as base instead of distroless.dev/busybox by @imjasonh in #1220
• Change schema compiler to squash union and intersection trees by @josephschorr in #1213
• mysql: prevents misleading log messages by avoiding Rollback if committed by @vroldanbet in #1180
• Add better logs for when datastore or dispatcher is not ready by @josephschorr in #1221
• reverts caveat covering index for postgres datastore by @vroldanbet in #1222
• Skip checking of relation on direct computed_userset by @josephschorr in #1225
• use implicit transactions for reads on crdb and postgres by @jakedt in #1230
• introduces configurable dispatch hashring replication factor by @vroldanbet in #1227

Full Changelog: v1.17.0...v1.18.1

Docker Images

This release is available at authzed/spicedb:v1.18.1, quay.io/authzed/spicedb:v1.18.1, ghcr.io/authzed/spicedb:v1.18.1

v1.18.0

Highlights

🚀 Cockroach and Postgres datastores can now configure separate connection pools for read and write queries
📈 Additional metrics for datastore GC
🔄 Improved Postgres revision collision detection
🚫 Improved error codes when access is denied

What's Changed

• Add prometheus metric for GC failure in datastore by @josephschorr in #1177
• Dependabot updates for March 2023 by @josephschorr in #1188
• datastore/postgres: switch to DB snapshots as primary component of revisions by @jakedt in #1153
• makes the request caveat context size configurable by @vroldanbet in #1190
• README: refresh with more dev instructions by @jzelinskie in #1191
• README: add debug containers by @jzelinskie in #1194
• internal/datastore/crdb: split read/write connpools by @jzelinskie in #1179
• propagate option to disable stats in spanner datastore by @vroldanbet in #1192
• fixes behaviour of various datastores when HeadRevision is outside GC window by @vroldanbet in #1200
• Txid join fix by @jakedt in #1204
• fixes regression of revision precision problem in MacOS for MemDB by @vroldanbet in #1207
• changes the order gRPC prometheus middleware by @vroldanbet in #1209
• Bump golang.org/x/mod from 0.8.0 to 0.9.0 by @dependabot in #1189
• spanner: close row iterators when done by @ecordell in #1212
• datastore/postgres: fix invalid slice appends in snapshots by @jakedt in #1218

Full Changelog: v1.17.0...v1.18.0

Docker Images

This release is available at authzed/spicedb:v1.18.0, quay.io/authzed/spicedb:v1.18.0, ghcr.io/authzed/spicedb:v1.18.0

v1.17.0

Highlights

🎉 Caveats are now Generally Available!
🚀 APIs without configurable consistency have been reduced by one datastore roundtrip
☑ WriteRelationships validation now batch-loads schemas
⚠️ Additional metrics for caching and the Spanner datastore have added, requiring changes to users' PromQL queries
🪳The CockroachDB datastore GC window now warns instead of failing if the user configures an invalid window

What's Changed

• pkg/cache: implement a central collector by @jzelinskie in #1149
• makes dispatch metrics toggleable by @vroldanbet in #1151
• Change release notes update mode by @ecordell in #1150
• make cache collector unregister on close by @vroldanbet in #1152
• Mark caveats as a production-ready feature by @josephschorr in #1154
• Remove now-unused caveats flag by @josephschorr in #1155
• Fix MySQL parseTime check to use the DSN lib by @josephschorr in #1159
• improve CRDB GC error message by @vroldanbet in #1166
• adds caveats to AppliedSchemaChanges by @vroldanbet in #1167
• Fix spanner telemetry by @ecordell in #1156
• does not return an error if GC windows aren't aligned by @vroldanbet in #1169
• Move to Golang 1.19.6 to bring some security fixes by @josephschorr in #1172
• Use the shared relationships validation in dev package by @josephschorr in #1171
• Have validation for WriteRelationships batch load namespaces by @josephschorr in #1175
• Skip loading of head revision on write calls by @josephschorr in #1176

Full Changelog: v1.16.2...v1.17.0

Docker Images

This release is available at authzed/spicedb:v1.17.0, quay.io/authzed/spicedb:v1.17.0, ghcr.io/authzed/spicedb:v1.17.0

v1.16.2

What's Changed

• Expose the V1 API debug information in dev package by @josephschorr in #1107
• fixes problem with caveats not resolving protobuf types by @vroldanbet in #1109
• Make sure to catch error tokens in caveat parsing by @josephschorr in #1111
• .github: explicit github token for buf-generate by @jzelinskie in #1113
• Add additional option to CEL to compile caveat macro expressions by @josephschorr in #1112
• Part 2 of consistency tests using caveats by @josephschorr in #1106
• fixes positional argument errors failing silently by @vroldanbet in #1101
• Add a consistency test for the ipaddress type for caveats by @josephschorr in #1116
• Add consistency test for maps in caveats and better typed errors on caveat evaluation by @josephschorr in #1115
• pkg/cache: default TTL of 2x quantization window by @jzelinskie in #1110
• Remove TODOs in caveat CEL code by @josephschorr in #1121
• Only write caveats that have been possibly updated by @josephschorr in #1120

Docker Images

This release is available at:

• authzed/spicedb:v1.16.2
• quay.io/authzed/spicedb:v1.16.2
• ghcr.io/authzed/spicedb:v1.16.2
• authzed/spicedb:v1.16.2-debug
• quay.io/authzed/spicedb:v1.16.2-debug
• ghcr.io/authzed/spicedb:v1.16.2-debug

Full Changelog: v1.16.1...v1.16.2

v1.16.1

What's Changed

• Add additional goroutine leak testing to Lookup* and fix possible deadlock in ReachableResources by @josephschorr in #1086
• README: rephrase project description by @samkim in #1091
• refactor datastore flags to make them reusable by @vroldanbet in #1089
• Update reported min version for Postgres by @josephschorr in #1093
• align datastore defaults by @vroldanbet in #1092
• adds log.Ctx(ctx) calls (almost) everywhere by @vroldanbet in #1094
• Add an API test for deleting a relationship that does not exist by @josephschorr in #1095
• Consistency test reimplementation by @josephschorr in #1087
• Cleanup lock handling in task runner by @josephschorr in #1096
• Add consistency test for reading relationships by @josephschorr in #1097
• Add a distinct validation error type for schema write by @josephschorr in #1102
• Add additional consistency test cases and enable chunk size changing by @josephschorr in #1099
• Fix flake in debug tests by @josephschorr in #1104
• Optimize allocations by removing sprintf, using strings.Cut by @jzelinskie in #1098

Docker Images

This release is available at:

• authzed/spicedb:v1.16.1
• quay.io/authzed/spicedb:v1.16.1
• ghcr.io/authzed/spicedb:v1.16.1
• authzed/spicedb:v1.16.1-debug
• quay.io/authzed/spicedb:v1.16.1-debug
• ghcr.io/authzed/spicedb:v1.16.1-debug

Full Changelog: v1.16.0...v1.16.1

v1.16.0

Highlights

• Major performance improvements to the Watch API for the Postgres datastore
• v1.CheckPermission is now uses an optimization when there are many subjects with the same relation
• Caveats (experimental) are now supported in the development API
• Dispatch concurrency limits are now configurable per request type (e.g. --dispatch-check-permission-concurrency-limit)

What's Changed

• HTTP gateway graceful termination by @vroldanbet in #1001
• move off ristretto fork by @vroldanbet in #1012
• Add brief sleeps to fix flaky test on macos by @josephschorr in #1014
• Return a more descriptive error for watch when not enabled by @josephschorr in #1009
• Fix memdb to always generate unique revision IDs by @josephschorr in #1015
• Early iterator closing in dispatch by @josephschorr in #1016
• Debug API improvements by @josephschorr in #963
• Add configurable concurrency limits per dispatch type by @josephschorr in #1010
• Switch the namespace cache to use estimated costs and no serialization by @josephschorr in #1019
• internal/datastore: remove unused lock by @jzelinskie in #1021
• Fix the flake in the estimated size test for nsdefs by @josephschorr in #1023
• Fix metadata on ErrCannotWriteToPermission by @josephschorr in #1025
• Add a metric for estimated check direct queries by @josephschorr in #1024
• Remove old error message from CRDB test by @josephschorr in #1036
• Add support for caveat name and context to tuple syntax by @josephschorr in #1028
• Dependabot updates for Dec 2022 by @josephschorr in #1037
• Adjust estimated query count metric to only count dispatch if it was necessary by @josephschorr in #1030
• Link to annotated paper by @samkim in #1044
• Move to golang 1.19.4 by @josephschorr in #1049
• datastore/crdb: upgrade to v22.2.0 to get arm support by @jakedt in #1042
• Add warning when PG max connection count is lower than min by @josephschorr in #1052
• Improve the watch API performance and correctness for postgres by @jakedt in #1039
• Add prom metric for number of batch check dispatches by @josephschorr in #1048
• Add retries to the estimated size test to remove flakiness by @josephschorr in #1053
• Debug supporting caveats by @josephschorr in #1041
• Add support for tracking caveats in membership for development by @josephschorr in #1047
• Fix revision checking in memdb to allow for past now by @josephschorr in #1029
• Add another relationship parsing test by @josephschorr in #1056
• Change confusing flag help output. by @ensonic in #1043
• gomod: update cobraotel to support sample ratios by @jzelinskie in #1058
• Fix concurrent access issue in reachable resources and add additional testing and a small perf improvement by @josephschorr in #1061
• Fix debug tracing for batch dispatches by @josephschorr in #1060
• improvements on context cancellation by @vroldanbet in #1062
• Add test for dispatch metadata on all endpoints by @josephschorr in #1066
• redesigns middlware options for RunnableServer v2 by @vroldanbet in #1063
• datastore/proxy: add prom metrics to datastore operations by @jakedt in #1069
• Add exponential backoff to the GC worker for datastores by @josephschorr in #1068
• Add accessor in the dev package for V1 API by @josephschorr in #1071
• Fix bug in reachable resources that was causing extra work by @josephschorr in #1073
• Add a linter for improper use of panics and fix all found instances by @josephschorr in #1054
• Add datastore GC command to synchronously run GC by @josephschorr in #1067
• Add support for caveats in development package by @josephschorr in #1064
• reference libraries through awesome spicedb by @vroldanbet in #1076
• Dependabot updates for Jan 2023 by @josephschorr in #1084
• Direct check performance improvements by @josephschorr in #839

Docker Images

This release is available at:

• authzed/spicedb:v1.16.0
• quay.io/authzed/spicedb:v1.16.0
• ghcr.io/authzed/spicedb:v1.16.0
• authzed/spicedb:v1.16.0-debug
• quay.io/authzed/spicedb:v1.16.0-debug
• ghcr.io/authzed/spicedb:v1.16.0-debug

New Contributors

• @ensonic made their first contribution in #1043

Full Changelog: v1.15.0...v1.16.0

v1.15.0

Upgrade Notes

Warning
This is release includes changes for dispatching, which can result in an increased error rate during rollout. To avoid, deploy as a distinct cluster and switch over your load balancer(s)

CockroachDB, Spanner, MySQL, Postgres

(no migrations from v1.14.1)

What's Changed

• Update BaseSubjectSet to support caveat expressions by @josephschorr in #932
• Add support in LookupResources for caveats by @josephschorr in #938
• Remove support for the v1alpha1 API by @josephschorr in #976
• Fix observable proxy to use the more efficient namespace lookup by @josephschorr in #989
• Refactor the datastore testfixtures for better code reuse by @josephschorr in #988
• Provide additional capabilities around schema writing by @josephschorr in #990
• logging and error handling improvements by @vroldanbet in #986
• Fix test flake in loader by sorting the expected tuples by @josephschorr in #991
• Add support for caveats in LookupSubjects API by @josephschorr in #987
• address some caveat TODOs by @vroldanbet in #995
• Make sure ReadSchema returns caveats as well by @josephschorr in #997
• Add testutil packages and clean up copy-pasted code by @josephschorr in #996
• fixes broken docker compose link by @vroldanbet in #999
• datastore/postgres: remove the compensation code for migration phases by @jakedt in #992
• Add validation of relationships to file loader by @josephschorr in #981
• Fix for PG when schema is specified in the db url by @jvassev in #994
• Improve the error message for duplicate rels within a single WriteRel… by @josephschorr in #1003
• Return InvalidArgument if caveats are disabled in WriteRels call by @josephschorr in #1004
• Add context and default timeout for validationfile loading by @josephschorr in #1002
• Add len checks to WriteCaveats before attempting to write nothing by @peterfoldes in #1006
• Catch nil values for FoundSubjectsByResourceID map and return as errors by @josephschorr in #1008

Docker Images

This release is available at:

• authzed/spicedb:v1.15.0
• quay.io/authzed/spicedb:v1.15.0
• ghcr.io/authzed/spicedb:v1.15.0
• authzed/spicedb:v1.15.0-debug
• quay.io/authzed/spicedb:v1.15.0-debug
• ghcr.io/authzed/spicedb:v1.15.0-debug

New Contributors

• @jvassev made their first contribution in #994
• @peterfoldes made their first contribution in #1006

Full Changelog: v1.14.1...v1.15.0

v1.14.1

What's Changed

• prevent poisoning via build job by @vroldanbet in #961
• Fix panic in validationfile loader when no schema is specified by @josephschorr in #979
• datastore/cache: clear the RWT namespace cache when writing namespaces by @jakedt in #982
• Dispatch goleak checking by @josephschorr in #983
• cmd/serve: fix deprecated usage of jaeger by @jzelinskie in #984

Full Changelog: v1.14.0...v1.14.1

Docker Images

This release is available at authzed/spicedb:v1.14.1, quay.io/authzed/spicedb:v1.14.1, ghcr.io/authzed/spicedb:v1.14.1