Configs · Apr 18, 2026 · 3 min read

SpiceDB — Zanzibar-Inspired Authorization Database

SpiceDB is an open-source database for storing and evaluating fine-grained authorization data, inspired by Google's Zanzibar system for consistent global permissions.

Introduction

SpiceDB implements a permissions system modeled after Google's Zanzibar paper. It stores relationships between objects and subjects, then evaluates permission checks against a schema you define. This lets applications enforce consistent, fine-grained access control without embedding authorization logic in application code.

What SpiceDB Does

  • Stores relationship tuples that describe who has access to what
  • Evaluates permission checks in milliseconds using a graph-based engine
  • Enforces a typed schema language for defining relations and permissions
  • Supports multiple storage backends including PostgreSQL, CockroachDB, and MySQL
  • Provides gRPC and HTTP APIs with client libraries for Go, Java, Python, Ruby, and more

Architecture Overview

SpiceDB runs as a stateless gRPC service backed by a relational datastore. Relationship data is stored as tuples in the database. On a permission check request, SpiceDB traverses the relation graph defined by the schema, resolving nested relations and intersections to return an allow or deny result. A watch API streams relationship changes for cache invalidation.
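The traversal described above can be sketched as a small in-memory evaluator. This is an added example, a simplified model and not SpiceDB's own code or API; the object types, relation names, tuples, and the `check` helper are all constructed for illustration.

```python
# Simplified model of a Zanzibar-style permission check (not SpiceDB's implementation).
# Constructed relationship tuples: (resource, relation, subject).
# A subject is a direct user ("user:alice") or a userset ("group:eng#member").
TUPLES = {
    ("document:spec", "owner", "user:alice"),
    ("document:spec", "viewer", "group:eng#member"),
    ("document:spec", "approved", "user:alice"),
    ("document:spec", "approved", "user:bob"),
    ("group:eng", "member", "user:bob"),
    ("group:eng", "member", "user:carol"),
}

# Constructed schema: each permission is an operator over relations or permissions.
SCHEMA = {
    "document": {
        "view": ("union", "owner", "viewer"),
        "publish": ("intersection", "view", "approved"),
    },
}

def check(resource, name, user, seen=frozenset()):
    """Return True only if `user` reaches `resource#name` through the graph."""
    key = (resource, name)
    if key in seen:                      # cycle in the relation graph: stop, deny
        return False
    seen = seen | {key}
    obj_type = resource.split(":", 1)[0]
    expr = SCHEMA.get(obj_type, {}).get(name)
    if expr is not None:                 # permission: combine its operands
        op, *operands = expr
        results = (check(resource, o, user, seen) for o in operands)
        return any(results) if op == "union" else all(results)
    for res, rel, subject in TUPLES:     # plain relation: walk stored tuples
        if (res, rel) != key:
            continue
        if subject == user:              # direct relationship
            return True
        if "#" in subject:               # nested relation: recurse into the userset
            sub_res, sub_rel = subject.split("#", 1)
            if check(sub_res, sub_rel, user, seen):
                return True
    return False                         # nothing matched: default deny

if __name__ == "__main__":
    for u in ("user:alice", "user:bob", "user:carol", "user:dave"):
        print(u, check("document:spec", "view", u), check("document:spec", "publish", u))
```

In this model `user:carol` can view through group membership but cannot publish, because the intersection also requires the `approved` relation; a user or relation with no matching tuple is denied.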

Self-Hosting & Configuration

  • Run via Docker, Helm chart, or the SpiceDB Operator on Kubernetes
  • Configure the datastore backend with --datastore-engine (postgres, cockroachdb, mysql, memdb)
  • Set preshared keys or mTLS for API authentication
  • Run spicedb migrate head to initialize or upgrade the datastore schema
  • Horizontal scaling is achieved by adding stateless SpiceDB replicas behind a load balancer

Key Features

  • Schema language with IDE support for defining typed relations and permissions
  • Consistent snapshot reads using Zanzibar-style zookies (consistency tokens)
  • Bulk import and export of relationship data for migration or backup
  • Watch API for streaming real-time changes to relationships
  • Caveat system for conditional permissions based on runtime context

Comparison with Similar Tools

  • Permify — Similar Zanzibar approach but a younger project; SpiceDB has broader language support
  • Ory Keto — Earlier Zanzibar implementation; SpiceDB provides a richer schema language
  • Casbin — Library-based policy engine; SpiceDB is a standalone scalable service
  • Open Policy Agent — General-purpose policy engine; SpiceDB specializes in relationship-based access control

FAQ

Q: What is the Zanzibar model? A: It is Google's approach to authorization where permissions are derived from stored relationships between objects and users, enabling consistent checks at scale.

Q: Can SpiceDB handle millions of relationships? A: Yes. With CockroachDB or PostgreSQL as the backend, SpiceDB scales to billions of relationships.

Q: Does SpiceDB support RBAC and ABAC? A: SpiceDB natively models ReBAC (relationship-based). RBAC is expressible as relations; ABAC is supported via the caveat system.

Q: Is SpiceDB free? A: The core database is open source under Apache 2.0. AuthZed offers a managed cloud version.
