/plushcap/analysis/authzed/authzed-spicedb-relationship-integrity

Relationship integrity

What's this blog post about?

Google's Zanzibar model of authorization differentiates itself from other models by relying on relationships between objects, known as "resources" and "subjects". SpiceDB is an open-source implementation of Zanzibar developed by AuthZed. It stores relationships in an underlying datastore and uses this data to compute permissions. However, there exists a possibility that relationships within the external datastore could be modified without SpiceDB's knowledge, leading to incorrect or malicious answers to permissions questions. To address this issue, SpiceDB v1.36.0 introduces relationship integrity, which allows for each relationship written into the backing datastore to be signed by a key known only to SpiceDB. Currently, relationship integrity is supported with the CockroachDB datastore driver and may extend support to other drivers in the future.

Company
AuthZed

Date published
Sept. 30, 2024

Author(s)
Joey Schorr

Word count
708

Language
English

Hacker News points
None found.


By Matt Makai. 2021-2024.