| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /cmd | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar-inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'cmd')
| -rw-r--r-- | cmd/authzd/main.go | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/cmd/authzd/main.go b/cmd/authzd/main.go new file mode 100644 index 00000000..809916c9 --- /dev/null +++ b/cmd/authzd/main.go @@ -0,0 +1,40 @@ +package main + +import ( + "context" + "net" + "os" + "os/signal" + "syscall" + + "github.com/xlgmokha/x/pkg/env" + "github.com/xlgmokha/x/pkg/log" + "github.com/xlgmokha/x/pkg/x" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/authz" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/pls" +) + +func main() { + logger := log.New(os.Stdout, log.Fields{"app": "authzd"}) + ctx := logger.WithContext(context.Background()) + + client := x.Must(authz.NewClient(ctx, + env.Fetch("SPICEDB_ENDPOINT", ":50051"), + env.Fetch("SPICEDB_SECRET", "secret"), + )) + server := authz.New(authz.Connection.With(ctx, client)) + defer client.Close() + + c := make(chan os.Signal, 1) + signal.Notify(c, syscall.SIGINT, syscall.SIGTERM) + go func() { + <-c + server.GracefulStop() + logger.Log().Str("status", "goodbye").Send() + }() + + defer server.GracefulStop() + logger.Log().Str("status", "ready").Send() + socket := x.Must(net.Listen("tcp", ":50052")) + pls.LogErrorNow(ctx, server.Serve(socket)) +} |
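Review bot: `env.Fetch("SPICEDB_SECRET", "secret")` in `main()` silently falls back to the literal preshared key `"secret"` when the variable is unset, so a misdeployed authzd starts up and authenticates to SpiceDB with a guessable credential instead of failing; require the secret to be present (for example read it with `os.LookupEnv` and exit with an error when it is missing) and drop the default, and consider the same for `SPICEDB_ENDPOINT` so a missing value cannot quietly point the authorizer at `:50051` on localhost. Two smaller points in the same hunk: the ext_authz listener `net.Listen("tcp", ":50052")` is hardcoded and binds all interfaces while the SpiceDB side is configurable, so a listen-address variable (something like `AUTHZD_LISTEN`, name is only a suggestion) would be consistent, and nothing in this file shows transport security for that listener, so it should be documented whether `authz.New` configures credentials or whether the service relies on Envoy-to-authzd traffic being on a trusted network; and after the signal goroutine calls `server.GracefulStop()`, the deferred `server.GracefulStop()` runs again on the way out of `main` (harmless if this is a grpc-go server, where repeated stops are no-ops, but worth a comment), while the `"goodbye"` log in the goroutine is not waited on and can be lost when `main` returns first.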
