feat: migrate from Cedar to SpiceDB authorization system

This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
author: mo khan <mo@mokhan.ca> 2025-07-15 16:37:08 -0600
committer: mo khan <mo@mokhan.ca> 2025-07-17 16:30:22 -0600
commit: 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch)
tree: 1b99bf645035b58e0d6db08c7a83521f41f7a75b /etc/authzd/spice.schema
parent: f94f79608393d4ab127db63cc41668445ef6b243 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/etc/authzd/spice.schema b/etc/authzd/spice.schema
index 0d6a6482..da408b80 100644
--- a/etc/authzd/spice.schema
+++ b/etc/authzd/spice.schema
@@ -1,7 +1,17 @@
 definition user {}
+
 definition project {
   relation developer: user
   relation maintainer: user
+
+  permission read = developer + maintainer
+  permission write = maintainer
+}
+
+definition group {
+  relation developer: user
+  relation maintainer: user
+
   permission read = developer + maintainer
   permission write = maintainer
 }
author	mo khan <mo@mokhan.ca>	2025-07-15 16:37:08 -0600
committer	mo khan <mo@mokhan.ca>	2025-07-17 16:30:22 -0600
commit	45df4d0d9b577fecee798d672695fe24ff57fb1b (patch)
tree	1b99bf645035b58e0d6db08c7a83521f41f7a75b /etc/authzd/spice.schema
parent	f94f79608393d4ab127db63cc41668445ef6b243 (diff)