path: root/share/man/README.md
author: mo khan <mo@mokhan.ca> 2025-07-15 16:37:08 -0600
committer: mo khan <mo@mokhan.ca> 2025-07-17 16:30:22 -0600
commit: 45df4d0d9b577fecee798d672695fe24ff57fb1b
tree: 1b99bf645035b58e0d6db08c7a83521f41f7a75b /share/man/README.md
parent: f94f79608393d4ab127db63cc41668445ef6b243
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization.

Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization

This change enables more flexible permission modeling through SpiceDB's Google Zanzibar-inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar.

Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'share/man/README.md')
-rw-r--r-- share/man/README.md | 24
1 file changed, 12 insertions, 12 deletions
diff --git a/share/man/README.md b/share/man/README.md
index 72c52028..02d7630e 100644
--- a/share/man/README.md
+++ b/share/man/README.md
@@ -77,7 +77,7 @@ This is different from Rails where authorization typically happens inside the ap
| | | |
| v v |
| +-------------+ +----------+ |
-| | Sparkled | | Go Authzd| |
+| | Sparkled | | Authzd | |
| | (App) | | (sidecar)| |
| +-------------+ +----+-----+ |
+==============================|==========+
@@ -94,7 +94,7 @@ This is different from Rails where authorization typically happens inside the ap
| | |
| v |
| +---------------+ |
-| | Rust Authzd | |
+| | Authzd | |
| | (remote) | |
| +---------------+ |
+========================================+
@@ -141,7 +141,7 @@ User-Agent Envoy(Sparkle) Sparkled GitLab
## Slide 6: Request Flow - Authenticated User
```
-User-Agent Envoy(Sparkle) Go Authzd Rust Authzd
+User-Agent Envoy(Sparkle) Sidecar Authzd Remote Authzd
| | | |
| GET /dashboard | | |
| (with cookies) | | |
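Review bot: the participant header on the `+` line is wider than the one it replaces (`Sidecar Authzd` and `Remote Authzd` versus `Go Authzd` and `Rust Authzd`), while the lifeline rows beneath it are unchanged context; unless the spacing between the four labels was tightened to compensate, the `|` lifelines no longer sit under their participants. Re-check the block in a monospace view and realign the header, or shorten the labels to `Sidecar` / `Remote` so the widths stay close to the originals.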
@@ -177,14 +177,14 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd
## Slide 7: The Dual Authzd Architecture
-### Current: Go Sidecar + Rust Remote
+### Current: Sidecar + Remote
```
+-----------------------------------------------------+
| Docker Container |
| |
| +---------+ +--------------+ +----------+ |
-| | Envoy |--->| Go Authzd | | Sparkled | |
+| | Envoy |--->| Authzd | | Sparkled | |
| | (local) | | (sidecar) | | (App) | |
| +---------+ +------+-------+ +----------+ |
| | |
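Review bot: the heading `### Current: Sidecar + Remote` drops the language names but puts nothing in their place, so after this commit the README no longer says what the sidecar is or how it differs from the remote instance; since the commit message describes a Rust to Go migration with SpiceDB permission checks, a one-line note under the heading stating which implementation runs in the sidecar and what it consults for decisions would keep the `Current` label accurate. If both boxes are now the same Go binary, say so here instead of leaving two differently labelled boxes.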
@@ -193,13 +193,13 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd
| gRPC call (fallback)
v
+---------------+
- | ENVOY PROXY |
+ | ENVOY PROXY |
| (remote) |
+-------+-------+
|
v
+---------------+
- | Rust Authzd |
+ | Authzd |
| (remote) |
+---------------+
```
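Review bot: the `- | ENVOY PROXY |` / `+ | ENVOY PROXY |` pair and the matching pair for `Authzd` differ only in whitespace as rendered, so this hunk reads as a box-width adjustment; that is fine, but the diagram still has no node for SpiceDB even though the commit message says permission checks now go to it. If the remote `Authzd` is the component that talks to SpiceDB, add that hop below the `Authzd (remote)` box so the fallback path is documented end to end.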
@@ -211,7 +211,7 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd
| Docker Container |
| |
| +---------+ +--------------+ +----------+ |
-| | Envoy |--->| Rust Authzd | | Sparkled | |
+| | Envoy |--->| Authzd | | Sparkled | |
| | (local) | | (library) | | (App) | |
| +---------+ +------+-------+ +----------+ |
| | |
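Review bot: with `Rust` removed, `Authzd (library)` no longer tells the reader what the library is linked into; the arrow from `Envoy (local)` suggests an in-process Envoy extension, which is a different trust boundary from the `(sidecar)` box in the previous diagram. Label the host process, for example `Authzd (Envoy library)` or `(in-process)`, and state whether the Go migration changes how that embedding works.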
@@ -220,7 +220,7 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd
| HTTP call (fallback)
v
+---------------+
- | Rust Authzd |
+ | Authzd |
| (remote) |
+---------------+
```
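Review bot: this fallback edge says `HTTP call (fallback)` while the equivalent edge in the `Current` diagram says `gRPC call (fallback)`, and the diff leaves both untouched; if the Go authzd exposes a single `ext_authz` transport, one of these labels is now stale. Confirm which transport the remote `Authzd` accepts after the migration and make the two diagrams agree.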
@@ -239,8 +239,8 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd
The OAuth2 and JWT filters shown below may be removed in future versions:
-- **Option 1**: Move to Rust authzd's Envoy configuration
-- **Option 2**: Implement as code inside Rust authzd
+- **Option 1**: Move to Remote authzd's Envoy configuration
+- **Option 2**: Implement as code inside Remote authzd
- **Goal**: Replace JWT with URT (Unified Request Token) via `ext_authz`
### Current Filter Chain (order matters!)
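Review bot: `Move to Remote authzd's Envoy configuration` in Option 1 is ambiguous now that `Rust` is gone; the `Current` diagram shows a separate `ENVOY PROXY (remote)` in front of the remote `Authzd`, so if that proxy is what Option 1 means, name it (for example `the remote Envoy proxy's filter chain`) so readers do not assume authzd itself ships an Envoy config. That also sharpens the contrast with Option 2, which moves the same handling into authzd code.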
@@ -265,7 +265,7 @@ Each filter processes the request and can:
### **Future Architecture**
-This OIDC authentication may move to Rust authzd for centralized token management.
+This OIDC authentication may move to Remote authzd for centralized token management.
### Configuration
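Review bot: casing of the component name is now inconsistent across the file: `Remote authzd` here and in the options list above, `Remote Authzd` in the Slide 6 header, and `Authzd (remote)` in the boxes. Pick one form and apply it to all the `+` lines so a search for the component name hits every mention.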