From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001 From: mo khan Date: Tue, 15 Jul 2025 16:37:08 -0600 Subject: feat: migrate from Cedar to SpiceDB authorization system This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization. Key changes: - Migrate from Rust to Go implementation - Replace Cedar policies with SpiceDB schema and relationships - Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks - Update build system and dependencies for Go ecosystem - Maintain Envoy integration for external authorization This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar. Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
---
Makefile | 61 +++++++++---------------------------------------------- 1 file changed, 9 insertions(+), 52 deletions(-) (limited to 'Makefile')
diff --git a/Makefile b/Makefile
index 6f08a38d..a6795d1c 100644
--- a/Makefile
+++ b/Makefile
@@ -14,52 +14,32 @@ else
 ZED_CMD = zed --endpoint "$(SPICEDB_ENDPOINT)" --token "$(SPICEDB_TOKEN)" --insecure
 endif
-.PHONY: build check test run clean fmt lint doc vendor
+.PHONY: build test run clean tidy
 .PHONY: build-image run-image
-.PHONY: health-check list-services
-.PHONY: staging-entities production-entities
 setup:
 	mise install
 	mise exec go -- go install github.com/xlgmokha/minit@latest
-	mise exec rust -- rustup component add clippy rustfmt rust-analyzer
-	mise exec rust -- cargo install --locked cedar-policy-cli
-$(AUTHZD_BIN): $(shell find src -name "*.rs" 2>/dev/null) Cargo.toml
-	@cargo build --bin authzd --offline
-	@cp target/debug/authzd bin/authzd
+$(AUTHZD_BIN): $(shell find src -name "*.go" 2>/dev/null) go.sum
+	@go build -o $(AUTHZD_BIN) ./cmd/authzd/main.go
-# Cargo targets
 build: $(AUTHZD_BIN)
-check:
-	@cargo check
-
 test:
-	@cargo test
+	@go test ./...
 run: build
 	@minit
 clean:
 	@rm -f $(AUTHZD_BIN)
-	@cargo clean
-
-fmt:
-	@cargo fmt
-	@for policy in etc/authzd/*.cedar; do cedar format --policies $$policy --write; done
-
-lint:
-	@cargo clippy
-	@for policy in etc/authzd/*.cedar; do cedar check-parse --policies $$policy; done
-	@for policy in etc/authzd/*.cedar; do cedar format --policies $$policy --check; done
-	@./bin/envoy --mode validate -c ./etc/envoy/envoy.yaml || echo "Envoy not available, skipping validation"
-doc:
-	@cargo doc --open
-
-vendor:
-	@cargo vendor
+tidy:
+	@go get -u ./...
+	@go mod tidy
+	@go mod vendor
+	@go tool yamlfmt -exclude vendor .
 # Docker targets
 build-image:
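Review bot: The new `$(AUTHZD_BIN)` rule still collects its prerequisites with `find src -name "*.go"` while the recipe builds `./cmd/authzd/main.go`; if the Go packages live under `cmd/` and `internal/` rather than `src/` (the `2>/dev/null` hides the case where `src` does not exist), the prerequisite list is empty and an edited source never triggers a rebuild through `make build` or `make run`. `go.mod` is also absent from the prerequisites, and passing a single file to `go build` compiles only that file as the package, so any sibling files in `cmd/authzd` would be silently excluded. Building the package path with the module files as inputs covers both: `$(AUTHZD_BIN): $(shell find . -name '*.go' -not -path './vendor/*' 2>/dev/null) go.mod go.sum` with `@go build -o $@ ./cmd/authzd`. Separately, `tidy` runs `go get -u ./...` ahead of `go mod vendor`, so every routine tidy upgrades and re-vendors the whole dependency set rather than reconciling the pinned one; keeping the upgrade in its own target and having `tidy` run `go mod tidy`, `go mod verify` and `go mod vendor` makes a dependency change a deliberate, reviewable step. The second hunk only removes targets and raises nothing further.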
@@ -68,29 +48,6 @@ build-image:
 run-image: build-image
 	@docker run --rm -p 20000:20000 --init -it $(IMAGE_TAG)
-# HTTP and gRPC testing targets
-health-check:
-	@grpcurl -plaintext localhost:20000 grpc.health.v1.Health/Check
-
-list-services:
-	@grpcurl -plaintext localhost:20000 list
-
-# entities targets
-check-gitlab-token:
-	@if [ -z "$$GITLAB_TOKEN" ]; then \
-	echo "Error: GITLAB_TOKEN environment variable is required"; \
-	echo "Set it with: export GITLAB_TOKEN=your_token"; \
-	exit 1; \
-	fi
-
-staging-entities: $(AUTHZD_BIN) check-gitlab-token
-	@$(AUTHZD_BIN) generate --host https://staging.gitlab.com --project authorization/sparkle/team --output etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
-
-production-entities: $(AUTHZD_BIN) check-gitlab-token
-	@$(AUTHZD_BIN) generate --project gitlab-org/gitlab --output etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json
-	@$(AUTHZD_BIN) generate --project gitlab-org/software-supply-chain-security/authorization/authzd --output etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json
-	@$(AUTHZD_BIN) generate --project gitlab-org/software-supply-chain-security/authorization/sparkled --output etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json
-
 # spice targets
 # Usage: make run-spicedb-setup SPICEDB_ENDPOINT=localhost:20000
 #        make run-spicedb-setup SPICEDB_ENDPOINT=authzd.staging.runway.gitlab.net:443
-- cgit v1.2.3