From 45df4d0d9b577fecee798d672695fe24ff57fb1b Mon Sep 17 00:00:00 2001
From: mo khan
Date: Tue, 15 Jul 2025 16:37:08 -0600
Subject: feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's Google Zanzibar inspired relation-based system, supporting complex hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration will no longer work and need to be migrated to SpiceDB schema.
---
cmd/authzd/main.go | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 cmd/authzd/main.go
(limited to 'cmd')
diff --git a/cmd/authzd/main.go b/cmd/authzd/main.go
new file mode 100644
index 00000000..809916c9
--- /dev/null
+++ b/cmd/authzd/main.go
@@ -0,0 +1,40 @@
+package main
+
+import (
+ "context"
+ "net"
+ "os"
+ "os/signal"
+ "syscall"
+
+ "github.com/xlgmokha/x/pkg/env"
+ "github.com/xlgmokha/x/pkg/log"
+ "github.com/xlgmokha/x/pkg/x"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/authz"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/pls"
+)
+
+func main() {
+ logger := log.New(os.Stdout, log.Fields{"app": "authzd"})
+ ctx := logger.WithContext(context.Background())
+
+ client := x.Must(authz.NewClient(ctx,
+ env.Fetch("SPICEDB_ENDPOINT", ":50051"),
+ env.Fetch("SPICEDB_SECRET", "secret"),
+ ))
+ server := authz.New(authz.Connection.With(ctx, client))
+ defer client.Close()
+
+ c := make(chan os.Signal, 1)
+ signal.Notify(c, syscall.SIGINT, syscall.SIGTERM)
+ go func() {
+ <-c
+ server.GracefulStop()
+ logger.Log().Str("status", "goodbye").Send()
+ }()
+
+ defer server.GracefulStop()
+ logger.Log().Str("status", "ready").Send()
+ socket := x.Must(net.Listen("tcp", ":50052"))
+ pls.LogErrorNow(ctx, server.Serve(socket))
+}
-- cgit v1.2.3
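Review bot: `env.Fetch("SPICEDB_SECRET", "secret")` in `main` falls back to a well-known preshared key whenever the variable is unset, so a misconfigured deployment silently authenticates to SpiceDB with `secret` instead of refusing to start; a missing secret should abort startup, e.g. `secret, ok := os.LookupEnv("SPICEDB_SECRET")` followed by `if !ok || secret == "" { logger.Log().Str("status", "SPICEDB_SECRET is not set").Send(); os.Exit(1) }` before the `authz.NewClient` call. The listener on `":50052"` binds every interface, and nothing in the hunk shows whether that gRPC server or the SpiceDB connection is TLS-protected — that presumably lives inside `authz.New`/`authz.NewClient`, so it is worth confirming and stating in a doc comment on `main` (`// main serves the Envoy ext_authz gRPC endpoint on :50052, backed by SpiceDB at SPICEDB_ENDPOINT.`). `server.GracefulStop()` is invoked both from the signal goroutine and from the `defer`, and whether the second call is safe depends on the `authz` server type, which the hunk does not show.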