Embedded SpiceDB for Python — embedded authorization using the standard gRPC API

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for rendil from gravatar.com rendil

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache-2.0)
  • Author: Borkfork
  • Tags authorization , authzed , embedded , grpc , spicedb , zanzibar
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

spicedb-embedded (Python)

Sometimes you need a simple way to run access checks without spinning up a new service. This library provides an embedded version of SpiceDB in various languages. Each implementation is based on a C-shared library (compiled from the SpiceDB source code) with a very thin FFI binding on top of it. This means that it runs the native SpiceDB code within your already-running process.

from spicedb_embedded import EmbeddedSpiceDB
from authzed.api.v1 import (
    CheckPermissionRequest,
    CheckPermissionResponse,
    Consistency,
    ObjectReference,
    Relationship,
    SubjectReference,
)

schema = """
definition user {}

definition document {
    relation reader: user
    permission read = reader
}
"""

rel = Relationship(
    resource=ObjectReference(object_type="document", object_id="readme"),
    relation="reader",
    subject=SubjectReference(object=ObjectReference(object_type="user", object_id="alice")),
)

with EmbeddedSpiceDB(schema, [rel]) as spicedb:
    req = CheckPermissionRequest(
        consistency=Consistency(fully_consistent=True),
        resource=ObjectReference(object_type="document", object_id="readme"),
        permission="read",
        subject=SubjectReference(object=ObjectReference(object_type="user", object_id="alice")),
    )
    resp = spicedb.permissions().CheckPermission(req)
    allowed = resp.permissionship == CheckPermissionResponse.PERMISSIONSHIP_HAS_PERMISSION

Who should consider using this?

If you want to spin up SpiceDB, but don't want the overhead of managing another service, this might be for you.

If you want an embedded server for your unit tests and don't have access to Docker / Testcontainers, this might be for you.

If you have a schema and set of permissions that are static / readonly, this might be for you.

Who should avoid using this?

If you live in a world of microservices that each need to perform permission checks, you should almost certainly spin up a centralized SpiceDB deployment.

If you want visibility into metrics for SpiceDB, you should avoid this.

How does storage work?

The default datastore is "memory" (memdb). If you use this datastore, keep in mind that it will reset on each app startup. This is a great option if you can easily provide your schema and relationships at runtime. This way, there are no external network calls to check relationships at runtime.

If you need a longer term storage, you can use any SpiceDB-compatible datastores.

from spicedb_embedded import EmbeddedSpiceDB

# Run migrations first: spicedb datastore migrate head --datastore-engine postgres --datastore-conn-uri "postgres://..."
schema = """
definition user {}

definition document {
    relation reader: user
    permission read = reader
}
"""

with EmbeddedSpiceDB(schema, [], options={
    "datastore": "postgres",
    "datastore_uri": "postgres://user:pass@localhost:5432/spicedb",
}) as spicedb:
    # Use full Permissions API (writeRelationships, checkPermission, etc.)
    pass

Running code written in Go compiled to a C-shared library within my service sounds scary

It is scary! Using a C-shared library via FFI bindings introduces memory management in languages that don't typically have to worry about it.

That being said, the SpiceDB code still runs in a Go runtime with garbage collection, which is where the vast majority of time is spent. To help mitigate some of the risk, the FFI layer is kept as straightforward as possible. protobuf is marshalled and unmarshalled at the FFI <--> language runtime boundary in a standardized way. After unmarshalling, requests are sent directly to the SpiceDB server, and responses are returned directly back to the language runtime (after marshalling).

Installation

pip install spicedb-embedded

Or from source:

cd python && pip install -e .

Prerequisites: Go 1.23+ with CGO enabled. Build the shared library first:

cd shared/c && CGO_ENABLED=1 go build -buildmode=c-shared -o libspicedb.dylib .  # macOS
cd shared/c && CGO_ENABLED=1 go build -buildmode=c-shared -o libspicedb.so .      # Linux

The library looks for libspicedb.dylib (macOS) or libspicedb.so (Linux) in SPICEDB_LIBRARY_PATH or relative to the working directory (shared/c, ../shared/c, etc.). Override with SPICEDB_LIBRARY_PATH=/path/to/shared/c.

Usage

from spicedb_embedded import EmbeddedSpiceDB
from authzed.api.v1 import (
    CheckPermissionRequest,
    CheckPermissionResponse,
    Consistency,
    ObjectReference,
    Relationship,
    SubjectReference,
)

schema = """
definition user {}

definition document {
    relation reader: user
    permission read = reader
}
"""

rel = Relationship(
    resource=ObjectReference(object_type="document", object_id="readme"),
    relation="reader",
    subject=SubjectReference(object=ObjectReference(object_type="user", object_id="alice")),
)

with EmbeddedSpiceDB(schema, [rel]) as spicedb:
    stub = spicedb.permissions()
    req = CheckPermissionRequest(
        consistency=Consistency(fully_consistent=True),
        resource=ObjectReference(object_type="document", object_id="readme"),
        permission="read",
        subject=SubjectReference(object=ObjectReference(object_type="user", object_id="alice")),
    )
    resp = stub.CheckPermission(req)
    allowed = resp.permissionship == CheckPermissionResponse.PERMISSIONSHIP_HAS_PERMISSION

API

  • EmbeddedSpiceDB(schema, relationships, options=None) — Create an instance. Pass [] for no initial relationships. Pass options dict for datastore/transport config. Supports context manager (with).
  • permissions() — Permissions service stub (CheckPermission, WriteRelationships, ReadRelationships, etc.).
  • schema() — Schema service stub (ReadSchema, WriteSchema, ReflectSchema, etc.).
  • watch() — Watch service stub for relationship changes.
  • channel() — Underlying gRPC channel for custom usage.
  • close() — Dispose the instance and close the channel.

Use types from authzed.api.v1 (ObjectReference, SubjectReference, Relationship, etc.).

Options

options = {
    "datastore": "memory",          # or "postgres", "cockroachdb", "spanner", "mysql"
    "datastore_uri": "postgres://user:pass@localhost:5432/spicedb",  # required for remote
    "spanner_credentials_file": "/path/to/key.json",  # Spanner only
    "spanner_emulator_host": "localhost:9010",       # Spanner emulator
    "mysql_table_prefix": "spicedb_",                 # MySQL only (optional)
    "metrics_enabled": False,                         # default; set True to enable Prometheus metrics
}

with EmbeddedSpiceDB(schema, [], options=options) as spicedb:
    ...

Building & Testing

mise run shared-c-build
cd python
pip install -e ".[dev]"
pytest

Or from the repo root: mise run python-test

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for rendil from gravatar.com rendil

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache-2.0)
  • Author: Borkfork
  • Tags authorization , authzed , embedded , grpc , spicedb , zanzibar
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.7.0

0.6.2

0.6.1

0.6.0

0.5.2

0.5.1

0.4.3

0.3.9

0.3.8

0.3.7

0.3.6

0.3.5

This version

0.3.4

0.3.3

0.3.2

0.3.1

0.3.0

0.2.6

0.2.5

0.2.4

0.2.3

0.2.2

0.2.1

0.2.0

0.1.21

0.1.20

0.1.19

0.1.18

0.1.17

0.1.16

0.1.15

0.1.14

0.1.13

0.1.12

0.1.9

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

spicedb_embedded-0.3.4.tar.gz (8.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

spicedb_embedded-0.3.4-py3-none-any.whl (25.6 MB view details)

Uploaded Python 3

File details

Details for the file spicedb_embedded-0.3.4.tar.gz.

File metadata

  • Download URL: spicedb_embedded-0.3.4.tar.gz
  • Upload date:
  • Size: 8.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for spicedb_embedded-0.3.4.tar.gz
Algorithm Hash digest
SHA256 1388cac7d0785857bec301a91289893f9c1eac701d7fc8a399cb185a9bf52245
MD5 f396483d3644372034ed103dcaff11af
BLAKE2b-256 3188faff2121e626bba498b4fff55c937279d0ed33aeb327bcd5c709ca2e5df4

See more details on using hashes here.

Provenance

The following attestation bundles were made for spicedb_embedded-0.3.4.tar.gz:

Publisher: release.yml on borkfork/spicedb-embedded

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file spicedb_embedded-0.3.4-py3-none-any.whl.

File metadata

File hashes

Hashes for spicedb_embedded-0.3.4-py3-none-any.whl
Algorithm Hash digest
SHA256 def2ddbb0aa945e947c27f7ef80923ae7d9c7cca8f53239eeba90019137456c2
MD5 c7b8ad180e57cc1655893406092e5d71
BLAKE2b-256 250862d23a1a4b8e01e5bc294b74070ffe1995eda4f8bd5e6f1d61b30115fc96

See more details on using hashes here.

Provenance

The following attestation bundles were made for spicedb_embedded-0.3.4-py3-none-any.whl:

Publisher: release.yml on borkfork/spicedb-embedded

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page