Skip to main content

0034: ReBAC Engine Selection

Date: 2025-11-08

Status: Proposed

Context

The permissions-service is responsible for managing fine-grained, graph-based permissions (Relationship-Based Access Control, or ReBAC). This requires a specialized database capable of efficiently querying complex relationships, inspired by Google's Zanzibar paper.

A naive implementation using a standard relational database would require complex, recursive queries that are difficult to maintain and do not perform well at scale. We need to select a dedicated, open-source ReBAC engine that is performant, scalable, and well-supported.

The primary candidates considered were SpiceDB and Ory Keto, both of which are open-source implementations of the Zanzibar model.

Decision

We will adopt SpiceDB as the underlying ReBAC engine for the permissions-service.

The permissions-service will act as an adapter layer on top of SpiceDB. It will handle platform-specific concerns like multi-tenancy enforcement, authentication, and providing a stable internal API, while delegating the core storage and query operations to a SpiceDB instance.

SpiceDB is chosen for its strong performance characteristics, clear schema language, active community, and its ability to use PostgreSQL as a storage backend, which aligns with our existing infrastructure stack.

Consequences

Positive

  • Proven Model: Leverages the battle-tested, scalable Zanzibar model for authorization.
  • High Performance: SpiceDB is designed for low-latency permission checks.
  • Infrastructure Alignment: Can be configured to use our existing PostgreSQL instances, reducing operational overhead for a new database technology.
  • Developer Experience: The schema language is clear and expressive, making it easier for developers to model permissions.
  • Decoupling: By placing it behind our permissions-service adapter, we retain the flexibility to swap it out in the future if needed.

Negative

  • New Component: Adds a new stateful component (the SpiceDB server) to our architecture that must be deployed, monitored, and maintained.
  • Learning Curve: Developers will need to learn the SpiceDB schema language to define permission models.
  • Data Consistency: Requires a strategy for keeping the data in SpiceDB consistent with data in other services (e.g., deleting a user in iam-service should trigger a cleanup of their relationships in SpiceDB).