Crate spicedb_embedded

Embedded SpiceDB using CGO FFI with native gRPC.

This crate provides an in-process SpiceDB instance for authorization checks. It uses a C-shared library to start SpiceDB servers, then connects via Unix socket. All API access is through tonic clients generated from buf.build/authzed/api (see the spicedb-grpc-tonic crate).

§Example

use spicedb_embedded::{v1, EmbeddedSpiceDB};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let schema = r#"
definition user {}
definition document {
    relation reader: user
    permission read = reader
}
"#;

    let relationships = vec![v1::Relationship {
        resource: Some(v1::ObjectReference { object_type: "document".into(), object_id: "readme".into() }),
        relation: "reader".into(),
        subject: Some(v1::SubjectReference {
            object: Some(v1::ObjectReference { object_type: "user".into(), object_id: "alice".into() }),
            optional_relation: String::new(),
        }),
        optional_caveat: None,
    }];

    let spicedb = EmbeddedSpiceDB::new(schema, &relationships, None)?;
    let mut permissions = spicedb.permissions();
    // Use the full SpiceDB API via the generated client
    let response = permissions.check_permission(&v1::CheckPermissionRequest {
        consistency: None,
        resource: Some(v1::ObjectReference { object_type: "document".into(), object_id: "readme".into() }),
        permission: "read".into(),
        subject: Some(v1::SubjectReference {
            object: Some(v1::ObjectReference { object_type: "user".into(), object_id: "alice".into() }),
            optional_relation: String::new(),
        }),
        context: None,
        with_tracing: false,
    })?;
    Ok(())
}
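The example above discards `response`. The block below is an added sketch, not code from this crate, of how an enforcement point can turn a check outcome into a fail-closed decision. It assumes the caller has reduced the RPC result to the raw `i32` permissionship value (the usual prost representation of a proto enum field); `Decision`, `decide` and `guarded` are hypothetical names, and the numeric constants are those of `Permissionship` in `authzed.api.v1`.

```rust
// Added example: stand-in types only; nothing here is the crate's generated code.
// Numeric values of authzed.api.v1 CheckPermissionResponse.Permissionship.
const NO_PERMISSION: i32 = 1;
const HAS_PERMISSION: i32 = 2;
const CONDITIONAL_PERMISSION: i32 = 3;

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Deny(&'static str),
}

/// Map the outcome of a permission check to a decision, failing closed.
/// `check` is the RPC result reduced to its raw permissionship value.
pub fn decide<E>(check: Result<i32, E>) -> Decision {
    match check {
        Ok(HAS_PERMISSION) => Decision::Allow,
        Ok(NO_PERMISSION) => Decision::Deny("no permission"),
        // A caveat could not be fully evaluated: this is not a grant.
        Ok(CONDITIONAL_PERMISSION) => Decision::Deny("conditional: caveat context missing"),
        // 0 (unspecified) and any value this code does not know about.
        Ok(_) => Decision::Deny("unspecified permissionship"),
        // Transport or server error: never treat as allowed.
        Err(_) => Decision::Deny("check failed"),
    }
}

/// Run `action` only when the check allows it; otherwise return the denial reason.
pub fn guarded<T, E>(check: Result<i32, E>, action: impl FnOnce() -> T) -> Result<T, &'static str> {
    match decide(check) {
        Decision::Allow => Ok(action()),
        Decision::Deny(why) => Err(why),
    }
}

fn main() {
    // Constructed check results, not output from a real SpiceDB instance.
    let samples: [Result<i32, &str>; 5] = [Ok(2), Ok(1), Ok(3), Ok(0), Err("socket closed")];
    for s in samples {
        println!("{:?} -> {:?}", s, guarded(s, || "readme contents"));
    }
}
```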

Modules§

v1

Structs§

EmbeddedSpiceDB
Embedded SpiceDB instance (in-memory transport). All RPCs go through the FFI. For streaming APIs (Watch, ReadRelationships, etc.) use streaming_address (the C library starts a streaming proxy and returns it in the start response).
MemoryPermissionsClient
Permissions service client for memory transport. All methods are synchronous and use the -sys safe layer.
MemorySchemaClient
Schema service client for memory transport.
StartOptions
Options for starting an embedded SpiceDB instance.

Enums§

SpiceDBError
Errors from embedded SpiceDB operations