Django-SpiceDB

A declarative authorization framework integrating Django with SpiceDB for relationship-based access control (ReBAC)

Python, Django, SpiceDB, gRPC, Zanzibar

What is django-spicedb?

django-spicedb is a declarative authorization framework that brings Google Zanzibar-style relationship-based access control (ReBAC) to Django applications. It integrates seamlessly with SpiceDB, allowing you to define authorization rules directly on your Django models using RebacMeta classes.
Instead of scattering permission checks throughout your codebase, you define authorization rules once in Python and the library handles the rest — automatically synchronizing relationship changes to SpiceDB through Django signals.

Key Features

  • Model-Centric Configuration: Define permissions directly on Django models via RebacMeta inner classes
  • Automatic Tuple Sync: FK and M2M relationship changes are automatically propagated to SpiceDB through signals
  • Permission Inheritance: Express hierarchical permissions with parent expressions (e.g., document inherits folder permissions)
  • Group-Based Access Control: Built-in support for role membership and group permissions
  • QuerySet Filtering: Filter Django querysets by SpiceDB permissions for efficient authorized queries
  • Stale Tuple Cleanup: Automatically tracks and cleans up old relationship tuples when foreign keys change

Quick Example

python
from django.db import models


class Document(models.Model):
    title = models.CharField(max_length=200)
    folder = models.ForeignKey("Folder", on_delete=models.CASCADE)

    class RebacMeta:
        # SpiceDB resource type for this model
        resource = "document"
        # Relations on the resource; "parent" is tied to the folder FK
        relations = {
            "owner": {"type": "user"},
            "editor": {"type": "user"},
            "viewer": {"type": "user"},
            "parent": {"type": "folder", "field": "folder"},
        }
        # Permissions as expressions over relations ("+" is union,
        # "parent->view" inherits view from the parent folder)
        permissions = {
            "edit": "owner + editor",
            "view": "edit + viewer + parent->view",
        }

With this configuration, django-spicedb automatically:
  1. Creates the SpiceDB schema for the document resource
  2. Syncs relationship tuples when documents are created or updated
  3. Cleans up stale tuples when the folder FK changes
  4. Lets you check permissions with check_permission(user, "view", document)
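
To show what the parent->view expression and the stale-tuple cleanup mean for access decisions, here is an added example (not django-spicedb code and not from the project): a small in-memory evaluator for the permission expressions above. The folder definition, the sample tuples and the helper names check and move_document are assumptions made for the illustration.

```python
# Added illustration, not django-spicedb code: in-memory ReBAC evaluation.
# Document expressions are copied from the page; the folder entry is assumed.
SCHEMA = {
    "document": {"edit": "owner + editor",
                 "view": "edit + viewer + parent->view"},
    "folder": {"view": "viewer"},
}

# Constructed sample tuples: (resource, relation, subject)
TUPLES = {
    ("folder:public", "viewer", "user:bob"),
    ("document:1", "owner", "user:alice"),
    ("document:1", "parent", "folder:public"),
}


def check(tuples, subject, permission, resource, _seen=None):
    """True if subject holds permission (or a plain relation) on resource."""
    seen = set() if _seen is None else _seen
    key = (subject, permission, resource)
    if key in seen:  # already explored; also stops cycles
        return False
    seen.add(key)
    expr = SCHEMA.get(resource.split(":", 1)[0], {}).get(permission)
    if expr is None:  # plain relation: direct tuple lookup
        return (resource, permission, subject) in tuples
    for term in (t.strip() for t in expr.split("+")):  # "+" is union
        if "->" in term:  # arrow: follow the relation, check on its target
            rel, perm = term.split("->")
            targets = [s for r, rl, s in tuples if r == resource and rl == rel]
            if any(check(tuples, subject, perm, t, seen) for t in targets):
                return True
        elif check(tuples, subject, term, resource, seen):
            return True
    return False


def move_document(tuples, doc, new_folder, cleanup=True):
    """Model an FK change: write the new parent tuple, optionally drop old ones."""
    kept = {t for t in tuples
            if not (cleanup and t[0] == doc and t[1] == "parent")}
    return kept | {(doc, "parent", new_folder)}


if __name__ == "__main__":
    stale = move_document(TUPLES, "document:1", "folder:private", cleanup=False)
    clean = move_document(TUPLES, "document:1", "folder:private")
    print(check(stale, "user:bob", "view", "document:1"))
    print(check(clean, "user:bob", "view", "document:1"))
```

With the old parent tuple left behind, user:bob keeps view through folder:public even though the document now lives in folder:private; that residual grant is what stale-tuple cleanup prevents.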

Installation

bash
pip install django-spicedb

Compatibility

  • Django: 5.0, 5.1, 5.2, 6.x
  • Python: 3.11, 3.12
  • License: MIT

Why ReBAC?

Traditional role-based access control (RBAC) struggles with fine-grained permissions. ReBAC models authorization as a graph of relationships — "User A is an editor of Document B" or "Document B is in Folder C" — enabling permission inheritance and context-aware access decisions at scale. This is the same approach Google uses internally (Zanzibar) to handle authorization across billions of resources.

Get Started on PyPI | View Source on GitHub