connector-postgresql is a tool that translates data from postgres databases into SpiceDB relationships.

No guarantees are made for the stability of the CLI interface or the format of config files.

See CONTRIBUTING.md for instructions on how to contribute and perform common tasks like building the project and running tests.

connector-postgresql import will connect to postgres, generate an example schema and config to map postgres data into SpiceDB, and then attempt to sync that data into SpiceDB as relationships.

By default, it will dry-run to show you what would be synced.

It can also be run as two stages: one to generate an example schema and config, and one to actually import relationships based on that config.

$ connector-postgresql import --dry-run=false --spicedb-endpoint=localhost:50051 --spicedb-token=somesecretkeyhere --spicedb-insecure=true "postgres://postgres:secret@localhost:5432/mydb?sslmode=disable"

• Prints out a zed schema + a config mapping from pg to SpiceDB
• Appends the generated zed schema to SpiceDB's schema
• Mirrors all relationships into SpiceDB according to that config

$ connector-postgresql import --spicedb-endpoint=localhost:50051 --spicedb-token=somesecretkeyhere --spicedb-insecure=true "postgres://postgres:secret@localhost:5432/mydb?sslmode=disable"

• Prints out a zed schema + a config mapping from pg to SpiceDB
• Logs relationships that would have been written to SpiceDB

$ connector-postgresql import --config=config.yaml --spicedb-endpoint=localhost:50051 --spicedb-token=somesecretkeyhere --spicedb-insecure=true "postgres://postgres:secret@localhost:5432/mydb?sslmode=disable"

• Uses the provided config.yaml to write relationships into SpiceDB
• If the required schema is already in SpiceDB, skip appending it with --append-schema=false

schema: |2
  definition customer {}

  definition contact {
      relation customer: customer
  }

  definition article {
      relation tags: tags
  }

  definition tags {
      relation article: article
  }
tables:
# for each row in the contacts table
- name: contacts
  relationships:
  # generate a relationship contact:<contact_id>#customer@customer:<customer_id>_<customer_name>
  - resource_type: contact
    resource_id_cols:
    - contact_id
    relation: customer
    subject_type: customer
    subject_id_cols:
    - customer_id
    - customer_name
# for each row in the article_tag table (a join table from articles <-> tags)
- name: article_tag
  relationships:
  # generate a relationship article:<article_id>#tags@tag:<tag_id>
  - resource_type: article
    resource_id_cols:
    - article_id
    relation: tags
    subject_type: tags
    subject_id_cols:
    - tag_id
  # generate a second relationship tags:<tag_id>#article@article:<article_id>
  - resource_type: tags
    resource_id_cols:
    - tag_id
    relation: article
    subject_type: article
    subject_id_cols:
    - article_id

WARNING: This is exploratory, and the current implementation has serious flaws that mean the connector should not be run in production.

The connector can be run continuously with connector-postgresql run. Running the connector will first run a full import via connector-postgresql import, but then it will follow the postgres replication log and sync data as it changes.

$ connector-postgresql run --dry-run=false --spicedb-endpoint=localhost:50051 --spicedb-token=somesecretkeyhere --spicedb-insecure=true "postgres://postgres:secret@localhost:5432/mydb?sslmode=disable"