CRE-2025-0105
SpiceDB Datastore Startup Failure
High
Impact: 9/10
Mitigation: 3/10
Description
Detects critical failures where a SpiceDB instance cannot start due to an invalid schema or an uninitialized datastore during the bootstrap process. This is a common configuration error that prevents the service from initializing and serving requests, leading to a total service outage.
Mitigation
IMMEDIATE RESPONSE:
 - Examine the SpiceDB container logs for a `FATAL` or `ERROR` level message.
 - **If the error is `relation "namespace_config" does not exist`:** The datastore is uninitialized. For a fresh deployment, add the `--datastore-bootstrap-overwrite` flag to the SpiceDB `serve` command to force the database migration to run before bootstrapping the schema.
 - **If the error is `undefined object type` or `schema parsing error`:** The schema itself is invalid. Retrieve the schema file, validate it using the `zed validate <file>` command, correct the errors, and redeploy.

PREVENTIVE MEASURES:
 - Integrate `zed validate` into your CI/CD pipeline to automatically check all schema changes before deployment.
 - Use the `--datastore-bootstrap-overwrite` flag in startup commands for all initial/fresh deployments to ensure tables are created correctly.
 - Implement robust health checks that validate the service is not only running but also responsive to basic API calls after startup.
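
The log triage described above, as an added example (not the CRE rule's own definition and not SpiceDB code): it maps the error strings listed on this page to the two failure modes. It assumes JSON log lines carry `level`, `message` and `error` fields; the sample lines are constructed. Decoding the JSON first matters because the quotes around `namespace_config` are escaped in the raw line, so a plain substring search on raw text misses it.

```python
import json

# Error substrings named on this page, mapped to the page's two failure modes.
SIGNATURES = {
    'relation "namespace_config" does not exist': "uninitialized_datastore",
    "undefined object type": "invalid_schema",
    "schema parsing error": "invalid_schema",
}
ALERT_LEVELS = {"error", "fatal"}

def _fields(line):
    """Return (level, text); level is None for unstructured (non-JSON) lines."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None, line
    if not isinstance(rec, dict):
        return None, line
    # Assumed field names: "level", "message", "error".
    text = " ".join(str(rec.get(k, "")) for k in ("message", "error"))
    return str(rec.get("level", "")).lower(), text

def triage(lines):
    """Return [(line_number, failure_mode)] for matching ERROR/FATAL lines."""
    findings = []
    for n, raw in enumerate(lines, 1):
        level, text = _fields(raw.strip())
        if level is not None and level not in ALERT_LEVELS:
            continue  # structured line below ERROR level: not a startup failure
        for needle, mode in SIGNATURES.items():
            if needle in text:
                findings.append((n, mode))
                break
    return findings

# Constructed sample lines, not captured from a real deployment.
SAMPLE = [
    '{"level":"info","message":"configured datastore"}',
    '{"level":"fatal","error":"relation \\"namespace_config\\" does not exist","message":"bootstrap failed"}',
    '{"level":"error","message":"schema parsing error: undefined object type `usr`"}',
    'ERR undefined object type in bootstrap file',
    '{"level":"debug","message":"retrying after: schema parsing error"}',
]

if __name__ == "__main__":
    for n, mode in triage(SAMPLE):
        print(n, mode)
```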