
Launch HN: Warrant (YC S21) – Authorization and access control as a service

115 points by akajla, almost 3 years ago

Hi HN! We're Aditya and Karan, the co-founders of Warrant (https://warrant.dev). Warrant provides APIs and infrastructure for authorization and access control.

Teams typically implement their earliest version of an access control system with a home-grown solution or an open source library. Many implement role-based access control, often with roles, attributes, and authorization logic hard coded and/or tightly coupled with their business logic.

As a product grows in usage and complexity, this is no longer enough. Teams find themselves constantly modifying their access control system as their product evolves, or building whole new systems to meet their ever-changing needs. Some teams move towards fine-grained, resource-based access control. Some require attribute based access control. Adjacent problems like multi-tenancy/data isolation, pricing tiers/entitlements, feature flagging, and audit logging come into the picture as well. The problems and the solutions are endless, and typically only large companies have the resources to build and maintain a system that does it all.

We're software engineers who worked for years on access control systems at companies like Lyft, Yahoo, AppLovin, and Medallia. We often found ourselves spending time maintaining and iterating on these in-house systems to keep up with new product, infra, and security/compliance requirements.

Later, while building our own SaaS product, we had to implement access control yet again, and we realized three things: (1) Implementing access control is necessary but tangential to building core product features, so it should be standardized somehow. (2) Access control systems are difficult to maintain as a product evolves, and changing an authorization model or access rules often requires developer involvement. (3) While role based access control (RBAC) still has its place, modern applications require more powerful and customizable authorization models. For example, a data analytics product might want to express that "a specific user X can edit report Y" rather than "all admins can edit reports." In the end, we built a service to manage and enforce access rules for our SaaS product. We quickly realized access control was a much more compelling problem to solve for engineering teams, and that service became the first version of Warrant.

Warrant is a fully managed access control service accessible via API/SDKs. As fans of Google's approach to authorization and access control, we based Warrant on Google Zanzibar (https://research.google/pubs/pub48190/). Users can define custom authorization models for their applications via flexible "object types" or use built-in models to quickly implement common authz scenarios like RBAC and Multitenancy. Our dashboard makes it easy for anyone from developers to product managers to manage an application's authorization model and access rules.

We're a centralized service, which raises two obvious issues: (1) the latency/reliability concerns of adding a network request to nearly all requests, and (2) the tedium/bloat of keeping data and access rules in sync via API/SDK calls. We've built solutions for both of these. Teams can start with our fully managed cloud offering—the simplest approach—and then move to these more specialized solutions as their needs evolve.

Teams with strict latency/availability requirements can run our Edge Agent (https://docs.warrant.dev/quickstart/edge-agent) on their own infrastructure to minimize the latency of access checks and improve reliability in the event that Warrant faces an outage. The Edge Agent services access checks from a local cache and connects to Warrant to receive updates in real-time.

Teams looking to avoid the overhead of integrating via API/SDKs can run our Sync Agent (https://docs.warrant.dev/concepts/sync) alongside their database to stream changes to their data directly to Warrant. With object types configured for syncing, Warrant Sync automatically keeps access rules up-to-date.

As developers, we're focused on providing a stellar developer experience, so we also created an easy way to perform client-side access checks: https://docs.warrant.dev/quickstart/creating-sessions. Our client-side SDKs for React, Vuejs, and Nextjs provide components that make it easy to build dynamic UIs based on a user's access rules.

We currently handle authorization in production for startups and indie developers alike. If you'd like to try us out, sign up for an account at https://app.warrant.dev/signup (free, no credit card required) to get an API key and refer to our docs at https://docs.warrant.dev/ to get started.

We appreciate your time and feedback HN! Let us know what you think in the comments!

22 comments

ohmanjjj, almost 3 years ago
As a SaaS veteran I can confidently say I would never put my entire company on the line for a remote API call before any request is served. Not just latency, but also - what the heck happens if you're gone/down? The entire business operation grinds to a halt. This is such a huge non-starter. I reviewed Sync Agent and I doubt it is much help in case of an actual outage.
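The outage question raised in the comment above, and the local-cache approach the launch post attributes to its Edge Agent, come down to one design decision: what a check returns when the authorization service cannot be reached. The following is an added example, not Warrant's Edge Agent or SDK code; CachingChecker, the remote_check callable and the FakeRemote stub are assumptions constructed to illustrate a stale-while-unavailable cache that fails closed for anything it has never seen.

```python
"""Access checks served from a local cache, with an explicit outage policy.

Added example, not Warrant's Edge Agent or SDK code. It models the question
raised in the thread: what should an access check do when the remote
authorization service is unreachable? CachingChecker, the remote_check
callable and FakeRemote are assumptions constructed for illustration.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


class AuthzUnavailable(Exception):
    """Raised by the remote call when the authorization service cannot be reached."""


@dataclass
class CachedDecision:
    allowed: bool
    fetched_at: float


@dataclass
class CachingChecker:
    """Serve checks from a local cache; refresh from the remote service when stale.

    Outage policy:
      - a stale cached decision is served for up to max_stale seconds;
      - a key with no cached decision is denied (fail closed) and counted.
    """
    remote_check: Callable[[str, str, str], bool]   # hypothetical network call
    ttl: float = 5.0                                # seconds a decision counts as fresh
    max_stale: float = 300.0                        # how long stale data may bridge an outage
    clock: Callable[[], float] = time.time
    cache: Dict[Tuple[str, str, str], CachedDecision] = field(default_factory=dict)
    stale_hits: int = 0                             # counters worth alerting on
    fail_closed_denials: int = 0

    def check(self, user: str, relation: str, obj: str) -> bool:
        key = (user, relation, obj)
        now = self.clock()
        entry = self.cache.get(key)
        if entry is not None and now - entry.fetched_at < self.ttl:
            return entry.allowed                    # fresh hit, no network round trip
        try:
            allowed = self.remote_check(user, relation, obj)
        except AuthzUnavailable:
            if entry is not None and now - entry.fetched_at < self.max_stale:
                self.stale_hits += 1                # degrade gracefully on known keys
                return entry.allowed
            self.fail_closed_denials += 1           # never grant what cannot be verified
            return False
        self.cache[key] = CachedDecision(allowed, now)
        return allowed

    def invalidate(self, user: str, relation: str, obj: str) -> None:
        """Drop a decision when the service pushes a rule change (the real-time update path)."""
        self.cache.pop((user, relation, obj), None)


class FakeRemote:
    """Constructed stand-in for the authorization service; `down` simulates an outage."""

    def __init__(self, rules):
        self.rules = set(rules)
        self.down = False
        self.calls = 0

    def __call__(self, user, relation, obj):
        self.calls += 1
        if self.down:
            raise AuthzUnavailable()
        return (user, relation, obj) in self.rules


def outage_scenario():
    """Fresh hit, stale-serve during an outage, then fail-closed; returns what happened."""
    clock = [1000.0]
    remote = FakeRemote({("alice", "editor", "report:42")})
    checker = CachingChecker(remote_check=remote, ttl=5, max_stale=60, clock=lambda: clock[0])
    out = {}
    out["first"] = checker.check("alice", "editor", "report:42")    # fetched remotely
    out["cached"] = checker.check("alice", "editor", "report:42")   # served from cache
    calls_before = remote.calls
    clock[0] += 10                                                  # TTL has expired
    remote.down = True
    out["stale"] = checker.check("alice", "editor", "report:42")    # stale entry bridges outage
    out["unknown"] = checker.check("bob", "editor", "report:42")    # nothing cached: denied
    clock[0] += 100                                                 # now beyond max_stale
    out["expired"] = checker.check("alice", "editor", "report:42")  # too stale: denied
    out["remote_calls"] = remote.calls - calls_before
    out["stale_hits"] = checker.stale_hits
    out["denials"] = checker.fail_closed_denials
    return out


if __name__ == "__main__":
    print(outage_scenario())
```

The two counters are the operational part: a rising stale_hits rate tells you the upstream is degraded before users notice, and fail_closed_denials during an outage is exactly the population of requests the cache could not protect, which is the number to weigh when sizing max_stale.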
digitallogic, almost 3 years ago
> Teams typically implement their earliest version of an access control system with a home-grown solution or an open source library. Many implement role-based access control, often with roles, attributes, and authorization logic hard coded and/or tightly coupled with their business logic.

Here's the thing, teams do this for a reason. Each one of these checks takes all of 2 minutes to add. And the next one takes 2 mins to add, and so forth. Until it's a total mess. But, as someone who has been through this cycle *multiple* times, that's exactly what I would do again in the future. Because, on day zero, if my options are "the 2 minute solution" or "spend hours/days/weeks? evaluating a vendor for a problem I won't have for years"... well, the choice seems pretty clear there.

> As a product grows in usage and complexity, this is no longer enough.

But the thing is... while it's not enough... I can add to it. Far more easily than I can refactor everything to support a vendor provided system. And I know it'll be a big ball of mud, but at just about every decision point along the way I'm better off *not* switching. And every time I add something to my system, it's that much harder to adopt yours.

It feels like there's a circular dependency here. The easiest time to adopt your product (day zero) is also when I'm least likely to get value out of it. Solve that for me, and I'm very interested in your product.
nwellinghoff, almost 3 years ago
Stuff like this is sorely needed. Glad to see people jumping on the problem. It would be nice if you also included all the UI components for managing all these permissions and users. E.g. you cover the model and all the UI upkeep and I just bolt it on to my app. The amount of man hours we have all spent reinventing the wheel in this area is mind blowing.

To echo the other commenter, I would strongly suggest offering a self hosted option. E.g. same IAC as your cloud but I can host a copy on my cloud.
jph, almost 3 years ago
Congratulations on launch! Access control is an excellent area to modularize IMHO, and your approach of edge cache and data sync is a smart way to improve availability.

This area is a rapidly-increasing market need. Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Relationship-Based Access Control (RelBAC) are all growing in technical complexity and business importance, because users are intermixing more physical devices (e.g. laptop, phone), in more environmental contexts (e.g. remote, cross-border), and with more sophisticated needs for controls (e.g. co-action, delegation).
jamesmcintyre, almost 3 years ago
Having recently worked to implement a large, well-known authorization provider's services into a large ecommerce app, let me share some tips from the developer's perspective:

1.) It's likely your surface area and integration-points are better designed for DX, but the provider I've worked with had a large surface area, many integration patterns to choose from (likely to accommodate the plethora of customer needs over time) and because of this their documentation was often inadequate or misleading. Then you rely on support and I'll just say: please put priority on quality, experienced dev-support especially during early integration for paying customers. Also example project repos go a LONG way. I'm sure this is all stuff you're on top of but that early integration phase (especially for larger orgs) is sometimes a high-visibility, high-risk phase for the internal teams where setting them up for success and exiting that phase with a good impression would likely pay off for the resources you invest on your side (especially if those devs, PMs, EMs, etc. then evangelize your service later at other orgs - you can imagine the inverse scenario, lol).

2.) A lot of the time, especially in larger orgs, your biggest skeptics will be deeply experienced in rolling their own auth even at decent scale. Having a healthy, substantive youtube (talks) or blog presence where you deep dive on best practices would go a long way here to alleviate their uncertainty.

3.) Supporting staging/local dev environments with as little additional dev work as possible would be awesome. You may already accomplish this, didn't go deep into the docs.

4.) Plug-n-play logging to popular services like Datadog. Again, if orgs are coming from internal solutions to yours they'll already expect and have comprehensive logs around various auth events so making this easy would be a win.

Hope this helps! Warrant looks awesome and I'll definitely keep an eye on it for future projects!
jwineinger, almost 3 years ago
How would you approach building authorization-aware search/filtering functionality? It seems like you'd either need to ship all of the search/filtering attributes into the authz system, or you'd need to materialize a view of the access graph back into the product's database and join on it when searching.
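Two passages in this thread are worth seeing in working code together: the launch post's Zanzibar-style model, where "a specific user X can edit report Y" is a relationship rather than a role, and the question above about authorization-aware search, which the second of the two options answers (materialize the resolved access graph into the product database and join on it). The block below is an added example and is not Warrant's code, API or object-type syntax; the SCHEMA rewrite rules, the TUPLES relationship rows, the reports table and the in-memory sqlite database are all constructed for illustration. check() resolves direct tuples, computed usersets ("every owner is an editor") and tuple-to-userset rules ("every editor of the parent folder is an editor of the report"); materialize() flattens those answers into rows the product's search query can join against.

```python
"""Zanzibar-style relationship checks plus an authorization-aware search.

Added example, not Warrant's code or API. Object types, rewrite rules,
relationship tuples and the reports table are constructed for illustration.
"""
import sqlite3

# Assumed rewrite rules per object type (a simplified Zanzibar-style config):
#   ("this",)  direct tuples;  ("computed", R)  anyone with R on the same object;
#   ("tuple_to_userset", T, R)  anyone with R on the object(s) related by T.
SCHEMA = {
    "folder": {"editor": [("this",)],
               "viewer": [("this",), ("computed", "editor")]},
    "report": {"parent": [("this",)], "owner": [("this",)],
               "editor": [("this",), ("computed", "owner"), ("tuple_to_userset", "parent", "editor")],
               "viewer": [("this",), ("computed", "editor"), ("tuple_to_userset", "parent", "viewer")]},
    "group": {"member": [("this",)]},
}

# Constructed relationship tuples: (object, relation, subject).
# A subject is a user or a userset such as "group:eng#member".
TUPLES = [
    ("folder:q3", "editor", "user:alice"),
    ("folder:q3", "viewer", "group:eng#member"),
    ("group:eng", "member", "user:bob"),
    ("report:42", "parent", "folder:q3"),
    ("report:42", "owner", "user:carol"),
    ("report:43", "parent", "folder:q3"),
    ("report:99", "viewer", "user:dave"),
]


def check(tuples, user, relation, obj, _seen=None):
    """Does `user` hold `relation` on `obj`? Follows rewrites; `_seen` guards cycles."""
    seen = _seen if _seen is not None else set()
    key = (user, relation, obj)
    if key in seen:                 # already resolved or in progress on this path
        return False
    seen.add(key)
    obj_type = obj.split(":", 1)[0]
    for rule in SCHEMA.get(obj_type, {}).get(relation, [("this",)]):
        if rule[0] == "this":
            for o, r, subject in tuples:
                if o != obj or r != relation:
                    continue
                if subject == user:
                    return True
                if "#" in subject:  # userset: recurse into the referenced relation
                    set_obj, set_rel = subject.split("#", 1)
                    if check(tuples, user, set_rel, set_obj, seen):
                        return True
        elif rule[0] == "computed":
            if check(tuples, user, rule[1], obj, seen):
                return True
        elif rule[0] == "tuple_to_userset":
            for o, r, target in tuples:
                if o == obj and r == rule[1] and check(tuples, user, rule[2], target, seen):
                    return True
    return False


def materialize(tuples, users, relation, objects):
    """Resolve the graph into flat (user, relation, object) rows for the product DB."""
    return [(u, relation, o) for u in users for o in objects if check(tuples, u, relation, o)]


def build_demo_db():
    """In-memory product DB with a reports table and a materialized access table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?)",
                     [(42, "Q3 revenue"), (43, "Q3 churn"), (99, "Q4 forecast")])
    conn.execute("CREATE TABLE access (user_id TEXT, relation TEXT, object_id TEXT)")
    users = ["user:alice", "user:bob", "user:carol", "user:dave"]
    objects = [f"report:{rid}" for (rid,) in conn.execute("SELECT id FROM reports")]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)",
                     materialize(TUPLES, users, "viewer", objects))
    return conn


def authorized_search(conn, user, term):
    """Text search that only returns reports the user may view (join on access)."""
    return conn.execute(
        """SELECT r.id, r.title FROM reports r
           JOIN access a ON a.object_id = 'report:' || r.id
           WHERE a.user_id = ? AND a.relation = 'viewer' AND r.title LIKE ?
           ORDER BY r.id""",
        (user, f"%{term}%"),
    ).fetchall()


def demo_search(user, term):
    conn = build_demo_db()
    rows = authorized_search(conn, user, term)
    conn.close()
    return rows
```

In this toy the materialization is a full recomputation over every (user, object) pair; in a real deployment it would be driven by change events from the authorization service (the sync path the launch post describes in the other direction) and would need invalidation when a tuple is removed, otherwise the joined table keeps granting access that the authz system has already revoked.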
newusertoday, almost 3 years ago
I am not sure if "Launch HN" is a thing but by using this tag you lose out on existing tags that have a dedicated link like "Show" or "Ask". Why am I telling this? Because I saw this headline and made a mental note to look at it later and then I couldn't find it in "Show", where generally these announcements go; it took me a while to search for it again.

Product looks good and polished! Do you have any plans to add authentication as well? It would be great to have registration/authentication and access control in a single service.
colinchartier, almost 3 years ago
How does this compare with existing access control solutions like https://aws.amazon.com/cognito/ or auth0 rbac?
drawqrtz, almost 3 years ago
How does Warrant compare to other Zanzibar based solutions like Ory Keto? https://github.com/ory/keto
schnebbau, almost 3 years ago
Just so we're clear: if you have an outage, then I have an outage?
padresmurfa, almost 3 years ago
Amazing work. Thanks for sharing! Having experienced my fair share of pain in this area, I'll definitely be looking into the possibility of integrating your solution in my upcoming endeavour.

I share other folks' concern regarding a remote api call for authentication, but I think your Edge Agent solution would address most of these concerns. I'd thus hope to be able to terraform-apply your edge agent into my infrastructure.

As for UI, I imagine that I could use your supplied solutions with minor styling for admin-and-power-user-facing use cases, while having to customize for end-user facing solutions.

I'd love to see that you also provided native mobile app samples for that, if you don't already.

Also, at first glance, I don't see that you take care of my third-party integrated login headaches. If not, then I'd just love to be rid of that thorn in my dev-team's side in one fell swoop. Just sayin', and probably revealing my ignorance at the same time ;)

My worries are towards vendor-lockin and inheriting your attack surface, although I imagine that you will actually handle the security aspects better as part of your core business model than I would. Regarding vendor-lockin, I imagine that you could solve this with legal licensing. As a European, I'd also like to be 100% sure that all of your infrastructure was running in the EU.

Just sharing in case my opinion is of value to you, as I appreciate the solution you are attempting to bring to the world.
Dachande663, almost 3 years ago
If there's not an on-prem version of this, it's just a non-starter. As simple as.
krageon, almost 3 years ago
Given the ease with which Okta was recently penetrated, any company that asked me "should we use a SaaS offering for any sort of access control" would get a firm *no*. That said, I'm sure you'll make absolutely rude amounts of money with this. So good on you.
ianpurton, almost 3 years ago
The authz solutions I've seen so far are quite good at "does a user have permission to do x".

But not so good at the database side of things. I.e. give me the data this user is allowed to see. Which is harder in my opinion.

I've been using postgres row level security to handle this.
raxits, almost 3 years ago
Congratulations on the launch.

Check out a similar product for more complex use cases (like Menu/Tree level authorization, Web/Non-web based/Terminal/Daemon based apps, LDAP/SSO/Hardware token based authentication etc.): https://arxsuite.com/

PS: I was part of the Arx product suite for 5 yrs (before rebranding) :)

1. Demo is targeted towards developers & target market is B2B/Enterprise.
2. Usually developers do not have purchasing power/influence + "We can build it too" attitude.

Happy to help

Raxit Sheth
bluelightning2k, almost 3 years ago
I would never use this as is (sorry).

Rolling your own is about the same level of effort, easier to mock/modify/customize as needed.

And if I *wasn't* rolling my own, I'd look to a library (many in NPM) or I'd look to a Kubernetes sidecar where that makes sense (Dapr or a service mesh).

Going with an API adds concerns about compliance, GDPR, inheriting your entire attack surface, inheriting your downtime risk, configuration foot-guns, and cost.

But I don't like leaving negativity - so here's some suggestions which might tip the value:

- Having really high quality RBAC front-end UI that I can just let you deal with
- Same for inviting people to join accounts
- Testing utilities, so it becomes really easy to run the same tests with different permissions
- Similar to the above but a browser extension where a superuser can switch to emulate any other user (or admins can switch to any user in their org if policy allows)
- Audit logging and customer facing UI for viewing audit logs
scarytom, almost 3 years ago
I'm curious: how does this compare to https://www.aserto.com ?
akshayshah, almost 3 years ago
It's cool to see so many authz startups over the past few years! Many established companies have had some bad reliability issues (especially Auth0), and the Zanzibar paper gives that special Google sheen to new products.

Authzed seems to be doing pretty well in this space, but more competition's better for customers. Best of luck!
jeremynevans, almost 3 years ago
Happy customer here. Warrant has been great for us so far, thoroughly recommend giving them a try!
icey, almost 3 years ago
This is an awesome idea. Hope you have a lot of success, and congrats on the launch!
aaur0, almost 3 years ago
Awesome project. Keep it up, guys!
freddgn, almost 3 years ago
Congrats on the launch! One of the founders of Permify is here. We love this approach and the Google Zanzibar paper, as we're taking a pretty similar approach with Permify but as an Open-source product.[1]

As some mentioned there are legacy tools like AWS Cognito, which mostly focuses on authentication and simpler authorization use cases. But it's evident for us that in order to solve these problems you have mentioned[2] we need a product which can cover more complex use cases and is easier to start with.

[1] https://github.com/Permify/permify

[2] https://www.permify.co/post/why-decouple-authorizations