Congrats on the launch!

Combining policy with Zanzibar is super cool and it's great to see the folks in the OPA ecosystem moving in this direction. Most of the novelty of the Zanzibar paper is about scaling ReBAC systems that might not be applicable in a system that starts with policy. Unfortunately, I found the website a little vague on technical details and had some questions:

- I'm curious how this is different from using an API client in Rego, which other projects like OpenFGA and SpiceDB support.

- It seems like for the variety of projects in this space "Zanzibar" is used to mean many different things mentioned in the paper. Can you clarify which properties Topaz is inspired by? From the documentation, I can only find references to tuples and union rewrites[0].

Disclosure: I work on SpiceDB, an established open source project also "inspired by Zanzibar" that also has policy integrations with OPA and Google's CEL.

[0]: https://www.topaz.sh/docs/directory/define-domain-model
Ah, super cool to see an implementation of Zanzibar out in the wild. The paper looked really interesting when it bubbled up on HN a while back.

Wonder if there are planned integrations with any stacks? For instance, it would be super cool to see how this could plug into Rails/ActiveRecord for a kind of out-of-the-box authorization experience.
I actually worked on an implementation based on the Zanzibar paper using OPA at the previous company I worked at. We actually used a proxy running in front of the microservice to determine whether the request was authorized or not.

We were working in healthcare, and the authorization requirements for healthcare are quite complicated. Every microservice needed to handle 50 different roles and get the permissions right for each endpoint, so a more centralised approach made a lot of sense to prevent these types of mistakes.

Cool to see an open source implementation of the idea. Authorization in general is such a hard topic to get right in a microservice architecture. I'd be happy to take a look at the project and see if I can contribute as well!
Great to see an authz app building block based on a robust model as OSS. This is one of those things every app needs, but so far most folks were building it in-house (as I can attest myself) instead of focusing on what really moves their app forward. I wish it had been available a few years ago when we were starting.
Yet another Golang gRPC authorization framework... That couple of ms of response time for a decision could be fine if you only call it a couple of times per request, but it quickly adds up.
Two years ago, we founded Aserto to simplify authorization for developers. Authorization is critical and hard to get right, yet isn't a source of differentiation for most applications.

Google [1], Airbnb [2], Netflix [3], Carta [4], Intuit [5], and others have written about their authorization systems. It's clear that these are all significant undertakings by sizable teams. Most engineering organizations don't want to spend their precious cycles reinventing this wheel.

Over the last two years, we've collected a set of best practices that are common across these projects. We call these the Principles of Authorization [6]. Our goal has been to democratize these principles into an authorization service, and save you time and effort.

Topaz [7] is an open source authorization system you can use to start building robust authorization in minutes. It provides fine-grained, real-time, policy-based access control for modern cloud applications. You can deploy it as a sidecar or a microservice in your cloud, ensuring low latency to your application.

Topaz combines the best ideas from two cloud-native authorization ecosystems: OPA and Zanzibar. Read our blog post [8] for more on why we built Topaz.

Happy hacking!

[1] https://research.google/pubs/pub48190/

[2] https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574

[3] https://www.infoq.com/presentations/authorization-scalability/

[4] https://medium.com/building-carta/authz-cartas-highly-scalable-permissions-system-782a7f2c840f

[5] https://medium.com/intuit-engineering/authz-intuits-unified-dynamic-authorization-system-bea554d18f91

[6] https://www.topaz.sh/docs/intro#principles

[7] https://github.com/aserto-dev/topaz

[8] https://www.aserto.com/blog/topaz-oss-cloud-native-authorization-combines-opa-zanzibar
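As an added illustration of what combining policy (OPA-style rules) with Zanzibar-style relation tuples and union rewrites means in practice, here is a toy relation-tuple store with userset rewrites (direct tuples, computed usersets, tuple-to-userset) and a small policy rule layered on top. This is not code from Topaz or Aserto; the schema, tuples, object names and the `locked` attribute are constructed assumptions for the example.

```python
# Toy Zanzibar-style ReBAC check plus a policy layer (constructed example,
# not Topaz's implementation). Tuples are (object, relation, subject); a
# subject is either a user or a userset written "object#relation".
TUPLES = {
    ("doc:readme", "owner", "user:alice"),
    ("doc:readme", "parent", "folder:eng"),
    ("folder:eng", "viewer", "group:eng#member"),
    ("group:eng", "member", "user:bob"),
}

# Userset rewrite per (type, relation) as a union of three sources:
#   this     - direct tuples on the object
#   computed - other relations on the same object (editor implies viewer)
#   ttu      - tuple-to-userset: follow a relation to another object, then
#              check a relation there (viewer of the parent folder)
SCHEMA = {
    ("doc", "viewer"): {"this": True, "computed": ["editor"], "ttu": [("parent", "viewer")]},
    ("doc", "editor"): {"this": True, "computed": ["owner"], "ttu": []},
    ("doc", "owner"): {"this": True, "computed": [], "ttu": []},
    ("folder", "viewer"): {"this": True, "computed": [], "ttu": []},
    ("group", "member"): {"this": True, "computed": [], "ttu": []},
}

def check(obj, relation, user, depth=0):
    """Return True if `user` is in the userset obj#relation."""
    if depth > 10:  # bound recursion over cyclic tuples or rewrites
        return False
    rule = SCHEMA.get((obj.split(":")[0], relation))
    if rule is None:
        return False
    if rule["this"]:
        for o, r, s in TUPLES:
            if o == obj and r == relation:
                if s == user:
                    return True
                if "#" in s:  # userset subject: expand it recursively
                    sub_obj, sub_rel = s.split("#")
                    if check(sub_obj, sub_rel, user, depth + 1):
                        return True
    if any(check(obj, rel, user, depth + 1) for rel in rule["computed"]):
        return True
    for via, rel in rule["ttu"]:
        for o, r, s in TUPLES:
            if o == obj and r == via and check(s, rel, user, depth + 1):
                return True
    return False

def allowed(action, obj, user, locked):
    """Policy layer: map an action to a relation and add an attribute rule
    (a locked document cannot be written even by its owner)."""
    needed = {"read": "viewer", "write": "editor"}[action]
    if action == "write" and locked:
        return False
    return check(obj, needed, user)
```

Bob reaches `doc:readme#viewer` only through the chain parent folder, group userset, group membership, which is the kind of graph walk the Zanzibar paper spends most of its pages making fast at scale.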
It looks interesting, but I would rather have a package I can import and use locally than run an independent service, because of latency/performance.