I'm looking for recommendations for separating access control from the core logic of the application. I've looked at a few different open-source solutions; a number of them have their own languages for specifying the policies, but I prefer not to use a custom language. So far cerbos.dev (using YAML to write policies) seems like a good option.

Have you used cerbos.dev or any other access control projects (open-source only)? How's your experience with them?
A bit late to the party, but future HN searchers may read this. I think Cerbos is pretty straightforward and possibly the least risky option if the company ceases to exist. It doesn't have the concept of a data plane. So basically you call the Cerbos microservice and you must provide all the data that can possibly be used to make the authorization decision. Depending upon your app, that may be a pro or con.

Personally, for what I'm building it's a pro. I like the simplicity. Other authz SaaS products want to own your user store to implement the fancy features you see in their marketing. Cerbos doesn't have those fancy features (such as UI components). Once again, that may be a pro or con.

At the time of writing (Cerbos v0.37), I find Cerbos' scope functionality is not very well thought out and possibly dangerous if it's not well understood. And the marketing/documentation on multi-tenancy is a bit deceiving in that out of the box it may only be a good fit for a certain type of multi-tenancy. Definitely do a POC to see if it will fit your needs. But the company seems responsive to feedback and I think they will address this in future updates.
Other options are Casbin, Cedar, and OPA. It looks like Cerbos is really only for roles and rules, and unlike those others would not be a good fit for an ACL-type system that required object-based permissions.
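The two replies above make two architectural points: a decision service with no data plane can only reason about what the caller sends it (so a forgotten attribute silently becomes a deny), and a roles-and-rules engine is a different shape from object-level ACLs. The following is a constructed Python sketch of a stateless policy decision point that illustrates both; it is added here for the thread and is not Cerbos code or its API. The `Principal`/`Resource`/`Decision` types, the `decide` function, and the plain-data policy shape (what a YAML file would load into) are all invented for the example.

```python
"""Toy stateless policy decision point (PDP), constructed for this thread.
The PDP holds no user or object store: the caller supplies the principal,
the resource with all of its attributes, and the action, and receives
ALLOW or DENY. Policies are plain data rather than a custom language.
Not Cerbos code; every name here is invented for illustration."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    id: str
    roles: frozenset
    attr: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Resource:
    kind: str
    id: str
    attr: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    effect: str      # "ALLOW" or "DENY"
    reasons: tuple   # why rules did or did not match; useful for audit logs


# Constructed policy for resource kind "document" with three rule shapes:
#   role only                   -> viewers and editors may view
#   role + attribute condition  -> editors may edit documents they own
#   per-object grant list (ACL) -> anyone named in the document's ACL may
#                                  perform the actions listed for them
# Semantics: a matching DENY overrides any ALLOW; no match is a DENY.
DOCUMENT_POLICY = {
    "resource": "document",
    "rules": [
        {"actions": ["view"], "effect": "ALLOW", "roles": ["viewer", "editor"]},
        {"actions": ["edit"], "effect": "ALLOW", "roles": ["editor"],
         "condition": {"resource_attr": "owner", "principal_attr": "id"}},
        {"actions": ["view", "edit", "share"], "effect": "ALLOW",
         "roles": ["*"], "grant_from": "acl"},
        {"actions": ["delete"], "effect": "DENY", "roles": ["*"],
         "condition": {"resource_attr": "legal_hold", "equals": True}},
    ],
}


def _principal_value(principal, key):
    return principal.id if key == "id" else principal.attr.get(key)


def _rule_matches(rule, principal, resource, action):
    """Return (matched, reason). Missing data never raises: a condition over
    an attribute the caller did not send simply fails to match, so the net
    outcome is DENY and the reason names the absent attribute. That is the
    'no data plane' trap: the PDP cannot fetch what the caller forgot."""
    if action not in rule["actions"] and "*" not in rule["actions"]:
        return False, ""
    if "*" not in rule["roles"] and not principal.roles & set(rule["roles"]):
        return False, ""
    cond = rule.get("condition")
    if cond is not None:
        key = cond["resource_attr"]
        if key not in resource.attr:
            return False, f"resource attr {key!r} not supplied"
        if "principal_attr" in cond:
            expected = _principal_value(principal, cond["principal_attr"])
            if expected is None:
                return False, f"principal attr {cond['principal_attr']!r} not supplied"
        else:
            expected = cond["equals"]
        if resource.attr[key] != expected:
            return False, f"condition on {key!r} is false"
    if "grant_from" in rule:
        acl = resource.attr.get(rule["grant_from"])
        if acl is None:
            return False, f"resource attr {rule['grant_from']!r} not supplied"
        if action not in acl.get(principal.id, ()):
            return False, f"no {action!r} grant for {principal.id!r} in ACL"
    return True, f"{rule['effect']} by rule {rule['actions']}/{rule['roles']}"


def decide(policy, principal, resource, action):
    """Evaluate every rule (deny-overrides) and default to DENY."""
    if policy["resource"] != resource.kind:
        return Decision("DENY", (f"no policy for kind {resource.kind!r}",))
    effects, reasons = set(), []
    for rule in policy["rules"]:
        matched, why = _rule_matches(rule, principal, resource, action)
        if why:
            reasons.append(why)
        if matched:
            effects.add(rule["effect"])
    if "DENY" in effects:
        return Decision("DENY", tuple(reasons))
    if "ALLOW" in effects:
        return Decision("ALLOW", tuple(reasons))
    reasons.append("default deny: no rule matched")
    return Decision("DENY", tuple(reasons))


# Constructed sample data.
ALICE = Principal(id="alice", roles=frozenset({"editor"}))
BOB = Principal(id="bob", roles=frozenset({"viewer"}))
CAROL = Principal(id="carol", roles=frozenset())   # no role, only an ACL grant
DOC = Resource(kind="document", id="d1",
               attr={"owner": "alice", "legal_hold": True, "acl": {"carol": ["view"]}})
# The same document as a caller might send it after forgetting to load the ACL.
DOC_WITHOUT_ACL = Resource(kind="document", id="d1", attr={"owner": "alice"})

if __name__ == "__main__":
    for who, res, act in [(ALICE, DOC, "edit"), (CAROL, DOC, "view"),
                          (CAROL, DOC_WITHOUT_ACL, "view"), (ALICE, DOC, "delete")]:
        d = decide(DOCUMENT_POLICY, who, res, act)
        print(f"{who.id:6} {act:7} -> {d.effect}: {'; '.join(d.reasons)}")
```

The `reasons` tuple is the part worth keeping in a real system: when the caller omits an attribute, the decision is still a safe DENY, but without the recorded reason the omission looks identical to a legitimate refusal and is hard to debug. Carol's case shows the ACL shape the last reply mentions: object-level grants have to travel with the request as resource data, because the PDP has nowhere else to read them from.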