That's a good callout. These are still early days when it comes to Zanzibar & co, and all implementations are very new. I'm glad different implementations exist. This will allow the community to experiment with multiple ideas and allow them to flourish or be discarded.
Authzed's idea Jimmy linked to elsewhere (Caveats) [0] is not in the Zanzibar paper; however, it is an interesting option to try to tackle ABAC scenarios within a Zanzibar context.
OSO (and Aserto seems to be doing the same) is approaching this the other way - they have a good Policy/ABAC solution; do they benefit from a more Zanzibar-like approach to the AuthZ problem? The answer seems to be also yes (OSO Cloud [1]).
In OpenFGA, we dropped the concept of Zookies. Will we regret this? Time will tell. SpiceDB bet on the importance of Zookies, and in some cases they are right. We also added support for having multiple model versions active at the same time and some ABAC scenarios through Contextual Tuples [2] (less powerful than caveats, but more Zanzibar-y). Is that a good idea? Hopefully!
That's the beauty of it: there are considerations (pros and cons) for all of these approaches, and users can pick and choose what works best for their situations. We will all learn and adapt. We may all end up discarding some of our assumptions and adopting new ones. Ultimately this will benefit all of us, and more importantly the wider audience and the ecosystem. And maybe newcomers will implement all of the good ideas floating around while discarding the cruft existing solutions are stuck with.
Hopefully as the ecosystem matures, all the implementations benefit from it. Multiple implementations allow each to investigate certain solutions.
Quoting Jimmy above:
> it'd be awesome to collaborate [...] this is what open source is all about
100%! Though as a FOSS fan myself, I'm hoping for a newcomer GPL/copyleft solution to come about and rule us all :)
Side-note: Absolutely loved this article from OSO with Abhishek Parmar, one of the co-creators of Zanzibar [3]
[0]: https://github.com/authzed/spicedb/issues/386
[1]: https://www.osohq.com/docs/concepts/oso-cloud-data-model
[2]: https://openfga.dev/docs/modeling/contextual-time-based-auth...
[3]: https://www.osohq.com/post/abhishek-parmar-oso
[Disclaimer: On the OpenFGA team]