[HN Gopher] Ory Keto, open source authorization server based on ...
___________________________________________________________________
Ory Keto, open source authorization server based on Google Zanzibar
Author : An0mammall
Score : 205 points
Date : 2021-04-08 13:19 UTC (9 hours ago)
| MattyRad wrote:
| I was auditing Keto recently, I came across this discussion:
|
| https://github.com/ory/keto/issues/47
|
| It's an impressive example of high functioning discourse: all the
| participants provide valuable insight, state concerns, elegantly
| summarize very complex issues, and show a lot of respect to each
| other; great gains are made as a result. It's worth reading in
| its entirety.
| de6u99er wrote:
| Great effort!
|
| But your docker files are not really related to the source code.
| Your Dockerfile expects a prebuilt binary, and your docker-
| compose file a pre-built image from a container-registry (usually
| Dockerhub).
|
| It would be better to do building of the project in a multi-stage
| Dockerfile [1], and use the local Dockerfile [2] instead of a
| pre-built image from Dockerhub.
|
| [1] https://fabianlee.org/2020/01/26/golang-using-multi-stage-
| bu...
|
| [2] https://docs.docker.com/compose/compose-file/compose-
| file-v3...
| TriNetra wrote:
| Do you plan to add ABAC permission policies consisting of an
| expression of arbitrary attribute-based conditions for the
| object? Say 'o.group = 'guest' AND o.location in ['CA', 'WA'].
|
| Recently a prospective client, coming from the world of Active
| Directory, has expressed a need for such a feature in
| ASPSecurityKit.
|
| I haven't read the Zanzibar paper, but in ASPSecurityKit we've
| implemented ACLs on a similar concept - we call it activity-data
| authorization (ADA) [0]. Since it works as part of your
| application as a library, it can inspect requests and
| automatically discover and authorize access to objects [1]. The
| attribute-based permission policies for users is something we're
| evaluating now.
|
| 0: https://youtu.be/u9NnBNEMpF4
| 1: https://aspsecuritykit.net/docs/article/how-to-perform-activ...
| zepatrik wrote:
| This is tracked here: https://github.com/ory/keto/issues/319
|
| Basically the idea is to check the attributes before actually
| forwarding the request to Keto. That could be done through e.g.
| an OPA integration. This can scale much better IMO than just
| doing everything in OPA.
| indiv0 wrote:
| How does this differ from OpenPolicyAgent?
| neupatr wrote:
| OPA takes a whole different approach. They basically have a
| specific language and a corresponding interpreter. The previous
| version of Keto was based off of OPA. We discovered that it is
| not suitable for our needs and what we want to offer because it
| can be very hard to meet certain performance goals (e.g.
| https://github.com/ory/keto/issues/104)
|
| Taking this simple approach allows us to provide a global, low
| latency, and consistent authorization system.
| [deleted]
| neupatr wrote:
| Hello! I am one of the maintainers of Ory Keto. We spent a lot of
| time and effort to read, learn, and analyse the Google Zanzibar
| paper (https://research.google/pubs/pub48190/) and the release
| brings that all together. There are still many things missing,
| but with a great community we hope to build the "Kubernetes" of
| permissions and access control! If you have any questions, I am
| here to help
| sroze wrote:
| Amazing, I was going to start such an endeavour. Zanzibar is to me
| the best ACL system that I know of, from a theoretical
| flexibility perspective. However, I was thinking of taking the
| principles but actually representing the triples as RDF and using
| SparQL to represent policies, to use the power of graph engines
| rather than building my own triple store & query engine. Any
| reason you went for SQL storage and a custom query
| engine/language on top?
| jzelinskie wrote:
| I don't work at ORY, but I do work on a Zanzibar
| implementation.
|
| Basically, what you're describing is called "GBAC". GBAC can
| be great if you need the full power of a typical Graph API,
| but Zanzibar-like services are focused on solving the problem
| of finding a path between two edges[1] and doing everything
| you can to optimize that operation for latency. GBAC is
| flexible, but at the cost of performance compared to
| something more structured.
|
| [0]: https://docs.authzed.com/authz/what-else#gbac-graph-
| based-ac...
|
| [1]: https://authzed.com/blog/identity-isnt-the-foundation/
| 1cvmask wrote:
| Who else does GBAC? How widely used is it?
| robertlagrant wrote:
| Fantastic news - a great achievement.
| neupatr wrote:
| Thank you ;)
| de6u99er wrote:
| Indeed!
| jzelinskie wrote:
| This is awesome!
|
| Full Disclosure: I'm a YC W21 founder that's built authzed,
| which is effectively Zanzibar as a Service, but anything that
| gets mindshare towards using ACL services is huge.
|
| How close do y'all plan to follow the paper? At a glance, I
| noticed a few differences.
|
| It'd be amazing if we had API compatibility across our
| products.
| zepatrik wrote:
| We tried to follow as close as possible, but left out all
| optimizations and cluster inter-node messaging for now. The
| data structures and APIs are followed 1:1. In some places it
| was hard to follow the paper as they leave out important
| details, but you probably experienced that as well ;)
|
| Your APIs look quite compatible, as you probably also stayed
| very close to the paper.
| wiradikusuma wrote:
| So this is like https://www.keycloak.org but without Java?
| neupatr wrote:
| Keto only does authorization, independent of users, devices,
| bots, applications, ... Basically you store your ACLs there and
| then ask "is _subject_ allowed to do _relation_ on _object_".
| All the variables are whatever you define them to be.
|
| Check out https://github.com/ory/kratos, our identity server.
| Or https://github.com/ory/hydra, our OAuth2 server. All of them
| together can be assembled to have something like Keycloak.
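The tuple model neupatr describes above (store ACLs as relation tuples, then ask whether a subject has a relation on an object) and the path-finding jzelinskie mentions further up, as an added Go example that is not part of the thread or of Ory Keto's code: a constructed in-memory store in Keto's object#relation@subject notation with a transitive check that follows subject sets and guards against cycles. The `Store`, `Add`, `Check` and `SampleStore` names and the sample tuples are assumptions made for illustration.

```go
package main

import "strings"

// Store maps a Zanzibar/Keto node "object#relation" to the subjects holding it;
// a subject like "group:eng#member" is a subject set, which makes relations transitive.
type Store map[string][]string

// Add parses one tuple in Keto notation, object#relation@subject, into the store.
func (s Store) Add(tuple string) bool {
	node, subject, ok := strings.Cut(tuple, "@")
	if !ok || !strings.Contains(node, "#") || subject == "" {
		return false // malformed: reject rather than store an unmatchable grant
	}
	s[node] = append(s[node], subject)
	return true
}

// Check answers "is subject allowed to do relation on object" via a path search through subject sets.
func (s Store) Check(object, relation, subject string) bool {
	return s.walk(object+"#"+relation, subject, map[string]bool{})
}
func (s Store) walk(node, subject string, visited map[string]bool) bool {
	if visited[node] { // cycle or already-explored branch: no new paths here
		return false
	}
	visited[node] = true
	for _, granted := range s[node] {
		if granted == subject { // direct grant
			return true
		}
		// A subject set is a node of its own: follow it (indirect grant).
		if strings.Contains(granted, "#") && s.walk(granted, subject, visited) {
			return true
		}
	}
	return false
}

// SampleStore holds constructed tuples: alice is a viewer only through group
// membership, and the two groups reference each other to exercise the cycle guard.
func SampleStore() Store {
	s := Store{}
	for _, t := range []string{"doc:readme#viewer@group:eng#member",
		"group:eng#member@user:alice", "group:eng#member@group:ops#member",
		"group:ops#member@group:eng#member", "doc:readme#owner@user:bob"} {
		if !s.Add(t) {
			panic("malformed tuple: " + t)
		}
	}
	return s
}
```

Note that `owner` does not imply `viewer` here: in Zanzibar that implication comes from a userset rewrite rule in the namespace config, which this store does not model.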
| candiddevmike wrote:
| Kratos can manage users and groups right? Looks like it
| requires a database backend today. I have been noodling what
| a distributed AAA service like kratos might look like--any
| plans to leverage etcd instead?
|
| What about managing auth for (Linux) servers? PAM, sudo, etc?
| atainter56 wrote:
| It's really awesome to see the Zanzibar implementation open
| sourced. I also built an implementation of Zanzibar. From my
| understanding, one of the core features of the paper is the
| Leopard index system which delivers fast permission checks at
| scale. I noticed that your system doesn't have an index
| algorithm, but there is an issue in your repo to implement it. Do
| you have any idea when you would implement it? I'd like to
| potentially use/contribute.
| throwaway86310 wrote:
| Not related to Ory: I don't know why the name of Google's
| service is Zanzibar but if that's related to Zanzibar Island
| which was once a slave route, I don't feel good about it. I'd
| love to be enlightened on this part. You can call it my curiosity
| to know.
| jakemoshenko wrote:
| https://twitter.com/leakissner/status/1136691523104280576?la...
| throwaway86310 wrote:
| Thanks that cleared everything.
| robertlagrant wrote:
| In what way?
| packetslave wrote:
| virtue signaling is boring
| [deleted]
| qrush wrote:
| Hi - as someone who's been on the keto diet a lot over the
| pandemic and also in the before times - just wanted to chime in
| saying, you're going to have a heck of a time trying to break
| through the mountains of pages + SEO about keto recipes/books.
| I'd really suggest calling this something else.
| mumblemumble wrote:
| As a coffee drinker and world traveler, I have the same problem
| with finding information about Java.
| markild wrote:
| Just be more specific, like "java bean"... oh.
|
| Joking aside, I dislike stuff that reuses overly generic
| concepts and names. I get why it was chosen, it's sorta cute,
| and it fits the theme, but it would be very nice if it was a
| uniquely named concept.
| mumblemumble wrote:
| I think that that strategy is roughly how drugs all end up
| with such odd names.
| Scandiravian wrote:
| I have friends whose job it is to come up with names for
| new drugs. It's actually a difficult task, since it needs
| to be easy to remember, create a slightly positive or
| neutral association with consumers, and most importantly,
| not be even close to a dirty/offensive word in any
| language used in a major market
|
| It does result in some super silly names. So much so,
| that when I studied pharmaceutical sciences, we made a
| drinking game called "Pokemon or Drug"
| tyingq wrote:
| Searching for "Ory Keto" returns their pages. As does "Keto
| Auth", "Keto API", and so on. They seem to have done fine.
|
| I suppose "Keto REST" might be harder, but I don't know how
| many ambiguous queries like that are common.
| koolba wrote:
| I'd love to see the SEO involved in a blog post for a Chef
| recipe for deploying "Keto".
| neupatr wrote:
| Hm good point. The project itself exists already for quite some
| time now, this is just a complete rewrite. It is named after an
| ancient Greek goddess: https://en.wikipedia.org/wiki/Ceto (all
| of our projects are named after Greek mythology).
| throwaway823882 wrote:
| There's already 50 of these things that have different
| features/providers/etc. Can't we stop making 50 different ones
| and just focus development on one of them?
|
| Edit: My bad, it's a corporate product, they're not gonna focus
| development around somebody else's code. Corporate "open source"
| is hopeless.
| [deleted]
| nickthemagicman wrote:
| Can anyone give me a Google Zanzibar for dummies?
|
| It's the first I'm hearing about it.
|
| Is it Oauth for everything?
| jakemoshenko wrote:
| It's a really well designed distributed system for calculating
| access control decisions at scale. It makes a specific
| authorization CAP tradeoff that allows for consistency around
| access checks to different "versions" of a piece of content,
| allowing older content to be protected by checks served from
| read replicas and cache.
|
| Full disclosure: I am a co-founder of a company building and
| hosting a Zanzibar implementation as a service:
| https://authzed.com
| deadmutex wrote:
| > really well designed distributed system
|
| Since you're an expert in this area, and I am lazy... :)
|
| What makes it well designed? What are the top 2 or 3 things
| it does to make it a really well designed system?
| kleton wrote:
| Is Zanzibar ganpati?
| kyrra wrote:
| OAuth is just an identity tool (to say a login is a certain
| person). Zanzibar can be seen more as an ACL system that you can
| put across your system. So it is there to validate that a given
| user is able to access any specific resource.
| robertlagrant wrote:
| OAuth(2) is for access delegation. It is not for
| authentication or identity. For this reason, OIDC was built
| on top.
| throwaway3699 wrote:
| It is authorization (as opposed to authentication).
| jeffbee wrote:
| I went diving into the docs to find out how Keto implements
| Zanzibar's consistency guarantees, which for Zanzibar are
| provided mostly by Spanner, but it seems that Keto just does
| not[1]. This does not strike me as the kind of thing that can
| just be added after the project begins.
|
| https://github.com/ory/keto/blob/master/docs/docs/concepts/s...
| yenkel wrote:
| This looks great, good to learn that something like this is out
| there.
|
| I work at Auth0 and we are building a Zanzibar inspired SaaS as
| well (you can read here if interested
| https://twitter.com/auth0lab) and it is positive to see that
| there's interest in services like this, it's validating :)
|
| One of the things we found is that learning Zanzibar concepts can
| be a bit daunting, so we put together this playground:
| https://sandman-86.herokuapp.com/, that has samples and
| tutorials, etc.
|
| Hopefully that's useful for others getting started with Zanzibar.
| We are likely going to be adding the ability to write to the
| playground (it is read-only today) in the next few months.
| zepatrik wrote:
| Wow that playground looks awesome, is it open source? It really
| makes sense to have these graphs and trees, makes it way easier
| to understand.
|
| Nice work there!
| yenkel wrote:
| It's not OSS today but we could probably OSS if we spend a
| bit more time on it. Thanks for the idea!
| jzelinskie wrote:
| This is really polished with the graph visualization!
|
| Similarly, Authzed has a playground[0], but it's focused more
| on validation, exhaustively testing, and sharing your designs
| rather than visualization.
|
| [0]: https://play.authzed.com
| robertlagrant wrote:
| Can you make the Terraform provider better please? :D
| mooreds wrote:
| If you are interested in seeing what this software package can
| do, as I was, you might want to check out the quickstart example:
| https://www.ory.sh/keto/docs/quickstart
|
| and an example: https://www.ory.sh/keto/docs/examples/olymp-file-
| sharing
|
| as well as the concepts section:
| https://www.ory.sh/keto/docs/concepts/relation-tuples
|
| as well as their implemented and planned features:
| https://www.ory.sh/keto/docs/implemented-planned-features
___________________________________________________________________
(page generated 2021-04-08 23:01 UTC)