[HN Gopher] SpiceDB Is Open Source
___________________________________________________________________
SpiceDB Is Open Source
Author : jzelinskie
Score : 88 points
Date : 2021-09-30 18:58 UTC (4 hours ago)
(HTM) web link (authzed.com)
(TXT) w3m dump (authzed.com)
| aidenn0 wrote:
| ELI5: What is Zanzibar?
| ImJasonH wrote:
| I found this to be a good, concise description of the problem
| space, and Zanzibar's approach:
| https://www.youtube.com/watch?v=1nbSbe3kw2U
| rshm wrote:
| https://storage.googleapis.com/pub-tools-public-publication-...
|
| The paper itself is also good.
| kondro wrote:
| An easy to digest article: https://authzed.com/blog/what-is-
| zanzibar/
|
| tl;dr: Highly scalable RBAC/ABAC
| jakemoshenko wrote:
| Jake, Authzed co-founder here.
|
| Zanzibar is a global highly available distributed permissions
| system used within Google to power application permissions for
| things like Maps, YouTube, Calendar, Doc/Drive, etc. They wrote
| about it in a paper[0] that was widely discussed on HN at the
| time[1].
|
| The service stores relationships between people, other people,
| and data, in a giant directed graph. There are primitives for
| querying and processing that graph to make permissions
| decisions. The majority of the rest of the engineering effort
| is spent on replicating the data globally and caching
| permissions decisions regionally and locally, since permissions
| don't lend themselves very well to sharding or siloing along
| service boundaries.
|
| For the 5+ explanation, I wrote a little bit about my digestion
| of the paper and what the important parts are here[2].
|
| [0] https://research.google/pubs/pub48190/
|
| [1] https://news.ycombinator.com/item?id=20132520
|
| [2] https://authzed.com/blog/what-is-zanzibar/
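An added example, not code from the thread or from SpiceDB, of the graph walk Jake describes: relation tuples form a directed graph, and a check resolves the Zanzibar paper's userset-rewrite operators (direct tuples, computed usersets, tuple-to-userset) over it. The schema, namespaces and tuples below are constructed for illustration.

```python
# Toy Zanzibar-style permission check. Userset-rewrite rules per namespace and
# relation, modelled on the paper's operators (schema assumed for this example):
#   ("this",)                        direct relation tuples
#   ("computed_userset", rel)        members of another relation on the same object
#   ("tuple_to_userset", rel, rel2)  follow `rel` to a related object, then check rel2
SCHEMA = {
    "doc": {"viewer": [("this",), ("computed_userset", "editor"),
                       ("tuple_to_userset", "parent", "viewer")],
            "editor": [("this",)], "parent": [("this",)]},
    "fld": {"viewer": [("this",), ("computed_userset", "editor")],
            "editor": [("this",)]},
    "grp": {"member": [("this",)]},
}

# Constructed relation tuples (object, relation, subject). A subject is either a
# user id or a userset (object, relation), e.g. every member of grp:devs.
TUPLES = [
    ("doc:spec", "parent", "fld:eng"),
    ("doc:spec", "viewer", "user:carol"),
    ("fld:eng", "editor", "user:bob"),
    ("fld:eng", "viewer", ("grp:devs", "member")),
    ("grp:devs", "member", "user:dave"),
]

def build_index(tuples):
    """Adjacency list of the permissions graph keyed by (object, relation)."""
    index = {}
    for obj, rel, subject in tuples:
        index.setdefault((obj, rel), set()).add(subject)
    return index

def check(index, obj, relation, user, depth=16):
    """Does `user` hold `relation` on `obj`? Walks the rewrites depth-first."""
    if depth == 0:  # bound recursion so a cyclic graph cannot hang the check
        return False
    for rule in SCHEMA[obj.split(":")[0]][relation]:
        if rule[0] == "this":
            for subject in index.get((obj, relation), ()):
                if subject == user:
                    return True
                if isinstance(subject, tuple) and check(index, *subject, user, depth - 1):
                    return True
        elif rule[0] == "computed_userset":
            if check(index, obj, rule[1], user, depth - 1):
                return True
        else:  # tuple_to_userset: e.g. anyone who can view the parent folder
            for related in index.get((obj, rule[1]), ()):
                if isinstance(related, str) and check(index, related, rule[2], user, depth - 1):
                    return True
    return False

def lookup(index, namespace, relation, user):
    """ACL-filtered list: objects in `namespace` on which `user` holds `relation`."""
    objs = {obj for obj, _ in index if obj.startswith(namespace + ":")}
    return sorted(o for o in objs if check(index, o, relation, user))
```

Bob reaches `doc:spec` as a viewer only through the parent folder's editor relation, and Dave only through a group userset, which is the kind of multi-hop resolution a sharded per-service ACL table cannot answer locally.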
| aidenn0 wrote:
| going from link #2 it sounds like it is a highly scalable
| engine that does the following:
|
| 1. Stores arbitrary state related to permissions
|
| 2. Customizable rules that may refer to any state in #1
|
| 3. A service which allows clients to query if User U should
| be given permission P on artifact A, based upon #2
|
| [edit]
|
| Actually it sounds like #1 is actually a directed graph, not
| arbitrary state.
| tlarkworthy wrote:
| That ACL filtered list seems like it could be super useful. It's
| extremely horrid if a UI is full of controls you don't have
| permission to use.
| itake wrote:
| How did it all get started? Did you hack at this in your free
| time and eventually get an MVP out to share with investors?
| jakemoshenko wrote:
| Sort of, except instead of free time it was full time. After
| reading the Zanzibar paper, we had a strong conviction that
| this solution could address many of the authorization
| challenges we've had in our past products and roles.
| itake wrote:
| Why Golang?
| rad_gruchalski wrote:
| Congratulations! I have looked in depth at Ory Keto some time
| ago. Will be interesting to take this for a spin and see how it
| compares.
| ipodopt wrote:
| Looks good.
|
| 1. How does this compare with Ory Keto?
| https://www.ory.sh/keto/docs/
|
| 2. Can it be natively (I can integrate in Postgres SQL)
| integrated with Row Level Security in Postgres?
|
| 3. Any interest in supporting TiDB as a backend?
|
| Edit: Number questions.
| jzelinskie wrote:
| Disclosure: Another founder of Authzed, here.
|
| Also, in case anyone was wondering, yes, SpiceDB is a reference
| to both Zanzibar and a popular sci-fi novel that will be in
| cinemas shortly.
|
| >1. How does this compare with Ory Keto?
|
| The blog post has a section dedicated to how SpiceDB improves
| on the Zanzibar paper[0]. Keto was originally a different
| project that has been rewritten to be Zanzibar-like. It is
| missing lots of the core functionality that I'd personally
| consider requirements to really be faithful to the paper:
| horizontally scalable, bounded staleness (Zookies), and userset
| rewrites, for example. ORY also develops a whole identity
| suite, while we're attempting to stay laser-focused on
| permissions and maintain vendor-neutrality.
|
| >2. Can it be natively (I can integrate in Postgres SQL)
| integrated with Row Level Security in Postgres?
|
| We have been exploring the space between integrating deeply
| with Postgres from both entrypoints (SpiceDB->Postgres and
| Postgres->SpiceDB). For the former, we're playing with
| representing applications' Postgres databases as read-only
| SpiceDB datastores. For the latter, we've checked out Postgres
| Foreign Data Wrappers, but they don't seem portable to the
| cloud hosted services like RDS. We're continuing to look for
| clever solutions, if anyone reading this bumps into any.
|
| >3. Any interest in supporting TiDB as a backend?
|
| I've created an issue for this[1].
|
| [0]: https://authzed.com/blog/spicedb-is-open-source/#everybody-i...
|
| [1]: https://github.com/authzed/spicedb/issues/154
| mst wrote:
| > For the latter, we've checked out Postgres Foreign Data
| Wrappers, but they don't seem portable to the cloud hosted
| services like RDS.
|
| My experience is that teams who want the full power of
| postgresql run their own compute nodes because of limitations
| like this.
|
| It's a trade-off, as almost everything is, but I _suspect_
| the sort of company who's buying in to things like RLS is
| also the sort of company who're reasonably likely to have
| already migrated off RDS in disgust.
|
| I could easily be wrong, of course, but at the very least I
| think it's worth asking your users before assuming that
| excluding RDS would be a problem for the people who would
| want the feature in the first place.
| ipodopt wrote:
| > For the latter, we've checked out Postgres Foreign Data
| Wrappers, but they don't seem portable to the cloud hosted
| services like RDS. We're continuing to look for clever
| solutions, if anyone reading this bumps into any.
|
| Probably off the mark here but...
|
| View -> Function -> Table (Atomic Permissions) - On Miss ->
| Rest Call to SpiceDB
|
| RLS:
|
| -- Row Level Security policy on the resources table; the atomic
| -- permissions view is populated locally and falls back to SpiceDB
| -- on a miss. auth.uid() resolves the calling user's id.
| CREATE POLICY "Resources are updatable by certain groups of users."
|   ON public.resources FOR UPDATE
|   USING (
|     EXISTS (
|       SELECT FROM atomic_permissions_view
|       WHERE (user_id = auth.uid())
|         AND (action_enum = 'modify')
|         AND (resource_id = id)
|     )
|   );
|
| Where resources inherit from resources tables..
| ipodopt wrote:
| Thanks! :)
___________________________________________________________________
(page generated 2021-09-30 23:00 UTC)