[HN Gopher] Show HN: Permify - Open-source authorization service...
___________________________________________________________________
Show HN: Permify - Open-source authorization service based on
Google Zanzibar
Author : freddgn
Score : 87 points
Date : 2022-07-14 14:38 UTC (8 hours ago)
| soco wrote:
| How does that look in a microservice/distributed environment in
| terms of network traffic? Do you have some thoughts about it,
| minimizing number of queries, minimizing payload, such things?
| mtolga wrote:
| Hey Soco!
|
| I'm Tolga, one of the co-founders of Permify. We have a couple of
| ideas around that, such as a better cache or using Redis
| persistence as the write DB.
|
| I don't know if this totally answers your questions, but I'd
| love to discuss it further - tolga@permify.co
| gneray wrote:
| Disclosure: I'm the founder of Oso (osohq.com).
|
| It's good to see more activity in this domain. One thing I've
| noticed over the last several years has been: beyond the fact
| that we haven't had good options for authorization tools, the
| world doesn't have enough mental models and good language for
| describing the authorization _problem_. It's mostly RBAC and
| ABAC. That is...limited!
|
| As more people work on this problem, I hope we'll continue to
| build out the collective knowledgebase in addition to having
| tools that supercharge us. To get the ball rolling, we've written
| a number of articles, e.g.,
|
| - What is Google Zanzibar (https://www.osohq.com/learn/google-zanzibar)
| - Authorization Academy (https://www.osohq.com/academy) - Series
| of technical guides on building out authorization
| - Why Authorization is Hard (https://www.osohq.com/post/why-authorization-is-hard)
| - Breakdown of the problem into its piece parts -- enforcement,
| decision architecture, and modeling -- with examples.
| - Best Practices for Authorization Microservices
| (https://www.osohq.com/post/microservices-authorization-patte...)
| - Authorization Patterns in GraphQL
| (https://www.osohq.com/post/graphql-authorization)
|
| Onward :)
| _jezell_ wrote:
| Very cool.
| techn00 wrote:
| I also wrote something similar that also has a dashboard where
| you can see the graph between relations (code quality is really
| lacking though). It uses a DSL built on yaml.
|
| https://github.com/DeluxeOwl/kala-go
| https://kala.andreisurugiu.com/
| jzelinskie wrote:
| Welcome! Glad to see more folks joining the open source
| FGA/Zanzibar space! Making synchronization first-class is a great
| area to explore. It'd be nice to connect and chat about all
| things Zanzibar, not just data syncing!
|
| The Authzed team[0] built Postgres syncing with the SpiceDB
| Postgres Connector[1] to explore syncing, but we never got it
| into a place that the community could agree upon. Users in the
| SpiceDB community are using technologies like CDC external to
| SpiceDB successfully, but there are many foot-guns to syncing
| because it can violate data consistency. Is there documentation
| on how Permify handles consistency (e.g. the Zookies/The New
| Enemy Problem from the Zanzibar paper)?
|
| [0]: https://github.com/authzed/spicedb
|
| [1]: https://github.com/authzed/connector-postgresql
| mtolga wrote:
| Hey Jimmy,
|
| I'm Tolga, one of the co-founders of Permify. Lovely to be in
| the space. Thanks for the kind words; we're always open to chat
| as well.
|
| Right, there are things we have to improve, such as data
| consistency, as you mentioned. We'll be following the Zookie
| model. We will be adding a message queue, and are planning to add
| a message broker soon.
|
| You can check this article for more:
| https://www.permify.co/post/why-decouple-authorizations
|
| Would love to discuss this further.
| mlejva wrote:
| Congratulations on the launch!
|
| Do you have any repos with example implementations?
| mtolga wrote:
| Right now we don't have any, but we would love to help you
| personally. We'll also be sharing updates about these in
| our Discord community :)
|
| https://discord.gg/kHdzX4HkN3
| EgeAytin wrote:
| Hey HN! Ege from Permify here. Permify is an open-source
| authorization service and policy engine based on Google
| Zanzibar[0] with our own twist. My co-founders and I have known
| each other for years, since high school, and we love building
| things.
|
| We have worked with everyone from Fortune 500 companies to small
| businesses [1], and every authorization system was unique. Yet we
| always tackled the same problems.
|
| - Modeling the authorization logic was hard. As the product grows
| things get complicated very fast. So, it's challenging to design
| a model that's both easy to start with and future-proof. [2]
| - Designing the architecture was a dread. It's not a huge problem
| when you have a monolith. But when it comes to micro-services
| it's a nightmare since authorization data is a subset of
| application data. [3]
| - Authorization checks occur in so many places; like user
| interfaces, routers, API endpoints, database queries... So,
| choosing where to enforce authorization, and loading the
| authorization data is hard.
|
| So, Permify syncs your authorization data as relation tuples with
| CDC (Change Data Capture) from the databases you want to a DB you
| point at [4]. Based on this data you can get boolean returns
| for your access control checks.
|
| I know many alternatives have launched on HN over the course of
| time. So what's the twist? What we concurrently encountered was
| that orchestrating the authorization data was a nightmare.
|
| What you can expect from Permify in the following months:
|
| - Message broker to support more databases.
| - Redis Cache support.
| - Better debugging and auditing tools such as transparency logs.
| - More compatibility with the Zanzibar paper.
|
| [0]: https://research.google/pubs/pub48190/
|
| [1]: https://www.permify.co/post/why-decouple-authorizations
|
| [2]: https://medium.com/building-carta/authz-cartas-highly-
| scalab...
|
| [3]: https://medium.com/airbnb-engineering/himeji-a-scalable-
| cent...
|
| [4]: https://dbconvert.com/blog/postgresql-change-data-capture-
| cd...
| lkurtz wrote:
| See also https://openfga.dev/, Auth0's open-source ReBAC solution
| scorpiopie wrote:
| Interesting to see another project open sourced around Google
| Zanzibar. On a timeline for context:
|
| - Ory came out first with Ory Keto ( https://github.com/ory/keto
| ) which is trying to be a close adaptation of the paper.
| Initially, many concepts were missing but they are making a lot
| of progress with the DSL and it interfaces with the rest of Ory
| (OAuth2, User Management)
|
| - Authzed came out as a SaaS only, open sourcing the code base
| later on at https://github.com/authzed/spicedb
|
| - Auth0 has been playing around with Zanzibar concepts in various
| forms and published a beta service at https://dashboard.fga.dev -
| apparently now also open source parts of it similar to what
| Authzed did: https://github.com/openfga
|
| - Permify - who on a side note spammed me quite a lot with
| outreach because I was active in these communities - joins as
| well https://github.com/Permify/permify
|
| It's exciting to see so much movement, yet also sad that so many
| companies are brewing their own beer instead of working
| collaboratively on the more successful projects. Feels like we'll
| just end up with one or two successful projects (looking at Ory /
| Auth0 here) with the rest perishing. I'm wondering if there truly
| is a business model for just this permission system as a SaaS
| service (looks like this is what everyone is going with). Here
| I'm giving Auth0 probably the biggest plus as they have an
| established identity service. Then again, Okta (parent of Auth0)
| and Auth0 themselves are not particularly known for the good
| business practices that we usually expect from developer tooling.
|
| What's refreshing though with Permify is that they are trying a
| bit of a different approach to Zanzibar!
| mtolga wrote:
| Hey there,
|
| Sorry for the outreach spam, we were just trying to get feedback.
| Sometimes my co-founders and I reach out to the same person :) I
| hope we didn't bother you a lot.
|
| Thanks for the kind words; hopefully there is a lot more space
| for players in the space, we believe. I guess we should wait and
| see.
|
| About the approach, thanks for the kind words :) We're trying to
| focus on 2 main issues with Permify.
| 1. Modeling of authorization: Make it dead simple so everyone can
| build a future-proof system without the effort.
| 2. Data Orchestration: Make it easy to move and sync
| authorization data, especially for distributed systems. So you
| don't have to.
|
| We love to chat about these topics so would love to connect and
| chat :)
| jchw wrote:
| It doesn't seem to deal with consistency issues solved by the
| Zanzibar design, at least that I can see. While this is
| understandable since it is probably the most complicated bit of
| the Zanzibar paper, it is a bit disappointing that, as far as I
| can tell, nobody has really gotten that far.
| mtolga wrote:
| Hey there,
|
| Tolga from Permify here!
|
| Yes, this is very true. But we have this on our roadmap.
|
| First we'll be focusing on message broker, and improving CDC.
|
| Then we'll add Zookies.
|
| I'd love to connect & chat about anything related to
| authorization. - tolga@permify.co
| jeffbee wrote:
| "Google thing, but without all that pesky correctness" is a
| sadly common pattern.
| jzelinskie wrote:
| SpiceDB does fully support all consistency described in the
| Zanzibar paper[0] and even allows the requests to specify
| consistency on the fly[1]. We've designed around this from the
| start because it'd be very difficult to add after the fact. We
| also built a CI pipeline that leverages ChaosMesh[2] to test
| for the New Enemy Problem.
|
| [0]: https://docs.authzed.com/reference/zedtokens-and-zookies
|
| [1]: https://docs.authzed.com/reference/api-consistency
|
| [2]: https://chaos-mesh.org
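The relation-tuple checks from the launch post and the Zookie / New Enemy Problem discussed in this thread, as an added illustration that is not Permify's or SpiceDB's code: a toy tuple store whose monotonic revision number stands in for a Zookie, a `check` that follows implied relations and `group:eng#member`-style indirect subjects, and a scenario where a lagging replica would re-grant access that was just revoked unless the check is pinned to the revision returned by the delete. All names, the schema and the sample tuples are assumptions constructed for the example.

```python
# Added illustration, not Permify's or SpiceDB's code; all names are assumptions.
class TupleStore:
    def __init__(self):
        self.revision, self.log = 0, []  # log: (revision, op, (obj, relation, subject))

    def apply(self, op, obj, relation, subject):
        self.revision += 1
        self.log.append((self.revision, op, (obj, relation, subject)))
        return self.revision  # the 'Zookie' a client stores alongside its content

    def snapshot(self, revision=None):
        """Tuples visible at `revision` (head if None); older = lagging replica."""
        rev = self.revision if revision is None else revision
        tuples = set()
        for r, op, t in self.log:
            if r <= rev:
                (tuples.add if op == "add" else tuples.discard)(t)
        return tuples

# Userset rewrite: each relation lists the relations that imply it (owner > editor > viewer).
SCHEMA = {"viewer": ["viewer", "editor", "owner"], "editor": ["editor", "owner"]}

def check(tuples, obj, relation, user, seen=None):
    """Boolean check: does `user` hold `relation` on `obj` in this snapshot?"""
    seen = set() if seen is None else seen
    if (obj, relation) in seen:  # guard against cyclic group memberships
        return False
    seen.add((obj, relation))
    for rel in SCHEMA.get(relation, [relation]):
        for subject in (s for o, r, s in tuples if o == obj and r == rel):
            if subject == user:
                return True
            if "#" in subject and check(tuples, *subject.split("#", 1), user, seen):
                return True  # subject was itself a userset (e.g. group:eng#member)
    return False

def new_enemy_demo():
    """Group-based check, then the New Enemy Problem with and without a Zookie."""
    store = TupleStore()
    store.apply("add", "group:eng", "member", "user:bob")
    store.apply("add", "doc:plan", "editor", "group:eng#member")
    store.apply("add", "doc:plan", "viewer", "user:alice")
    out = {"bob_views_via_group": check(store.snapshot(), "doc:plan", "viewer", "user:bob")}
    # New Enemy: alice is removed, then the doc is edited. Saving the edit with the
    # Zookie from the delete forces checks on the new content to be at least that fresh.
    zookie = store.apply("del", "doc:plan", "viewer", "user:alice")
    args = ("doc:plan", "viewer", "user:alice")
    out["stale_replica_grants"] = check(store.snapshot(zookie - 1), *args)  # True: unsafe
    out["zookie_fresh_grants"] = check(store.snapshot(zookie), *args)       # False
    return out
```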
| dastbe wrote:
| IMO I would add to your docs more details around what to do
| when you e.g. update a relationship but fail to persist a
| zedtoken, or at least the options and what the ramifications
| are. These are things that people may not truly reason
| through, and your team has the most context on how these
| decisions can affect user experience.
| jchw wrote:
| I hate to detract from the Show HN post, but frankly, you
| have my attention. I'm taking a look at SpiceDB.
| colinclerk wrote:
| Nice, love that you launched with React components! I need to
| decide to show a button before I decide to allow a button's
| action :)
___________________________________________________________________
(page generated 2022-07-14 23:00 UTC)