There are different types of access control approaches:
- ABAC - Attribute based access control.
- DAC - Discretionary access control.
- GBAC - Graph based access control.
- MAC - Mandatory access control.
- OrBAC - Organization based access control.
- ReBAC - Relationship based access control.
- RBAC - Role based access control.
- RLS - Row level security PostgreSQL security feature
Origins of permissions DAC/MAC/ACL: https://tailscale.com/blog/rbac-like-it-was-meant-to-be#getting-more-concrete-rbac-and-abac
We built own ABAC solution with Nodejs for current CRUD tables for restricting users and create a team of teams. But faced with a inability to manage access for other microservices so we are looking for a solution that will not trap us on a monolithic architecture. So we can develop our value proposition for end-user with different programming languages.
It's very handy to deploy an additional microservices and add custom action at frontend. But it required to split this resource for each user.
Current monolithic solution uses 4 tables to store each rule and gives a conviniet dropdowns, parsing table of picked resource and dropdowns to select required column of a resource table while creating an if statement.
GUI builder with dropdowns for resources, actions, table's columns and etc.
Since monolith is started to decentralize own backend we are looking for permission contorol solution to limit reseources per each user.
Too bad that we wasted time for developing own ABAC solution that could not be refactored into separate standalone service that could play a gatekeeper role. So I made some research to find best practices and ended with a list of an access control management frameworks.
Requirements
- Policy should be written as a code for easy cope, paste and deploy
- Centralized allow/deny/transform service for any backend or message broker
- Open-source and self hosted
- ?
Solutions
OpenFGA
https://github.com/openfga/openfga
A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar
Topaz
https://github.com/aserto-dev/topaz
Product of Aserto company: https://www.aserto.com/
Topaz is an open-source authorization service providing fine-grained, real-time, policy-based access control for applications and APIs.
It uses the Open Policy Agent (OPA) as its decision engine, and provides a built-in directory that is inspired by the Google Zanzibar data model.
Ory Keto
Cloud based - https://www.ory.sh
Open Source - https://github.com/ory/keto
Cloud based solution Ory appears to offer a complete stack for the entire AuthN/AuthZ space
Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models
RBAC with Ory Keto - https://gruchalski.com/posts/2021-05-15-rbac-with-ory-keto/
Permify
https://github.com/Permify/permify
Permify is a open-source authorization service for creating and managing fine-grained permissions in your applications and services. Inspired by Googleβs consistent, global authorization system, Google Zanzibar
Our goal is to make Google's Zanzibar available to everyone and help them build robust, flexible, and easily auditable authorization systems that perform well in scaled environments.
Pros:
- Testing: https://play.permify.co/
- Multi-tenancy https://docs.permify.co/use-cases/multi-tenancy
Cerbos
https://github.com/cerbos/cerbos
Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage by writing context-aware access control policies for your application resources.
Zenstack
https://github.com/zenstackhq/zenstack
Typescript toolkit on top of Prisma ORM, offering flexible and declarative Access Control Policy(Authorization/Permission) for RBAC/ABAC/PBAC/ReBAC with auto-generated type-safe APIs and frontend hooks.
ZenStack OSS project is built above the Prisma ORM, and one of its focuses is to add access control capability.
References
- Building an Admin Console With Minimum Code Using React-Admin, Prisma, and Zenstack https://dev.to/zenstack/building-an-admin-console-with-minimum-code-using-react-admin-prisma-and-zenstack-pkl
- RLS of Supabase(PostgreSQL) Is Good, But - https://dev.to/zenstack/rls-of-supabasepostgresql-is-good-but--1394
Casbin
https://github.com/casbin/casbin
An authorization library that supports access control models like ACL, RBAC, ABAC for any popular language
Supabase
Supabase RLS Rules based on a PostgreSQL RLS.
SpiceDB
https://github.com/authzed/spicedb
SpiceDB is an open source authorization system originally inspired by Google's Zanzibar paper -
OSO
Deprecated their open-source project, supporting only cloud solution for now.
Reference
- Curated list of information and resources about authorization - https://github.com/warrant-dev/awesome-authorization
- Cloud-native authorization standards - https://www.youtube.com/watch?v=VPi-VZvJ_d8
- Community discussion about different policy approach - https://news.ycombinator.com/item?id=33317597
- https://news.ycombinator.com/item?id=35556463
Top comments (2)
Waste a decent amount of time to conduct an initial research and still in a process. Any question or commentary would be very helpful, so I will update article or publish new with more details and closer comparison.
Maybe little too to the party, but I would also add OPAL to the list github.com/permitio/opal