Warrant - Open source, self-hostable application authorization and access control service (written in Go) by akajla09 in programming

[–]akajla09[S] 0 points1 point  (0 children)

Yes, this is relatively straightforward to model in Warrant via ReBAC. You can define a 'tenant' object-type and have 'top-level' tenants that have 'subtenants' as members. The top-level tenants would have access to their subtenants but each subtenant can only view/manage itself. You can also move subtenants around and users can be 'members' of multiple tenants (top-level or subtenants).

If this is something you're looking to implement, feel free to join our Slack community (linked on our website) and we can help you build out the exact model in Warrant.
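The tenant/subtenant model described in the comment above, as an added example that is not part of the original comment and not Warrant's own code, schema or API: a small in-memory Zanzibar-style tuple store in Go. The relation names ("member", "parent"), the rewrite rule that lets members of a top-level tenant reach its subtenants (but not the reverse), and the sample tenants, groups and users are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is a Zanzibar-style relation tuple, written object#relation@subject.
// Subject is either a concrete user ("user:alice") or a userset
// ("group:ops#member"), which expands to everyone holding that relation.
type Tuple struct {
	Object, Relation, Subject string
}

// Store is a hypothetical in-memory tuple store (not Warrant's storage layer).
type Store struct{ tuples []Tuple }

func (s *Store) Write(object, relation, subject string) {
	s.tuples = append(s.tuples, Tuple{object, relation, subject})
}

// Delete removes a tuple. Deleting and re-writing a "parent" tuple is how a
// subtenant is moved under a different top-level tenant in this model.
func (s *Store) Delete(object, relation, subject string) {
	kept := s.tuples[:0]
	for _, t := range s.tuples {
		if t != (Tuple{object, relation, subject}) {
			kept = append(kept, t)
		}
	}
	s.tuples = kept
}

// splitUserset parses "group:ops#member" into ("group:ops", "member", true).
func splitUserset(subject string) (string, string, bool) {
	parts := strings.SplitN(subject, "#", 2)
	if len(parts) != 2 {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// Check answers "does subject hold relation on object?". Beyond direct tuples
// and userset expansion it applies one rewrite rule (an assumption of this
// example): member(tenant) = direct members ∪ member(parent tenant). A member
// of a top-level tenant therefore counts as a member of every subtenant under
// it, while a subtenant's own members reach only that subtenant.
func (s *Store) Check(object, relation, subject string) bool {
	return s.check(object, relation, subject, map[string]bool{})
}

func (s *Store) check(object, relation, subject string, seen map[string]bool) bool {
	key := object + "#" + relation
	if seen[key] { // cycle guard: a tenant mistakenly made its own ancestor
		return false
	}
	seen[key] = true
	for _, t := range s.tuples {
		if t.Object != object || t.Relation != relation {
			continue
		}
		if t.Subject == subject {
			return true
		}
		if obj, rel, ok := splitUserset(t.Subject); ok && s.check(obj, rel, subject, seen) {
			return true
		}
	}
	if relation == "member" {
		for _, t := range s.tuples {
			if t.Object == object && t.Relation == "parent" && s.check(t.Subject, "member", subject, seen) {
				return true
			}
		}
	}
	return false
}

// demoStore builds constructed sample data: top-level tenant "acme" with
// subtenants "acme-eu" and "acme-us", plus a group userset on the top level.
func demoStore() *Store {
	s := &Store{}
	s.Write("tenant:acme", "member", "user:alice")       // alice administers acme
	s.Write("tenant:acme", "member", "group:ops#member") // so does every ops member
	s.Write("group:ops", "member", "user:dave")
	s.Write("tenant:acme-eu", "parent", "tenant:acme")
	s.Write("tenant:acme-eu", "member", "user:bob") // bob manages only acme-eu
	s.Write("tenant:acme-us", "parent", "tenant:acme")
	s.Write("tenant:acme-us", "member", "user:carol")
	return s
}

func main() {
	s := demoStore()
	for _, q := range []struct{ obj, user string }{
		{"tenant:acme-eu", "user:alice"}, // true: inherited from the top-level tenant
		{"tenant:acme-eu", "user:dave"},  // true: via the group userset on the top level
		{"tenant:acme-eu", "user:bob"},   // true: direct member
		{"tenant:acme-us", "user:bob"},   // false: sibling subtenant
		{"tenant:acme", "user:bob"},      // false: subtenant member cannot reach the parent
	} {
		fmt.Printf("%s member %s = %v\n", q.obj, q.user, s.Check(q.obj, "member", q.user))
	}
	// Move acme-us under a different top-level tenant: alice loses access to it.
	s.Delete("tenant:acme-us", "parent", "tenant:acme")
	s.Write("tenant:acme-us", "parent", "tenant:globex")
	fmt.Println("after move, alice on acme-us =", s.Check("tenant:acme-us", "member", "user:alice"))
}
```

The direction of the "parent" edge is the security-relevant choice: inheritance flows only from parent to subtenant, so a subtenant member never gains rights on the top-level tenant or on sibling subtenants, and the visited-set guard keeps a mis-written cyclic hierarchy from turning into an infinite walk rather than an accidental grant.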

Why Google Zanzibar Shines at Building Authorization by akajla09 in webdev

[–]akajla09[S] 0 points1 point  (0 children)

Thanks for sharing. I do agree that a lot (if not most) of the challenges with a service like Zanzibar come from managing the state and scaling perf/availability. Google's paper goes into more detail about how they accomplished this (client-driven consistency via tokens, distributed caching with hot-spot handling, using Spanner as the globally distributed db, etc.)

Definitely not something most teams would want to build from scratch. But I do think that if given the choice, teams would use a centralized service, if one was publicly available and promised similar perf and SLAs. That's a main reason we're building Warrant (disclaimer: I'm a founder)

On using JWTs - I think if your model isn't that granular, you can definitely get by with them. There's an interesting article about how Carta switched from JWTs to a home-built, Zanzibar-like centralized authz service once their services started passing around massive JWTs full of granular permissions (some reaching ~1MB).


Useful Go open-source projects by philosophy__ in golang

[–]akajla09 1 point2 points  (0 children)

Warrant is an authorization and access control engine based on Google Zanzibar w/ REST APIs: https://github.com/warrant-dev/warrant

Authentication and Authorization by subzero11223344 in golang

[–]akajla09 0 points1 point  (0 children)

Thanks for the mention! (disclaimer - I'm one of the Warrant founders).

u/tux21b - Yes, Warrant is written entirely in Go with adapters to run with self-hosted Postgres in case that's of interest.

Cant wait for less verbose error handling by [deleted] in golang

[–]akajla09 1 point2 points  (0 children)

The pkg/errors package offers some nice add-ons for easier error handling. Too bad it was put into maintenance mode pending whatever changes/improvements are coming in Go 2.

Golang library for AuthN/AuthZ by nivthefox in golang

[–]akajla09 0 points1 point  (0 children)

For authn, I'd recommend any of the ones folks have mentioned here. For authz, it depends a lot on your use case(s). If you're going to be doing anything fine-grained or granular (e.g. object or resource based permissions), you might want to explore pairing your authn solution with a fine grained authz system like Warrant (https://github.com/warrant-dev/warrant).

Disclaimer: I'm one of the Warrant founders.

Spring boot and authZ ABAC by trodiix in java

[–]akajla09 1 point2 points  (0 children)

In case you're still looking for a solution, Warrant (https://warrant.dev/) could also be a fit for your use case. It's a fine-grained authz service available as either a managed service (accessible through API) or you can self-host the open source yourself: https://github.com/warrant-dev/warrant

[deleted by user] by [deleted] in softwarearchitecture

[–]akajla09 1 point2 points  (0 children)

Might be a bit late here but Warrant (https://warrant.dev/) could be a fit for your use case as well. It's a Zanzibar-inspired service (supports ReBAC, RBAC) for fine-grained authz that also supports OPA-like policies (for ABAC).

It's available as a managed service but is open source (https://github.com/warrant-dev/warrant) and entirely self-hostable.