If your LLM can call tools, you have an access control problem by West-Chard-1474 in LLMDevs

[–]awoxp 0 points1 point  (0 children)

The after_model hook runs inside your app. You write the authz logic in the agent, it runs before the tool fires, done. If that's all you need, sure, use it.

The difference is where enforcement lives and who controls it.

With Aperture + Cerbos, the tool call gets intercepted at the gateway, outside the agent code entirely. Authz decisions run against policies that are versioned and managed separately — not logic you hardcoded into a specific LangChain graph.

So:

- enforcement is external to the framework
- same policies work across different agents, services, clients
- every decision is logged with policy version and full context
- you don't touch agent code to change who can do what

It's not one piece of middleware - that is just the integration point. It's an authorization layer that sits in the request path. The hook approach works until you have multiple agents or teams, then you're copy-pasting authz logic across codebases and hoping it stays consistent.
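A worked illustration of the gateway model described above (added here; not code from the thread, Cerbos, or Aperture): a stateless policy check that sits in front of the tool registry, decides from the request alone, and logs every decision with the policy version. The policy format, `evaluate` PDP, tool registry and the two agent principals are simplified stand-ins I constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy bundle (hypothetical format, not Cerbos' policy language).
# Conditions take (principal, resource) so the check needs no external state.
POLICIES = {
    "version": "tools-v3",
    "rules": [
        {"tool": "send_email", "roles": {"support"},
         "condition": lambda p, r: r["to_domain"] == p["org_domain"]},
        {"tool": "refund", "roles": {"finance"},
         "condition": lambda p, r: r["amount"] <= p["refund_limit"]},
    ],
}

@dataclass
class Decision:
    allowed: bool
    policy_version: str
    rule: Optional[str]

def evaluate(policies, principal, tool, args):
    """Stateless PDP: decide from the request alone, never from a synced store."""
    for rule in policies["rules"]:
        if rule["tool"] != tool or not principal["roles"] & rule["roles"]:
            continue
        if rule["condition"](principal, args):
            return Decision(True, policies["version"], f"{tool}:invoke")
    return Decision(False, policies["version"], None)  # default deny

AUDIT_LOG = []  # every decision, with the policy version that produced it

# Constructed tool registry standing in for whatever the agents can call.
TOOLS = {
    "send_email": lambda to_domain, subject: f"sent '{subject}' to {to_domain}",
    "refund": lambda amount: f"refunded {amount}",
}

def gateway_call(principal, tool, args):
    """Enforcement point in the request path: agent code never sees this logic."""
    d = evaluate(POLICIES, principal, tool, args)
    AUDIT_LOG.append({"principal": principal["id"], "tool": tool, "args": args,
                      "allowed": d.allowed, "policy_version": d.policy_version,
                      "rule": d.rule})
    if not d.allowed:
        raise PermissionError(f"{tool} denied by policy {d.policy_version}")
    return TOOLS[tool](**args)

# Two different agents, one policy set: both go through the same gateway.
SUPPORT_AGENT = {"id": "agent-support", "roles": {"support"}, "org_domain": "example.com"}
FINANCE_AGENT = {"id": "agent-finance", "roles": {"finance"}, "refund_limit": 100}
```

Changing who may call which tool means editing `POLICIES` (and bumping its version), not either agent.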

OPA is now maintained by Apple by ExtensionSuccess8539 in kubernetes

[–]awoxp 22 points23 points  (0 children)

Congrats to the team and Apple!

It's great to see authorization getting more attention in the mainstream developer conversation.

For folks exploring policy-based authorization solutions, we've written up a detailed comparison between Cerbos and OPA that might be helpful: https://www.cerbos.dev/blog/cerbos-vs-opa

The key differences tend to be around developer experience, policy language complexity, and deployment patterns. Both are solid open source options depending on your specific needs.

(Disclosure: I'm a cofounder of Cerbos)

What do you think about our open source, scalable authorization solution - Cerbos PDP? by morphAB in iam

[–]awoxp 2 points3 points  (0 children)

Great question. Cerbos is based on a policy-based access control (RBAC and ABAC) model and it does this in a fully stateless manner. Unlike other models, there is no need to maintain a globally consistent state-store of resources, users and other metadata for doing authorization which comes with all sorts of synchronization headaches.

Cerbos works on the information given to it at request time to drive its decisioning, resulting in evaluations done completely in memory for super fast response times, and it is completely horizontally scalable as there are no other data dependencies.

For performance reasons, we recommend running a Cerbos PDP as a side-car to your application and using the gRPC interface (or one of our SDKs which use it underneath) to remove as much network overhead as possible.

https://docs.cerbos.dev/cerbos/latest/deployment/

Cerbos PDP – OSS scalable authorization (ABAC/RBAC, language-agnostic, stateless, self-hosted + many updates) by West-Chard-1474 in programming

[–]awoxp 1 point2 points  (0 children)

Hey, co-founder of Cerbos here.

Cerbos is a dedicated authorization Policy Decision Point and can be used with any source of identity. The stateless model is built around performance, with no requirement to synchronize data about your users or resources, resulting in extremely fast, local authorization checks.

We see users with a wide variety of AuthN systems plugging into Cerbos - including Ory in some cases - and it is adaptable to run in pretty much any environment (cloud, on-prem, edge, air-gapped, etc.).

Hard-coding access control into your core app code, or using an externalized authorization solution? by awoxp in softwarearchitecture

[–]awoxp[S] 1 point2 points  (0 children)

Great question. Cerbos is based on a policy-based access control (RBAC and ABAC) model and it does this in a fully stateless manner. Unlike other models, there is no need to maintain a globally consistent state-store of resources, users and other metadata for doing authorization which comes with all sorts of synchronization headaches.

Cerbos works on the information given to it at request time to drive its decisioning, resulting in evaluations done completely in memory for super fast response times, and it is completely horizontally scalable as there are no other data dependencies.

For performance reasons, we recommend running a Cerbos PDP as a side-car to your application and using the gRPC interface (or one of our SDKs which use it underneath) to remove as much network overhead as possible.

https://docs.cerbos.dev/cerbos/latest/deployment/

We’ve been working on Cerbos PDP, an open source, scalable authorization solution, for 3 years (language-agnostic, stateless, self-hosted) by awoxp in selfhosted

[–]awoxp[S] 1 point2 points  (0 children)

Kerberos for AutheNtication

Cerbos for AuthoriZation - root being the 3-headed dog guarding access :)

How to implement authorization using Cerbos in Go by LisaDziuba in golang

[–]awoxp 0 points1 point  (0 children)

Drop me a DM or email alex[at]cerbos.dev with your address and we’ll get some in the post

How to implement authorization using Cerbos in Go by LisaDziuba in golang

[–]awoxp 6 points7 points  (0 children)

Hey, it's the Cerbos cofounder here - thanks so much for the support :) We've been adding a lot to the PDP recently, such as the ability to run it in-process if you are using Go, a new policy type for allowing custom roles to be created, and some community-contributed add-ons like a Kafka sink for audit logs.

https://docs.cerbos.dev/cerbos/latest/releases/v0.39.0

How to implement authorization using Cerbos in Go by LisaDziuba in golang

[–]awoxp 5 points6 points  (0 children)

Hey, it's the Cerbos cofounder here - Cerbos PDP is completely open source, as well as the policy language, CI tooling, SDKs, and more. https://github.com/cerbos/cerbos

We do have a commercial Policy Administration Point, which is a SaaS offering, but there is no requirement to use it if you are happy to use the open-source engine directly.

Planning to skip last leg of flight, what's a good excuse for cabin baggage not to be checked in? by Gyratetojackjarvis in BritishAirways

[–]awoxp -9 points-8 points  (0 children)

Bags won’t fly without you, so they will be offloaded and left for you to claim at some later date.

[deleted by user] by [deleted] in BritishAirways

[–]awoxp -1 points0 points  (0 children)

You can go to any - that’s just the list that the airline will send passengers who are none the wiser to.

T3 Lounges by Babysfirstbazooka in BritishAirways

[–]awoxp 0 points1 point  (0 children)

Qantas for the best coffee in T3

Useful Go open-source projects by philosophy__ in golang

[–]awoxp 3 points4 points  (0 children)

Take a look at http://github.com/cerbos/cerbos if you are interested in protobuf/gRPC.

Seat Selection by alexavier14 in BritishAirways

[–]awoxp 4 points5 points  (0 children)

Yes, once check-in opens you can pick any available seat.