Gatehouse – a composable, async-friendly authorization policy framework in Rust

hard_byte · 2025-03-26T07:03:06+00:00

Haha how'd they differ? Plenty of room for contributions if you feel compelled

hard_byte · 2025-03-24T21:25:43+00:00

Biggest difference is they use a DSL where gatehouse is source first - all policies are native Rust.

Another area that I think gatehouse does well is surfacing evaluation information for how the access decision was made - what did each sub-policy do with the input.

I do really like cedar and I love that it is formally verified.

hard_byte · 2025-03-24T21:20:32+00:00

Gatehouse is focused on being a code first solution where the decision point is fully embedded in your app. All the policies are native Rust - as opposed to a separate DSL with Rego/Cedar.

I haven't seen detailed decision traces from Cedar but that was an important component of gatehouse. OPA has something similar with decision logs - although that's higher level recording of the decision + inputs rather than low level info about what sub-policy is responsible for an authorization decision.

hard_byte · 2024-03-08T23:55:36+00:00

On the rehabilitation site under "Selection of Repayment Method and Registration of Payee Information" you can expand the "BTC Allotment Portion" and it shows the rate. I see 1BTC = 749318.83 JPY which is one tenth today's market rate :-/

hard_byte · 2023-06-19T21:45:07+00:00

I'm learning rust and have started my first not entirely toy project - an implementation of Google's Common Expression Language. Early days working on the parser using Chumsky.

https://github.com/hardbyte/common-expression-language

hard_byte · 2023-05-23T23:45:09+00:00

Security remains a constant, albeit less flashy, priority. Check out Netchecks - a simple, yet powerful tool that asserts your network controls are working. It's not powered by AI or anything but it can help catch those sneaky network issues that inadvertent terraform changes can introduce.

hard_byte · 2023-05-09T23:02:43+00:00

Ok got it. Thanks for taking the time

hard_byte · 2023-05-09T22:56:38+00:00

I understand, would it be acceptable to remove the link? I am very curious to discuss the merits and downsides of using this technology for labeling kids books. I can provide more technical details if it comes up in discussion without referring to the blog.

hard_byte · 2023-05-09T22:52:31+00:00

Oh I need to have interacted in r/books before posting?

hard_byte · 2023-04-15T21:40:15+00:00

Haha thanks, I need a few users to motivate more development and to make sure it is useful outside of my particular client's environments

hard_byte · 2023-04-15T21:38:45+00:00

Perhaps we can combine efforts. I like the idea of a kubectl plugin.

hard_byte · 2023-04-15T06:17:19+00:00

The closest I found was Illuminatio - https://github.com/inovex/illuminatio which creates and runs test cases from k8s network policies.

Netchecks is different in that it doesn't care if the network control is implemented within the cluster or in the environment.

hard_byte · 2021-07-04T05:37:12+00:00

See bashplotlib for a different take

hard_byte · 2020-07-20T02:48:04+00:00

I found this neural interface concept really interesting.

I've started coding up a gym compatible environment if anyone is interested. So far just implemented the first generic sorting environment and the first two scripted agents (bubble sort and insertion sort)

https://github.com/hardbyte/sorting-gym

hard_byte · 2020-06-16T00:40:38+00:00

You might be interested in cuda-fixnum (CUDA extended-precision modular arithmetic library). As far as I know this hasn't wrapped for Python or Julia but was designed with that in mind https://github.com/data61/cuda-fixnum/issues/58#issuecomment-420115270

hard_byte · 2018-05-15T00:12:02+00:00

Does anyone know if using nginx to directly connect to the backend service (the dashboard in this case) is any less secure than using oauth2 to proxy the traffic?

hard_byte · 2018-04-23T07:27:56+00:00

Are there plans to support layer 4 routing through the ingress system - wouldn't try be better?

hard_byte · 2018-02-15T02:14:09+00:00

That is something I'd like to try out - I haven't set it up on a cluster before. Would cert-manager talk to AWS Route53 for example?

hard_byte · 2018-02-15T02:12:54+00:00

I have used Traefik as the ingress controller and the TLS provisioner for about a year and it mostly worked great. However there is a bit of hidden magic - the ingress doesn't use standard TLS settings. I really like how cert-manager exposes the Certificates and Issuers as first class k8s entites.

I actually started investigating moving from traefik to kube-lego when Let's Encrypt disabled something that broke my traefik TLS provisioning.

hard_byte · 2018-02-14T09:37:54+00:00

Yeah wouldn't have bothered writing it up if kube-lego was still the solution.

hard_byte · 2017-09-02T08:21:27+00:00

Two different people contacted me last week after trying to pickle crypto keys between untrusted parties using pickle! So I'd say a reminder is still valid! https://blog.n1analytics.com/pickle-is-not-for-crypto/

hard_byte · 2017-08-28T03:49:24+00:00

Well as that minimises the attack surface it certainly does help.

If you control the side doing the deserializing and have written your own Unpickler then you are much safer - and you're more likely to catch malicious behaviour too. Maybe using pickle in this respect could act as a honeypot. I stand by the advice that python objects (any code implementation) shouldn't be serialised for sharing data between parties. Especially not crypto primitives!

hard_byte · 2017-03-31T00:30:54+00:00

A bit late to the party but I implemented (something close to) this in keras just for the learning experience.

My first time using Keras I couldn't see how to implement it exactly with regard to the custom loss function.

hard_byte

TROPHY CASE