Hi, I'm the post writer. I have a habit of writing like a textbook author, but the things that jumped out at me while I was working on this with Oso were:
1. Least privilege can address a lot of these issues. We all know that, but in practice we don't really apply it because it can be a pain.
2. These applications are interesting because they can interpret meaning instead of rigidly following instructions, but that makes them prone to misunderstanding and manipulation. That breaks a lot of our assumptions about how software responds to input.
3. It's helpful to think of these applications in terms of impersonation. The user's rights should be the upper bound of the LLM's permissions when it acts on their behalf.
4. Ideally, we'd also constrain permissions according to the task being performed, but that's trickier.
The article goes into all that in exhaustive (some might say tedious) detail. It was a difficult write because this space moves so quickly and has so much hype, but it's been a good exercise to try to sift through that and think about it seriously.
(edited because I don't know how to make a legible list)
Full disclosure: I'm the author and I work at Oso. We're an Authorization as a Service company that competes with products that are inspired by Zanzibar. So, my take is admittedly biased.
But for all Zanzibar's power, I've always found it curious that people call it flexible, and this post was my opportunity to sit down and work out why I don't agree.
Hi, wkirby! I'm the post author, I do DevRel at Oso.
> Permissions have three moving parts, who wants to do it, what do they want to do, and on what object. Any good permission system has to be able to efficiently answer any permutation of those variables. Given this person and this object, what can they do? Given this object and this action, who can do it? Given this person and this action, which objects can they act upon?
> We’ve found most permissioning systems end up with a pick-2 approach, and the most common one to be abused is given a person and an action, give me the collection. This leads to implementing permissions twice, once in code, and once as a query.
I love the way you put this! I'm always looking for good ways to talk about authorization without falling back on jargon and I've never come up with a way to talk about the difference between authorizing an action on a single resource and returning a list of authorized resources that I've been happy with. Would you mind if I adapted this in future writing?
For application authorization, Oso is a compelling solution. (Disclaimer: I work for Oso). It provides a DSL and a prescriptive, but flexible data model that are capable of modeling RBAC, ReBAC, ABAC, or whatever else you'd like to model. Obviously I'm biased, but I think it strikes a great balance between opinion and flexibility.
One significant complication that all centralized authorization solutions share is that you end up needing to reproduce application data in the authorization system. We've been doing a lot of work in this area to simplify data management and have some beta functionality available. I'll include some links to the docs for those.
1. Least privilege can address a lot of these issues. We all know that, but in practice we don't really apply it because it can be a pain.
2. These applications are interesting because they can interpret meaning instead of rigidly following instructions, but that makes them prone to misunderstanding and manipulation. That breaks a lot of our assumptions about how software responds to input.
3. It's helpful to think of these applications in terms of impersonation. The user's rights should be the upper bound of the LLM's permissions when it acts on their behalf.
4. Ideally, we'd also constrain permissions according to the task being performed, but that's trickier.
The article goes into all that in exhaustive (some might say tedious) detail. It was a difficult write because this space moves so quickly and has so much hype, but it's been a good exercise to try to sift through that and think about it seriously.
(edited because I don't know how to make a legible list)