HackerTrans
TopNewTrendsCommentsPastAskShowJobs

akajla

no profile record

Submissions

ExtendDB – open-source DynamoDB-compatible API adapter with pluggable storage

github.com
2 points·by akajla·2 maanden geleden·0 comments

A New Browser War

akajla.com
2 points·by akajla·11 maanden geleden·0 comments

What Is Google Zanzibar?

warrant.dev
3 points·by akajla·3 jaar geleden·0 comments

Warrant Launch Week – Authorization Model Templates

blog.warrant.dev
3 points·by akajla·3 jaar geleden·0 comments

Warrant Launch Week – Day 3 (Consistency, Performance and Multi-Region)

blog.warrant.dev
3 points·by akajla·3 jaar geleden·0 comments

OWASP API Security Top 10 2023RC

owasp.org
1 points·by akajla·3 jaar geleden·0 comments

comments

akajla
·2 jaar geleden·discuss
I think one major difference between the Zanzibar implementations that are out there is support for the 'zookie' consistency token (as mentioned in the original paper). OpenFGA afaik doesn't implement zookies yet[1]. With zookies, each permission write generates a unique token that represents that particular write. Clients can store that token (per resource) and optionally provide it during runtime checks to ensure checks are consistent up to that write. It also helps the system guard against the 'new-enemy problem' (incorrect permissions checks due to permissions changes being read out of order) by ordering writes.

I'd argue that it also unlocks a variety of caching implementations on the Zanzibar server while still allowing clients to specify desired consistency on a per-request/per-resource level. In other words, a Zanzibar implementation with support for zookies can guarantee consistency at a much higher throughput than one that relies on time (second, millisecond delay). This is important for generic 'read after write' scenarios.

Disclaimer: I'm a former founder of Warrant[2] which was recently acquired by WorkOS. Our team has spent a ton of time building our Zanzibar-based authorization service (WorkOS FGA[3]) which supports zookies[4] and other Zanzibar concepts.

[1] https://openfga.dev/docs/interacting/consistency#future-work

[2] https://warrant.dev/

[3] https://workos.com/docs/fga

[4] https://workos.com/docs/fga/warrant-tokens
akajla
·3 jaar geleden·discuss
The specific challenge with authz in the app layer is that different apps can have different access models with varying complexity, especially the more granular you get (e.g. implementing fine grained access to specific objects/resources - like Google Docs).

Personally, I think a rebac (relationship/graph based) approach works best for apps because permissions in applications are mostly relational and/or hierarchical (levels of groups). There are authz systems out there such as Warrant https://warrant.dev/ (I'm a founder) in which you can define a custom access model as a schema and enforce it in your app.
akajla
·3 jaar geleden·discuss
The article references the F-35A which is the conventional take-off/landing variant whereas the VTOL variant is the F-35B.
akajla
·3 jaar geleden·discuss
We offer this natively within Warrant's authz service: https://docs.warrant.dev/guides/feature-flags/
akajla
·3 jaar geleden·discuss
You can encode capabilities/permissions as scopes in distributed tokens (e.g. OAuth) but this can start to break down if you have very granular, fine-grained permissions (e.g. user:1 has 'editor' access to 1000s of documents/objects). This is similar to the problem that Carta ran into while building out their permissions[1].

In addition, yes - validating permissions on each request makes it so that you can revoke privilege(s) with immediate effect without needing a token to be invalidated.

[1] https://medium.com/building-carta/authz-cartas-highly-scalab...
akajla
·3 jaar geleden·discuss
What we're building at Warrant (https://warrant.dev/) might work for a lot of what you mentioned including APIs to build and manage multi-tenancy, groups, users, orgs/tenants.

Note - Warrant is an authz engine so it doesn't handle authn/identity/SSO but can plug-in with any authn system.
akajla
·3 jaar geleden·discuss
They might not be the exact same concept but they're definitely related. I'd argue feature flags, authorization, and pricing tiers/entitlements all make up modern 'access control' and 'access management'.

It used to be that authz was just roles and permissions assigned to users, or feature flags & entitlements just booleans, but sophisticated systems allow for all kinds of permutations and rules based on attributes, relationships and environment such that the lines between them are blurred and implementations are likely similar.

As others have said, the differences still come down to a handful of factors like correctness, tolerance for error and performance.

(Disclaimer: I'm a founder in this space and spend a lot of time thinking about it at Warrant - https://warrant.dev/ )
akajla
·3 jaar geleden·discuss
> I want to include role (or other) information directly in the token for the sake of convenience

This works up until a certain point. Once you get past simple RBAC to more fine-grained (resource-based) authz, jwts don't scale: https://medium.com/building-carta/authz-cartas-highly-scalab...
akajla
·4 jaar geleden·discuss
The self-service dashboard is scoped only to privileged users (typically account/tenant-specific admins like IT admins) that have a specific permission.
akajla
·4 jaar geleden·discuss
Building and maintaining UIs for RBAC and org management (including self-service, user-facing UIs) isn't trivial. That's why we built it into Warrant. We handle basic authz schemes like RBAC as well as fine-grained authz: https://blog.warrant.dev/introducing-the-self-service-dashbo...
akajla
·4 jaar geleden·discuss
Disclaimer: I'm the founder of an authorization company [1] & previously worked at a large, enterprise/SaaS company so basing my comment on my experiences.

Your considerations and things you need to worry about will vary greatly based on your stage (early-stage startup, late-stage startup, public, etc.), market (fintech, health-tech, etc.) and customers you target (early-stage startups or bigger, Fortune 100 types). As others have stated, it's important to figure out the go to market strategy first by talking to potential customers before building anything.

Assuming you've pressure-tested your idea and built an MVP/early product that shows some traction, you'll want to take care of app + data security basics (authn, authz). Guides like the OWASP Top 10 and your future customers will guide you in the right direction here.

On the authz side (since that's my area of focus) - multiple comments have mentioned RBAC (role based access control) which most enterprise/SaaS companies end up implementing but it's rarely where authz stops. As products evolve and grow more complex over time, you'll need to implement some form of fine-grained (object/resource based) authorization (ex. attribute based, relationship based access control) as well as auditing capabilities, all of which customers will ask for at some point.

In an ideal world, you'd have all of these capabilities already built but that's rarely the case. In reality, you prioritize and implement these over time based on security needs, risk and customer requirements.

[1] https://warrant.dev/