Readit News
itsronenh commented on OPA : Zanzibar :: SOAP : REST?   aserto.com/blog/opa-zanzi... · Posted by u/ogazitt
itsronenh · 3 years ago
Great post! When starting a green field project, how would you approach the choice between the two options? Are there specific use cases in which one would be preferable over the other?
itsronenh commented on Show HN: RBAC for your REST API in 2 minutes   aserto.com/playground... · Posted by u/ogazitt
ogazitt · 4 years ago
By convention, we generate a package for every API definition in the OpenAPI spec. But the calling application can decide which package to use when authorizing an operation, so you can use a single policy for multiple endpoints.
itsronenh · 4 years ago
So this is basically a tool for generating and testing Rego policies from an OpenAPI spec. Very cool!
itsronenh commented on Show HN: RBAC for your REST API in 2 minutes   aserto.com/playground... · Posted by u/ogazitt
itsronenh · 4 years ago
Do package names have to match API routes? Can I create a policy that is shared by multiple endpoints?
itsronenh commented on How to talk to your boss about open source   opensource.org/how-to-tal... · Posted by u/TangerineDream
gfiorav · 4 years ago
In my experience:

- It makes us more hirable

Nowadays every new engineer wants to contribute to open source.

itsronenh · 4 years ago
That's been my experience too. In addition to attracting new engineers that want to contribute to open source, it's an opportunity to showcase your organization's (hopefully good) coding practices to candidates.
itsronenh commented on Aserto: Developer API for permissions and RBAC   aserto.com/blog/aserto-th... · Posted by u/vklmn
claytongulick · 4 years ago
So much of authorization is context / application dependent, I'm struggling with this a bit.

For example, I have a cluster of services. I allow access to some of them, for certain actions, based on whether the user is part of a patient's care team.

That's very dynamic, I need to do a FHIR query to one of my services to determine that. Then there's a lot more logic, like what servicer / organization affiliation the user is part of, this is also a runtime lookup in a shared session state thing, etc...

I just list all that as a basic example, there are so many things that are application specific that require runtime evaluation, it's hard for me to understand the benefit of writing all that in a different language, in a different place, where I can't use the libraries and utilities that are already part of the application.

itsronenh · 4 years ago
This goes straight to the core of what makes authorization in complex applications such a challenge. You hit the nail on the head when you say that authorization is inseparable from each application's unique circumstances.

At the most abstract level, an authorization decision is an answer to the question "is an identity (user, service, computer, etc.) allowed to perform an action on a resource?".

Each one of these constituents (identity, action, and resource) may include contextual information that is unique to the application at hand. Aserto gives you the ability to imbue each one with the necessary information.

Identities are stored in a directory where they can be enriched with arbitrary data. Roles, teams, attributes, and anything else that is directly tied to an identity whose actions need to be authorized.

Relevant information about the resource being accessed is collected by the application and sent as part of the authorization call.

Then there are the authorization policies that receive identity and resource information and make decisions.

There can be multiple ways to model an application's authorization scheme. In your example it sounds like the user (identity) is a care giver and the "resource" is patient data. If users belong to numerous care teams and their membership in them is highly dynamic, your application may perform the FHIR query to retrieve the identities of the patient's care team prior to the authorization call and include that information in the resource context.

The policy can then make a decision based on whether or not the acting identity is a member of the team, as well as any other relevant information (e.g. are they the patient's primary care giver or a specialist?).

There are many advantages to keeping authorization policies separate from application logic. Change management, provenance, and testability are a few.

Having a single place where all authorization policies are defined allows us to reason more deeply about the behavior of our applications.
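A policy in the shape described above, written as an added illustration rather than the commenter's or Aserto's own code; the input field names and the care-team list the application would fill from its FHIR query are assumptions:

```rego
package healthcare.patient_record

import rego.v1

default allow := false

# Assumed input shape (constructed for this example):
#   input.user     - identity from the directory, e.g. {"id": "u-42", "organization": "clinic-a"}
#   input.action   - "read" or "write"
#   input.resource - context the application gathers before the call (e.g. from its FHIR query):
#                    {"patient_id": "p-7", "organization": "clinic-a",
#                     "care_team": ["u-42", "u-99"], "primary_care_giver": "u-99"}

# Any affiliated member of the patient's care team may read the record.
allow if {
    input.action == "read"
    same_organization
    input.user.id in input.resource.care_team
}

# Only the primary care giver may update it.
allow if {
    input.action == "write"
    same_organization
    input.user.id == input.resource.primary_care_giver
}

# Organization affiliation is tied to the identity, so it is enriched in the
# directory and compared against the resource context rather than recomputed
# by the application on every request.
same_organization if {
    input.user.organization == input.resource.organization
}
```

With the sample input saved as input.json, `opa eval -i input.json -d policy.rego "data.healthcare.patient_record.allow"` returns the decision, and `opa test` can exercise the same rules without the application running.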

itsronenh commented on Aserto: Developer API for permissions and RBAC   aserto.com/blog/aserto-th... · Posted by u/vklmn
eatonphil · 4 years ago
There are a lot of new-ish products in the last 5 years in the auth/identity space. I have been meaning to dig into them: Kanadm, Keycloak, Ory, SuperTokens, Oso, FusionAuth, CAS, maybe Authzed. I hadn't heard of Aserto yet, adding them to the list. Although I'm most interested in OSS products and Aserto looks like it is hosted-only.

If anyone has already done an independent study of the ecosystem I'd love a link.

itsronenh · 4 years ago
Aserto takes a hybrid approach. It runs a hosted control plane where you configure your user-directory, authorization policies, etc. But the authorization logic itself can run alongside the application that uses it, ensuring high availability and low latency.
itsronenh commented on My favorite things about working at companies with a culture of writing   founder-fodder.ghost.io/w... · Posted by u/ramimac
itsronenh · 4 years ago
I agree with most, if not all, the points raised in the post. I'm curious how people deal with:

1. Organizing knowledge. Too often I've seen a lot of well-written and well-intended information thrown into a shared cloud drive or wiki to rot and grow stale. You end up with multiple, sometimes contradicting documents about the same topic, finding what you're looking for is difficult, and before you know it people revert to tribal knowledge and Slack DMs to find out what they need.

2. A writing culture can penalize and demoralize non-native speakers whose writing skills may not be as strong as their peers'. I've worked with brilliant individuals who felt like they're perceived as "stupid" because their language skills weren't as polished.

itsronenh commented on Exa is a modern replacement for ls   github.com/ogham/exa... · Posted by u/tosh
itsronenh · 4 years ago
I love exa! Been using it exclusively (with ls as an alias) for about 6 months now and not looking back. Wonderful tool.
itsronenh commented on Show HN: Open Policy Registry: a Docker-inspired workflow for OPA policies   openpolicyregistry.io/... · Posted by u/ogazitt
itsronenh · 4 years ago
Can the tool push policies to other OCI registries like docker hub or the GitHub registry? I mean, it's nice to have a dedicated registry for OPA policies but are there alternatives?
itsronenh commented on Nuclear Fusion Heat Record   theguardian.com/environme... · Posted by u/askaquestion01
itsronenh · 4 years ago
A little ray of sunshine this morning. I'm not a physicist and have no idea how close this technology is to powering our electric grids, but it seems like humanity's best chance for a carbon-free future.

u/itsronenh

Karma: 13 · Cake day: January 25, 2022
About
Coder for 20+ years. Go, k8s, python. Security and authorization.