top | item 28349965

Ask HN: Experience using Zanzibar-styled authorization in production?

5 points | gruuya | 4 years ago

In particular, with some OSS solution, like Ory Keto (https://www.ory.sh/keto) or Authorizer (https://www.authorizer.tech/docs/overview/introduction), both of which look promising for our use case.

Even though Ory Keto is more well known, Authorizer seems to be a step ahead by already supporting subject set rewrites, one of the key core concepts from the original Zanzibar paper (the lack of which is a major handicap).

Also, how do you manage cascade relation tuple deletion upon deleting the corresponding object/subject resource (e.g. user/group/etc)?

2 comments

wikibob | 4 years ago
Check out this comprehensive explanation from TailScale.io, a wireguard VPN startup, on how they use Zanzibar

https://tailscale.com/blog/rbac-like-it-was-meant-to-be/

And see also this talk explaining the Zanzibar paper from Authzed.com, a startup that will sell you Zanzibar as a service.

https://authzed.com/blog/what-is-zanzibar/

gruuya | 4 years ago
Nice article, thanks for sharing - good to read about some background here. Interesting that Tailscale basically describes Google Zanzibar but does not name it explicitly.

I'm aware of authzed, and have watched their PWL talk. Fwiw, I found their solution to be very compelling; however, it just doesn't seem to work well for the problem I'm working on (basically requiring a sidecar service running in a Docker container, as opposed to a SaaS).