Both REST and built-ins for OPA have been available for existing projects like OpenFGA[0] and SpiceDB[1]. In case of SpiceDB, the first built-in was actually available in June of last year[2].
Since there is a clear interest from the existing communities with mature solutions, it'd be awesome to collaborate for the graph layer. Speaking from the SpiceDB community, we'd be glad to welcome you -- this is what open source is all about!
Our design approach with Aserto has been to have a single OPA-based decision engine integrated with a built-in directory. So Topaz carries this forward.
We do have a gRPC contract for the directory (which is pluggable in Topaz), and it would be interesting to see if there could be SpiceDB or OpenFGA implementations of that contract!
Hey, congrats on the launch! It’s great to see more activity in the authorization domain – a rising tide floats all boats.
FWIW I totally see the benefit of having standards and widely adopted open source solutions, Jimmy. But neither of the solutions you called out has been out for more than ~1 year, so I can also see why Omri and the Topaz team decided to go their own route. Your two companies also compete directly with each other, so I can’t really blame them.
Neither of those solutions was around when we released the first version of Oso in 2020, so we too went our own route and have learned a lot along the way. We’ve since shared a lot of what we’ve learned in Authorization Academy [0], a series of technical guides on building application authorization that are not specific to Oso. We also recently wrote about our view of what an authorization system should look like — opinionated but flexible — in a post on what authorization can learn from Rails [1].
Will be instructive to see what feedback the dev community shares in the years to come.
Disclaimer: I'm founder of Oso[2], a batteries-included system for authorization.
> neither of the solutions you called out has been out for more than ~1 year,
That's a good callout. These are still early days when it comes to Zanzibar & co, and all implementations are very new. I'm glad different implementations exist. This will allow the community to experiment with multiple ideas and allow them to flourish or be discarded.
Authzed's idea Jimmy linked to elsewhere (Caveats) [0] is not in the Zanzibar paper, however it is an interesting option to try to tackle ABAC scenarios within a Zanzibar context.
OSO (and Aserto seems to be doing the same) is approaching this the other way - they have a good Policy/ABAC solution, do they benefit from a more Zanzibar-like approach to the AuthZ problem, the answer seems to be also yes (OSO Cloud [1]).
In OpenFGA, we dropped the concept of Zookies. Will we regret this? Time will tell. SpiceDB bet on the importance of Zookies, and in some cases they are right. We also added support for having multiple model versions active at the same time and some ABAC scenarios through Contextual Tuples [2] (less powerful than caveats, but more Zanzibar-y). Is that a good idea? Hopefully!
That's the beauty of it, there are considerations (pros and cons) for all of these approaches, users can pick and choose what works best for their situations. We will all learn and adapt. We may all end up discarding some of our assumptions and adopting new ones. Ultimately this will benefit all of us, and more importantly the wider audience and the ecosystem. And maybe newcomers will implement all of the good ideas floating around while discarding the cruft existing solutions are stuck with.
Hopefully as the ecosystem matures, all the implementations benefit from it. Multiple implementations allows each to investigate certain solutions.
Quoting Jimmy above:
> it'd be awesome to collaborate [...] this is what open source is all about
100%! Though as a FOSS fan myself, I'm hoping for a new comer GPL/copyleft solution to come about and rule us all :)
Side-note: Absolutely loved this article from OSO with Abhishek Parmar, one of the co-creators of Zanzibar [3]
I'm Omri, one of the Aserto co-founders. Very much agree that this space is still pretty early - we all started building developer-centric authorization solutions in the last couple of years, and we're still in the phase where exploring different trade-offs helps the overall ecosystem learn and move forward.
You're exactly right that with Aserto (and Topaz), we started from a Policy-as-code design at the center. As we spent time with developers, we recognized that having a way to model their domain and write data-centric rules (ReBAC tuples) was a powerful extension to the policy-as-code approach. Bringing them together is the focus of Topaz.
Thanks for posting the link to the interview with Abhishek - great read!
Really great context on what worked and what was perhaps overengineered. The approachability of any system by its consumers (developers in this case) is hugely important. You've done a good job with Oso :)
We provide a set of OPA built-ins which enable the integration which are documented here: https://www.topaz.sh/docs/directory/built-ins.