11/04/2022, 3:17 AM
Hi Guys, we are exploring zanzibar/spicedb for authz engine, have some doubts, posted in stackoverflow Not sure it's the right way to ask, but re-posting the same here as well...apologies if it's too long. We currently have a home grown authz system in production that uses opa/rego policy engine as core for decision making(close to what netflix done). We been looking at Zanzibar rebac model to replace our opa/policy based decision engine, and AuthZed got our attention. Further looking at AuthZed, we like the idea of defining a schema of "resource + subject" types and their relations (like OOP model). We like the simplicity of using a social-graph between resource & subject to answer questions. But the more we dig-in and think about real usage patterns, we get more questions and missing clarity in some aspects. I put down those thoughts below, hope it's not confusing... [Doubts/Questions] 1. [tuple-data] resource data/metadata must be continuously added into the authz-system in the form of tuple data. -- e.g. doc{org,owner} must be added as tuple to populate the relation in the decision-graph. assume, i'm a CMS system, am i expected to insert(or update) the authz-engine(tuple) for for every single doc created in my cms system for lifetime?. -- resource-owning applications are kept in hook(responsible) for continuous keep-it-current updates. -- how about old/stale relation-data(tuples) - authz-engine don't know they are stale or's burnded to tidy it?. 2. [check-api] - autzh check is answered by graph walking mechanism - [resource--to-->subject] traverse path. -- there is no dynamic mixture/nature in decision making - like rego-rule-script to decide based on json payload. -- how to do dynamic decision based on json payload? Appreciate any input.