FOSDEM 2024: SpiceDB: Mature, Open Source ReBAC 

authzed
As more folks deploy cloud-native architectures and technologies, store ever larger amounts of data, and build ever more complex software suites, correctly and securely authorizing requests only becomes exponentially more difficult.
Broken authorization now tops OWASP's Top 10 Security Risks for Web Apps. Their recommendation? Adopt an ABAC or ReBAC authorization model. This talk establishes the problems with the status quo, explains the core concepts behind ReBAC, and introduces SpiceDB, a mature and widely adopted open source ReBAC system inspired by the system internally powering Google: Zanzibar.

Published: 28 Sep 2024

Comments: 4
@hcblue 7 months ago
I'd read the Zanzibar paper a couple years ago, and it sounded robust and useful. But like a lot of things Google publishes, it felt like I couldn't justify the complexity of writing and maintaining something like that? It's great to hear about SpiceDB / Authzed though; I'm gonna have to check them out.
@sydnerd 7 months ago
Great presentation and introduction, hopefully I can give it a try to integrate into some stack.
@asandor83 3 months ago
Great presentation, but I'm missing any mention of the downside of this solution. Namely that all services that contribute authorization data have to sync that data to SpiceDB, which is a pretty big distributed transaction problem.
@authzed 3 months ago
My apologies: this presentation was paced to spend more time on the context around authorization and unfortunately a little rushed when covering content on SpiceDB itself. Synchronizing the data powering authorization decisions is a complex subject, but is not unique to SpiceDB; all systems that federate or centralize these decisions must consider the consistency of the data in order to provide secure access control. Your acknowledgment that there should be distributed transactionality with SpiceDB is actually highlighting a core strength of SpiceDB that many systems ignore: the capability of having end-to-end consistency. There's plenty of work still to be done to make this more turn-key especially when representing external relationship data that hasn't yet been ingested by SpiceDB. Keep an eye out on our GitHub for new proposals related to this: we've got some clever ideas. Until then, we do have users finding success with designs that enable writes to be idempotent.