protobuf-rules-gen VS OPA (Open Policy Agent)

A long time ago, I was the PM on Firestore security rules, which was intended to solve both of those issues.

https://github.com/FirebaseExtended/protobuf-rules-gen was the closest we got: declaring types as protobufs (because Google, of course) and then generating both security rules to guarantee validity as well as client types that would match. I wanted to add proto annotations to do additional validity (e.g. add a regex to validate the phone number string was correct, do length checks on strings, etc.).

The short answer is that backend rules engines, either in their own DSL or bolted on to e.g. SQL, are pretty tough to get right, and have a super steep learning curve. IMO, AWS API Gateway with Lambda Authorizers get this most correct.

Now there are more subdivided practice: * Policy as Code: Sentinel, OPA * Database as Code: bytebase * AppConfiguration as Code: KusionStack, Acorn * ...... (Welcome to add more)

CIAM is not nearly as popular of a term as it needs to be. When most developers build apps today, they still look at their cloud provider's IAM or Active Directory for inspiration in design of their customer-facing systems. I think this article is actually understating the complexity. Conway's Law rules all and sometimes your systems and users won't even necessarily be in your control. I urge folks to look into policy engines like OPA[0] and ReBAC systems like SpiceDB[1] rather than reinventing the wrong wheel.

[0]: https://www.openpolicyagent.org

[1]: https://github.com/authzed/spicedb

At this point, someone spotted that we were getting a lot of timeouts in the API server logs for write operations. But not specifically on the writes themselves. Rather, it was timeouts calling the admission controllers on the cluster. Reddit utilizes several different admission controller webhooks. On this cluster in particular, the only admission controller we use that’s generalized to watch all resources is Open Policy Agent (OPA). Since it was down anyway, we took this opportunity to delete its webhook configurations. The timeouts disappeared instantly… But the cluster didn’t recover.

Open Policy Agent

Thanks for sharing Biscuit, I was collecting examples of authentication policy languages.

Datalog is also the basis for Open Policy Agent https://www.openpolicyagent.org/docs/latest/ , more specifically it's Rego language which is also implemented in go https://github.com/open-policy-agent/opa/tree/main/rego

OPA is a full fledged solution as an external auth provider to reverse proxies like Nginx, Envoy or Traefik...etc. It can be a bit complex and overkill for smaller systems. I have a solution called bouncer as a much simpler and opinionated replacement to OPA. Have a look at it, at least it can give you ideas.

We believe in validating your work around complex errors before deploying so you spend less time fixing them. So in our Monokle 1.7.0 release we added support forOPA (OPA) to automate how you validate, identify, and fix mission-critical Kubernetes errors.