warrant VS GoatCounter

Warrant — Hosted enterprise-grade authorization and access control service for your apps. The free tier includes 1 million monthly API requests and 1,000 authz rules.

The specific challenge with authz in the app layer is that different apps can have different access models with varying complexity, especially the more granular you get (e.g. implementing fine grained access to specific objects/resources - like Google Docs).

Personally, I think a rebac (relationship/graph based) approach works best for apps because permissions in applications are mostly relational and/or hierarchical (levels of groups). There are authz systems out there such as Warrant https://warrant.dev/ (I'm a founder) in which you can define a custom access model as a schema and enforce it in your app.

Let's use warrant.dev as an example. The system provides a set of REST APIs for you to define object types and access policies (called warrants). The general process is first to create object types using HTTP POST:

https://warrant.dev/ (Provider) Relatively new authZ provider, they have a dashboard where you can manage your rules in a central location and then use them from multiple languages via their SDKs, even on the client to perform UI checks. Rules can also be managed programmatically via SDK.

I would describe this debate more as Policy-as-Data (Zanzibar) vs Policy-as-Code (OPA et al).

In Zanzibar, all of the information required to make an authorization decision (namespaces, relationship tuples, etc.) is stored in Zanzibar, and the decision engine resolves access checks based on this data. This data can be scaled horizontally (and consistently) as needed for an application’s needs. This makes Zanzibar a centralized, unified solution for all of an application’s authorization needs. I’ve found this approach more purpose built / well suited for application authorization.

With OPA and other policy engines, the data required for performing access checks lives somewhere else (maybe the application’s database) and must be separately queried and included as part of the authorization check because OPA et al. are stateless decision engines. This makes it such that you need to piece together data from different sources in order to get your final decision, which IMO is something most developers don’t want to deal with.

On the flip side, Zanzibar’s “namespaces” are a very simple policy layer not well suited to querying against data outside of Zanzibar’s scope (e.g. geolocation, time, etc). For scenarios like this, a full fledged policy-as-code solution is great. However, it should be noted that some open source Zanzibar implementations like Warrant[1] and SpiceDB[2] (mentioned in the article) also offer a policy-as-code layer on top of Zanzibar’s graph-based/ReBAC approach to tackle these scenarios.

Disclaimer, I’m one of the founders of Warrant.

[1] https://github.com/warrant-dev/warrant

[2] https://github.com/authzed/spicedb

Hey HN, I recently shared my thoughts on why Google Zanzibar is a great solution for implementing authorization[1] and why we decided to build Warrant’s core authz service using key concepts from the Zanzibar paper. As I mentioned in the post, we recently open sourced the authz service powering our managed cloud service, Warrant Cloud[2], so I thought I’d share it with everyone here. Cheers!

[1] https://news.ycombinator.com/item?id=36470943

[2] https://warrant.dev/

More than two years after choosing to build Warrant atop Zanzibar’s core principles, we’re extremely happy with our decision. Doing so gave us a solid technical foundation on which to tackle the various complex authorization challenges companies face today. As we continue to encounter new scenarios and use cases, we’ll keep iterating on Warrant to ensure it’s the most capable authorization service. To share what we learn and what we build with the developer community, we recently open-sourced the core authorization engine that powers our fully managed authorization platform, Warrant Cloud. If you’re interested in authorization (or Zanzibar), check it out and give it a star!

GoatCounter — GoatCounter is an open-source web analytics platform available as a hosted service (free for non-commercial use) or self-hosted app. It aims to offer easy-to-use and meaningful privacy-friendly web analytics as an alternative to Google Analytics or Matomo. The free tier is for non-commercial use and includes unlimited sites, six months of data retention, and 100k pageviews/month.

> Not sure when GoatCounter started

"Hello, world" - arp242 committed on May 28, 2019 - 66a4d7f9b7af8dccacaf3ad8a9fb57a9f9008030 - https://github.com/arp242/goatcounter/commit/66a4d7f9b7af8dc...

Location: Ireland (Galway)

Remote: yes

Willing to relocate: yes

Technologies: Go ("Golang"), Python, Ruby, JavaScript, Linux, Unix, PostgreSQL

Résumé/CV: https://www.arp242.net/cv/cv-martintournoij

Email: [email protected]

I've been using Go as my primary language for the last seven years, although I don't overly care about the specific language and have experience with a wide variety of tools and languages such as Python, Ruby, PHP, C, JavaScript, Lua, and probably some more. While I've mainly focused on backend in the last few years, I also have written plenty of frontend code over the years, from the "pre-jQuery" days to VueJS.

In the last few years I mainly focused on GoatCounter (https://www.goatcounter.com) with the occasional contract job, but I'm keen to start working on something new for the longer term.

I've got quite a bit of code on my GitHub, so you can take a look at that if you want: https://github.com/arp242/

I suggest using analytics that you can self-host, like https://www.goatcounter.com/ and renting a cheap vm to run it on along with your blog. It is way better, you have more control and you can be sure that javascript tracking is working for 100% of people using the site since you have full control over it not getting blocked by adblockers.

I'm self-hosting GoatCounter and using it across all my websites.

Apart from controlling my data, I also have more accurate visitor statistics, as it doesn't get picked up by script blockers, unlike GA.

https://github.com/arp242/goatcounter

https://www.goatcounter.com

I first used basic google analytics but found it too invasive/heavy so I switched over to https://www.goatcounter.com/.

For comments, most solutions were also too heavy, paid or had ads, but I finally found https://giscus.app/.

So while I did add these 2 features, I'm happy with those variants that I managed to find.

Location: Ireland

Remote: yes

Willing to relocate: yes

Technologies: Go ("Golang"), Python, Ruby, JavaScript, Linux, Unix, PostgreSQL

Résumé/CV: https://www.arp242.net/cv/cv-martintournoij

Email: [email protected]

I've been using Go as my primary language for the last seven years, although I don't overly care about the specific language and have experience with a wide variety of tools and languages such as Python, Ruby, PHP, C, JavaScript, Lua, and probably some more. While I've mainly focused on backend in the last few years, I also have written plenty of frontend code over the years, from the "pre-jQuery" days to VueJS.

In the last few years I mainly focused on GoatCounter (https://www.goatcounter.com) with the occasional contract job, but I'm keen to start working on something new for the longer term.

I've got quite a bit of code on my GitHub, so you can take a look at that if you want: https://github.com/arp242/