warrant VS Zulip

Warrant — Hosted enterprise-grade authorization and access control service for your apps. The free tier includes 1 million monthly API requests and 1,000 authz rules.

The specific challenge with authz in the app layer is that different apps can have different access models with varying complexity, especially the more granular you get (e.g. implementing fine grained access to specific objects/resources - like Google Docs).

Personally, I think a rebac (relationship/graph based) approach works best for apps because permissions in applications are mostly relational and/or hierarchical (levels of groups). There are authz systems out there such as Warrant https://warrant.dev/ (I'm a founder) in which you can define a custom access model as a schema and enforce it in your app.

Let's use warrant.dev as an example. The system provides a set of REST APIs for you to define object types and access policies (called warrants). The general process is first to create object types using HTTP POST:

https://warrant.dev/ (Provider) Relatively new authZ provider, they have a dashboard where you can manage your rules in a central location and then use them from multiple languages via their SDKs, even on the client to perform UI checks. Rules can also be managed programmatically via SDK.

I would describe this debate more as Policy-as-Data (Zanzibar) vs Policy-as-Code (OPA et al).

In Zanzibar, all of the information required to make an authorization decision (namespaces, relationship tuples, etc.) is stored in Zanzibar, and the decision engine resolves access checks based on this data. This data can be scaled horizontally (and consistently) as needed for an application’s needs. This makes Zanzibar a centralized, unified solution for all of an application’s authorization needs. I’ve found this approach more purpose built / well suited for application authorization.

With OPA and other policy engines, the data required for performing access checks lives somewhere else (maybe the application’s database) and must be separately queried and included as part of the authorization check because OPA et al. are stateless decision engines. This makes it such that you need to piece together data from different sources in order to get your final decision, which IMO is something most developers don’t want to deal with.

On the flip side, Zanzibar’s “namespaces” are a very simple policy layer not well suited to querying against data outside of Zanzibar’s scope (e.g. geolocation, time, etc). For scenarios like this, a full fledged policy-as-code solution is great. However, it should be noted that some open source Zanzibar implementations like Warrant[1] and SpiceDB[2] (mentioned in the article) also offer a policy-as-code layer on top of Zanzibar’s graph-based/ReBAC approach to tackle these scenarios.

Disclaimer, I’m one of the founders of Warrant.

[1] https://github.com/warrant-dev/warrant

[2] https://github.com/authzed/spicedb

Hey HN, I recently shared my thoughts on why Google Zanzibar is a great solution for implementing authorization[1] and why we decided to build Warrant’s core authz service using key concepts from the Zanzibar paper. As I mentioned in the post, we recently open sourced the authz service powering our managed cloud service, Warrant Cloud[2], so I thought I’d share it with everyone here. Cheers!

[1] https://news.ycombinator.com/item?id=36470943

[2] https://warrant.dev/

More than two years after choosing to build Warrant atop Zanzibar’s core principles, we’re extremely happy with our decision. Doing so gave us a solid technical foundation on which to tackle the various complex authorization challenges companies face today. As we continue to encounter new scenarios and use cases, we’ll keep iterating on Warrant to ensure it’s the most capable authorization service. To share what we learn and what we build with the developer community, we recently open-sourced the core authorization engine that powers our fully managed authorization platform, Warrant Cloud. If you’re interested in authorization (or Zanzibar), check it out and give it a star!

Zulip — Real-time chat with a unique email-like threading model. The free plan includes 10,000 messages of search history and File storage up to 5 GB. also, it provides a self-hostable open-source version.

(1) Zulip Chat - https://zulip.com/ - seems to be reasonably popular, but more people should know about it

I’ve been using it for over 5 years now [1], and it’s as good as ever. It’s way faster than any other chat app I’ve used. It has a good UI and conversation model. It has a simple and functional API that lets me curl threads and write blog posts based on them.

(only problem is that I Ctrl-+ in my browser to make the font bigger – I think it’s too dense for most people)

(2) re2c regex to state machine compiler - https://re2c.org

A gem from the 90’s, which people have done a great job maintaining and improving (getting Go and Rust target support in the last few years). I started using it in 2016, and used for a new program a few months ago. I came to the conclusion that it should have been built into C, because C has shitty string processing – and Ken Thompson both invented C AND brought regular languages to computing !!

In comparison, treesitter lexers are very low level, fiddly, and error prone. I recently saw dozens of ad hoc fixes to the tree-sitter-bash lexer, which is unsurprising if you look at the structure of the code (manually crawling through backslashes and braces in C).

https://github.com/tree-sitter/tree-sitter-bash/blob/master/...

These fixes are definitely appreciated, but I think it indicates a problem with the model itself.

(based on https://lobste.rs/s/endspx/software_you_are_thankful_for#c_y...)

[1] https://www.oilshell.org/blog/2018/04/26.html

A few more truly in the vibe of open source projects not advertising their hosting providers: https://plane.so/ , https://element.io/ , https://www.loomio.com/ , https://zulip.com/ , and it keeps going... Very few open source projects, in the FOSS sense, are advertising their hosting provider.

I was so excited to see this happen!

I'm not a customer of yours, but your blog posts inspired me a lot. Your journey through quitting caffeine is a great and heartening read.

I've got two things to say;

1) Will you consider source-availabling the web portal (app.keygen.sh) too? Some enterprises could use it for easy management/support for custoner's licenses. Although now that I think about it, it could also discourage custom, more suitable implementations for each use-case... I'm torn on this one. I would like to see it available on GitHub too just out of curiosity too. It's very beautiful.

2) For a team + customers' chat, I cannot recommend Zulip enough. It's a joy to use and has the most innovative chat system I've ever seen. https://zulip.com

I hope your business keeps prospering!

Zulip | Senior Flutter Engineer | REMOTE or San Francisco | Full-time | https://zulip.com/

At Zulip, we’re out to build the world’s best collaboration platform, and we’re committed to keeping it 100% open source. Zulip is the only modern team chat app that is designed for both live and asynchronous conversations. Our product serves as the communication hub for businesses, open-source projects, educators and communities around the world.

We're building the next generation of Zulip's mobile apps in Flutter. We're looking for a senior engineer with Flutter experience to join our small core team and help define the future of team chat. Our Flutter prototype is just a few months old, so this is a greenfield opportunity to help shape the app's architecture from early on.

For full details, check out https://zulip.com/jobs/. Apply at [email protected].

Anyways, I'm an internet stranger, not a social media expert. So let me know what you all think. And if we make a discord or zulip or something to make this a reality, let me know and I'd love to help any way I can.