Feature flags and authorization abstract the same concept

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • spicedb

    Open Source, Google Zanzibar-inspired permissions database to enable fine-grained access control for customer applications

  • At AuthZed, we think about this topic regularly while developing SpiceDB[0], except we believe feature flags are a subset of authorization. I'd disagree with the author that permissions are always long-lived -- authorization can also be ephemeral (and often that's how it's most secure) or dependent on run-time context[1]. What's more, using SpiceDB, we can often collapse checking for authorization and feature-flags into a single round-trip by defining a permission that can additionally require a feature flag (e.g. permission = admin & has_feature_flag).

    It's a little silly, but lots of folks ask for the moon when it comes to performance for authorization because it's critical to every request, but then go on and sprinkle a dozen feature flag RPCs each adding more and more latency. We think you should be able to have both.

    What we're excited about is use cases beyond feature flags and authorization: we've also seen some folks use SpiceDB as an update graph or others as a dependency graph.

    [0]: https://github.com/authzed/spicedb

    [1]: https://authzed.com/blog/caveats/

  • warrant

    Warrant is a highly scalable, centralized authorization service based on Google Zanzibar, used for defining, querying, and auditing application authorization models and access control rules.

  • They might not be the exact same concept but they're definitely related. I'd argue feature flags, authorization, and pricing tiers/entitlements all make up modern 'access control' and 'access management'.

    It used to be that authz was just roles and permissions assigned to users, or feature flags & entitlements just booleans, but sophisticated systems allow for all kinds of permutations and rules based on attributes, relationships and environment such that the lines between them are blurred and implementations are likely similar.

    As others have said, the differences still come down to a handful of factors like correctness, tolerance for error and performance.

    (Disclaimer: I'm a founder in this space and spend a lot of time thinking about it at Warrant - https://warrant.dev/ )

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Related posts

  • CASL – Isomorphic authorization JavaScript library

    1 project | news.ycombinator.com | 24 Jan 2024
  • OpenFGA: A high performance and flexible authorization/permission engine

    1 project | news.ycombinator.com | 29 Aug 2023
  • warrant VS openfga - a user suggested alternative

    2 projects | 15 Aug 2023
  • Want to make restricted access with Cognito

    1 project | /r/aws | 3 Apr 2023
  • Authz: Authorization backend using ABAC and RBAC

    1 project | /r/golang | 16 Jan 2023