We Turn Authorization Logic into SQL

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • tresql

    Shorthand SQL/JDBC wrapper language, providing nested results as JSON and more

  • Are there any policy-language-libraries-backed-by-sql like Polar but that aren't based on logic programming languages? I don't really want to learn logic programming for this purpose nor do I want to require it on my coworkers.

    I guess I'm just looking for a SQL shorthand that can easily interpolate request variables and session variables but that gets declared in code where a route is declared. Just spitballing but something like `(blogs.id = $req.blogid).userid = $session.userid OR (users.id = $session.userid).isAdmin`.

    This [0] is close but it doesn't have enough momentum to be usable in every language you'd want.

    [0] https://github.com/mrumkovskis/tresql

  • spicedb

    Open Source, Google Zanzibar-inspired permissions database to enable fine-grained access control for customer applications

  • Disclosure: I'm the founder of Authzed, a YC company building a permissions database[0] inspired by Google's Zanzibar paper.

    This is actually a really hard problem and depends on the systems with which you are integrating. We call this problem "ACL filtering"[1] and there are two general strategies: pre- and post-filtering. We have a blog post[2] describing our API for pre-filtering, which can stream results that you can then build into a SQL query or data structures like bloom filters/bitmaps. We currently have a proposal on GitHub[3] for an extension to that strategy adding a denormalization/caching layer. You might also be surprised at the performance you can achieve with post-filtering by building an iterator in your programming language of choice that will batch together permission checks and amortize the cost of filtering those results from the set of all results that you pull out of your database. Additionally, if you're interested in running your databases, we've been exploring building direct integrations into various datastores (e.g. Postgres).

    [0]: https://github.com/authzed/spicedb

    [1]: https://docs.authzed.com/reference/glossary#acl-filtering

    [2]: https://authzed.com/blog/acl-filtering-in-authzed/

    [3]: https://github.com/authzed/spicedb/issues/207

  • frank_jwt

    JSON Web Token implementation in Rust.

  • Maybe I'm not understanding. But in a JWT you can verify the signature from when you originally signed that user's JWT. So even if I change some data in my JWT, on the backend it will not match the signature. So just reject if it doesn't match, say if someone changes permission:read to permission:admin.

    https://jwt.io/
