Hacker News: ogazitt

Building permission-aware AI chatbots

ogazitt — Thu, 07 Nov 2024 16:03:11 +0000

Article URL: https://www.aserto.com/blog/building-permission-aware-enterprise-chatbots

Comments URL: https://news.ycombinator.com/item?id=42077828

Points: 1

# Comments: 0

RAG with Access Control

ogazitt — Thu, 25 Apr 2024 16:09:36 +0000

Article URL: https://www.pinecone.io/learn/rag-access-control/

Comments URL: https://news.ycombinator.com/item?id=40159306

Points: 3

# Comments: 2

New comment by ogazitt in "Distributed Authorization"

ogazitt — Wed, 17 Apr 2024 05:33:03 +0000

Congrats on the launch!

[Disclosure: I'm one of the co-founders of Aserto, the creators of Topaz].

The problem of data filtering is indeed a huge part of building an effective authorization system. Partial evaluation is one way of doing it, although with systems like OPA [0] it requires a lot of heavy lifting (parsing the returned AST and converting it into a WHERE clause). Looking forward to seeing how turnkey that can be with Oso.

With that said, there are applications where you really want the data close to the authorization engine. With a ReBAC model, you can easily find the objects that a user has access to, or the users that have access to an object, by walking the relationship graph. That's the approach we've taken with Topaz [1].

Funny timing - a few days ago we published a blog post on that very topic! [2]

[0] https://openpolicyagent.org

[1] https://topaz.sh

[2] https://www.aserto.com/blog/how-rebac-helps-solve-data-filte...

New comment by ogazitt in "Open Policy Agent"

ogazitt — Wed, 13 Mar 2024 18:54:35 +0000

If you want to try Topaz (which supports all three), check it out here [0]. We'd love to help you solve your authorization scenario :)

[0] https://github.com/aserto-dev/topaz

New comment by ogazitt in "Open Policy Agent"

ogazitt — Wed, 13 Mar 2024 18:52:59 +0000

Topaz is essentially a combination of OPA (which is used as the decision engine, with full support for Rego), and a Zanzibar-style directory, which is fairly isomorphic to what OpenFGA has implemented.

The advantage is that it's a single container image (or go binary, if that's how you want to run it), and supports a combination of RBAC, ABAC, and ReBAC. ABAC is accomplished via the Rego language, which is as "standard" as it comes in the cloud-native world.

New comment by ogazitt in "Open Policy Agent"

ogazitt — Tue, 12 Mar 2024 22:30:48 +0000

OPA is a great tool for implementing a policy-as-code system. But if you're trying to use it for application authorization (e.g. fine-grained authz for B2B SaaS or a set of internal applications), you may find that its policy story is strong, but it doesn't really have a "data plane": you either store data in a data.json file and rebuild the policy any time that data changes, or make an http.send call out of the policy to fetch dynamic data.

Check out Topaz [0], which uses OPA as its decision engine, but adds a data plane that is based on the ReBAC ideas explored in the Google Zanzibar [1] paper.

Disclaimer: I work on the team [2] that builds and maintains the Topaz project.

[0] https://www.topaz.sh

[1] https://research.google/pubs/zanzibar-googles-consistent-glo...

[2] https://www.aserto.com

New comment by ogazitt in "LetsGo – A new starter kit for starting startups"

ogazitt — Wed, 22 Nov 2023 19:21:50 +0000

LetsGo looks really cool! Excited to see how this evolves.

New comment by ogazitt in "Show HN: Add auth to Next.js and deploy in 60 seconds – no manual config"

ogazitt — Thu, 16 Nov 2023 02:24:28 +0000

Really cool to see an identity provider that's free, both in price and in friction. Nicely done!

New comment by ogazitt in "Show HN: Topaz 0.30 – OSS authz service combining the best of OPA and Zanzibar"

ogazitt — Mon, 06 Nov 2023 18:53:03 +0000

Thanks! Yes, the days where you have to hand-roll authorization logic are (hopefully) soon to be behind us :)

New comment by ogazitt in "Show HN: Topaz 0.30 – OSS authz service combining the best of OPA and Zanzibar"

ogazitt — Mon, 06 Nov 2023 18:15:13 +0000

Thanks! That's exactly the analogy we think of... Auth0 : AuthN :: Topaz : AuthZ :)

New comment by ogazitt in "Show HN: Topaz 0.30 – OSS authz service combining the best of OPA and Zanzibar"

ogazitt — Mon, 06 Nov 2023 16:55:05 +0000

Thanks! Do let us know what your favorite feature is in the 0.30 release :)

New comment by ogazitt in "Show HN: Topaz 0.30 – OSS authz service combining the best of OPA and Zanzibar"

ogazitt — Mon, 06 Nov 2023 16:53:20 +0000

Thanks! ABAC and ReBAC are indeed complementary, and you can build powerful authorization models by combining the best of these.

New comment by ogazitt in "Show HN: Topaz 0.30 – OSS authz service combining the best of OPA and Zanzibar"

ogazitt — Mon, 06 Nov 2023 16:52:09 +0000

Thanks! "topaz test" is already pretty useful, and we hope to bring assertions into the visual console in a future release.

New comment by ogazitt in "Show HN: Topaz 0.30 – OSS authz service combining the best of OPA and Zanzibar"

ogazitt — Mon, 06 Nov 2023 16:20:55 +0000

Thanks for the question! Those are both great projects. Topaz combines the best elements of both:

* It uses OPA as its decision engine and Rego as the policy language, and supports the "policy as code" methodology

* It also implements a ReBAC directory, much like OpenFGA, in the same container image. It goes further, by allowing you to store not just relationships between subjects and objects, but also properties... which makes it easy to author policies that combine attribute-based (ABAC) and relationship-based (ReBAC) rules.

Show HN: Topaz 0.30 – OSS authz service combining the best of OPA and Zanzibar

ogazitt — Mon, 06 Nov 2023 16:02:00 +0000

Hey folks! As Topaz turns a year old, we just released a big update, including support for a new authorization schema language, a built-in visual console, REST APIs for the ReBAC directory, a full test harness, and many other improvements.

Would love to get your feedback! Check out the blog post [0] for the complete details (including some cool screenshots), or clone / fork the repo here [1]. Many thanks!

[0] https://www.aserto.com/blog/announcing-topaz-030

[1] https://github.com/aserto-dev/topaz

Comments URL: https://news.ycombinator.com/item?id=38164327

Points: 35

# Comments: 16

It's time for authorization standards: AuthZEN WG at OpenID Foundation

ogazitt — Tue, 24 Oct 2023 15:01:38 +0000

Article URL: https://www.aserto.com/blog/authorization-standards-authzen

Comments URL: https://news.ycombinator.com/item?id=38000167

Points: 11

# Comments: 2

New comment by ogazitt in "OPA : Zanzibar :: SOAP : REST?"

ogazitt — Wed, 19 Apr 2023 16:30:57 +0000

Thanks! Analogies are always challenging, but the Zanzibar ReBAC model fits the “opinion” and “simplicity” of REST (at least when compared to SOAP).

We will definitely need the “Rails” equivalent for making ReBAC accessible to many more developers than it is today, and Topaz / Aserto definitely aims to be one of these! :)

New comment by ogazitt in "OPA : Zanzibar :: SOAP : REST?"

ogazitt — Wed, 19 Apr 2023 15:38:08 +0000

Good question. OPA is best suited for ABAC-centric scenarios, where your authorization logic is expressed in terms of attributes on users, objects, or environment.

The ReBAC / Zanzibar model is more opinionated, but most use-cases seem to be pretty easily described in ReBAC.

OPA : Zanzibar :: SOAP : REST?

ogazitt — Wed, 19 Apr 2023 15:00:21 +0000

Article URL: https://www.aserto.com/blog/opa-zanzibar-soap-rest

Comments URL: https://news.ycombinator.com/item?id=35628974

Points: 18

# Comments: 4

New comment by ogazitt in "Show HN: Topaz: open-source authorization combining the best of OPA and Zanzibar"

ogazitt — Wed, 26 Oct 2022 11:26:32 +0000

Thanks! Let us know if you have any feedback!