Solving Fine Grained Authorization with Incremental Computation

13
4
gz09
2 weeks ago
feldera.com

alephu5
·
2 weeks ago
·
[ - ]

I've been interested in this problem space for a couple of years, have tried a whole bunch of products but settled on using cedar policy engine[1] wrapped in some custom code and using the application database and static files to generate policies that can be concatenates to make decisions. A useful property is that they can be indexed based on the "subject verb object" triplet used to represent authorisation queries (e.g. Can "John" download "File 1"?)

Have tried a whole bunch of other FGA providers with their own storage and retrieval services, I think that fundamentally all the DSLs are just variants on prolog and can be quite easily transformed into one another. Another thing to consider is that authorisation is in the critical path of everything, so if you need to call out to an external service it's going to add latency and becomes a single point of failure. Not to mention that it creates an explosion of complexity by distributing the system more widely, so if you can leverage your existing database and file storage to manage policies it's probably easier to build and mange long-term.

Overall I think it's worthwhile using an FGA solution to separate authorisation from business logic, I expect this will become industry standard in the years to come.

[1] https://www.cedarpolicy.com/en

ryzhyk
·
2 weeks ago
·
[ - ]

[I am the author of the blog] It's been fun working on this demo. FGA is a very cool concept, but building an efficient FGA engine is hard: you basically need to solve a graph reachability problem for each auth request.

So I tried a different approach: precompute all authorization decisions ahead of time and incrementally update the computation in real-time. As the post explains, there's not free lunch; there's a space/time tradeoff involved, but overall I think it's very promising.

MattPalmer1086
·
2 weeks ago
·
[ - ]

Very interesting! Many years ago I implemented a mandatory access control system with complex access rules. In a similar fashion, I had to precompute authorisation, as it was just too damn slow to do it all on the fly. Not as complicated as yours, but same principle.

model-15-DAV
·
2 weeks ago
·
[ - ]

I met some of the Feldera team last year at a conference and their knowledge of incremental computation engines is top-tier. Good luck to you all!

As discussed at the end, the storage costs for such a system may be exorbitant. How much space did the example than ran at 115k updates per second take?