Hacker News new | past | comments | ask | show | jobs | submit login

This reminds me I need to get my authz paper published, and now sooner than later...

I've built an authz system that is built around labeled security and RBAC concepts. Basically:

  - resource owners label resources
  - the labels are really names for ACLs in a directory
  - the ACL entries grant roles to users/groups
  - roles are sets of verbs
There are unlimited verbs, and unlimited roles. There are no negative ACL entries, which means they are sets -- entry order doesn't matter. The whole thing resembles NTFS/ZFS ACLs, but without negative ACL entries, and with indirection via naming the ACLs.

ACL data gets summarized and converted to a form that makes access control evaluation fast to compute. This data then gets distributed to where it's needed.

The API consists mainly of:

  - check(subject, verb, label) -> boolean
  - query(subject, verb, label) -> list of grants
    (supports wildcarding)
  - list(subject) -> list of grants
  - grant(user-or-group, role, label)
  - revoke(user-or-group, role, label)
  - interfaces for creating verbs, roles, and labels,
    and adding/removing verbs from roles.
Note that access granting/revocation is done using roles, while access checking is done using verbs.

What's really cool about this system is that because it is simple it is composable. If you model certain attributes of subjects (e.g., whether they are on-premises, remote, in a public cloud, ...) as special subjects, then you can compose multiple check() calls to get ABAC, CORS/on-behalf-of/impersonation, MAC and DAC, SAML/OAuth-style authorization, and more. When I started all I wanted was a labeled security system. It was only later that compositions came up.

Because we built a summarized authz data distribution system first, all the systems that have data will continue to have it even in an outage -- an outage becomes just longer than usual update latencies.

check() performance is very fast, on the order of 10us to 15us, with no global locks, and this could probably be made faster.

check() essentially look's up the subject's group memberships (with the group transitive closure expanded) and the {verb, label}'s direct grantees, and checks if the intersection is empty (access denied) or not (access granted). In the common case (the grantee list is short) this requires N log M comparisons, and in the worst case (the two lists are comparable in size) it requires O(N) comparisons. This means check() performance is naturally very fast when using local authz data. Using a REST service adds latency, naturally, but the REST service itself can be backended with summarized authz data, making it fast. Using local data makes the system reliable and reliably fast.

query() does more work, but essentially amounts to a union of the subject's direct grants and a join of the subject's groups and the groups' direct grants.

special entities like "ANYONE" (akin to Authenticated Users in Windows) and "ANONYMOUS" also exist, naturally, and can be granted. These are treated like groups in the summarized authz data. We also have a "SELF" special entity which allows one to express grants to any subject who is the same as the one running the process that calls check().

Cool. Keep us posted

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact