
This is an entry into the application AuthZ world. The space is in need of a general approach to get away from ad hoc solutions in every application or in the IDP. Cedar falls somewhere between OPA with its datalog (prolog) based search approach and a Zanzibar based approach. It’s not clear which direction will win out, but it is time that this problem got some attention.



Personally I prefer cuelang operating on JSON (aka IAM policy, kafka ACLs, IP blocklists, elasticsearch database config etc.) documents - cuelang-js is a wasm execution engine I can use with the cue binary across most apps/databases/kafka etc to have a unified policy engine.

The advantage here is that I can then simulate end-to-end policy what-ifs, and do build-time policy unit tests.

I can also handle business rules in a similar fashion for better visibility - how much of the business understands python/Go/Java/etc code?


Is there an online console somewhere you can play with and test these cuelang-based policies using cuelang-js?



>"Cedar falls somewhere between OPA with its datalog (prolog) based search approach and a Zanzibar based approach."

I understand the OPA from your description of it as a "datalog (prolog) based search approach" but you didn't characterize what the "Zanzibar based approach" is. Is there a similar short descriptive summary of its approach?


Zanzibar is an authorization system Google built and describes in a paper [1], which uses relationships to make authorization decisions (aka ReBAC): if there exists a path of such relationships between a resource's permission and, say, a user, then the user is considered to have that permission on the resource. This structural approach to permission checking allows for high levels of scaling and low latency on checks.

Disclaimer: I am the cofounder of AuthZed, where we are building an open source version of Zanzibar known as SpiceDB [2]

[1] https://zanzibar.tech
[2] https://github.com/authzed/spicedb
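The "path of relationships" check described in the comment above, written out as an added Go example that is neither SpiceDB's code nor anything from the Zanzibar paper. It uses a tiny in-memory tuple store and a hypothetical schema format in which `doc#editor` implies `doc#viewer` and a doc inherits `viewer` from its parent folder through a `parent` tuple (the paper calls these computed usersets and tuple-to-userset rewrites). All object names, users and tuples are constructed for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is a Zanzibar-style relation tuple, written object#relation@subject.
// The subject is a direct user ("user:alice") or a userset ("group:eng#member",
// meaning everyone who has relation "member" on group:eng).
type Tuple struct {
	Object, Relation, Subject string
}

// RelationDef is a hypothetical stand-in for a namespace config entry
// (not SpiceDB's schema language) for one object-type relation.
type RelationDef struct {
	Implied   []string // relations on the same object that also grant this one
	ParentVia string   // relation whose subject is the parent object ("" if none)
	ParentRel string   // relation on that parent that grants this one
}

// Store indexes tuples by "object#relation" and holds the schema by "type#relation".
type Store struct {
	tuples map[string][]string
	schema map[string]RelationDef
}

func NewStore(schema map[string]RelationDef, tuples []Tuple) *Store {
	s := &Store{tuples: map[string][]string{}, schema: schema}
	for _, t := range tuples {
		k := t.Object + "#" + t.Relation
		s.tuples[k] = append(s.tuples[k], t.Subject)
	}
	return s
}

func objectType(object string) string {
	return strings.SplitN(object, ":", 2)[0]
}

// Check answers "does user have relation on object?" by depth-first search for a
// path of tuples from object#relation to the user. The visited set bounds the
// search and guards against cycles (for example a group that is a member of itself).
func (s *Store) Check(object, relation, user string) bool {
	return s.check(object, relation, user, map[string]bool{})
}

func (s *Store) check(object, relation, user string, visited map[string]bool) bool {
	key := object + "#" + relation
	if visited[key] {
		return false
	}
	visited[key] = true

	// 1. Direct tuples; a userset subject is expanded recursively.
	for _, subj := range s.tuples[key] {
		if subj == user {
			return true
		}
		if i := strings.Index(subj, "#"); i >= 0 {
			if s.check(subj[:i], subj[i+1:], user, visited) {
				return true
			}
		}
	}

	def, ok := s.schema[objectType(object)+"#"+relation]
	if !ok {
		return false
	}
	// 2. Computed usersets on the same object (editor implies viewer).
	for _, rel := range def.Implied {
		if s.check(object, rel, user, visited) {
			return true
		}
	}
	// 3. Tuple-to-userset: follow the parent relation and check the parent's relation.
	if def.ParentVia != "" {
		for _, parent := range s.tuples[object+"#"+def.ParentVia] {
			if s.check(parent, def.ParentRel, user, visited) {
				return true
			}
		}
	}
	return false
}

// DemoStore builds a constructed sample graph: alice edits doc:readme, the eng
// group can view it, bob is in eng, and the doc sits in folder:root which carol views.
func DemoStore() *Store {
	schema := map[string]RelationDef{
		"doc#viewer":    {Implied: []string{"editor"}, ParentVia: "parent", ParentRel: "viewer"},
		"doc#editor":    {},
		"group#member":  {},
		"folder#viewer": {},
	}
	tuples := []Tuple{
		{"doc:readme", "editor", "user:alice"},
		{"doc:readme", "viewer", "group:eng#member"},
		{"group:eng", "member", "user:bob"},
		{"group:eng", "member", "group:eng#member"}, // self-reference: exercises the cycle guard
		{"doc:readme", "parent", "folder:root"},
		{"folder:root", "viewer", "user:carol"},
	}
	return NewStore(schema, tuples)
}

func main() {
	s := DemoStore()
	for _, u := range []string{"user:alice", "user:bob", "user:carol", "user:dave"} {
		fmt.Printf("%s viewer on doc:readme: %v\n", u, s.Check("doc:readme", "viewer", u))
	}
}
```

Each of alice, bob and carol reaches `doc:readme#viewer` by a different kind of edge (computed userset, group userset, parent inheritance), while dave has no path and is denied. A production system answers the same reachability question over a sharded, replicated tuple store, which is where the scaling and latency work in the paper goes.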


Is it spiced because the authorizations must flow?


Indeed it is! :)



