Show HN: Topaz 0.30 – OSS authz service combining the best of OPA and Zanzibar
aserto.com

Hey folks! As Topaz turns a year old, we just released a big update, including support for a new authorization schema language, a built-in visual console, REST APIs for the ReBAC directory, a full test harness, and many other improvements.
Would love to get your feedback! Check out the blog post [0] for the complete details (including some cool screenshots), or clone / fork the repo here [1]. Many thanks!
[0] https://www.aserto.com/blog/announcing-topaz-030
[1] https://github.com/aserto-dev/topaz

Been fun to watch this project progress. I have tried it out in a few apps before. Love the test harness, that's super useful!

Thanks! "topaz test" is already pretty useful, and we hope to bring assertions into the visual console in a future release.

How does this compare to other CNCF solutions like OpenFGA and OPA?

Today we are using OpenFGA and OPA together, as OPA does not provide a real solution for managing our data and we only have a few real attribute-based checks we need to make. OpenFGA is a nice data plane, but does not provide an attribute-based solution, so we are http.Send integrating the two, which is not ideal. In simple terms, topaz brings a ReBAC data solution together with OPA, so you only have to create attribute-based authorization rules when really needed, to complement the relation authorization provided by the topaz directory.

I see it is a container-based solution. Is that a requirement? We (have to) run on Windows Server; can I run topaz without a container, just bare metal?

You can, simply use the topazd.exe binary from the topaz_windows_x86_64.zip from the GH releases page (https://github.com/aserto-dev/topaz/releases). Note this is currently not a Windows Service, so no "net start topaz". Let me know if that would be interesting.

Thanks for the question! Those are both great projects. Topaz combines the best elements of both:
* It uses OPA as its decision engine and Rego as the policy language, and supports the "policy as code" methodology
* It also implements a ReBAC directory, much like OpenFGA, in the same container image. It goes further, by allowing you to store not just relationships between subjects and objects, but also properties... which makes it easy to author policies that combine attribute-based (ABAC) and relationship-based (ReBAC) rules.

It is great to see this release coming together. I am working on a new app right now. While authentication is a solved problem with services like Auth0, how to set up a robust authorization mechanism left me scratching my head. With Topaz, the decision to not build it myself was easy. Topaz is to AuthZ what Auth0 is to AuthN. Congrats on the release, very timely!

Thanks! That's exactly the analogy we think of... Auth0 : AuthN :: Topaz : AuthZ :)

Congrats! Great to see the evolution and love how it scales. If I never have to implement authZ again, that will be a happy day :-)

Thanks! Yes, the days where you have to hand-roll authorization logic are (hopefully) soon to be behind us :)

I love the fact it is bringing relational and attribute-based together, happy birthday Topaz!

Thanks! ABAC and ReBAC are indeed complementary, and you can build powerful authorization models by combining the best of these.

Congrats to the Topaz team. This project has had some huge advancements since it launched last year.

Thanks! Do let us know what your favorite feature is in the 0.30 release :)