Watch AuthZed's CPO and co-founder Jimmy Zelinskie's talk at FOSDEM 2024, as he delves into the world of authorization systems, specifically focusing on the evolution of access control models and the genesis of SpiceDB.
Introduction
- The talk aims to discuss the broader context of authorization issues rather than just promoting SpiceDB.
Authorization and Its Challenges
- Discussion of the evolution of web security threats, highlighting the rise of Broken Access Control to the top of the OWASP Top 10 between the 2017 and 2021 editions.
- Overview of the historical context and development of authorization concepts by academia and industry.
- Introduction to various access control models: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-based Access Control (RBAC), Attribute-based Access Control (ABAC), and Relationship-based Access Control (ReBAC).
Evolution of Access Control Models
- Detailed explanation of DAC and MAC, their origins, and examples.
- RBAC's emergence in 1992, its core idea of mapping users to roles, and the challenges of defining roles consistently across different systems.
- ABAC's introduction in 2015, offering more dynamic and context-aware access control decisions.
- ReBAC's concept from around 2007, focusing on access control through relationships, popularized by systems like Facebook's social graph and Google's Zanzibar.
The Impact of Zanzibar and SpiceDB's Origins
- Zanzibar's introduction by Google as a global, consistent authorization system, inspiring the creation of SpiceDB.
- SpiceDB's development story, from initial prototypes in Python to a mature system written in Go, inspired by Google's project and the novel Dune.
SpiceDB Features and Capabilities
- SpiceDB as a parallel graph database optimized for authorization checks.
- Explanation of how developers use SpiceDB, including schema application, data storage, and querying.
- Description of SpiceDB's architecture, including its gRPC and HTTP APIs, Kubernetes-native design, and its ability to scale and maintain consistency globally.
- Introduction to developer tools like Zed and a web IDE for SpiceDB, enhancing developer experience and enabling easy integration and testing.
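The talk describes both the ReBAC model and the way SpiceDB is used: apply a schema, write relationships, then ask whether a subject holds a permission on a resource. The following Python program is an added illustration of that model and is not code from the talk, from SpiceDB or from AuthZed. It defines a hypothetical schema (users, groups, folders and documents), a constructed set of relationships, and a `check` function that walks the relationship graph the way a Zanzibar-style system does, including userset subjects such as "everyone who is a member of group engineering", permissions computed from other permissions, and the "arrow" rule that follows a relation to another object. It also shows why a cycle guard is needed once objects can point at one another.

```python
"""Minimal Zanzibar-style relationship-based (ReBAC) permission check.

Added illustration: the schema, relationships and identifiers below are
hypothetical, and this evaluator is a simplified model of the kind of
computation SpiceDB performs, not SpiceDB's own code.
"""
from collections import defaultdict

# Hypothetical schema. Each object type lists its relations and defines each
# permission as a union of rules:
#   ("relation", r)        subjects directly related through relation r
#   ("permission", p)      subjects holding permission p on the same object
#   ("arrow", via, p)      subjects holding p on the object(s) reached via `via`
# The folder part corresponds roughly to this SpiceDB schema (from SpiceDB's
# documentation, not from the talk summary):
#   definition folder {
#     relation parent: folder
#     relation viewer: user | group#member
#     permission view = viewer + parent->view
#   }
SCHEMA = {
    "user": {"relations": set(), "permissions": {}},
    "group": {"relations": {"member"}, "permissions": {}},
    "folder": {
        "relations": {"owner", "viewer", "parent"},
        "permissions": {
            "view": [("relation", "owner"), ("relation", "viewer"),
                     ("arrow", "parent", "view")],
        },
    },
    "document": {
        "relations": {"owner", "editor", "parent"},
        "permissions": {
            "edit": [("relation", "owner"), ("relation", "editor")],
            "view": [("permission", "edit"), ("arrow", "parent", "view")],
        },
    },
}

# Constructed sample relationships: (resource, relation, subject).
# A subject is "type:id" for a concrete object, or "type:id#relation" for a
# userset, i.e. everyone holding that relation on that object.
RELATIONSHIPS = [
    ("group:engineering", "member", "user:carol"),
    ("folder:root", "viewer", "group:engineering#member"),
    ("folder:project", "parent", "folder:root"),
    ("document:spec", "parent", "folder:project"),
    ("document:spec", "owner", "user:alice"),
    ("document:spec", "editor", "user:bob"),
]


def build_index(relationships):
    """Index relationships by (resource, relation) -> [subject, ...]."""
    index = defaultdict(list)
    for resource, relation, subject in relationships:
        index[(resource, relation)].append(subject)
    return index


def check(index, resource, name, user, _seen=None):
    """Return True if `user` holds relation or permission `name` on `resource`.

    Depth-first walk of the relationship graph. `_seen` guards against
    cycles (e.g. two folders that are each other's parent) so the walk
    terminates; a revisited node can safely be treated as False, because any
    True result short-circuits the whole union before a revisit can matter.
    """
    seen = _seen if _seen is not None else set()
    key = (resource, name, user)
    if key in seen:
        return False
    seen.add(key)

    typedef = SCHEMA[resource.split(":", 1)[0]]
    if name in typedef["relations"]:
        for subject in index.get((resource, name), ()):
            if subject == user:
                return True
            if "#" in subject:  # userset subject: expand it recursively
                obj, rel = subject.split("#", 1)
                if check(index, obj, rel, user, seen):
                    return True
        return False

    for rule in typedef["permissions"][name]:
        if rule[0] in ("relation", "permission"):
            if check(index, resource, rule[1], user, seen):
                return True
        elif rule[0] == "arrow":
            _, via, perm = rule
            for target in index.get((resource, via), ()):
                if check(index, target, perm, user, seen):
                    return True
    return False


if __name__ == "__main__":
    idx = build_index(RELATIONSHIPS)
    for who, perm in [("user:alice", "edit"), ("user:bob", "view"),
                      ("user:carol", "view"), ("user:carol", "edit"),
                      ("user:dave", "view")]:
        print(f"{who} {perm} document:spec -> "
              f"{check(idx, 'document:spec', perm, who)}")
```

Carol can view `document:spec` only through a chain of relationships (group membership, a viewer grant on the root folder, and two parent links), which is exactly the kind of answer an RBAC role table cannot express without being rebuilt whenever the folder tree changes. A real system such as SpiceDB additionally has to answer these walks consistently across replicas and at scale, which is the problem Zanzibar addressed and the talk covers.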
Challenges and Extensions to Zanzibar
- SpiceDB builds on Zanzibar's concepts but extends them to be more flexible and usable outside Google's infrastructure.
- Additions include support for dynamic, context-based relationships and improvements in developer experience to encourage open-source community adoption.