Netflix Engineering is always looking for security, ergonomic, and efficiency improvements; and this extends to authorization tools. While experimenting with Zanzibar approaches to authorization, Netflix found SpiceDB and used it to build a prototype for experimentation. The prototype uncovered trade-offs required to implement Attribute-Based Access Control (ABAC) in SpiceDB, which made it poorly suited for Netflix’s core requirements for application identities. To address the shortcomings, the authorization team at Netflix sponsored work to add ABAC support to SpiceDB.
For a technical overview of the Caveats feature design process, read the blog post announcing the collaboration.
Sponsored Open Source Feature Development
With Netflix’s support, the AuthZed team pondered a Zanzibar-native approach to Attribute-Based Access Control. The requirements were captured and published as the caveated relationships proposal on GitHub for feedback from the SpiceDB community. The community’s excitement and interest became apparent through comments, reactions, and conversations on the AuthZed Discord server. Clearly, Netflix wasn’t the only one facing challenges when reconciling SpiceDB with policy-based approaches, so Netflix decided to help! By sponsoring the project, Netflix was able to help AuthZed prioritize engineering effort and accelerate adding the Caveats feature to SpiceDB.
SpiceDB Caveats
SpiceDB Caveats allows Netflix to write authorization policy that references system attributes. Instead of requiring the entire state of the authorization world to be persisted as relations, a system can combine relations with identity attributes that are supplied and evaluated at authorization check time.
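The following SpiceDB schema is an added illustration of the idea above; it is not code from the original post, from Netflix, or from the AuthZed project. It shows a relation (who may view a document) combined with a caveat (under which network condition that relation counts). The names `ip_allowlist`, `user_ip`, `cidr`, `document` and `viewer` are assumptions chosen for the example. Without caveats, modelling "viewer from an allowed network" would require persisting every allowed address as its own relationship; with a caveat, the static part (`cidr`) is stored on the relationship and the dynamic part (`user_ip`) is passed in with each check.

```zed
// Added example schema; identifiers are assumptions, not from the page.
// Caveat: a CEL expression over typed parameters. `cidr` is bound when the
// relationship is written; `user_ip` is bound when the permission is checked.
caveat ip_allowlist(user_ip ipaddress, cidr string) {
  user_ip.in_cidr(cidr)
}

definition user {}

definition document {
  // Plain ReBAC edge: a user granted viewer unconditionally.
  relation viewer: user
  // Caveated edge: a user is a viewer only while the caveat evaluates true.
  relation restricted_viewer: user with ip_allowlist

  // Both edges grant `view`; the caveated one is conditional on context.
  permission view = viewer + restricted_viewer
}
```

With this schema, a relationship such as `document:handbook#restricted_viewer@user:alice` is written with caveat `ip_allowlist` and context `{"cidr": "10.0.0.0/8"}`, and a `CheckPermission` for `document:handbook` / `view` / `user:alice` supplies `{"user_ip": "10.1.2.3"}` in the request context. If the check omits `user_ip`, SpiceDB does not guess: it returns a conditional permissionship naming the missing parameter, which is the check a caller must handle rather than treating it as an allow.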
Outcome
Netflix and AuthZed are both excited about the collaboration’s outcome. Netflix can employ another authorization tool, and SpiceDB users have another option for performing rich authorization checks. Bridging the gap between policy-based authorization and ReBAC is a powerful paradigm that is already benefiting companies looking to Zanzibar-based implementations to modernize their authorization stack.