SpiceDB Documentation
Getting Started
Coming From
Open Policy Agent

SpiceDB for Open Policy Agent (OPA) users

This document is designed to cover the conceptual differences between SpiceDB and Open Policy Agent (OPA).

ℹ️

The focus of the content below is not intended to be a competitive anlaysis, but rather a bridge to understand SpiceDB for existing OPA users.

SpiceDB vs OPA

Every complete permissions system is made up of three major components: models, data, and an engine.

While comparing SpiceDB and OPA is akin to comparing apples and oranges because they are fundamentally two different approaches, both can analyzed through the lens of these three components to understand the design of each.

A quick recap on the components and their purpose:

  • Models define the logic and rules governing actions in the system.
  • Data provides the context for action itself (who's doing it, the object of the action, and more)
  • An engine interprets models and data in order to make an access control decision
modelsenginedata

Open Policy Agent is a class of technology called a policy engine. The fundamental idea behind policy engines is that access control decisions are the result of executing a computer program.

Referring back to the three components of a complete permissions system, policy engines typically implement only two of the three components: models and an engine. Developers write programs, called policies, to provide the models of their system. For OPA, their models are written in a language called Rego that was inspired by Datalog. An engine, OPA itself, then executes these policies using any data usually provided at runtime with the request. For data that is not provided with a request, there exist various configurations, strategies, and software projects for providing data into OPA-based systems; this aspect of OPA is open-ended.

OPAenginedata?Deploymentpolicies( models )app

SpiceDB is a class of technology called a database. The fundamental idea behind databases is that they store and index data efficiently so that it can be effectively queried. While many databases are general-purpose, SpiceDB is optimized specifically for storing and querying authorization data. SpiceDB provides all three components of a permissions systems: schema provides the models, the data is stored within the database itself, and the query engine interprets the two in order to make access control decisions.

relationshipsschemagraphSpiceDBapps microservicesware-house( models )( data )( engine )

When to use SpiceDB instead of OPA

SpiceDB provides a comprehensive system and, while doing so, enforces opinions about how authorization should be done. It encourages developers to consider data consistency upfront as they integrate applications and face other, often silent, failure domains such as the New Enemy Problem. Adopting SpiceDB can be a powerful tool for enabling a shift towards centralizing authorization into one service that can be operated by a specialized team.

When to use OPA instead of SpiceDB

OPA excels where in scenarios where it can be easily embedded or ran alongside an existing workload. Because it is a fairly open-ended how one deals with data in OPA deployments, it shines best as a solution when access control decisions don't require much data.

© 2024 AuthZed.