-
Notifications
You must be signed in to change notification settings - Fork 41
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #249 from jzelinskie/coming-from-opa
pages: add "coming from" section with opa & rails
- Loading branch information
Showing
13 changed files
with
4,241 additions
and
3,224 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| { | ||
| "opa": "Open Policy Agent", | ||
| "cancancan": "Ruby on Rails" | ||
| } | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| import { Callout } from 'nextra/components'; | ||
| import PSDLight from '@/public/images/ps-light.svg' | ||
| import PSDDark from '@/public/images/ps-dark.svg' | ||
| import CCCLight from '@/public/images/ps-cancancan-light.svg' | ||
| import CCCDark from '@/public/images/ps-cancancan-dark.svg' | ||
| import SpiceDBLight from '@/public/images/ps-spicedb-light.svg' | ||
| import SpiceDBDark from '@/public/images/ps-spicedb-dark.svg' | ||
|
|
||
| # SpiceDB for Ruby on Rails CanCanCan users | ||
|
|
||
| This document is designed to cover the conceptual differences between SpiceDB and the popular Ruby on Rails gem CanCanCan. | ||
|
|
||
| <Callout type="info" emoji="ℹ️"> | ||
| The focus of the content below is not intended to be a competitive anlaysis, but rather a bridge to understand SpiceDB for existing Rails users. | ||
| </Callout> | ||
|
|
||
| ## SpiceDB vs CanCanCan | ||
|
|
||
| Every complete permissions system is made up of three major components: *models*, *data*, and an *engine*. | ||
|
|
||
| While comparing SpiceDB and CanCanCan is akin to comparing apples and oranges because they are fundamentally two different approaches, both can analyzed through the lens of these three components to understand the design of each. | ||
|
|
||
| A quick recap on the components and their purpose: | ||
|
|
||
| - **Models** define the logic and rules governing actions in the system. | ||
| - **Data** provides the context for action itself (who's doing it, the object of the action, and more) | ||
| - An **engine** interprets models and data in order to make an access control decision | ||
|
|
||
| <center> | ||
| <PSDLight className="p-5 h-96 w-96 dark:hidden"/> | ||
| <PSDDark className="p-5 h-96 w-96 hidden dark:block"/> | ||
| </center> | ||
|
|
||
| CanCanCan is a *library* (gem) designed to help model authorization in Ruby on Rails projects. | ||
| The fundamental idea behind most authorization libraries is that access control can be modeled by reusing as much as possible from within your existing web framework. | ||
| For cancancan, developers defines their models from within an `Ability` class. | ||
| Engine logic is implemented within the library such that developers can simply load the `Ability` class within their `Controller` classes to enforce their models. | ||
| Data outside of the request context is left open ended, but most often is fetched from the primary database using ActiveRecord. | ||
|
|
||
| <center> | ||
| <CCCLight className="p-5 h-96 w-96 dark:hidden"/> | ||
| <CCCDark className="p-5 h-96 w-96 hidden dark:block"/> | ||
| </center> | ||
|
|
||
| SpiceDB is a class of technology called a *database*. | ||
| The fundamental idea behind databases is that they store and index data efficiently so that it can be effectively queried. | ||
| While many databases are general-purpose, SpiceDB is optimized specifically for storing and querying authorization data. | ||
| SpiceDB provides all three components of a permissions systems: schema provides the models, the data is stored within the database itself, and the query engine interprets the two in order to make access control decisions. | ||
|
|
||
| <center> | ||
| <SpiceDBLight className="p-5 h-96 w-96 dark:hidden"/> | ||
| <SpiceDBDark className="p-5 h-96 w-96 hidden dark:block"/> | ||
| </center> | ||
|
|
||
| ## When to use SpiceDB instead of Cancancan | ||
|
|
||
| SpiceDB provides a centralized system and, while doing so, enforces opinions about how authorization should be done. | ||
| Adopting SpiceDB can be a powerful tool for enabling a shift towards centralizing authorization into one service that can be operated by a specialized team. | ||
| This design is a perfect fit for when there are multiple software services in an organization that needs to share data in order to secure access to their resources. | ||
|
|
||
| ## When to use Cancancan instead of SpiceDB | ||
|
|
||
| Cancancan, and authorization libraries in general, excels when a monolithic or modular monolith architecture is the best fit for your software stack. | ||
| For example, there are framework utilities and reusable app libraries that your authorization models can leverage. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| import { Callout } from 'nextra/components'; | ||
| import PSDLight from '@/public/images/ps-light.svg' | ||
| import PSDDark from '@/public/images/ps-dark.svg' | ||
| import OPALight from '@/public/images/ps-opa-light.svg' | ||
| import OPADark from '@/public/images/ps-opa-dark.svg' | ||
| import SpiceDBLight from '@/public/images/ps-spicedb-light.svg' | ||
| import SpiceDBDark from '@/public/images/ps-spicedb-dark.svg' | ||
|
|
||
| # SpiceDB for Open Policy Agent (OPA) users | ||
|
|
||
| This document is designed to cover the conceptual differences between SpiceDB and Open Policy Agent (OPA). | ||
|
|
||
| <Callout type="info" emoji="ℹ️"> | ||
| The focus of the content below is not intended to be a competitive anlaysis, but rather a bridge to understand SpiceDB for existing OPA users. | ||
| </Callout> | ||
|
|
||
| ## SpiceDB vs OPA | ||
|
|
||
| Every complete permissions system is made up of three major components: *models*, *data*, and an *engine*. | ||
|
|
||
| While comparing SpiceDB and OPA is akin to comparing apples and oranges because they are fundamentally two different approaches, both can analyzed through the lens of these three components to understand the design of each. | ||
|
|
||
| A quick recap on the components and their purpose: | ||
|
|
||
| - **Models** define the logic and rules governing actions in the system. | ||
| - **Data** provides the context for action itself (who's doing it, the object of the action, and more) | ||
| - An **engine** interprets models and data in order to make an access control decision | ||
|
|
||
| <center> | ||
| <PSDLight className="p-5 h-96 w-96 dark:hidden"/> | ||
| <PSDDark className="p-5 h-96 w-96 hidden dark:block"/> | ||
| </center> | ||
|
|
||
| Open Policy Agent is a class of technology called a *policy engine*. | ||
| The fundamental idea behind policy engines is that access control decisions are the result of executing a computer program. | ||
|
|
||
| Referring back to the three components of a complete permissions system, policy engines typically implement only two of the three components: models and an engine. | ||
| Developers write programs, called policies, to provide the models of their system. | ||
| For OPA, their models are written in a language called Rego that was inspired by Datalog. | ||
| An engine, OPA itself, then executes these policies using any data usually provided at runtime with the request. | ||
| For data that is not provided with a request, there exist various configurations, strategies, and software projects for providing data into OPA-based systems; this aspect of OPA is open-ended. | ||
|
|
||
| <center> | ||
| <OPALight className="p-5 h-96 w-96 dark:hidden"/> | ||
| <OPADark className="p-5 h-96 w-96 hidden dark:block"/> | ||
| </center> | ||
|
|
||
| SpiceDB is a class of technology called a *database*. | ||
| The fundamental idea behind databases is that they store and index data efficiently so that it can be effectively queried. | ||
| While many databases are general-purpose, SpiceDB is optimized specifically for storing and querying authorization data. | ||
| SpiceDB provides all three components of a permissions systems: schema provides the models, the data is stored within the database itself, and the query engine interprets the two in order to make access control decisions. | ||
|
|
||
| <center> | ||
| <SpiceDBLight className="p-5 h-96 w-96 dark:hidden"/> | ||
| <SpiceDBDark className="p-5 h-96 w-96 hidden dark:block"/> | ||
| </center> | ||
|
|
||
| ## When to use SpiceDB instead of OPA | ||
|
|
||
| SpiceDB provides a comprehensive system and, while doing so, enforces opinions about how authorization should be done. | ||
| It encourages developers to consider data consistency upfront as they integrate applications and face other, often silent, failure domains such as the [New Enemy Problem]. | ||
| Adopting SpiceDB can be a powerful tool for enabling a shift towards centralizing authorization into one service that can be operated by a specialized team. | ||
|
|
||
| [New Enemy Problem]: ../../concepts/zanzibar#new-enemy-problem | ||
|
|
||
| ## When to use OPA instead of SpiceDB | ||
|
|
||
| OPA excels where in scenarios where it can be easily embedded or ran alongside an existing workload. | ||
| Because it is a fairly open-ended how one deals with data in OPA deployments, it shines best as a solution when access control decisions don't require much data. |
Oops, something went wrong.