by geal 1583 days ago
(biscuit author here) I like how that post points out a crucial issue in authorization systems: how powerful and flexible should we make them?

If you go towards flexibility, you get more complexity and possibly unexpected results. And they become hard to audit and explain.

You can choose simple, single-purpose systems, like an RBAC-only authz backed by a SQL database. You write tight, easy-to-understand policies. But systems always grow beyond the bounds of those rules, and you end up with a lot of ad hoc rules, or role explosion.

Datalog was a good tradeoff for Biscuit (https://www.biscuitsec.org): powerful enough to cover a lot of use cases, simple enough to be implemented the same way in multiple languages.
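To make the tradeoff concrete, here is an added example (not part of the comment above, and not Biscuit's own implementation or syntax, whose Datalog dialect differs) of a minimal bottom-up Datalog evaluator used as an authorization engine. The facts, rules, predicate names (`role`, `permission`, `owner`, `allowed`) and the `check_request` helper are all constructed for this illustration. It shows the two points in the comment: plain RBAC is one rule, and the "grows beyond roles" case (owners may write their own documents) is a second rule rather than a new role.

```python
# Added example: a tiny Datalog engine driving an authorization decision.
# Illustrative code written for this page; it is NOT Biscuit's implementation
# or syntax. All facts, rules and names below are constructed for the demo.

def is_var(term):
    """Variables are strings starting with '$'; everything else is a constant."""
    return isinstance(term, str) and term.startswith("$")

def unify(pattern, fact, env):
    """Try to match one body atom against one fact under bindings env.
    Returns the extended bindings, or None if they conflict."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if p in env and env[p] != f:
                return None
            env[p] = f
        elif p != f:
            return None
    return env

def match_body(body, facts, env=None):
    """Yield every binding environment that satisfies all atoms in body."""
    env = env or {}
    if not body:
        yield env
        return
    first, rest = body[0], body[1:]
    for fact in facts:
        e = unify(first, fact, env)
        if e is not None:
            yield from match_body(rest, facts, e)

def substitute(head, env):
    """Instantiate a rule head with the bindings found for its body."""
    return tuple(env.get(t, t) if is_var(t) else t for t in head)

def evaluate(facts, rules):
    """Naive fixpoint evaluation: apply every rule until no new fact appears.
    Rules are (head, body) pairs; the result is the set of all derived facts."""
    facts = set(facts)
    while True:
        new = set()
        for head, body in rules:
            for env in match_body(body, facts):
                derived = substitute(head, env)
                if derived not in facts:
                    new.add(derived)
        if not new:
            return facts
        facts |= new

def authorize(facts, rules, checks):
    """A request is allowed only if every check body matches at least once.
    Returns (allowed, list_of_failed_checks) so a denial can be explained."""
    derived = evaluate(facts, rules)
    failed = [c for c in checks if not any(True for _ in match_body(c, derived))]
    return (len(failed) == 0, failed)

# --- constructed policy (assumption: these users, roles and documents exist) ---
POLICY_FACTS = {
    ("role", "alice", "admin"),
    ("role", "bob", "viewer"),
    ("permission", "admin", "read"),
    ("permission", "admin", "write"),
    ("permission", "viewer", "read"),
    ("owner", "bob", "doc2"),
}

POLICY_RULES = [
    # classic RBAC: a user may perform an operation if one of their roles permits it
    (("allowed", "$u", "$op", "$res"),
     [("user", "$u"), ("operation", "$op"), ("resource", "$res"),
      ("role", "$u", "$r"), ("permission", "$r", "$op")]),
    # the "beyond RBAC" case: owners may write their own resource, with no extra role
    (("allowed", "$u", "write", "$res"),
     [("user", "$u"), ("operation", "write"), ("resource", "$res"),
      ("owner", "$u", "$res")]),
]

# The single check the authorizer enforces: the request must be derivable as allowed.
CHECKS = [
    [("user", "$u"), ("operation", "$op"), ("resource", "$res"),
     ("allowed", "$u", "$op", "$res")],
]

def check_request(user, operation, resource):
    """Combine the static policy with the request facts and decide."""
    request = {("user", user), ("operation", operation), ("resource", resource)}
    allowed, _failed = authorize(POLICY_FACTS | request, POLICY_RULES, CHECKS)
    return allowed

if __name__ == "__main__":
    for req in [("alice", "write", "doc1"), ("bob", "write", "doc1"),
                ("bob", "write", "doc2"), ("bob", "read", "doc1")]:
        print(req, "->", "allow" if check_request(*req) else "deny")
```

Because the engine is a fixpoint over explicit facts and rules, the whole policy is the list of rules plus the facts in play, and a denial can be explained by listing which check found no match; that is the auditability the comment is weighing against flexibility.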