by gemanor
1035 days ago
> And then you start to think about caching, data consistency, and so on

If you are looking at OPA or Cedar as a standalone engine, this is the correct assumption. To avoid this hassle, there is an open-source tool called OPAL[1] that will let you run the policy engines with all the sync work without any investment in custom solutions. OPAL has a ready mechanism for data fetching and synchronization, so you can plug it into your application's data and not worry about the data.

Disclaimer: I'm one of the OPA maintainers.

[1] https://github.com/permitio/opal

- Authz data is kept in memory, so what you can authorize over is limited by the memory of the box you run OPAL/OPA. The docs also mention sharding, but I'm not clear on how you actually do that with OPA. [0] Maybe there's another doc that I missed.
- You can get a token representing the last time data was synced to the cache in an OPAL health check, but I'm not clear on how you'd use it to ensure consistency in your application since hydrating the cache is asynchronous. [1]

Anyway, those are the types of things Zanzibar is concerned with, so that comparison (instead of Cedar) would've made more sense to me. Without spending more time on it, I'm not sure if I've represented OPAL correctly above; that's just what I found when I went looking.

[0]: https://docs.opal.ac/faq/#handling-a-lot-of-data-in-opa
[1]: https://docs.opal.ac/faq/#how-does-opal-guarantee-that-the-p...