Ask HN: Experience using Zanzibar-styled authorization in production?
In particular, with some OSS solution, like Ory Keto (https://www.ory.sh/keto) or Authorizer (https://www.authorizer.tech/docs/overview/introduction), both of which look promising for our use case.
Even though Ory Keto is more well known, Authorizer seems to be a step ahead by already supporting subject set rewrites, one of the key core concepts from the original Zanzibar paper (the lack of which being a major handicap).
Also, how do you manage cascade relation tuple deletion upon deleting the corresponding object/subject resource (e.g. user/group/etc)?
2 comments
[ 2.4 ms ] story [ 16.6 ms ] threadhttps://tailscale.com/blog/rbac-like-it-was-meant-to-be/
And see also this talk explaining the Zanzibar paper from Authzed.com a startup that will sell you Zanzibar as a service.
https://authzed.com/blog/what-is-zanzibar/
I'm aware of authzed, and have watched their PWL talk. Fwiw, I found their solution to be very compelling, however it just doesn't seem to work well for the problem I'm working on (basically requiring a sidecar service running in a Docker container, as opposed to a SaaS).