On this week’s episode of the Kubelist podcast, Jake Moshenko and Jimmy Zelinskie from Authzed joined us to discuss SpiceDB, their open source implementation of the Zanzibar project. Listen to this episode if you are thinking about adding a robust authorization feature to your app, or if you have one that’s a little painful to maintain. Jake and Jimmy have clearly been thinking a lot about this problem! 🎧

Issue #155

Tune into this week’s episode of the podcast to hear Jake and Jimmy talk about SpiceDB, why it’s OSS, what it does, and a lot more. This is the core of their product (Authzed) and it’s open source. SpiceDB is a great project and gives you a lot of authorization (authz) services quickly. 🎙

Digging into the SpiceDB project shows how thoughtfully it approaches productionizing authz. It turns out that enforcement is only part of the job: you also need to continuously test and migrate RBAC policies as you roll out new functionality.

Here’s a link to the Zanzibar paper that started it all. Google published this doc outlining how to build these complex authorization systems, and SpiceDB is an implementation of Zanzibar. If you are interested in the paper, it’s a really good read and helps show the complexity of the problem. 📃

Jake mentioned the New Enemy problem on the podcast, and we weren’t familiar with it. So we did a little research, grabbed a link, and included it here. This blog post does a good job explaining this problem with distributed systems and ACLs, as defined in the Zanzibar paper, and starts to show the complexity of designing and building your own authorization system. 👾
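To make the problem concrete, here is a small added simulation (ours, not code from the blog post, the paper, or SpiceDB). It models an ACL store whose read replicas can lag behind the latest revision, and a document whose newest content was written after Alice revoked Bob’s access. The names (`AclStore`, `Document`, `scenario`) and the revision numbers are constructed for this example; the protective rule it applies, evaluating the check at a revision no older than the one recorded when the content was written, is the Zanzibar “zookie” idea.

```python
"""Toy simulation of the 'New Enemy' problem from the Zanzibar paper.

Constructed example: an ACL store keeps append-only revision snapshots, and a
read may be served from a replica that has not yet seen the latest revision.
Each document version records the ACL revision that was current when it was
saved (Zanzibar's 'zookie'), so a later check can refuse to use an older one.
"""
from dataclasses import dataclass, field


@dataclass
class AclStore:
    # revision -> frozenset of (object, subject) grants; revisions are immutable snapshots
    snapshots: dict = field(default_factory=dict)
    head: int = 0

    def __post_init__(self):
        self.snapshots[0] = frozenset()  # revision 0: no grants at all

    def write(self, grants: frozenset) -> int:
        """Commit a new ACL snapshot and return its revision number."""
        self.head += 1
        self.snapshots[self.head] = grants
        return self.head

    def check(self, obj: str, subject: str, at_revision: int) -> bool:
        """Evaluate the ACL as it was at a given revision (what a lagging replica sees)."""
        return (obj, subject) in self.snapshots[at_revision]


@dataclass
class Document:
    content: str
    written_at: int  # ACL revision that was current when this content was saved


def scenario(enforce_zookie: bool) -> bool:
    """Run the New Enemy sequence and report whether Bob can read the new content.

    Returns True when the bug occurs (stale ACL grants access to newer content)
    and False when the check is correctly denied.
    """
    acl = AclStore()
    r1 = acl.write(frozenset({("doc1", "bob")}))  # Bob is granted access to doc1
    r2 = acl.write(frozenset())                   # Alice revokes Bob's access
    doc = Document("content Bob must never see", written_at=r2)

    # Bob's check is routed to a replica that has only caught up to r1.
    replica_revision = r1

    if enforce_zookie:
        # Zanzibar rule: never evaluate at a revision older than the content's zookie.
        # (A real system would wait for the replica to catch up or forward the
        # request; here every snapshot is local, so we just pick the newer revision.)
        revision = max(replica_revision, doc.written_at)
    else:
        revision = replica_revision

    return acl.check("doc1", "bob", revision)


if __name__ == "__main__":
    print("without zookie, Bob sees new content:", scenario(enforce_zookie=False))  # True
    print("with zookie,    Bob sees new content:", scenario(enforce_zookie=True))   # False
```

The unprotected path shows the failure the paper describes: the revocation and the new content were written in order, but a stale replica answers the check with the old ACL, so Bob reads content written after he lost access. Carrying the ACL revision alongside the content and enforcing it at check time is what closes that window, and it is one of the reasons rolling your own ACL store is harder than it first looks.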

Enforce, decide, model. Authorization might seem easy, but it’s not. I’ve even heard authorization described as the “third rail” of systems: best to be careful and thoughtful about implementation. A good authz system is complex enough that you really should put it in the same bucket as crypto: best not to attempt to implement it yourself. This post is a great description of why the problem is so hard. 👥

A good post from the Authzed team describing the work that Jake has done collecting and comparing different Zanzibar implementations. There are 6 listed here, and all worth checking out. Of course, we’d recommend SpiceDB after this conversation, but make an informed decision!

A cool visual guide to troubleshooting deployments. Also wow, Kubernetes is complex.