When Oso differentiates between monoliths and microservices, what are the 2 main things we need to know to confirm a company is microservices by our definition?
1. separate services supporting the same app
2. separate databases supporting those services
What is RBAC/ABAC/ReBAC
Ways to think about modeling the authz problem
What is list filtering?
When I want to show a list to my user that will be filtered in some way by authorization
How does Oso ensure low latency?
We achieve low latency by running instances of Oso Cloud as close as humanly possible to your VPC.
What is the Oso Fallback?
Instance of Oso in our customer's VPC
Why do we care if services are supported by different databases?
Because then the company needs to worry about getting data from one place to another. That's painful and creates a good opportunity for Oso
What is Polar?
DSL that we built and maintain for authz
Why does list filtering need to be fast?
User experience
My authz model is for a Calendly. All users can create Calendly links. Links cannot be edited by anyone who isn't the creator. Some links are private and can only be used by internal employees. Some links are public and can be used by anyone who has the link. Admins at my company can adjust availability for anyone's Calendly link.
What patterns do you hear?
Public/Private
Roles
Relationships (owner/creator)
How does Oso ensure high availability?
Running instances of Oso Cloud everywhere from Singapore to SF and across multiple availability zones
Why are microservices in our ICP?
Since data is separated, these companies have more pain when they're doing authz. We want to work with companies in pain!
What are the three parts of the authz problem?
Model, data, enforcement
Example for why we would need non authorization data in list filtering?
Up to Marci
Can you describe an example of list filtering in Docusign?
All of the documents I have access to sign
What is the difference between "centralizing the logic" and syncing the data to a centralized place?
Logic can be moved to a central place and called upon with an API
What does Oso do to solve authz in microservices?
Why is authorization on the critical path?
Apps need to use authorization
What are the shortcomings with Zanzibar?
1. Synced data is hard to keep in sync and error-prone
2. It's computationally intensive and will lead to poor performance
My authorization model includes Project owners who create projects. Some projects are public, some are private. If they are public, they become private by a certain date. All projects belong to domains. There are also members. Members can view all projects, but they can't create them.
What patterns do you hear?
Hierarchy
ABAC/Public and Private
Expiring Access
RBAC
When we ask the app an authorization question
Why is authorization/list filtering particularly hard in microservices?
We want to centralize authorization but the data is spread out across multiple services. These 2 things are fundamentally at odds with each other
What is the difference between the backend and the rules?
The backend refers to a physical part of the application where all of the logic is stored to make the app actually work
The rules (also called the model or the logic) refer to the authorization logic specifically in your app
How does Zanzibar solve for list filtering?
Sync all authz relevant data to one place
Does the Fallback help with performance/latency or uptime?
*why*?
Uptime
What are the 2 types of authorization questions you can ask? With an example
1. Yes/No: Can I open this file?
2. List: show me all of the opps I have access to