# help
c
What is your opinion (benefits, drawbacks) about Zanzibar (https://research.google/pubs/pub48190/) and its implementations (Ory Keto/Ory Keto Cloud (https://www.ory.sh/keto/), authzed (http://authzed.com/))? Possible integration plans as a policy repository for Cerbos?
Zanzibar is a very interesting paper with a lot of great ideas. One thing to keep in mind though is that it was designed for Google-scale workloads. There are lots of moving parts involved and the infrastructure required to make it work well is not trivial. There are very few applications that require that level of sophistication and investment. This is probably why all the current Zanzibar providers are offering it as a SaaS solution. Trying to run all of that by yourself is not practical and you need the economies of scale afforded by a SaaS to make it work. Our approach is different because we want to provide a simpler, self-hostable solution that works well for most applications that serve maybe thousands of users at most and not millions or billions. We also believe that access control is too critical to be handled by a SaaS because access control permeates through the entire application. Every single action a user makes with your application needs to be checked quickly and correctly. If the decision point is down, your application simply can't function at all because there's no fallback. With Cerbos you are in full control of that critical infrastructure. Your downtime is your downtime and not somebody else's.
Same question about OSO (https://www.osohq.com/) and OPA (https://www.openpolicyagent.org/)? (Possible integration plans as wrappers between Cerbos and other products?)
Same question about Casbin (https://casbin.org/) and Keycloak (https://www.keycloak.org/, ex.: https://medium.com/@harsh.manvar111/keycloak-authorization-service-rbac-1c3204a33a50)
These are all great projects and I am not going to compare all of them one by one and point out perceived flaws. What we think differentiates Cerbos from these offerings are the following:
- Cerbos doesn't require you to learn a completely new policy programming language.
- Cerbos is external to your application. You can share policies and effect change across many services at once without having to recompile and redeploy a bunch of applications.
- Cerbos is simple to deploy. To get it up and running all you need to do is run the container and point it to a Git repository.
What do you think about a role activation feature? Somehow track this activation event and execute an AWS Lambda or Google Cloud Function or something like that…
Intriguing idea. We would love to hear more about your use case.
What do you think about a multi-tenant feature? Is it possible to create several organizations using the same service? It is useful for B2B SaaSes (at least with freemium/trial/starter plans)…
I am not sure I understand your question. Cerbos can support multi-tenant use cases. If there's something specific you have in mind, we can discuss that and see how we can help you there.
What do you think about a “roles/tags for resources” feature for creating groups of objects? What is the preferred way to implement it?
Cerbos does not make a lot of assumptions about the state of your objects. You can pass in whatever useful information you think is pertinent in the attributes and write a policy rule that makes use of that information.
Is it possible to set object-level access? (add user1 with role2 to object3)?
I think you are talking about ACLs. It is possible but perhaps not as easy as we'd like it to be. We are working on figuring out the best way to express such relationships.
Is it possible to implement something like Google Cloud IAM (without service accounts) on top of Cerbos (https://cloud.google.com/iam/docs/concepts)?..
Yes. There are lots of overlaps between IAM policies and Cerbos policies. If you have something specific in mind, we'd love to hear it and see how Cerbos can be used to implement that.
Is Cerbos stable and a good choice for a beta/MVP production bootstrapped project (as an alternative to django-guardian, for example)?
Yes. Cerbos is quite stable at this point. We don't envision any major breaking changes in the near future.
Can I somehow deploy it to Google Cloud Run and Google Cloud Storage, or AWS Lambda and S3?..
You can deploy the Cerbos container to Cloud Run or Lambda. We don't have support for loading policies directly from GCS or S3 yet though.
Do you have plans to create a Python SDK (async-based, maybe on https://www.python-httpx.org/… async is good for I/O-bound tasks)?
Yes. Python is at the top of our list.
m
@Charith (Cerbos) The question about OPA is what prompted the tweet - https://twitter.com/moderat10n/status/1435043789848989699
Is Cerbos just a wrapper around OPA that converts YAML policy into Rego policy that OPA understands?
c
At the moment, yes, we do convert YAML to Rego for evaluation. But we are not aiming to be a wrapper around OPA so that's likely to change in the future.
OPA is only an implementation detail.
m
Ok, thanks
p
Hi, is OPA still used as a backend? I wonder whether any benchmarks of Cerbos can be found, specifically for IAM-like policies where a large number of users/groups + a large number of resources + a small number of actions are all stored in a multi-tenant DB? I would like to try Cerbos as a replacement for a home-brewed authorization system based on OPA, but I’m concerned about using OPA underneath, mainly due to performance problems found in our system similar to what the Ory guys discovered while using OPA - https://github.com/open-policy-agent/opa/issues/1443, which drove them to move off to a Zanzibar impl.