#web-security
2022-11-18
Rupert (All Street)10:11:47

@anders982 / Open Policy Agent users. For a social network website where users are only authorised to send messages to "friends", would OPA (or similar authorisation frameworks) work for this use case? It seems the whole friendship graph would have to be replicated into OPA, which is major duplication. Also, the friendship graph can be so large it doesn't fit in memory - would that be a problem for OPA?

Anders Eknert10:11:33

You’re right that you probably wouldn’t want to replicate the friendship graph of every user into each OPA running in your environment. More likely you’d fetch that data as needed, and then cache it for some time. There are many strategies for working with large amounts of permission data, and that is commonly where most of the time is spent in large-scale deployments from my experience.

Rupert (All Street)10:11:10

Great, thanks for the info @anders982. It's good that OPA can do external lookups of data for authorisation (e.g. the friendship graph), but I guess this limits the ability for OPA to do any introspection/explanation on authorisation? (e.g. Given X, tell me everyone who can do Y, or explain why person A can do Y)

Anders Eknert10:11:53

Yes, if you’re dealing with large datasets and graphs, you’d probably integrate OPA with something like a Zanzibar-style database, and query that for those types of things.

Anders Eknert10:11:07

They certainly aren’t mutually exclusive 🙂

Rupert (All Street)10:11:33

Thanks, really helpful advice. Will explore more!
