Discover and read the best of Twitter Threads about #fgaatscale

Most recents (4)

1/ Let's continue exploring how the "Zanzibar" model allows us to solve #fgaatscale 👇

3️⃣ Correctness: no invalid permissions are granted

To provide "correct" answers, an ACL check needs to always read a "valid view" of the system.
2/ "Valid" means: the full state read from storage should have existed at a "logical point in time" and includes all committed records at that point.

The picture provides a counterexample: a request should not read two different values from a namespace at different reads.
3/ Similarly, new tuples should not "show up" in a request's query replies while it executes.

This applies to:
- in progress transactions
- records committed in the lifetime of the request

Summarizing: reads should be consistent at a "logical timestamp" within a request.
Read 10 tweets
1/ Back after last week's break 😴, ready to talk about why we picked the "Zanzibar model" for project #sandcastle: 👇
2/ We've shared the 5 things needed to solve #fgaatscale


Let's explore high-level how "Zanzibar" works and how it meets those needs

research.google/pubs/pub48190/
facebook.com/atscaleevents/…
3/ 0️⃣ Introduction
Zanzibar is a "Relationship based access control" (ReBAC) authorization system, i.e.: a user has access to an object if it has a particular relation to it.

Zanzibar stores (object, relation, user) "tuples" with data about these relations.
Read 11 tweets
1/ We've analyzed the #fgaatscale problem:

We've shared our view on the market:

It's time to tell you what we are planning to build 🥁... 🧵
2/ Project #sandcastle will be a globally distributed, highly reliable service for large scale, fine grained authorization.

It's based on @Google's Zanzibar paper: research.google/pubs/pub48190/, which powers #fgaatscale for @googledrive, @googlecloud, @YouTube and other @Google products!
3/ You'd:
1. Sign up for a subscription
2. Configure who has access to what
3. Pick an SDK for your favorite language/tool
4. (optionally) Feed your authZ data from existing sources into #sandcastle

That's the ideal future. At this point you'd have AuthZ for your app 🤯
Read 8 tweets
1/ Having analyzed the @github and @googledrive #fgaatscale cases, we'll share our view on the authz market.

We'll go over what is currently being addressed and what the gaps are👇
2/
As we've mentioned before, solving #fgaatscale requires:
1️⃣ Permission modelling flexibility
2️⃣ Auditing capabilities
3️⃣ Correctness: no invalid permissions are granted
4️⃣ Low Latency
5️⃣ High availability
3/ Solving #fgaatscale is becoming a need because:
☝️ Users expect collaboration features in most products they use, and that requires FGA
✌️ Increasing privacy and compliance regulations require companies in different verticals to restrict access as much as possible
Read 21 tweets
