[Extension Proposal] Authzed Client

[iocanel]

Description

An extension for connecting to authzed instances. Autzed is a dynamic, centralized, permissions database, inspired by Google's tried-and-true Zanzibar system.

The extension is the equivallent of https://github.com/quarkiverse/quarkus-openfga-client and eventually could be used in https://github.com/quarkiverse/quarkus-zanzibar to add authzed support.

Repository name

quarkus-authzed-client

Short description

An extension for connecting to authzed instances.

Repository Homepage URL

https://quarkiverse.github.io/quarkiverse-docs/quarkus-authzed-client/dev/

Repository Topics

• quarkus-extension
• fga
  ...

Team Members

• iocanel

GitHub Applications?

• Stale - Automatically close stale Issues and Pull Requests that tend to accumulate during a project

Additional context

A prototype can be found at: https://github.com/iocanel/quarkus-authzed-client

[quarkus-bot]

/cc @aloubyansky, @gastaldi, @gsmet, @maxandersen

[sberyozkin]

@iocanel Hi, can quarkus-openfga-client talk to Authzed as well, or do you think of providing a more Authzed specific client support with this new extension ?

[jzelinskie]

Hey there! I'm a maintainer for SpiceDB (Authzed) and thought it might be useful to chime in.

While OpenFGA has adopted code from SpiceDB for its internals, they chose not to create an API that was compatible.

This is actually quite reasonable, because the Zanzibar paper documents a live system at Google rather than a particular algorithm or methodology. Folks that have read the paper can walk away with completely different ideas of what makes the system novel. It's unlikely that the systems "inspired by Zanzibar" are going to have a standardized API any time soon because these systems might have entirely different goals.

For example, there are parts of the paper that are open-ended, such as how to represent users. The paper documents a system reliant on GAIA, Google's identity provider, which does not exist outside of Google. Thus implementers are forced to come up with their own solutions. For example, SpiceDB is designed to model users in their system however one pleases, which is more powerful and open for integration with other systems.

As the ecosystem matures, I don't necessarily see a convergence -- rather the opposite. Having implemented the paper's APIs ~2 years ago, SpiceDB is focused on new functionality that improves the status quo. It supports APIs such as LookupResources and LookupSubjects that are powerful additions, but are unlikely to be available in other systems.

[sberyozkin]

@jzelinskie Hi, thanks for the insightful comments, it makes it clearer that having a dedicated quarkus-authzed-client does indeed makes sense, cheers

[iocanel]

@jzelinskie thanks for chiming in.