We had an amazing time at KubeCon last week. It was great to discuss cloud-native authorization and share the exciting news about the launch of Topaz, an open-source authorization system that combines the best of OPA and Google’s Zanzibar.

Up until now, there really wasn't a way to build fine-grained, policy-based, real-time access control for applications using open-source software. The open policy agent (OPA) is a great decision engine, but is optimized for infrastructure scenarios, like Kubernetes admission control. On the other hand, there is a new generation of access control popularized by Google's Zanzibar, the authorization system for Google Drive. This model is called relationship-based access control (ReBAC).

Topaz marries the two together to provide developers with the best of both worlds. Topaz is an OPA policy-based system with an embedded directory that allows you to answer questions like ”does user X have permission Y on object Z?” Bringing it all together and making it open-source is a real game changer.

As organizations grow and spin up more and more microservices, each one of these microservices does authorization differently. And, as a result, it's impossible to reason about the full surface area of permissions in the application. We are hearing from more and more organizations that they need a standard layer for authorization across the organization. That is what we are solving with Aserto.

Aserto is built on top of Topaz and provides a control plane which enables central management of policies, users, groups, objects, relations, and decision logs. And it syncs any changes to these with every locally-deployed authorizer over a real-time data fabric.

Industry leaders pathing the way

It seems that almost every industry leader has shared their story of how they built fine-grained authorization into their system. It's not just Google with Zanzibar, it's Intuit with AuthZ, it’s Airbnb with Himeji, it's Carta, and it's Netflix. All of them are now talking about how they extracted access control into its own service to manage complexity and regain agility.

These organizations have engineering powerhouses that are capable of building what every other organization can only dream of. And that is to have one access control service for all of their microservices, applications, and APIs.

Topaz is how the common organization is going to implement an access control service without having to build it in the same way that large companies with sizable engineering teams have.

More about this, the future of the cloud, and thoughts about WebAssembly in the video below: