Fine-grained authorization for your Ruby apps
Access controls in Ruby on Rails
Ruby on Rails is an open-source server-side web application framework written in Ruby. Rails is a model–view–controller (MVC) framework that provides default structures for databases, web services, and web pages. It’s the most popular Ruby web framework and one of the top reasons developers choose to learn Ruby.
Aserto is an authorization service that brings secure, distributed, auditable access management to applications built with Ruby on Rails. It is built on top of trusted open-source projects like Open Policy Agent (OPA), Open Container Initiative (OCIv2), and Topaz, and brings role-based access control (RBAC), attribute-based access control (ABAC), and relationship-based access control (ReBAC) to Ruby on Rails applications.
Why use Aserto over libraries, like CanCanCan?
There are a few key differences that set Aserto apart from the Ruby on Rails libraries you might be familiar with:
Authorize locally, manage centrally
When implementing authorization in an application, Rails libraries are embedded directly into the application. This means that each microservice has to define and enforce its own authorization policy. The application also needs to capture and handle decision logs for compliance and auditability.
If your application consists of several services and runs multiple instances of these services, central management of all the authorization artifacts and decision logs creates a streamlined path to operating a distributed and/or modern microservices architecture. Aserto comes with a central control plane for centralized management of your users, authorization data, policies, and decision logs.
Separation of concerns
Aserto facilitates separation of concerns by extracting the authorization logic out of the application code and storing/versioning it as its own code artifact. This allows security engineers to evolve the policy independently of application code. It also brings a policy-as-code approach to developing policies, rather than hardcoding permission logic into application code.
Users as first-class citizens
Additionally, Aserto treats users and roles as first-class citizens. The Aserto directory is continuously synchronized with the local authorizer instances, so that Aserto can reason about users and roles as a part of the policy without requiring role resolution as an additional external step.
Having user and role information come from the Aserto directory mitigates the risks of coding errors feeding incorrect data into the decision engine.
Setting things up
To get started you’ll want to leverage the Ruby on Rails SDK to add authorization middleware. This package allows Rails applications to use Aserto as the authorization provider.
Deployment options
Creating a tenant in Aserto will automatically create a corresponding Authorizer instance with which you can develop and test. The Ruby on Rails SDK uses the gRPC API bindings to make it easy to integrate the Aserto authorizer into Ruby on Rails applications.
Projects in production can deploy Aserto authorizers as sidecars, or as local services right next to your application instances. By launching the authorizer as close to the application as possible we are able to provide minimal latency and 100% availability.
Decision logging
Decision logging creates an easy audit trail for security and compliance. All decisions made by an Aserto authorizer are automatically captured and can be viewed in the Aserto control plane. You can also easily stream these logs to your SIEM or favorite log analysis tool.
Topaz OSS authorizer
The Aserto authorizer is known as Topaz. Topaz is an open-source authorization system you can launch in your cloud today to begin to add RBAC, ABAC, or ReBAC to your Ruby on Rails applications.
Topaz makes authorization decisions based on three important inputs:
1. Policies from your policy registry
2. Users, attributes, and roles from your identity provider (e.g. Okta, Auth0) supplemented with application-specific information stored in the Aserto directory
3. Resource context passed in by your application
Any changes to users, attributes, policy, or resources are automatically synchronized into the Aserto directory. Aserto pushes updates to all the local authorizers in real-time, ensuring your decisions are based on up-to-date information.
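The middleware mentioned under "Setting things up" and the three decision inputs listed above can be shown together in one piece of Rack-style Ruby. This is an added example, not code from the Aserto or Topaz SDK: `StubAuthorizer`, `AuthorizationMiddleware`, the `authn.subject` env key, the `DOCUMENTS` store, the route table, and the directory and policy data are all constructed for illustration. The stub evaluates a tiny rule set in-process so the example runs offline; in a real deployment the same policy path, identity, and resource context would be sent to a local Topaz authorizer, which would reason over directory data it already holds.

```ruby
require "json"
require "time"

# Stand-in for a local authorizer instance (hypothetical, not the SDK client).
# It applies a small policy over the three inputs the page lists: the policy
# path, the identity with its roles as the directory would supply them, and
# the resource context passed in by the application.
class StubAuthorizer
  # Constructed directory data: subject => roles.
  DIRECTORY = { "alice" => ["admin"], "bob" => ["member"] }.freeze

  # Constructed policy: roles allowed per policy path; owner_ok lets a
  # document's owner edit it (a relationship-based rule).
  POLICY = {
    "rails.documents.index"   => { roles: %w[admin member] },
    "rails.documents.update"  => { roles: %w[admin], owner_ok: true },
    "rails.documents.destroy" => { roles: %w[admin] },
  }.freeze

  # Returns true only when a rule explicitly allows; unknown policy paths and
  # anonymous callers are denied (default deny).
  def is(policy_path:, identity:, resource:)
    rule = POLICY[policy_path]
    return false if rule.nil? || identity.nil? || identity.empty?
    roles = DIRECTORY.fetch(identity, [])
    return true unless (roles & rule[:roles]).empty?
    rule[:owner_ok] == true && resource["owner"] == identity
  end
end

# Rack-style middleware: derives the policy path from the routed
# controller/action, builds the resource context, asks the authorizer,
# and records every decision so it can be shipped to an audit log.
class AuthorizationMiddleware
  # Constructed resource store: document id => attributes.
  DOCUMENTS = { "1" => { "owner" => "bob" }, "2" => { "owner" => "alice" } }.freeze

  # Constructed route table: [method, path pattern, [controller, action]].
  ROUTES = [
    ["GET",    %r{\A/documents\z},       %w[documents index]],
    ["PATCH",  %r{\A/documents/(\d+)\z}, %w[documents update]],
    ["DELETE", %r{\A/documents/(\d+)\z}, %w[documents destroy]],
  ].freeze

  attr_reader :decision_log

  def initialize(app, authorizer:, policy_root: "rails")
    @app = app
    @authorizer = authorizer
    @policy_root = policy_root
    @decision_log = []
  end

  def call(env)
    controller, action, id = route(env)
    return [404, {}, ["not found"]] if controller.nil?

    # Authentication is assumed to have run earlier and stored the subject here.
    identity = env["authn.subject"]
    return [401, {}, ["unauthenticated"]] if identity.nil?

    policy_path = "#{@policy_root}.#{controller}.#{action}"
    resource = { "id" => id }.merge(DOCUMENTS.fetch(id, {}))
    allowed = @authorizer.is(policy_path: policy_path, identity: identity, resource: resource)

    # Decision log entry: who asked for what, against which policy, and the outcome.
    @decision_log << {
      time: Time.now.utc.iso8601, policy_path: policy_path,
      identity: identity, resource: resource, decision: allowed ? "allow" : "deny"
    }
    return [403, {}, ["forbidden"]] unless allowed

    @app.call(env)
  end

  private

  # Resolves [controller, action, id] for the request, or nil when unrouted.
  def route(env)
    ROUTES.each do |method, pattern, (controller, action)|
      next unless env["REQUEST_METHOD"] == method
      m = pattern.match(env["PATH_INFO"])
      return [controller, action, m[1]] if m
    end
    nil
  end
end

# Sends one request through the middleware and returns [status, decision log].
def run_request(method, path, subject)
  app = ->(_env) { [200, {}, ["ok"]] }
  mw = AuthorizationMiddleware.new(app, authorizer: StubAuthorizer.new)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path }
  env["authn.subject"] = subject unless subject.nil?
  status, = mw.call(env)
  [status, mw.decision_log]
end
```

The point of the shape is that the application never reasons about roles itself: it only names the policy path, passes the identity it authenticated, and supplies resource attributes, and every decision (including denials) lands in the log before the controller runs.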
Aserto comes with the following benefits:
- Out-of-the-box support for audit trails, custom roles, RBAC, ABAC, and ReBAC
- Open-source authorizer you can deploy in your cloud today
- Use a policy-as-code workflow to build, tag, push, version, and pull policy images just like docker images
- Quick onboarding via first-class citizen integrations with your identity provider, artifact registry, logging system, backend programming language, and frontend framework
- Built on top of trusted open-source projects, including the Open Policy Agent (OPA) and Topaz