I'm just wondering if there's a one-size-fits-all solution for authz. I spent a few days on a use case:
- users have one or several roles (these are hierarchical)
- there are some objects in the system (hierarchical too, e.g. files and folders)
- there are different features available according to a user's subscription.
I ended up with a 30-line program which, given a set of rules, calculates who can access what in less than a millisecond. Is it worth an over-engineered mega system?
The problem isn't the 30 lines, though. The problem is "millions of users, billions/trillions of objects" and both are non-hierarchical with pairwise sharing etc.
If the requirements were simple, the POSIX model would still work too :)
I agree. For my use case, once a user is authenticated, you get his roles and subscription. There's a limited number of features or actions for each object type, and a limited number of object types. So you can get the set of rules in the client to manage UI, and apply the same set of rules on the backend in the API.
In this use case the authz calculation time will be the same with a million users and a billion objects.
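The small rule-driven evaluator described in the two comments above (hierarchical roles, hierarchical objects, subscription-gated features, one rule table shared by the UI and the API), written out as an added example; this is not the commenter's program nor code from any project mentioned in the thread. The role names, plan tiers, rule table and folder tree are all constructed for illustration. The evaluation is deny-by-default: an action with no rule, a role not in the hierarchy, or a plan not in the tier table all yield "no".

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Role hierarchy as child -> parent; a role inherits everything its parent can do (constructed).
ROLE_PARENT: Dict[str, Optional[str]] = {"owner": "editor", "editor": "viewer", "viewer": None}

# Subscription tiers in ascending order; a feature gated at tier N is open to N and above (constructed).
PLAN_RANK: Dict[str, int] = {"free": 0, "pro": 1, "enterprise": 2}

# The rule table: (object type, action) -> (minimum role, minimum plan).
# Plain data, so the same table can be shipped to the client for UI decisions
# and enforced again in the API.
RULES: Dict[tuple, tuple] = {
    ("folder", "list"):   ("viewer", "free"),
    ("folder", "delete"): ("owner",  "free"),
    ("file", "read"):     ("viewer", "free"),
    ("file", "write"):    ("editor", "free"),
    ("file", "delete"):   ("editor", "free"),
    ("file", "export"):   ("viewer", "pro"),   # feature unlocked by subscription
}


@dataclass
class Obj:
    id: str
    type: str
    parent: Optional["Obj"] = None
    grants: Dict[str, str] = field(default_factory=dict)  # user id -> role granted on this node


@dataclass
class User:
    id: str
    plan: str


def implied_roles(role: str) -> Set[str]:
    """Expand a role into itself plus every role below it; unknown roles expand to nothing."""
    if role not in ROLE_PARENT:
        return set()
    out: Set[str] = set()
    current: Optional[str] = role
    while current is not None:
        out.add(current)
        current = ROLE_PARENT[current]
    return out


def effective_roles(user: User, obj: Obj) -> Set[str]:
    """Roles the user holds on obj, inherited down the folder chain from every ancestor."""
    roles: Set[str] = set()
    node: Optional[Obj] = obj
    while node is not None:
        granted = node.grants.get(user.id)
        if granted:
            roles |= implied_roles(granted)
        node = node.parent
    return roles


def can(user: User, action: str, obj: Obj) -> bool:
    """Deny by default: no rule, missing role, or unknown/insufficient plan all return False."""
    rule = RULES.get((obj.type, action))
    if rule is None:
        return False
    min_role, min_plan = rule
    if min_role not in effective_roles(user, obj):
        return False
    return PLAN_RANK.get(user.plan, -1) >= PLAN_RANK[min_plan]


def allowed_actions(user: User, obj: Obj) -> Set[str]:
    """The set a client would use to decide which buttons to show for obj."""
    return {action for (otype, action) in RULES if otype == obj.type and can(user, action, obj)}


def sample_world():
    """Constructed fixture: a root folder owned by alice, a subfolder bob can view, one file."""
    root = Obj("root", "folder", grants={"alice": "owner"})
    docs = Obj("docs", "folder", parent=root, grants={"bob": "viewer"})
    memo = Obj("memo.txt", "file", parent=docs)
    users = {
        "alice": User("alice", "pro"),
        "bob": User("bob", "free"),
        "carol": User("carol", "enterprise"),  # paying customer with no grants at all
    }
    return users, {"root": root, "docs": docs, "memo": memo}


if __name__ == "__main__":
    users, objs = sample_world()
    for name in users:
        print(name, sorted(allowed_actions(users[name], objs["memo"])))
```

Because the whole decision is a handful of dictionary lookups plus a walk up the object's ancestor chain, its cost depends on tree depth and rule count, not on the number of users or objects in the system, which is the point the commenter makes about scaling. The thing that does not scale this way is the grants map once sharing becomes pairwise and non-hierarchical, which is the case the reply above raises.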
You are not wrong. And this pattern shows up everywhere, e.g. do you need a SaaS for "feature flags", since they're just an if statement?
In the case of authz, the argument for separating it as a concern is that many applications can share the same scheme, and you can have specialized tools for provisioning, auditing, etc.
Exactly. When you cross a certain complexity threshold, it's worth separating concerns. It's true for configuration, it's true for IaC, and also for authorization policy.
It'd be remiss of us to let left-pad aaS [0] go unmentioned in this thread... For those in today's 'lucky 10,000'^, you're welcome.
There are definitely good arguments for it, services like feature-flagging I mean, and such things are generally relatively low-cost; it's more the risk of adding a 'disappearable' dependency for anything and everything that'd put me off.
(^And if you don't know about this, OMG how can you not have heard about lucky 10k?! Just kidding. [1])