We rewrote OpenFGA in pure Postgres

https://getrover.substack.com/p/how-we-rewrote-openfga-in-pure-postgres

24•wbadart•2h ago

Comments

ygouzerh•1h ago

Interesting read! It kind of a became a rule nowadays to never store logic in the database nowadays, but it's always refreshing to see when it could work. Please give us an update in few months of how it is going on the long run!

esafak•1h ago

I have similar concerns, like how to reconcile authz with search. Search wants to be its own thing, and so does authz. Pray tell how I'm supposed to get a paginated list of authorized results? You have to filter or have the search service call the authz service. Life is easier when the main database can handle everything.

We should develop and translate this extension to other databases.

babelfish•36m ago

Authorized search isn't difficult. Store authorized readers (people, groups, etc) on each result to pre-filter results, then post-filter results with an additional authorization check in case the authorization store was updated but the search results store was not. Context: I've built an authorized search solution before.

jschorr•36m ago

Reconciling externalized authz with search is actually quite a challenging problem. For standard externalized authz, the recommendation is some form of pre-filtering or post-filtering [1], for which we actually built LookupResources (pre-filtering) and CheckBulkPermission (post-filtering) into SpiceDB.

However, as you mentioned, life is easier when the main database can handle everything, so we actually built a solution in that space called Materialize [2], which heavily denormalizes the authorization data and allows for joining within application databases such as Postgres. My colleague Evan actually put together a really cool video about using it with Gitea [3].

Recognizing that even with Materialize, however, the need to consume events can be a bit annoying, I've been doing some work to allow Postgres itself to do native JOINs against SpiceDB (and other operations). I demo it briefly in our recent announcements video [4] and I think it effectively solves this problem within Postgres, while still allowing for all the benefits (scale, performance, redundancy, distribution) of externalized authz.

[1]: https://authzed.com/docs/spicedb/modeling/protecting-a-list-...

[2]: https://authzed.com/products/authzed-materialize

[3]: https://www.youtube.com/live/u3i1SEd9Ll8?si=mCz5mZterxthoEwj

[4]: https://www.youtube.com/live/uz_gxz3whS0?si=g4NUZAIltYVyFzYj...

Disclaimer: I'm cofounder and CTO at AuthZed and we build SpiceDB and Materialize

bsder•33m ago

I originally read that as OpenFPGA (note the extra P) and wondered what kind of eldritch abomination they had created ...

forks•27m ago

> The big problem that we kept running into was keeping everything in sync all the time. Every time we add a new user, organization, repository, etc. in our database, we also had to add the corresponding tuples in OpenFGA.

This is a fundamental problem with all Zanzibar-inspired authorization systems[0] that require centralizing ~all authorization data and led us @ Oso to build a more flexible system[1] that grants more control over what authorization-relevant data you centralize vs. decide keep locally.

0: https://www.osohq.com/post/authorization-for-the-rest-of-us

1: https://www.osohq.com/docs/develop/facts/local-authorization

disclosure: founding engineer at Oso

The natural clocks that can pinpoint someone's time of death

Tomorrow Corporation Tech Demo [video]

Why more people are going to gigs, festivals and clubs alone

Suzanne Somers' widower is trying to recreate her with AI

Perplexity at Work: A Guide to Getting More Done [pdf]

Illinois utility tries using electric school buses for bidirectional charging

Chris Paik: A Taxonomy of Innovation – Capacity, Coordination, and Connectivity

Show HN: LunaRoute – a high-performance local proxy for AI coding assistants

ShieldAI Launches the X-Bat

No Appointments, No Nurses, No Private Insurance Needed

AI Video Maker – Generate videos from text or images using Sora, Veo, and more

15M Budget Line That Doesn't Exist – Certificates

A billionaire has rebuilt downtown Detroit

Knowledge Transfer from High-Resource to Low-Resource Languages for Code LLMs (2023)

C++26: Printing `std:tuple` with expression templates

"Butt breathing" might soon be a real medical treatment

The future of Python web services looks GIL-free

A Furious Debate over Autism's Causes Leaves Parents Grasping for Answers

Active mechanical logic gates – Capstan Lever Logic (CLL) [video]

Git considers SHA-256, Rust, LLMs, and more

Experts say the high failure rate in AI adoption isn't a bug, but a feature

My Data Career Journey So Far

It's Not Just You – The iOS Keyboard Is Broken [video]

California cracks down on water theft but spares data centers

The Hidden Engineering of Niagara Falls

You Probably Don't Need to Switch from Pandas to Polars

Uber: Rebuilding Uber's Apache Pinot Query Architecture

I Still Love R. I Just Wish More People Did

Why calm leadership matters most when everything's on fire

Pixel Art in Microcontroller Displays [link fixed]