Skip to main content

· 5 min read
The Warrant Team

Warrant Changelog - Jan 2024

Hey everyone! 👋

In our latest batch of changes, we've made some major updates to the Warrant event + audit log, added the ability to configure org-level roles for teammates in the Warrant Dashboard, and made a ton of usability improvements to the Dashboard. Let's get into the details!

· 5 min read
Aditya Kajla

At Warrant, we're building authorization and access control infrastructure for developers.

Our mission is to provide developers with everything they need to quickly add enterprise-grade authorization and access control (roles and permissions, ABAC, fine-grained, pricing tiers and feature entitlements) into their applications, so they can focus on building their core products.

As a fast moving startup, our focus is often on 'now' and 'what's next', and less so on what 'was'. However, with only a few days left until 2024, I wanted to take a few minutes to reflect on an action-packed 2023 and all that our team accomplished this year.

Highlights

· 4 min read
Aditya Kajla

Launch Week, Day 5

Happy Friday! It's the final day of Launch Week! In case you missed the previous days, you can catch up here: Day 1, Day 2, Day 3 and Day 4.

Throughout the week, we've talked about various nuts & bolts upgrades to the Warrant platform that bring improved performance, resiliency, and safety to the APIs and core authorization service.

Today, we're excited to introduce Warrant templates, a repository of pre-defined and purpose-built object types schemas designed to get you up and running with Warrant in minutes. Simply pick a template that matches your application use-case and deploy it into your Warrant environment using the CLI. Each template also ships with a test suite with sample tests, making it easy to iterate.

· 3 min read
Aditya Kajla

Launch Week, Day 4

Welcome to Day 4 of Launch Week! In case you're just joining us, check out what we launched on Day 1, Day 2, and Day 3.

Yesterday's post detailed many of the enhancements we've made to Warrant over the past few months to improve overall performance and resiliency in production. Today's post is going to focus exclusively on testing and correctness, which are equally (if not more) important in an authorization service.

· 4 min read
Aditya Kajla

Launch Week, Day 3

Happy hump day! Day 3 of launch week is focused entirely on some exciting performance and reliability upgrades for Warrant. In case you missed the previous days, here are the links: Day 1 and Day 2.

From the beginning, we've envisioned Warrant as a globally distributed, highly performant and highly available authorization service that developers can easily plug into their applications without worry. Building such a cloud service is tough. We're thankful to our customers who have entrusted us with powering their authorization and helped us evolve Warrant over the past year+ into a service that now processes millions of API requests per day while maintaining 99.995% availability (or < 30m of downtime per year).

· 5 min read
Karan Kajla

Launch Week, Day 2

Welcome to day 2 of our first Launch Week! On day 1, we introduced the new and improved v2 Warrant API. In case you missed it, you can catch up on the details here. Now let's get into day 2!

Warrant Query Language (WQL)

In a recent blog post, Why Google Zanzibar Shines at Building Authorization, we detailed why Google Zanzibar is extremely well-suited to handling application authorization. One of the key reasons we covered is that Zanzibar is a stateful, centralized authorization service. This means the authorization rules for an application (along with any other data necessary to make authorization decisions for the application) are stored centrally in Zanzibar, making it possible to query access rules for a user or resource in real time without the need to consult another data source. This allows developers to not only audit users' access rules but to also query Zanzibar directly from their application to fetch only the resources a user has access to.

Today, we're excited to introduce the Warrant Query Language (WQL), a declarative, SQL-like language for querying Warrant for lists of access controlled data from the context of an application. In particular, WQL is there to help developers answer two types of queries from within their applications:

  1. Which objects of type T does user U have access to?
  2. Which users have access to object O?

· 7 min read
Karan Kajla

Launch Week, Day 1

Hey everyone! It's finally time to kick off our first ever Launch Week! Before we get started, for those of you who don't know: At Warrant, we're building authorization and access control infrastructure for developers.

The team has been hard at work over the past few months iterating on our platform in close partnership with our customers. We've improved many areas, from developer experience to performance and reliability, while also adding a slew of new features and can't wait to share more about everything we've built. Now let's get started!

On this inaugural day of Launch Week, we're excited to announce two huge releases:

  • v1.0 of Warrant OSS, the open source, self-hostable authorization service powering Warrant
  • Our v2 API, with tons of new features and improvements to both performance and developer experience

Let's get into the details!

· 3 min read
Aditya Kajla

Hey Everyone! It's been a while since our last product update. The team has been hard at work this summer with some major improvements to Warrant. We decided to take a quick break to tell you about some of the things we've been working on!

New CLI commands

The Warrant CLI is now the quickest way to get started with Warrant. We've added new commands for listing object types, making assertions on check requests (for testing), and managing objects (create, get, update, delete). The CLI now also supports multiple environments via the env command.

Check out these instructions to install and get started with the CLI.

Update CLI

· 4 min read
Aditya Kajla

Here's what's new with Warrant this month:

Support for ABAC policies (including time-based warrants)

We're excited to announce that the Warrant authorization engine now supports expression and evaluation of ABAC policies in addition to its native ReBAC capabilities. Although most application authorization scenarios can be modeled via ReBAC (e.g. RBAC, fine-grained access control), there are certain scenarios where access depends on an object or environment's attributes.

For example, we might want to express a rule that states that [user:1] is a [member] of [role:admin] but only if that user's requests are originating from [ip-address:192.192.0.1]. Although Warrant's existing ReBAC engine allows us to represent the member relation between user:1 and role:admin, we must also check for the user's IP context at runtime for the full check to pass.

To enable such scenarios, Warrant now supports definition of policies directly within warrants and evaluation of those policies at runtime using 'contextual data' provided by the client. For the example above, we can define a warrant with an IP equality check as follows:

{
"objectType": "role",
"objectId": "admin",
"relation": "member",
"subject": {
"objectType": "user",
"objectId": "1"
}
"policy": "user.client_ip == \"192.168.1.1\""
}

This warrant states that [user:1] is a [member] of [role:admin] if [user.client_ip == 192.168.1.1]. At check time, a request with the following context would result in an access allowed response:

{
"objectType": "role",
"objectId": "admin",
"relation": "member",
"subject": {
"objectType": "user",
"objectId": "1"
}
"context": {
"user": {
"client_ip": "192.168.1.1"
}
}
}

In addition to strict equality (==), Warrant policies also support a variety of operands including comparators, regex and time (expiration) expressions. For more details, check out the docs.

Dashboard updates

We've also made a few significant improvements to the Warrant admin dashboard this month to make finding, viewing and editing your access control data much easier. More specifically:

Dynamic table views & sorting

All table views (e.g. tenants, users, roles, permissions etc.) now support sorting by column (e.g. by 'created_at' date) and dynamic, in-place data fetching via a 'load more' button to make it even easier for users to traverse and search through their data.

Table sort

· 10 min read
Karan Kajla

Why Google Zanzibar Shines at Building Authorization

Over the last couple years, authorization (AKA “authz”) has become a hot topic of debate. Proponents of various authz frameworks, libraries, and philosophies have voiced their opinions on how it should be implemented, jockeying for position to become the de facto way to implement authz. Among the contestants in this debate, Google’s Zanzibar has recently emerged as a popular way of not only modeling and enforcing authorization for modern, fine grained use cases, but also of scaling to meet the requirements of today’s large-scale, cloud-native applications.