Here's what's new with Warrant this month:
Support for ABAC policies (including time-based warrants)
We're excited to announce that the Warrant authorization engine now supports expression and evaluation of ABAC policies in addition to its native ReBAC capabilities. Although most application authorization scenarios can be modeled via ReBAC (e.g. RBAC, fine-grained access control), there are certain scenarios where access depends on an object or environment's attributes.
For example, we might want to express a rule that states that
[user:1] is a [member] of [role:admin] but only if that user's requests are originating from
[ip-address:220.127.116.11]. Although Warrant's existing ReBAC engine allows us to represent the
member relation between
role:admin, we must also check for the user's IP context at runtime for the full check to pass.
To enable such scenarios, Warrant now supports definition of policies directly within warrants and evaluation of those policies at runtime using 'contextual data' provided by the client. For the example above, we can define a warrant with an IP equality check as follows:
"policy": "user.client_ip == \"192.168.1.1\""
This warrant states that
[user:1] is a [member] of [role:admin] if [user.client_ip == 192.168.1.1]. At check time, a request with the following context would result in an
access allowed response:
In addition to strict equality (
==), Warrant policies also support a variety of operands including comparators, regex and time (expiration) expressions. For more details, check out the docs.
We've also made a few significant improvements to the Warrant admin dashboard this month to make finding, viewing and editing your access control data much easier. More specifically:
Dynamic table views & sorting
All table views (e.g. tenants, users, roles, permissions etc.) now support sorting by column (e.g. by 'created_at' date) and dynamic, in-place data fetching via a 'load more' button to make it even easier for users to traverse and search through their data.