Warrant Changelog - June 2023
Here's what's new with Warrant this month:
Support for ABAC policies (including time-based warrants)
We're excited to announce that the Warrant authorization engine now supports expression and evaluation of ABAC policies in addition to its native ReBAC capabilities. Although most application authorization scenarios can be modeled via ReBAC (e.g. RBAC, fine-grained access control), there are certain scenarios where access depends on an object or environment's attributes.
For example, we might want to express a rule that states that [user:1] is a [member] of [role:admin] but only if that user's requests are originating from [ip-address:192.192.0.1]. Although Warrant's existing ReBAC engine allows us to represent the member relation between user:1 and role:admin, we must also check for the user's IP context at runtime for the full check to pass.
To enable such scenarios, Warrant now supports definition of policies directly within warrants and evaluation of those policies at runtime using 'contextual data' provided by the client. For the example above, we can define a warrant with an IP equality check as follows:
{
"objectType": "role",
"objectId": "admin",
"relation": "member",
"subject": {
"objectType": "user",
"objectId": "1"
}
"policy": "user.client_ip == \"192.168.1.1\""
}
This warrant states that [user:1] is a [member] of [role:admin] if [user.client_ip == 192.168.1.1]. At check time, a request with the following context would result in an access allowed response:
{
"objectType": "role",
"objectId": "admin",
"relation": "member",
"subject": {
"objectType": "user",
"objectId": "1"
}
"context": {
"user": {
"client_ip": "192.168.1.1"
}
}
}
In addition to strict equality (==), Warrant policies also support a variety of operands including comparators, regex and time (expiration) expressions. For more details, check out the docs.
Dashboard updates
We've also made a few significant improvements to the Warrant admin dashboard this month to make finding, viewing and editing your access control data much easier. More specifically:
Dynamic table views & sorting
All table views (e.g. tenants, users, roles, permissions etc.) now support sorting by column (e.g. by 'created_at' date) and dynamic, in-place data fetching via a 'load more' button to make it even easier for users to traverse and search through their data.
Access & Resource log pages with datetime filtering
To make it even easier to track and distinguish between access check logs (e.g. 'a check result for is user:1 an editor of doc:x returned false') and resource logs (e.g. 'role:a was created'), we've split the Logs dashboard page into two separate pages: the Access Log and Resource Log.
Both log pages also now support filtering events by specific date and time windows, making debugging around specific time periods much easier.
New blog post - 'Why Google Zanzibar Shines at Building Authorization'
Over the past couple of years, Google’s Zanzibar has emerged as a popular implementation standard for modern, fine grained authorization and access control systems, including Warrant.
In this recent post, our CTO Karan explores key Zanzibar concepts in detail and shares how they have influenced Warrant's authorization service architecture. The post also generated quite a bit of discussion on Hacker News.
Warrant open source crosses 500 stars
Just a month after crossing 350 stars, the Warrant open source service has hit another milestone of 500+ stars! We really appreciate the community's engagement, input and feedback so far. Check us out and give us a ⭐ if you haven't already!
And that's it for this June, but more to come next month!
