Hi there! Daniel here with another weekly digest 💌
This week, let’s talk about problem-solving.
The easiest way to follow the industry standard when it comes to solving problems in our application is by looking at large corporations, seeing how they build solutions for their challenges, and adapting them to our needs. Luckily, many large organizations share their engineering insights with the community through dev blogs and conference talks, making it easier for us to learn and adopt best practices.
It’s always tempting to build things yourself, especially for a young dev team building their product from scratch.

But it’s important to remember that learning from others is a valuable resource.
It was the same for us at Permit.io when we just started out. Frustrated with the challenge of authorization, we sought to solve this issue for developers once and for all. Looking at how other companies have solved their authorization problems helped us shape our own approach and avoid reinventing the wheel. We started this journey by looking around to see what others did:
Netflix was the first company we looked at. Netflix caters to millions of users worldwide and builds on open-source foundations, and we found their approach to policy-as-code-based authorization inspiring. So inspiring, in fact, that it drove us to build OPAL, our own open-source project, which basically makes the functionality Netflix built on top of OPA available to everyone for free.
We also wrote extensively and made videos on this subject back then. This was about a year ago, but all the information we gathered there is still more than relevant for applications today. That’s one of the benefits of learning from the big guys: for better or for worse, these solutions tend to last for years.
Netflix wasn’t the only one using Open Policy Agent for application authorization. The list is actually quite long, but Reddit is a great, more recent mention.
Reddit was not only able to solve the challenges they had with handling authorization for their ad platform, but they also achieved a p99 of <10ms per policy decision. We wrote extensively about how they used Open Policy Agent while integrating some Google Zanzibar principles to reach these amazing results.
We're also hosting a live stream with Braden Groom, Staff Engineer at Reddit, Inc., in just a few days! You are more than welcome to join us here:
We are huge fans of policy engines like OPA, Cedar, and OpenFGA (and not building them yourself), yet there are many organizations that choose to build these engines themselves, and we should learn from them as well!
Uber, for example, shared in this blog post how they utilize Google’s CEL language to create a dynamic attribute-based access control layer. Even if you are not looking to reinvent the wheel like Uber, their practice could give you a very good perspective on how to implement ABAC using policy as code.
LinkedIn shared its journey with dynamic authorization updates based on Kafka, yielding them some pretty impressive results. If you are looking for a similar implementation, here’s detailed documentation on how to use Kafka to build event-driven authorization with OPAL.
As always, if you’re down with supporting our open-source project, give OPAL a star on GitHub and join our Slack Community!
See you in two weeks 🌈✨
This was actually a really fun newsletter and worth reading! And that’s rare! Well done, thanks 😊