warrant
Warrant is a highly scalable, centralized authorization service based on Google Zanzibar. Use it to define, enforce, query, and audit application authorization and access control.
Top Related Projects
Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN
Open Policy Agent (OPA) is an open source, general-purpose policy engine.
An open-source authorization as a service inspired by Google Zanzibar, designed to build and manage fine-grained and scalable authorization systems for any application.
Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications
Oso is a batteries-included framework for building authorization in your application.
Quick Overview
Warrant is an open-source, developer-friendly authorization and access control service. It provides a flexible and scalable solution for implementing fine-grained permissions and role-based access control (RBAC) in applications, with support for various programming languages and frameworks.
Pros
- Easy integration with existing applications and APIs
- Flexible and customizable permission models
- Supports both self-hosted and cloud-hosted options
- Comprehensive documentation and examples
Cons
- Relatively new project, may have fewer community contributions
- Limited built-in integrations compared to some commercial alternatives
- Requires additional setup and maintenance for self-hosted deployments
- Learning curve for complex authorization scenarios
Code Examples
- Creating a user and assigning a role:
const Warrant = require('@warrantdev/warrant-node');
const client = new Warrant.Client({ apiKey: 'your_api_key' });
async function createUserWithRole() {
const user = await client.createUser({ userId: 'user123' });
await client.assignRoleToUser('admin', 'user123');
}
- Checking if a user has permission:
const hasPermission = await client.hasPermission({
permissionId: 'edit_posts',
userId: 'user123'
});
if (hasPermission) {
console.log('User has permission to edit posts');
} else {
console.log('User does not have permission to edit posts');
}
- Creating a custom authorization rule:
await client.createAuthorizationRule({
objectType: 'post',
relation: 'editor',
rules: [
{
operation: 'is',
roleId: 'admin'
},
{
operation: 'is',
roleId: 'editor'
}
]
});
Getting Started
- Install the Warrant SDK for your programming language:
npm install @warrantdev/warrant-node
- Initialize the Warrant client:
const Warrant = require('@warrantdev/warrant-node');
const client = new Warrant.Client({ apiKey: 'your_api_key' });
- Use the client to manage users, roles, and permissions:
async function setupAuthorization() {
await client.createUser({ userId: 'user123' });
await client.createRole({ roleId: 'editor' });
await client.assignRoleToUser('editor', 'user123');
const hasPermission = await client.hasPermission({
permissionId: 'edit_posts',
userId: 'user123'
});
console.log(`User has edit_posts permission: ${hasPermission}`);
}
setupAuthorization();
Competitor Comparisons
Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.
Pros of Keto
- More mature project with a larger community and ecosystem
- Supports multiple storage backends (SQL, Redis, in-memory)
- Offers a REST API and gRPC interface for flexibility
Cons of Keto
- Steeper learning curve due to its complexity
- Requires more setup and configuration
- May be overkill for simpler authorization needs
Code Comparison
Keto (using the REST API):
import "github.com/ory/keto-client-go"
client, _ := keto.NewSDK(&keto.Configuration{
Servers: []keto.ServerConfiguration{
{URL: "http://localhost:4466"},
},
})
allowed, _, _ := client.PermissionApi.CheckPermission(context.Background()).
Namespace("files").
Object("file:1").
Relation("view").
Subject("user:john").
Execute()
Warrant:
import "github.com/warrant-dev/warrant-go"
client := warrant.NewClient("api_key")
isAuthorized, _ := client.IsAuthorized(warrant.IsAuthorizedParams{
WarrantToken: "user:john",
Object: "file:1",
Relation: "view",
})
Both Keto and Warrant provide authorization solutions, but they differ in complexity and features. Keto offers more flexibility and scalability, while Warrant focuses on simplicity and ease of use. The choice between them depends on the specific requirements of your project and the level of control you need over the authorization process.
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN
Pros of Casbin
- More mature and widely adopted, with a larger community and ecosystem
- Supports multiple programming languages and frameworks
- Offers a flexible, policy-based access control model (PERM)
Cons of Casbin
- Steeper learning curve due to its more complex policy language
- May require more setup and configuration for simple use cases
Code Comparison
Casbin policy example:
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
Warrant policy example:
{
"objectType": "document",
"objectId": "doc1",
"relation": "reader",
"subject": {
"objectType": "user",
"objectId": "user1"
}
}
Casbin offers a more flexible and powerful policy language, allowing for complex rules and conditions. Warrant, on the other hand, provides a simpler JSON-based policy structure that may be easier to understand and implement for basic authorization scenarios.
Both libraries aim to solve authorization problems, but Casbin offers more flexibility and language support, while Warrant focuses on simplicity and ease of use for specific use cases.
Open Policy Agent (OPA) is an open source, general-purpose policy engine.
Pros of OPA
- More mature and widely adopted project with extensive documentation
- Supports multiple policy languages (Rego, JSON, YAML)
- Offers a broader scope for policy enforcement across various domains
Cons of OPA
- Steeper learning curve, especially for Rego language
- Can be overkill for simpler authorization use cases
- Requires more setup and configuration for basic scenarios
Code Comparison
OPA (Rego policy):
package authz
default allow = false
allow {
input.method == "GET"
input.path == ["api", "users"]
input.user.role == "admin"
}
Warrant:
const warrant = new Warrant({
apiKey: "YOUR_API_KEY",
});
const isAuthorized = await warrant.isAuthorized(
userId,
"view",
"user_list"
);
Summary
OPA is a more comprehensive policy engine suitable for complex scenarios across various domains, while Warrant focuses specifically on authorization with a simpler API. OPA offers more flexibility but requires more setup, whereas Warrant provides a more straightforward solution for basic authorization needs.
An open-source authorization as a service inspired by Google Zanzibar, designed to build and manage fine-grained and scalable authorization systems for any application.
Pros of Permify
- More flexible and customizable authorization model
- Better support for complex hierarchical structures
- More active community and frequent updates
Cons of Permify
- Steeper learning curve due to increased complexity
- Less out-of-the-box integrations compared to Warrant
Code Comparison
Permify:
schema:
user:
relations:
manager: user
team:
relations:
member: user
lead: user
document:
relations:
viewer: [user, team#member]
editor: [user, team#lead]
Warrant:
{
"objectType": "document",
"relation": "viewer",
"subject": {
"objectType": "user",
"objectId": "user123"
}
}
Both Permify and Warrant are authorization solutions, but they differ in their approach and complexity. Permify offers a more flexible and customizable authorization model, making it suitable for complex hierarchical structures. It has a more active community and receives frequent updates. However, this flexibility comes at the cost of a steeper learning curve.
Warrant, on the other hand, provides a simpler, more straightforward approach to authorization. It offers more out-of-the-box integrations, making it easier to implement in existing systems. However, it may be less suitable for highly complex authorization scenarios.
The code comparison shows that Permify uses a schema-based approach, allowing for more intricate relationship definitions, while Warrant uses a simpler JSON-based structure for defining permissions.
Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications
Pros of SpiceDB
- More mature project with a larger community and more contributors
- Supports multiple storage backends (PostgreSQL, MySQL, CockroachDB)
- Offers a GraphQL API in addition to gRPC
Cons of SpiceDB
- Steeper learning curve due to its more complex schema language
- Requires more setup and configuration compared to Warrant
- May be overkill for simpler authorization use cases
Code Comparison
SpiceDB schema definition:
definition user {}
definition document {
relation viewer: user
relation editor: user
permission view = viewer + editor
permission edit = editor
}
Warrant schema definition:
{
"object_types": [
{
"type": "document",
"relations": [
{ "name": "viewer", "object_type": "user" },
{ "name": "editor", "object_type": "user" }
]
}
]
}
Both projects aim to provide fine-grained authorization, but SpiceDB offers a more powerful and flexible schema language at the cost of increased complexity. Warrant provides a simpler JSON-based schema that may be easier to understand and implement for smaller projects or teams new to authorization systems.
Oso is a batteries-included framework for building authorization in your application.
Pros of Oso
- More comprehensive documentation and extensive guides
- Supports multiple programming languages (Python, Ruby, Java, Node.js, Go)
- Offers a domain-specific language (Polar) for writing authorization rules
Cons of Oso
- Steeper learning curve due to the custom Polar language
- May be overkill for simpler authorization needs
- Requires more setup and configuration
Code Comparison
Oso (using Polar language):
allow(user, "read", post) if
user.role = "admin" or
post.public = true or
post.author = user;
Warrant:
await warrant.authorize(
userId,
"read",
{
type: "post",
id: postId
}
);
Summary
Oso is a more feature-rich and flexible authorization solution supporting multiple languages and offering a custom DSL for complex rules. Warrant provides a simpler, more straightforward approach focused on JSON-based policies and a REST API. Oso may be better suited for larger, multi-language projects with complex authorization needs, while Warrant offers a quicker setup and easier integration for simpler use cases or projects primarily using JavaScript/TypeScript.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Website | Warrant Cloud | Docs | API Reference
Warrant - Google Zanzibar-inspired, Fine-Grained Authorization Service
Warrant is a highly scalable, centralized, fine-grained authorization service for defining, storing, querying, checking, and auditing application authorization models and access rules. At its core, Warrant is a relationship based access control (ReBAC) engine (inspired by Google Zanzibar) capable of enforcing any authorization paradigm, including role based access control (RBAC) (e.g. [user:1] has [permission:view-billing-details]
), attribute based access control (ABAC) (e.g. [user:1] can [view] [department:accounting] if [geo == "us"]
), and relationship based access control (ReBAC) (e.g. [user:1] is an [editor] of [document:docA]
). It is especially useful for implementing fine-grained access control (FGAC) in internal and/or customer-facing applications.
Features
- HTTP APIs for managing your authorization model, access rules, and other Warrant resources (roles, permissions, features, tenants, users, etc.) from an application, a CLI tool, etc.
- Real-time, low-latency API for performing access checks in your application(s) at runtime (e.g.
is [user:A] an [editor] of [tenant:X]?
) - Integrates with in-house and third-party authn/identity providers like Auth0, Firebase, and more
- Officially supported SDKs for popular languages and frameworks (backend and frontend)
- Support for a number of databases, including: MySQL, Postgres, and SQLite (in-memory or file)
Use Cases
Warrant is built specifically for application authorization and access control, particularly for product, security, and compliance use-cases. Examples of problems Warrant solves are:
- Add role based access control (RBAC) to your SaaS application with the ability for your customers to self-manage their roles and permissions via the Warrant self-service dashboard or your own custom dashboard built using Warrant's component library.
- Allow customers to define and manage their own roles & permissions for their tenant (organization)
- Add 'fine-grained role-based access control' (role based access to specific resources)
- Implement fine-grained, object/resource-level authorization specific to your application's data model (
[user:1] is an [editor] of [document:x]
) - Add centralized and auditable access control around your internal applications and tools.
- Implement 'approval flows' (i.e. request access to a resource from an admin -> admin approves access).
- Add Google Docs-like sharing and permissioning for your application's resources and objects.
- Gate access to SaaS features based on your product's pricing tiers and feature packages.
- Satisfy auditing and compliance requirements of frameworks and standards such as SOC2, HIPAA, GDPR and CCPA.
Getting Started
Check out the development guide to learn how to run Warrant locally and refer to the deployment examples for examples of self-hosting Warrant using Docker or Kubernetes.
Resources
SDKs
Warrant's native SDKs are compatible with both the cloud and open-source versions of Warrant. We currently support SDKs for:
Documentation
Visit our docs to learn more about Warrant's key concepts & architecture and view our quickstarts & API reference.
Limitations
Serving check and query requests with low latency at high throughput requires running Warrant as a distributed service with the use of Warrant-Tokens (also referred to as Zookies in Google Zanzibar). As a result, this open source version of Warrant is only capable of handling low-to-moderate throughput and is best suited for POCs, development/test environments, and low throughput use-cases.
Get <10ms Latency at Scale
Warrant Cloud
The quickest and easiest way to get low-latency performance for high-throughput production usage is to use Warrant Cloud, a fully managed, serverless offering of Warrant. With Warrant Cloud, you don't need to worry about managing multiple instances of Warrant or its underlying datastore (e.g. Postgres, MySQL, etc). It can scale to millions of warrants and hundreds of millions of check and query requests while still providing <10ms latencies. You can sign up for a free account here.
Warrant Cloud is compatible with the same APIs as this open source version and provides additional functionality like:
- An admin dashboard for quickly managing your authorization model and access rules via an intuitive, easy-to-use UI
- Batch endpoints
- Multi-region availability
- Improved access check latency & throughput for large scale use cases
Once you've created an account, refer to our docs to get started.
Enterprise Self-Hosted
Customers looking to self-host Warrant for low-latency, high-throughput production use cases can run a licensed version of Warrant Cloud themselves. To learn more about this option, schedule a call or contact us.
Contributing
Contributions are welcome. Please see our contributing guide for more details.
Top Related Projects
Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN
Open Policy Agent (OPA) is an open source, general-purpose policy engine.
An open-source authorization as a service inspired by Google Zanzibar, designed to build and manage fine-grained and scalable authorization systems for any application.
Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications
Oso is a batteries-included framework for building authorization in your application.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot