Convert Figma logo to code with AI

warrant-dev logowarrant

Warrant is a highly scalable, centralized authorization service based on Google Zanzibar. Use it to define, enforce, query, and audit application authorization and access control.

1,112
38
1,112
17
View on GitHubView on NPM

Top Related Projects

ory's avatar

keto

4,774

Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.

casbin's avatar

casbin

17,484

An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN

open-policy-agent's avatar

opa

9,505

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

Permify's avatar

permify

4,433

An open-source authorization as a service inspired by Google Zanzibar, designed to build and manage fine-grained and scalable authorization systems for any application.

authzed's avatar

spicedb

4,924

Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications

osohq's avatar

oso

3,467

Oso is a batteries-included framework for building authorization in your application.

Quick Overview

Warrant is an open-source, developer-friendly authorization and access control service. It provides a flexible and scalable solution for implementing fine-grained permissions and role-based access control (RBAC) in applications, with support for various programming languages and frameworks.

Pros

  • Easy integration with existing applications and APIs
  • Flexible and customizable permission models
  • Supports both self-hosted and cloud-hosted options
  • Comprehensive documentation and examples

Cons

  • Relatively new project, may have fewer community contributions
  • Limited built-in integrations compared to some commercial alternatives
  • Requires additional setup and maintenance for self-hosted deployments
  • Learning curve for complex authorization scenarios

Code Examples

  1. Creating a user and assigning a role:
const Warrant = require('@warrantdev/warrant-node');
const client = new Warrant.Client({ apiKey: 'your_api_key' });

async function createUserWithRole() {
  const user = await client.createUser({ userId: 'user123' });
  await client.assignRoleToUser('admin', 'user123');
}
  1. Checking if a user has permission:
const hasPermission = await client.hasPermission({
  permissionId: 'edit_posts',
  userId: 'user123'
});

if (hasPermission) {
  console.log('User has permission to edit posts');
} else {
  console.log('User does not have permission to edit posts');
}
  1. Creating a custom authorization rule:
await client.createAuthorizationRule({
  objectType: 'post',
  relation: 'editor',
  rules: [
    {
      operation: 'is',
      roleId: 'admin'
    },
    {
      operation: 'is',
      roleId: 'editor'
    }
  ]
});

Getting Started

  1. Install the Warrant SDK for your programming language:
npm install @warrantdev/warrant-node
  1. Initialize the Warrant client:
const Warrant = require('@warrantdev/warrant-node');
const client = new Warrant.Client({ apiKey: 'your_api_key' });
  1. Use the client to manage users, roles, and permissions:
async function setupAuthorization() {
  await client.createUser({ userId: 'user123' });
  await client.createRole({ roleId: 'editor' });
  await client.assignRoleToUser('editor', 'user123');
  
  const hasPermission = await client.hasPermission({
    permissionId: 'edit_posts',
    userId: 'user123'
  });
  
  console.log(`User has edit_posts permission: ${hasPermission}`);
}

setupAuthorization();

Competitor Comparisons

ory logo

keto

4,774

Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.

Pros of Keto

  • More mature project with a larger community and ecosystem
  • Supports multiple storage backends (SQL, Redis, in-memory)
  • Offers a REST API and gRPC interface for flexibility

Cons of Keto

  • Steeper learning curve due to its complexity
  • Requires more setup and configuration
  • May be overkill for simpler authorization needs

Code Comparison

Keto (using the REST API):

import "github.com/ory/keto-client-go"

client, _ := keto.NewSDK(&keto.Configuration{
    Servers: []keto.ServerConfiguration{
        {URL: "http://localhost:4466"},
    },
})

allowed, _, _ := client.PermissionApi.CheckPermission(context.Background()).
    Namespace("files").
    Object("file:1").
    Relation("view").
    Subject("user:john").
    Execute()

Warrant:

import "github.com/warrant-dev/warrant-go"

client := warrant.NewClient("api_key")

isAuthorized, _ := client.IsAuthorized(warrant.IsAuthorizedParams{
    WarrantToken: "user:john",
    Object:       "file:1",
    Relation:     "view",
})

Both Keto and Warrant provide authorization solutions, but they differ in complexity and features. Keto offers more flexibility and scalability, while Warrant focuses on simplicity and ease of use. The choice between them depends on the specific requirements of your project and the level of control you need over the authorization process.

casbin logo

casbin

17,484

An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN

Pros of Casbin

  • More mature and widely adopted, with a larger community and ecosystem
  • Supports multiple programming languages and frameworks
  • Offers a flexible, policy-based access control model (PERM)

Cons of Casbin

  • Steeper learning curve due to its more complex policy language
  • May require more setup and configuration for simple use cases

Code Comparison

Casbin policy example:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

Warrant policy example:

{
  "objectType": "document",
  "objectId": "doc1",
  "relation": "reader",
  "subject": {
    "objectType": "user",
    "objectId": "user1"
  }
}

Casbin offers a more flexible and powerful policy language, allowing for complex rules and conditions. Warrant, on the other hand, provides a simpler JSON-based policy structure that may be easier to understand and implement for basic authorization scenarios.

Both libraries aim to solve authorization problems, but Casbin offers more flexibility and language support, while Warrant focuses on simplicity and ease of use for specific use cases.

open-policy-agent logo

opa

9,505

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

Pros of OPA

  • More mature and widely adopted project with extensive documentation
  • Supports multiple policy languages (Rego, JSON, YAML)
  • Offers a broader scope for policy enforcement across various domains

Cons of OPA

  • Steeper learning curve, especially for Rego language
  • Can be overkill for simpler authorization use cases
  • Requires more setup and configuration for basic scenarios

Code Comparison

OPA (Rego policy):

package authz

default allow = false

allow {
    input.method == "GET"
    input.path == ["api", "users"]
    input.user.role == "admin"
}

Warrant:

const warrant = new Warrant({
  apiKey: "YOUR_API_KEY",
});

const isAuthorized = await warrant.isAuthorized(
  userId,
  "view",
  "user_list"
);

Summary

OPA is a more comprehensive policy engine suitable for complex scenarios across various domains, while Warrant focuses specifically on authorization with a simpler API. OPA offers more flexibility but requires more setup, whereas Warrant provides a more straightforward solution for basic authorization needs.

Permify logo

permify

4,433

An open-source authorization as a service inspired by Google Zanzibar, designed to build and manage fine-grained and scalable authorization systems for any application.

Pros of Permify

  • More flexible and customizable authorization model
  • Better support for complex hierarchical structures
  • More active community and frequent updates

Cons of Permify

  • Steeper learning curve due to increased complexity
  • Less out-of-the-box integrations compared to Warrant

Code Comparison

Permify:

schema:
  user:
    relations:
      manager: user
  team:
    relations:
      member: user
      lead: user

  document:
    relations:
      viewer: [user, team#member]
      editor: [user, team#lead]

Warrant:

{
  "objectType": "document",
  "relation": "viewer",
  "subject": {
    "objectType": "user",
    "objectId": "user123"
  }
}

Both Permify and Warrant are authorization solutions, but they differ in their approach and complexity. Permify offers a more flexible and customizable authorization model, making it suitable for complex hierarchical structures. It has a more active community and receives frequent updates. However, this flexibility comes at the cost of a steeper learning curve.

Warrant, on the other hand, provides a simpler, more straightforward approach to authorization. It offers more out-of-the-box integrations, making it easier to implement in existing systems. However, it may be less suitable for highly complex authorization scenarios.

The code comparison shows that Permify uses a schema-based approach, allowing for more intricate relationship definitions, while Warrant uses a simpler JSON-based structure for defining permissions.

authzed logo

spicedb

4,924

Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications

Pros of SpiceDB

  • More mature project with a larger community and more contributors
  • Supports multiple storage backends (PostgreSQL, MySQL, CockroachDB)
  • Offers a GraphQL API in addition to gRPC

Cons of SpiceDB

  • Steeper learning curve due to its more complex schema language
  • Requires more setup and configuration compared to Warrant
  • May be overkill for simpler authorization use cases

Code Comparison

SpiceDB schema definition:

definition user {}

definition document {
    relation viewer: user
    relation editor: user
    permission view = viewer + editor
    permission edit = editor
}

Warrant schema definition:

{
  "object_types": [
    {
      "type": "document",
      "relations": [
        { "name": "viewer", "object_type": "user" },
        { "name": "editor", "object_type": "user" }
      ]
    }
  ]
}

Both projects aim to provide fine-grained authorization, but SpiceDB offers a more powerful and flexible schema language at the cost of increased complexity. Warrant provides a simpler JSON-based schema that may be easier to understand and implement for smaller projects or teams new to authorization systems.

osohq logo

oso

3,467

Oso is a batteries-included framework for building authorization in your application.

Pros of Oso

  • More comprehensive documentation and extensive guides
  • Supports multiple programming languages (Python, Ruby, Java, Node.js, Go)
  • Offers a domain-specific language (Polar) for writing authorization rules

Cons of Oso

  • Steeper learning curve due to the custom Polar language
  • May be overkill for simpler authorization needs
  • Requires more setup and configuration

Code Comparison

Oso (using Polar language):

allow(user, "read", post) if
    user.role = "admin" or
    post.public = true or
    post.author = user;

Warrant:

await warrant.authorize(
  userId,
  "read",
  {
    type: "post",
    id: postId
  }
);

Summary

Oso is a more feature-rich and flexible authorization solution supporting multiple languages and offering a custom DSL for complex rules. Warrant provides a simpler, more straightforward approach focused on JSON-based policies and a REST API. Oso may be better suited for larger, multi-language projects with complex authorization needs, while Warrant offers a quicker setup and easier integration for simpler use cases or projects primarily using JavaScript/TypeScript.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Warrant

Website | Warrant Cloud | Docs | API Reference

GitHub GitHub release (latest by date) GitHub Workflow Status (with branch) Twitter Follow Backed by Y Combinator

Warrant - Google Zanzibar-inspired, Fine-Grained Authorization Service

Warrant is a highly scalable, centralized, fine-grained authorization service for defining, storing, querying, checking, and auditing application authorization models and access rules. At its core, Warrant is a relationship based access control (ReBAC) engine (inspired by Google Zanzibar) capable of enforcing any authorization paradigm, including role based access control (RBAC) (e.g. [user:1] has [permission:view-billing-details]), attribute based access control (ABAC) (e.g. [user:1] can [view] [department:accounting] if [geo == "us"]), and relationship based access control (ReBAC) (e.g. [user:1] is an [editor] of [document:docA]). It is especially useful for implementing fine-grained access control (FGAC) in internal and/or customer-facing applications.

Features

  • HTTP APIs for managing your authorization model, access rules, and other Warrant resources (roles, permissions, features, tenants, users, etc.) from an application, a CLI tool, etc.
  • Real-time, low-latency API for performing access checks in your application(s) at runtime (e.g. is [user:A] an [editor] of [tenant:X]?)
  • Integrates with in-house and third-party authn/identity providers like Auth0, Firebase, and more
  • Officially supported SDKs for popular languages and frameworks (backend and frontend)
  • Support for a number of databases, including: MySQL, Postgres, and SQLite (in-memory or file)

Use Cases

Warrant is built specifically for application authorization and access control, particularly for product, security, and compliance use-cases. Examples of problems Warrant solves are:

  • Add role based access control (RBAC) to your SaaS application with the ability for your customers to self-manage their roles and permissions via the Warrant self-service dashboard or your own custom dashboard built using Warrant's component library.
  • Allow customers to define and manage their own roles & permissions for their tenant (organization)
  • Add 'fine-grained role-based access control' (role based access to specific resources)
  • Implement fine-grained, object/resource-level authorization specific to your application's data model ([user:1] is an [editor] of [document:x])
  • Add centralized and auditable access control around your internal applications and tools.
  • Implement 'approval flows' (i.e. request access to a resource from an admin -> admin approves access).
  • Add Google Docs-like sharing and permissioning for your application's resources and objects.
  • Gate access to SaaS features based on your product's pricing tiers and feature packages.
  • Satisfy auditing and compliance requirements of frameworks and standards such as SOC2, HIPAA, GDPR and CCPA.

Getting Started

Check out the development guide to learn how to run Warrant locally and refer to the deployment examples for examples of self-hosting Warrant using Docker or Kubernetes.

Resources

SDKs

Warrant's native SDKs are compatible with both the cloud and open-source versions of Warrant. We currently support SDKs for:

Documentation

Visit our docs to learn more about Warrant's key concepts & architecture and view our quickstarts & API reference.

Limitations

Serving check and query requests with low latency at high throughput requires running Warrant as a distributed service with the use of Warrant-Tokens (also referred to as Zookies in Google Zanzibar). As a result, this open source version of Warrant is only capable of handling low-to-moderate throughput and is best suited for POCs, development/test environments, and low throughput use-cases.

Get <10ms Latency at Scale

Warrant Cloud

The quickest and easiest way to get low-latency performance for high-throughput production usage is to use Warrant Cloud, a fully managed, serverless offering of Warrant. With Warrant Cloud, you don't need to worry about managing multiple instances of Warrant or its underlying datastore (e.g. Postgres, MySQL, etc). It can scale to millions of warrants and hundreds of millions of check and query requests while still providing <10ms latencies. You can sign up for a free account here.

Warrant Cloud is compatible with the same APIs as this open source version and provides additional functionality like:

  • An admin dashboard for quickly managing your authorization model and access rules via an intuitive, easy-to-use UI
  • Batch endpoints
  • Multi-region availability
  • Improved access check latency & throughput for large scale use cases

Once you've created an account, refer to our docs to get started.

Enterprise Self-Hosted

Customers looking to self-host Warrant for low-latency, high-throughput production use cases can run a licensed version of Warrant Cloud themselves. To learn more about this option, schedule a call or contact us.

Contributing

Contributions are welcome. Please see our contributing guide for more details.