Authorization
RBAC, ABAC, PBAC, policy-as-code (OPA, Cedar)
Authorization determines what an authenticated identity is permitted to do. RBAC (Role-Based Access Control) assigns permissions to roles and users to roles — simple and auditable, but inflexible for fine-grained decisions. ABAC (Attribute-Based Access Control) evaluates attributes of the user, resource, and environment against a policy — more expressive, but more complex to reason about and test. PBAC (Policy-Based Access Control) externalises policy into a dedicated policy engine such as OPA (Open Policy Agent) or AWS Cedar, enabling version-controlled, testable, centrally audited authorization logic.
Key Points
- RBAC role explosion: as applications grow, the number of roles explodes (100s of fine-grained roles) — use role hierarchies (admin inherits developer permissions) or switch to ABAC for fine-grained decisions.
- ABAC policy example: `ALLOW if user.department == resource.ownerDepartment AND resource.classification != "SECRET" AND time.hour BETWEEN 9 AND 17` — evaluated at runtime against current attributes.
- OPA (Open Policy Agent): policies are written in the Rego language, stored in Git, and evaluated via a sidecar or a centralized service (OPA Gatekeeper for Kubernetes admission control) — this decouples policy from application code.
- AWS Cedar: purpose-built authorization policy language by AWS (open-source); used in Amazon Verified Permissions — designed for high-performance, verified authorization decisions with formal reasoning support.
- ReBAC (Relationship-Based Access Control): Google Zanzibar model — authorization decisions based on object relationships (user owns document, group is member of organization); implemented by Airbnb's Himeji, Google Docs sharing.
- Kubernetes RBAC: ClusterRole `view` (read-only cluster resources), `edit` (modify workloads), `admin` (full namespace), `cluster-admin` (unrestricted cluster) — never bind `cluster-admin` to service accounts used by applications.
- Least privilege principle: grant the minimum permissions required for the specific task; review and prune permissions quarterly using AWS IAM Access Analyzer or Entra ID Access Reviews.
- Policy-as-code (OPA, Cedar, Sentinel) lets authorization policies go through code review, version control, unit testing, and CI/CD pipelines — the same engineering rigour applied to application code.
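The ABAC rule quoted in the key points above (`user.department == resource.ownerDepartment AND resource.classification != "SECRET" AND time.hour BETWEEN 9 AND 17`) as a small deny-by-default evaluator. This is an added example, not code from any policy engine named on this page; the attribute bag names, the inclusive reading of `BETWEEN`, and the sample subjects and resources are assumptions constructed for the demonstration. It shows the part a practitioner usually wants from ABAC that the one-line rule hides: every condition is evaluated independently, the decision reports which conditions failed (which is what an audit log needs), and nothing is allowed unless every condition passes.

```python
from dataclasses import dataclass

# Attribute bags for the three inputs an ABAC policy looks at.
# Field names are assumptions for this example, not a standard schema.
@dataclass(frozen=True)
class Subject:
    user_id: str
    department: str

@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner_department: str
    classification: str  # e.g. "PUBLIC", "INTERNAL", "SECRET"

@dataclass(frozen=True)
class Environment:
    hour: int  # 0-23, hour of the request in the policy's reference timezone

# Each condition is a pure function over (subject, resource, environment).
# Keeping them separate means a failed decision can name the failing condition.
def department_match(s: Subject, r: Resource, e: Environment) -> bool:
    return s.department == r.owner_department

def not_secret(s: Subject, r: Resource, e: Environment) -> bool:
    return r.classification != "SECRET"

def business_hours(s: Subject, r: Resource, e: Environment) -> bool:
    # The page's rule says BETWEEN 9 AND 17; this treats both ends as inclusive (assumption).
    return 9 <= e.hour <= 17

# The policy is the conjunction of all conditions; order does not matter.
POLICY = (department_match, not_secret, business_hours)

def evaluate(subject: Subject, resource: Resource, env: Environment, policy=POLICY):
    """Return ("ALLOW", []) or ("DENY", [names of the conditions that failed]).

    Deny by default: an empty policy would still need every (zero) condition to
    pass, so it allows; a real deployment should never ship an empty policy.
    """
    failed = [cond.__name__ for cond in policy if not cond(subject, resource, env)]
    return ("ALLOW" if not failed else "DENY", failed)

def is_allowed(subject: Subject, resource: Resource, env: Environment) -> bool:
    return evaluate(subject, resource, env)[0] == "ALLOW"

if __name__ == "__main__":
    # Constructed sample data.
    alice = Subject("alice", "finance")
    report = Resource("q3-report", "finance", "INTERNAL")
    for hour in (8, 9, 17, 18):
        print(hour, evaluate(alice, report, Environment(hour)))
```

Because the decision carries the list of failed conditions rather than a bare boolean, the same function serves both the enforcement point and the audit trail; the edge cases worth checking when adopting a rule like this are the hour boundaries and the classification string comparison, both of which are covered by the assertions the evaluator makes easy to write.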
Real-World Example
Airbnb uses Google Zanzibar-inspired ReBAC (their Himeji system) to model complex host-guest-listing relationships — a host can edit their listing, a guest can view it after booking, and an admin can see all — expressed as relationship tuples evaluated at query time.
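The host / guest / admin relationships described above, modelled as a Zanzibar-style ReBAC check. This is an added example, not Himeji's or Zanzibar's code; the tuple format `(object, relation, subject)`, the `object#relation` userset notation, and the relation rewrite rules (`union` and `tuple_to_userset`) follow the Zanzibar paper's concepts, but the concrete relation names (`owner`, `editor`, `viewer`, `parent`, `admin`, `guest`) and the sample tuples are constructed for this demonstration. It shows how a guest gains `viewer` on a listing only through the booking relationship, and how an organization admin reaches every listing through a `parent` relationship, without any per-listing admin tuples.

```python
# Relationship tuples: (object, relation, subject). A subject is either a user
# or a userset written as "object#relation". All values here are constructed.
TUPLES = {
    ("listing:42", "owner", "user:host1"),
    ("listing:42", "viewer", "booking:7#guest"),  # every guest of booking 7 may view
    ("booking:7", "guest", "user:guest1"),
    ("listing:42", "parent", "org:airbnb"),        # listing belongs to the org
    ("org:airbnb", "admin", "user:ops1"),
}

# Relation rewrite rules per object type (assumed schema for this example):
#   union            -> this relation also includes the listed relations on the same object
#   tuple_to_userset -> follow (object, via, parent) tuples, then check `target` on parent
RULES = {
    "listing": {
        "editor": {"union": ["owner"], "tuple_to_userset": [("parent", "admin")]},
        "viewer": {"union": ["editor"]},  # anyone who can edit can also view
    },
}

MAX_DEPTH = 10  # guard against cyclic relationship graphs

def _object_type(obj: str) -> str:
    return obj.split(":", 1)[0]

def check(obj: str, relation: str, user: str, tuples=TUPLES, rules=RULES, depth: int = 0) -> bool:
    """Return True if `user` holds `relation` on `obj`, directly or via rewrites."""
    if depth > MAX_DEPTH:
        return False

    # 1. Direct tuples and usersets stored on this object/relation.
    for o, r, subject in tuples:
        if o != obj or r != relation:
            continue
        if subject == user:
            return True
        if "#" in subject:  # userset: expand by checking the referenced relation
            s_obj, s_rel = subject.split("#", 1)
            if check(s_obj, s_rel, user, tuples, rules, depth + 1):
                return True

    # 2. Computed relations from the schema's rewrite rules.
    rewrite = rules.get(_object_type(obj), {}).get(relation, {})
    for other in rewrite.get("union", []):
        if check(obj, other, user, tuples, rules, depth + 1):
            return True
    for via, target in rewrite.get("tuple_to_userset", []):
        for o, r, parent in tuples:
            if o == obj and r == via and check(parent, target, user, tuples, rules, depth + 1):
                return True

    return False

if __name__ == "__main__":
    for who, rel in [("user:host1", "editor"), ("user:guest1", "viewer"),
                     ("user:guest1", "editor"), ("user:ops1", "editor"),
                     ("user:stranger", "viewer")]:
        print(who, rel, check("listing:42", rel, who))
```

The check is evaluated at query time against the current tuple set, so revoking access is a matter of deleting a tuple (cancel the booking, remove the org admin) rather than editing a policy; the depth limit is the one piece of defensive logic a real implementation cannot skip, because user-authored relationship graphs can contain cycles.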