Cloud native authorization

University essay from Uppsala universitet/Institutionen för informationsteknologi

Author: Prashanna Rai; [2023]


Abstract: In the cloud native development approach, a single application can be built from multiple self-contained services. Each service might be developed by a different team in a different programming language, and each service needs its own authorization module. Teams have to spend significant time solving the recurring problem of authorization logic for every microservice. Their solutions are very specialized to certain applications or to particular structures of Access Control List (ACL) representations, which makes them very hard to reuse with other applications. This has increased development and maintenance costs, with no standardization of authorization logic. With the use of Open Policy Agent (OPA), we were able to express all existing authorization logic in the Rego language. Regardless of the technical stack a service relied on, the versatility of OPA allowed us to unify all the authorization logic in one policy language, Rego. In comparison with the existing authorization system, we observed a small difference in latency, i.e. 10% slower latency, when the service was integrated with OPA as a sidecar. But in the case of fine-grained authorization, where large amounts of data need to be filtered based on policy, the Wasm-based implementation performed 30% faster than the existing authorization system. Among all the approaches, we found that the Distributed PDP, i.e. integration of OPA via a Unix domain socket, had lower overhead and a faster response than the Central PDP, i.e. integration of OPA with the service via HTTP.
