Warrant is a highly scalable, centralized authorization service based on Google Zanzibar. Use it to define, enforce, query, and audit application authorization and access control.

difftim/warrant

Warrant

Website | Warrant Cloud | Docs | API Reference

Warrant - Open Source Access Control Service

Warrant is an application access control service built for developers and product teams. It is a centralized authorization service (inspired by Google Zanzibar) designed to abstract away the complexity of managing user access control from teams building software products, so they can (1) offer best-in-class access control to customers from day one and (2) focus efforts on building their core product.

Warrant allows you to define, store, and manage your product's authorization model and access rules (we call these warrants), then check or query against these rules from your application at runtime. This lets you implement any access control model, from coarse-grained role-based access control (RBAC) (e.g. does [user:1] have [permission:view-billing-details]?) to fine-grained relationship-based access control (ReBAC) (e.g. is [user:1] an [editor] of [document:docA]?) and attribute-based access control (ABAC) (e.g. is [user:1] in [department:accounting]?).
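As an added illustration (not Warrant's code or API) of how a single relation-tuple model covers all three cases above, here is a minimal in-memory check in Go; the tuple layout, the `implies` map and the relation names `granted`, `member` and `viewer` are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is a Zanzibar-style relation tuple; Subject is "type:id" or a userset "type:id#relation".
type Tuple struct{ Object, Relation, Subject string }

// Store holds tuples and implied relations keyed "objectType#relation" (layout assumed for this example).
type Store struct {
	tuples  []Tuple
	implies map[string][]string // e.g. "document#viewer" -> {"editor"}
}

// Check answers "does subj have rel on obj?"; depth bounds recursion through cyclic usersets.
func (s *Store) Check(obj, rel, subj string) bool { return s.check(obj, rel, subj, 0) }
func (s *Store) check(obj, rel, subj string, depth int) bool {
	if depth > 8 { return false } // a cycle such as group:a -> group:b -> group:a terminates with deny
	for _, t := range s.tuples {
		if t.Object != obj || t.Relation != rel {
			continue
		}
		if i := strings.Index(t.Subject, "#"); t.Subject == subj || (i >= 0 && s.check(t.Subject[:i], t.Subject[i+1:], subj, depth+1)) {
			return true // direct match, or subj is (transitively) a member of a userset such as "role:admin#member"
		}
	}
	for _, r := range s.implies[strings.SplitN(obj, ":", 2)[0]+"#"+rel] { // e.g. viewer is satisfied by editor
		if s.check(obj, r, subj, depth+1) {
			return true
		}
	}
	return false
}

// ExampleStore encodes the README's three cases as tuples (constructed sample data).
func ExampleStore() *Store {
	return &Store{implies: map[string][]string{"document#viewer": {"editor"}}, tuples: []Tuple{
		{"role:admin", "member", "user:1"},                                   // RBAC: user holds a role
		{"permission:view-billing-details", "granted", "role:admin#member"}, // RBAC: the role grants it
		{"document:docA", "editor", "user:1"},                               // ReBAC: direct relationship
		{"department:accounting", "member", "user:1"},                       // ABAC-style attribute
		{"report:q3", "viewer", "department:accounting#member"},             // access derived from it
	}}
}

func main() {
	s := ExampleStore()
	fmt.Println(s.Check("permission:view-billing-details", "granted", "user:1"), s.Check("document:docA", "editor", "user:2")) // true false
}
```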

Features

  • A real-time, low latency check API to perform access checks in your application at runtime (e.g. is user:A editor of tenant:X?)
  • Built-in support for roles & permissions (RBAC) + API endpoints to create and manage custom roles & permissions from your application
  • Built-in support for multi-tenant access control
    • Define roles, permissions, access rules, etc. per tenant
    • Support scenarios where a user's level of access in your application depends on which tenant (or role) they're currently logged in as.
  • Built-in support for pricing tiers - control access to your application's features in real time based on your product's pricing plans (e.g. free-tier, growth, business, enterprise, etc.)
  • Permission-aware front-end components to allow/deny access to specific pages/UI elements
  • Pre-built components & embeddable pages to build UIs that give customers the ability to manage roles, permissions, and other access rules for themselves and teammates
  • Integrates with in-house and third-party authn/identity providers like Auth0
  • A global event log that tracks all updates to authorization models and access rules, making auditing, alerting, and debugging simple
  • SDKs in the most popular languages and frameworks

Use Cases

Warrant is built specifically for application authorization and access control, particularly for product, security, and compliance use cases. Examples of problems Warrant solves are:

  • Add role based access control (RBAC) to your SaaS application with the ability for your customers to self-manage their roles and permissions via the Warrant self service dashboard or your own custom dashboard built using Warrant's component library.
  • Allow your customers to define and manage their own roles & permissions for their tenant (organization)
  • Add 'fine-grained RBAC' (role-based access to specific resources)
  • Implement fine-grained, object/resource-level authorization specific to your application's data model ([user:1] is an [editor] of [document:x])
  • Add centralized and auditable access control around your internal applications.
  • Implement 'approval flows' (i.e. request access to a resource from an admin -> admin approves access).
  • Add Google Docs-like sharing and permissioning for your application's resources and objects.
  • Gate access to SaaS features based on your product's pricing tiers and feature packages.
  • Satisfy auditing and compliance requirements of frameworks and standards such as SOC2, HIPAA, GDPR and CCPA.

Getting Started

Warrant Cloud

The quickest and easiest way to get started with Warrant is by using the managed cloud service. You can sign up for a free account here.

Warrant Cloud is compatible with the same APIs as this open source version and provides additional functionality like:

  • An admin dashboard for quickly managing your authorization model and access rules via an intuitive, easy-to-use UI
  • A real-time query API to query and audit access rules for a given subject or object (e.g. which users in tenant:1 have access to object:A?)
  • Multi-region availability
  • Improved access check latency & throughput for large scale use cases.

Once you've created an account, refer to our docs to get started.

Self-hosting

To self-host or run Warrant locally, follow one of the guides below (select the guide for your database of choice).

SDKs

Warrant's native SDKs are compatible with both the cloud and open-source versions of Warrant. We currently support SDKs for:

Documentation

Visit our docs to learn more about Warrant's key concepts & architecture and view our quickstarts & API reference.

Support

Join our Slack community to ask questions and get support.

Contributing

To report a bug you found or request a feature that you'd like, open an issue. If you'd like to contribute, submit a PR to resolve the issue.

Contributions from the community are welcome! Just be sure to follow some ground rules:

  • Never submit a PR without an associated issue.
  • Issues should mention whether the issue is a bug or a feature.
  • Issues reporting a bug should describe (1) steps to reproduce the bug, (2) what the current behavior is, and (3) what the expected behavior should be.
  • Issues requesting a feature should (1) provide a description of the feature and (2) explain the intended use case for the feature.
