Lightning fast, global scale authorization service without the overhead of yet another DSL1.
Sentium is an authorization service for securing your applications and services using zero trust2 fine-grained authorization (FGA).
We designed Sentium to be as powerful and scalable as Zanzibar β Googleβs Consistent, Global Authorization System yet simple enough to start using without the overhead of having to learn a new DSL to define authorization models or policies.
There are other open-source (and commercial) authorization services, some are inspired by Google Zanzibar while others tend to offer policy-as-code solutions. But almost all of these solutions require learning a new DSL to create authorization models or define policies, which adds unnecessary complexities.
Using an authorization service shouldn't come with a requirement to be an expert in building and maintaining authorization models or policies. It should be as easy as using an API.
Sentium lean on well known API design principals to provide an authorization service that's easy to integrate, quick to master and flexible enough to handle complex requirements.
- Schema-less fine-grained authorization (FGA)
- Zero-trust, least privilege architecture (ZTA)
- Predictable constant time authorization checks (O(1))
- Strongly consistent with no cache
- Cloud native at global scale3
- ABAC, RBAC & ReBAC4
- Multi-tenancy support, if you need it
- Not just authorization checks, list users, entities a user can access and users with access to an entity
- First class treatment for listing endpoints with pagination and limits to handle large datasets
- Built using the fastest gRPC server implementation5
- CMake (>= 3.23)
- Protobuf (>= 3.15)
- libpq
- PostgreSQL (or PostgreSQL protocol compatible server)
β― cmake -B .build -G Ninja \
-DCMAKE_BUILD_TYPE=Release \
-DPostgreSQL_ADDITIONAL_VERSIONS=16 \
-DSENTIUM_ENABLE_COVERAGE=OFF
β― cmake --build .build --target sentium
β― psql --dbname=postgres
psql (16.1)
Type "help" for help.
postgres=# create user sentium;
CREATE ROLE
postgres=# create database sentium owner sentium;
CREATE DATABASE
β― psql --username=sentium --dbname=sentium < db/schema.sql
β― PGDATABASE=sentium PGUSER=sentium ./.build/bin/sentium
Listening on [127.0.0.1:8080] ...
β― grpcurl \
-import-path proto \
-import-path ./.build/_deps/googleapis-src \
-proto proto/sentium/api/v1/principals.proto \
-plaintext \
localhost:8080 sentium.api.v1.Principals/Create
{
"id": "cn7qtdu56a1cqrj8kur0"
}
β― grpcurl \
-import-path proto \
-import-path ./.build/_deps/googleapis-src \
-proto proto/sentium/api/v1/authz.proto \
-plaintext \
-d '{
"principal_id": "cn7qtdu56a1cqrj8kur0",
"entity_type": "documents",
"entity_id": "65bd28aaa076ee8c8463cff8"
}' \
localhost:8080 sentium.api.v1.Authz/Grant
{}
β― grpcurl \
-import-path proto \
-import-path ./.build/_deps/googleapis-src \
-proto proto/sentium/api/v1/authz.proto \
-plaintext \
-d '{
"principal_id": "cn7qtdu56a1cqrj8kur0",
"entity_type": "documents",
"entity_id": "65bd28aaa076ee8c8463cff8"
}' \
localhost:8080 sentium.api.v1.Authz/Check
{
"ok": true
}
β― grpcurl \
-import-path proto \
-import-path ./.build/_deps/googleapis-src \
-proto proto/sentium/api/v1/principals.proto \
-plaintext \
localhost:8080 sentium.api.v1.Principals/List
{
"principals": [
{
"id": "cn7qtim56a1cqrj8kurg"
},
{
"id": "cn7qtdu56a1cqrj8kur0"
}
]
}
β― grpcurl \
-import-path proto \
-import-path ./.build/_deps/googleapis-src \
-proto proto/sentium/api/v1/entities.proto \
-plaintext \
-d '{
"principal_id": "cn7qtdu56a1cqrj8kur0",
"entity_type": "documents"
}' \
localhost:8080 sentium.api.v1.Entities/List
{
"entities": [
{
"id": "65bd28aaa076ee8c8463cff8",
"type": "documents"
}
]
}
β― grpcurl \
-import-path proto \
-import-path ./.build/_deps/googleapis-src \
-proto proto/sentium/api/v1/entities.proto \
-plaintext \
-d '{
"entity_type": "documents",
"entity_id": "65bd28aaa076ee8c8463cff8"
}' \
localhost:8080 sentium.api.v1.Entities/ListPrincipals
{
"principals": [
{
"id": "cn7qtdu56a1cqrj8kur0"
}
]
}
- fmt - For string formatting.
- googleapis - For annotations to help with gRPC/JSON transcoding.
- googletest - For tests.
- grpcxx - For the gRPC server.
- libpqxx - For PostgreSQL connections.
- libxid - For globally unique IDs.
- Thanks to @kw510, @neculalaura and @td0m
for their contributions on the
gatekeeperbranch.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent