Pr301/sentium (forked from uatuko/ruek)
🔐 Sentium


Lightning fast, global scale authorisation service without the overhead of (yet another) modeling language.

What is Sentium?

Sentium is an authorisation service for securing your applications and services using zero trust¹ fine-grained access control (FGA).

We designed Sentium to be as powerful and scalable as Zanzibar (Google's Consistent, Global Authorization System), yet simple enough to start using without first having to learn a new modeling language or policy syntax.

Why Sentium?

There are other open-source (and commercial) authorisation services: some are inspired by Google Zanzibar, while others offer policy-as-code solutions. Both kinds require learning a new modeling language or policy syntax, which adds unnecessary complexity.

Using an authorisation service shouldn't come with a requirement to be an expert in building and maintaining authorisation models or policies. It should be as easy as using an API.

Sentium leans on well-known API design principles to provide an authorisation service that is easy to integrate, quick to master and flexible enough to handle complex requirements.

Features

  • Schema-less fine-grained access control (FGA)
  • Zero-trust, least privilege architecture (ZTA)
  • Predictable constant time authorisation checks (O(1))
  • Strongly consistent with no cache
  • Cloud native at global scale²
  • ABAC, RBAC & ReBAC (with constraints)
  • Multi-tenancy support, if you need it
  • Not just authorisation checks: list users, the resources a user can access, and the users with access to a resource
  • First class treatment for listing endpoints, with pagination and limits to handle large datasets
  • Built using the fastest gRPC server implementation³

Getting started

Prerequisites

Compiling

❯ cmake -B .build -G Ninja \
  -DCMAKE_BUILD_TYPE=Release \
  -DPostgreSQL_ADDITIONAL_VERSIONS=16 \
  -DSENTIUM_ENABLE_COVERAGE=OFF
❯ cmake --build .build --target sentium

Setting-up

❯ psql --dbname=postgres
psql (16.1)
Type "help" for help.

postgres=# create user sentium;
CREATE ROLE
postgres=# create database sentium owner sentium;
CREATE DATABASE
❯ psql --username=sentium --dbname=sentium < db/schema.sql

Running

❯ PGDATABASE=sentium PGUSER=sentium ./.build/bin/sentium
Listening on [127.0.0.1:8080] ...

Usage

Creating a user

❯ grpcurl \
  -import-path proto \
  -import-path ./.build/_deps/googleapis-src \
  -proto proto/sentium/api/v1/principals.proto \
  -plaintext \
  localhost:8080 sentium.api.v1.Principals/Create

{
  "id": "cn7qtdu56a1cqrj8kur0"
}

Granting access

❯ grpcurl \
  -import-path proto \
  -import-path ./.build/_deps/googleapis-src \
  -proto proto/sentium/api/v1/authz.proto \
  -plaintext \
  -d '{
    "principal_id": "cn7qtdu56a1cqrj8kur0",
    "resource_type": "documents",
    "resource_id": "65bd28aaa076ee8c8463cff8"
  }' \
  localhost:8080 sentium.api.v1.Authz/Grant

{}

Checking access

❯ grpcurl \
  -import-path proto \
  -import-path ./.build/_deps/googleapis-src \
  -proto proto/sentium/api/v1/authz.proto \
  -plaintext \
  -d '{
    "principal_id": "cn7qtdu56a1cqrj8kur0",
    "resource_type": "documents",
    "resource_id": "65bd28aaa076ee8c8463cff8"
  }' \
  localhost:8080 sentium.api.v1.Authz/Check

{
  "ok": true
}

Listing users

❯ grpcurl \
  -import-path proto \
  -import-path ./.build/_deps/googleapis-src \
  -proto proto/sentium/api/v1/principals.proto \
  -plaintext \
  localhost:8080 sentium.api.v1.Principals/List

{
  "principals": [
    {
      "id": "cn7qtim56a1cqrj8kurg"
    },
    {
      "id": "cn7qtdu56a1cqrj8kur0"
    }
  ]
}

Listing resources a user can access

❯ grpcurl \
  -import-path proto \
  -import-path ./.build/_deps/googleapis-src \
  -proto proto/sentium/api/v1/resources.proto \
  -plaintext \
  -d '{
    "principal_id": "cn7qtdu56a1cqrj8kur0",
    "resource_type": "documents"
  }' \
  localhost:8080 sentium.api.v1.Resources/List

{
  "resources": [
    {
      "id": "65bd28aaa076ee8c8463cff8",
      "type": "documents"
    }
  ]
}

Listing users that have access to a resource

❯ grpcurl \
  -import-path proto \
  -import-path ./.build/_deps/googleapis-src \
  -proto proto/sentium/api/v1/resources.proto \
  -plaintext \
  -d '{
    "resource_type": "documents",
    "resource_id": "65bd28aaa076ee8c8463cff8"
  }' \
  localhost:8080 sentium.api.v1.Resources/ListPrincipals

{
  "principals": [
    {
      "id": "cn7qtdu56a1cqrj8kur0"
    }
  ]
}
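The steps above (create a principal, grant, check, list) combined into one fail-closed client, as an added example that is not part of the Sentium project: a small Python wrapper around the same grpcurl invocations. It assumes grpcurl is on PATH, the repository root is the working directory, and the server from Running is listening on localhost:8080.

```python
import json
import subprocess

# Assumed (not stated in the README): grpcurl is on PATH, the working
# directory is the repository root and the server started above is
# listening on localhost:8080. -plaintext means no TLS: development only.
ADDR = "localhost:8080"
IMPORT_PATHS = ["proto", "./.build/_deps/googleapis-src"]
PROTO_FOR_SERVICE = {
    "Principals": "proto/sentium/api/v1/principals.proto",
    "Authz": "proto/sentium/api/v1/authz.proto",
    "Resources": "proto/sentium/api/v1/resources.proto",
}

def grpcurl_args(service, method, body=None):
    """Build the grpcurl command line the README shows for a service method."""
    args = ["grpcurl"]
    for path in IMPORT_PATHS:
        args += ["-import-path", path]
    args += ["-proto", PROTO_FOR_SERVICE[service], "-plaintext"]
    if body is not None:
        args += ["-d", json.dumps(body)]
    return args + [ADDR, f"sentium.api.v1.{service}/{method}"]

def call(service, method, body=None):
    """Run grpcurl and decode its JSON reply; an empty reply becomes {}."""
    proc = subprocess.run(grpcurl_args(service, method, body), timeout=5,
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}

def is_allowed(reply):
    """Only an explicit {"ok": true} allows; {} (the proto3 default) denies."""
    return reply.get("ok") is True

def check_access(principal_id, resource_type, resource_id):
    """Fail closed: a missing tool, transport or server error is a deny."""
    req = {"principal_id": principal_id, "resource_type": resource_type,
           "resource_id": resource_id}
    try:
        return is_allowed(call("Authz", "Check", req))
    except (subprocess.SubprocessError, OSError, ValueError):
        return False

if __name__ == "__main__":
    pid = call("Principals", "Create")["id"]
    doc = {"resource_type": "documents", "resource_id": "65bd28aaa076ee8c8463cff8"}
    print("before grant:", check_access(pid, **doc))
    call("Authz", "Grant", {"principal_id": pid, **doc})
    print("after grant: ", check_access(pid, **doc))
    print(call("Resources", "ListPrincipals", doc))
```

Every caller goes through check_access, so an unreachable server or a malformed reply denies rather than silently allowing.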

Built with

  • fmt - For string formatting.
  • googleapis - For annotations to help with gRPC/JSON transcoding.
  • googletest - For tests.
  • grpcxx - For the gRPC server.
  • libpqxx - For PostgreSQL connections.
  • libxid - For globally unique IDs.

Acknowledgments

Footnotes

  1. Zero trust architecture (ZTA)

  2. Scalability depends on the scalability of the underlying PostgreSQL protocol compatible database.

  3. gRPCxx was benchmarked as the fastest in February 2024.
