Your answer is just about a discussion we had yesterday about the race between 'let's build a standard that will allow the LLM to get programmatic decisions' and 'let's build something that works'.
Most of the standard and implementation is focused on the vision of models and clients that automatically handle the tool overhead, while in reality everything that is related to MCP requires tons of boilerplate/middleware/garbage code.
During our work in the Policy as Code open source project OPAL, we discovered that AdTech is one of the most complex industries to implement fine-grained authorization. In this article, we will be sharing how Reddit developed their own authorization system for Ads using OSS and advanced policy engines.
In the debate between policy as code and policy as graph, Reddit chose a unique approach. They used OPA (code) as a model and a centralized (Zanzibar) service.
Writing JS/TS for browsers and backend applications is an entirely different skill. The only similarities are syntax. From the organization's perspective, the developer's primary expertise is a platform/framework, not a language syntax.
The point of the article is right for the indie developer who wants to stick with one language as a "mother language" and be able to produce any kind of software in no time. For scale, it is not the case.
I'm a big fan of JS/TS, but there are absolutely significantly better choices for many backend applications.
In 2021, when Permit.io launched, we anchored our authorization framework on Policy as Code with a specific focus on OPA/Rego. We believed, and still do, that the Policy as Code approach is key to scalable authorization.
While policy engines solve the challenge of decoupling policy and code, the challenge of scaling them and loading them with the right policy and data remains strong - especially for event-driven systems.
We reviewed how Netflix used OPA with a replication pattern and decided to create a similar yet more extensible and event-driven solution - and so OPAL (Open Policy Administration Layer) was born - creating a scalable, zero-trust way to manage policy engines and their policy/data at scale.
Fast forward two years, and the landscape has evolved. New policy as code languages and standards have emerged (Cedar, OpenFGA, etc.), and in this evolving market, OPAL has positioned itself as a leading solution for synchronizing policy as code with policy data, particularly for self-hosted environments.
What truly differentiates OPAL from other solutions like Topaz and Permify is its flexibility. OPAL is not limited to a single policy engine; it supports a variety, making it a versatile tool for authorization applications. Using a single Helm chart or Dockerfile, one can deploy a full-fledged authorization system, customized to specific policy models, languages, and engines.
As we look to the future, we're keen to gather insights from the HackerNews community. What features would you like to see in OPAL? How can we make it more robust and efficient for your authorization needs?
We value your feedback and are excited to see how your suggestions can shape OPAL's roadmap.
P.S. As with any open-source project, your support on GitHub, especially stars, helps us a lot. Thanks in advance for your backing!
Actually, Permit does support OPA. In fact, about 15% of our large customers came from StyraDAS and use Permit as their enterprise OPA solution.
On top of that, we offer OPAL+, which is already adopted by Fortune 100 companies as a production-grade OPA framework.