Casbin (https://github.com/casbin/casbin).
OPA (https://www.openpolicyagent.org/)
OSO (https://www.osohq.com/)
RLS (https://www.postgresql.org/docs/current/ddl-rowsecurity.html)
* = candidate
* * = discarded but interesting to watch
| Feature | Casbin* | OSO* | OPA | Postgres RLS** |
|---|---|---|---|---|
| Library or service? | Library/Service | Library | Library/Service | Database Feature |
| How to write policy? | Two parts: model and policy. Model is general authorization logic. Policy is concrete policy rule. | Single part: Polar | A single part: Rego | Single part: SQL expressions |
| RBAC hierarchy | Casbin supports role hierarchy (a role can have a sub-role) | Role hierarchies can be encoded in data. | Role hierarchies can be encoded in data. Also with the new graph.reachable() built-in function queries over those hierarchies are much more feasible now. |
Not directly supported, but can be implemented with additional tables and joins |
| RBAC separation of duties | Not supported | Supported: two roles cannot be assigned together | Supported: two roles cannot be assigned together | Not directly supported, but can be implemented with additional tables and joins |
| ABAC | Casbin supports to directly retrieve Golang struct's members as attributes | OSO supports retrieving attributes directly from Python objects | OPA needs to be provided with an attribute list (JSON) or Golang struct | RLS supports directly retrieving row's fields as attributes |
| Built-in functions | RESTful match, IP match, regex are supported. You can also write your own Golang function and let Casbin use it | Functions like 'in', 'matches', 'forall' are supported. You can also write your own built-in functions. | Functions like regex, max, min, count, type conversion are supported. You can write your own built-in functions. | SQL functions are supported |
| Policy storage | All common databases are supported by dozens of middlewares, like SQL, NoSQL, Key-Value, AWS S3, etc. | Built-in support for SQLAlchemy ORM. Other databases can be used by providing your own data loading functions. | Not supported, you need to write your own code if you want to use DB like MySQL. | Policies are stored directly in the PostgreSQL database |
| Conflict resolution | Allow-override, Deny-override, Allow-and-no-Deny, Priority are built-in supported. You can also write your own Effector logic (in code) to have a custom conflict resolution | Priority (using specializers and rule ordering) | Allow-override, Deny-override, Priority (but grammar is a little long). You can also resolve conflicts inside Rego itself. | No built-in conflict resolution mechanism |
| Distributed authorization | You can use multiple Casbin instances together. Sharding and policy change notification are supported | One single OSO service | One single OPA service | Depends on the PostgreSQL database setup |
| Other programming languages | Golang, Java, PHP, Node.JS, Python, .NET, Delphi, Rust and others are supported (> 8) | Python, Rust, NodeJS, Go, Java | Golang, WASM (NodeJS in progress) | SQL |
| Adopters | Intel, VMware, Docker, Cisco, Banzai Cloud, Orange, Tencent Cloud, Microsoft | Scribd, Tailscale | Netflix, Chef, SolarWinds, Cisco, Cloudflare, Pinterest, State Street Corporation | Any PostgreSQL users |
| UI Editor | Free rules editor and tester Casbin Editor | Paid rules editor and tester | ||
| Community | Casbin Discord | OSO Slack |
| Feature | Casbin | OPA | OSO | RLS |
|---|---|---|---|---|
| Performance | Designed for high performance | Designed for high performance | Designed for high performance | Performance depends on the PostgreSQL database setup and the complexity of the policies |
| Scalability | Designed for large-scale environments | Designed for large-scale environments | Should be able to handle a large number of policies and/or users | Scalability depends on the PostgreSQL database setup |
| Integration | Various integration options available | Various integration options available | Easy integration with Flask + SQLAlchemy | Integration depends on the ability to interact with a PostgreSQL database |
| Policy Debugging | Debugging capabilities can vary | Debugging capabilities can vary | Provides a REPL for interactive policy debugging | Debugging capabilities depend on SQL debugging tools |
| Policy Monitoring and Auditing | Monitoring and auditing mechanisms are available | Provides mechanisms for logging policy decisions | Mechanisms for logging policy decisions are available | Monitoring and auditing mechanisms depend on PostgreSQL database logs |
| Policy Testing | Testing support may vary | Support for policy testing | Support for policy testing | Testing support depends on SQL testing tools |
| Community and Support | Active open-source community. Commercial support available. | Active open-source community. Commercial support available. | Active open-source community. Commercial support available. | Supported by the PostgreSQL community |
| Pricing | Free to use. Cost for commercial support or additional features. | Free to use. Cost for commercial support or additional features. | Free to use. Cost for commercial support or additional features. | Free to use as a feature of PostgreSQL |
| Documentation | Comprehensive documentation available | Comprehensive documentation available | Comprehensive documentation available | Documented in the PostgreSQL manual |
| Learning Curve | Learning curve depends on familiarity with access control models and Golang | Learning curve depends on familiarity with Rego | Polar might be easier for developers with a background in Python or similar languages | Learning curve depends on familiarity with SQL and PostgreSQL |
| Library | Stars | Forks | Open Issues | Age | Last Commit | License | Language |
|---|---|---|---|---|---|---|---|
| osohq/oso | 3,152 | 158 | 110 | 3 years ago | 11 days ago | Apache-2.0 | Rust |
| casbin/casbin | 15,406 | 1,596 | 23 | 6 years ago | 7 days ago | Apache-2.0 | Go |
| open-policy-agent/opa | 8,290 | 1,162 | 313 | 8 years ago | a day ago | Apache-2.0 | Go |