|
| 1 | +0004: Authorization Technology Selection |
| 2 | +######################################### |
| 3 | + |
| 4 | +Status |
| 5 | +****** |
| 6 | + |
| 7 | +**Accepted** *2025-09-22* |
| 8 | + |
| 9 | +Context |
| 10 | +******* |
| 11 | + |
| 12 | +Authorization is a common challenge across software platforms, and many open-source communities have already built frameworks to address it. To understand what could work for Open edX, we reviewed a range of existing technologies and compared them against `a consistent set of evaluation criteria`_, to: |
| 13 | + |
| 14 | +* Avoid reinventing the wheel by leveraging proven approaches. |
| 15 | +* Learn from established patterns (RBAC, ABAC, ReBAC, policy-based models). |
| 16 | +* Choose solutions that balance flexibility with maintainability. |
| 17 | +* Ensure long-term scalability and alignment with modern best practices. |
| 18 | + |
| 19 | +We analyzed a variety of authorization technologies, including Django permissions, Django-guardian, Django-prbac, Bridgekeeper, Edx-rbac, Casbin, Spicedb, Keycloak, Cerbos/Permguard. The complete analysis of these solutions can be found here: `Authorization Technologies Reviewed`_. |
| 20 | + |
| 21 | +Following this preliminary assessment, we determined that Django-prbac, Casbin, and OpenFGA were the solutions most closely aligned with the requirements. We create a comparison table to decide which one is more suitable for our use case, taking into account factors such as integration fit, permission management, performance, extensibility, maturity, security, learning curve, total cost of operations, and other relevant considerations. Here you can find the `Authorization Technologies Comparison Table`_. |
| 22 | + |
| 23 | +Decision |
| 24 | +******** |
| 25 | + |
| 26 | +* We choose to use `Casbin`_ as the authorization engine for Open edX, which allows us to have a robust foundation, enabling long-term evolution; improves security because it enforce the principle of least privilege; help us maintain a centrilize logic, making it easier to manage and update; and promotes best practice because has support for multiple well-understood authorization models. This decision of using Casbin is also aligned with the `Authorization Model Foundations ADR`_. |
| 27 | + |
| 28 | +* We will integrate Casbin as a library (using the production-ready Python library, `PyCasbin`_) within our services to avoid introducing a new service. |
| 29 | + |
| 30 | +* We'll use a centralized policy enforcement, which means all access requests are evaluated against a unified set of policies before granting or denying access. |
| 31 | + |
| 32 | +Consequences |
| 33 | +************ |
| 34 | + |
| 35 | +* Additional Layer: An abstraction layer will need to be created to shield stakeholders (including Open edX services) from the complexities of direct Casbin policy management (with APIs, enforcement utilities, etc). |
| 36 | + |
| 37 | +* Casbin as a default dependency: Casbin will be included as a default dependency in our services, ensuring that it is available for authorization tasks. |
| 38 | + |
| 39 | +* Performance considerations: We need to consider how policy loading, matching, and enforcement affect the overall performance. |
| 40 | + |
| 41 | +* Data consistency: Watchers and robust strategies are required to ensure that the authorization policies are consistent across different services. |
| 42 | + |
| 43 | + |
| 44 | +Rejected Alternatives |
| 45 | +********************* |
| 46 | + |
| 47 | +Permission-centric approach |
| 48 | +============================ |
| 49 | + |
| 50 | +* Strengths: This approach is simple and easy to understand for basic use cases and static permissions. |
| 51 | + |
| 52 | +* Limitations: Managing thousands of individual permissions is not scalable and can lead to unmanageable complexity and security vulnerabilities. |
| 53 | + |
| 54 | + |
| 55 | +Policy Decision Points (PDPs) like Cerbos and Permguard |
| 56 | +======================================================== |
| 57 | + |
| 58 | +* Model: Stateless Policy Decision Points (PDPs). Evaluate requests against policies (YAML/JSON) and return allow/deny. |
| 59 | + |
| 60 | +* Strengths: Clean separation of logic; ABAC-friendly; flexible deployment modes (service, sidecar, embedded). |
| 61 | + |
| 62 | +* Limitations: Do not manage users or roles; must be combined with another system. |
| 63 | + |
| 64 | + |
| 65 | +Django-prbac |
| 66 | +============== |
| 67 | + |
| 68 | +* Model: Built around Role and Grant, it creates a graph of roles connected by privileges. Role definitions can be parameterized (e.g., by organization or course), enabling scoped RBAC and a limited form of ABAC. |
| 69 | + |
| 70 | +* Strengths: Native to Django, intuitive for developers familiar with Django patterns, and simple to use. |
| 71 | + |
| 72 | +* Limitations: Incomplete query/filtering layer, and centralization remains within each service. |
| 73 | + |
| 74 | + |
| 75 | +ReBAC Solutions (SpiceDB, OpenFGA) |
| 76 | +=================================== |
| 77 | + |
| 78 | +* Model: These are centralized, Zanzibar-inspired systems that model permissions as a graph of relationships (ReBAC). They are designed to run as a dedicated, standalone service that the application connects to. |
| 79 | + |
| 80 | +* Strengths: Both are highly powerful and expressive, built for large-scale, complex relationship-based access control. They are battle-tested technologies with strong open-source support. |
| 81 | + |
| 82 | +* Limitations: These solutions were considered overly complex for our current needs, which RBAC and ABAC primarily meet. Running a separate service introduces significant operational overhead and a steeper learning curve. |
| 83 | + |
| 84 | + |
| 85 | +References |
| 86 | +********** |
| 87 | + |
| 88 | +* `Authorization Model Foundations ADR`_ |
| 89 | +* `Authorization Technologies Reviewed`_ |
| 90 | +* `Authorization Technologies Comparison Table`_ |
| 91 | +* `Casbin`_ |
| 92 | +* `PyCasbin`_ |
| 93 | + |
| 94 | + |
| 95 | +.. _a consistent set of evaluation criteria: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/5179179033/AuthZ+Technologies+Comparison#Framework-for-Evaluation |
| 96 | + |
| 97 | +.. _Authorization Model Foundations ADR: https://github.com/openedx/openedx-authz/blob/main/docs/decisions/0002-authorization-model-foundation.rst |
| 98 | + |
| 99 | +.. _Authorization Technologies Comparison Table: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/5179179033/AuthZ+Technologies+Comparison#Comparison-Table |
| 100 | + |
| 101 | +.. _Authorization Technologies Reviewed: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/5179179033/AuthZ+Technologies+Comparison#Authorization-Technologies-Reviewed |
| 102 | + |
| 103 | +.. _Casbin: https://casbin.org/ |
| 104 | + |
| 105 | +.. _PyCasbin: https://github.com/casbin/pycasbin |
0 commit comments