An implementation of a distributed access-control server that is based on Google Zanzibar - "Google's Consistent, Global Authorization System".

An instance of an access-controller is similar to the aclserver implementation called out in the paper. A cluster of access-controllers implement the functional equivalent of the Zanzibar aclserver cluster.

If you want to setup an instance of the Authorizer platform as a whole, browse the API References, or just brush up on the concepts and design of the platform, take a look at the official platform documentation. If you're only interested in running the access-controller then continue on.

An access-controller server supports single node or multi-node (clustered) topologies. Instructions for running the server with these topologies are outlined below.

To gain the benefits of the distributed query model that the access-controller implements, it is recommend to run a large cluster. Doing so will help distribute query load across more nodes within the cluster. The underlying cluster membership list is based on Hashicorp's memberlist

a library that manages cluster membership and member failure detection using a gossip based protocol.

A cluster should be able to suport hundreds of nodes. If you find otherwise, please submit an issue.

docker-compose.yml provides an example of how to setup a multi-node cluster using Docker and is a great way to get started quickly.

$ docker compose -f docker/docker-compose.yml up

Take a look at our official Helm chart.

Download the latest release and extract it.

To run an access-controller you must have a running CockroachDB database. Take a look at setting up CockroachDB with Docker.

$ ./bin/access-controller

Start a multi-node cluster by starting multiple independent servers and use the -join flag to join the node to an existing cluster.

$ ./bin/access-controller -node-port 7946 -grpc-port 50052
$ ./bin/access-controller -node-port 7947 -grpc-port 50053 -join 127.0.0.1:7946
$ ./bin/access-controller -node-port 7948 -grpc-port 50054 -join 127.0.0.1:7947

Take a look at the examples of how to:

• Add a Namespace Configuration
• Write a Relation Tuple
• Check a Subject's Access

Don't hesitate to browse the official Documentation, API Reference and Examples.

The access-controller is an open-source project and we value and welcome new contributors and members of the community. Here are ways to get in touch with the community:

• Slack: #authorizer-tech
• Issue Tracker: GitHub Issues