The information in this Gist originally comes from this GitHub issue, which is now outdated.
As @RomanMinkin mentioned, you can also consider Casbin (https://github.com/casbin/casbin). It is the most starred authorization library in Golang. There are several differences between Casbin and OPA.
| Feature | Casbin | OPA |
|---|---|---|
| Library or service? | Library/Service | Library/Service |
| How to write policy? | Two parts: a model (the general authorization logic) and a policy (the concrete policy rules). | A single part: Rego |
| RBAC hierarchy | Casbin supports role hierarchy (a role can have a sub-role). | Role hierarchies can be encoded in data. With the new graph.reachable() built-in function, queries over those hierarchies are now much more feasible. |
| RBAC separation of duties | Not supported | Supported: two roles cannot be assigned together |
| ABAC | Casbin can read a Golang struct's members directly as attributes. | OPA needs to be given an attribute list (JSON) or a Golang struct. |
| Built-in functions | RESTful match, IP match and regex are supported. You can also write your own Golang function and let Casbin use it. | Functions like regex, max, min, count and type conversion are supported. You can write your own built-in functions. |
| Policy storage | All common databases are supported by dozens of middlewares: SQL, NoSQL, key-value, AWS S3, etc. | Not supported; you need to write your own code if you want to use a database like MySQL. |
| Conflict resolution | Allow-override, deny-override, allow-and-no-deny and priority are built in. You can also write your own Effector logic (in code) for custom conflict resolution. | Allow-override, deny-override and priority (though the grammar is a little long). You can also resolve conflicts inside Rego itself. |
| Distributed authorization | You can use multiple Casbin instances together. Sharding and policy change notification are supported. | One single OPA service |
| Other programming languages | Golang, Java, PHP, Node.JS, Python, .NET, Delphi, Rust and others are supported (> 8). | Golang, WASM (NodeJS in progress) |
| Adopters | Intel, VMware, Docker, Cisco, Banzai Cloud, Orange, Tencent Cloud, Microsoft | Netflix, Chef, SolarWinds, Cisco, Cloudflare, Pinterest, State Street Corporation |
(let me know if the above table is not accurate)
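The RBAC-hierarchy, separation-of-duties and conflict-resolution rows of the table are easier to compare with a concrete evaluator in hand. The program below is an added illustration written for this Gist in plain Go; it is not Casbin's or OPA's code and uses no library. It implements a transitive role hierarchy, the three Casbin effectors the table names (allow-override, deny-override, priority) and a separation-of-duties check of the kind the table attributes to OPA. The users, roles, documents and rules in `SamplePolicy` are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule is one policy line: subject (user or role), object, action, whether it
// allows or denies, and a priority (lower number wins in Priority mode, as in Casbin).
type Rule struct {
	Sub, Obj, Act string
	Allow         bool
	Priority      int
}

// Policy is a rule list plus a role hierarchy: Roles maps a user or role to the
// roles it directly holds (the "g, member, role" lines of a Casbin policy).
type Policy struct {
	Rules []Rule
	Roles map[string][]string
}

// RolesOf returns sub itself plus every role reachable through the hierarchy,
// so alice -> admin -> editor -> viewer inherits all four subjects' rules.
func (p *Policy) RolesOf(sub string) map[string]bool {
	seen := map[string]bool{sub: true}
	for queue := []string{sub}; len(queue) > 0; queue = queue[1:] {
		for _, parent := range p.Roles[queue[0]] {
			if !seen[parent] {
				seen[parent] = true
				queue = append(queue, parent)
			}
		}
	}
	return seen
}

// Mode selects how conflicting allow/deny rules are resolved.
type Mode int

const (
	AllowOverride Mode = iota // any matching allow grants access
	DenyOverride              // any matching deny blocks access
	Priority                  // the highest-priority (lowest number) matching rule decides
)

// Enforce answers "may sub perform act on obj?" under the given mode.
// With no matching rule at all the answer is deny in every mode (default-deny).
func (p *Policy) Enforce(mode Mode, sub, obj, act string) bool {
	roles := p.RolesOf(sub)
	var hits []Rule
	anyAllow, anyDeny := false, false
	for _, r := range p.Rules {
		if roles[r.Sub] && r.Obj == obj && r.Act == act {
			hits = append(hits, r)
			anyAllow = anyAllow || r.Allow
			anyDeny = anyDeny || !r.Allow
		}
	}
	switch {
	case len(hits) == 0:
		return false
	case mode == AllowOverride:
		return anyAllow
	case mode == DenyOverride:
		return !anyDeny
	default: // Priority: stable sort so equal priorities keep policy order
		sort.SliceStable(hits, func(i, j int) bool { return hits[i].Priority < hits[j].Priority })
		return hits[0].Allow
	}
}

// ViolatesSoD reports whether sub ends up holding two roles that must never be
// combined (the separation-of-duties check the table lists for OPA).
func (p *Policy) ViolatesSoD(sub, roleA, roleB string) bool {
	roles := p.RolesOf(sub)
	return roles[roleA] && roles[roleB]
}

// SamplePolicy is constructed for this example; it is not a real deployment.
// bob gets conflicting rules for doc1/write: allow via editor, deny via intern.
func SamplePolicy() *Policy {
	return &Policy{
		Rules: []Rule{
			{"editor", "doc1", "write", true, 10},
			{"intern", "doc1", "write", false, 1},
			{"viewer", "doc1", "read", true, 10},
		},
		Roles: map[string][]string{
			"alice": {"admin"}, "admin": {"editor"}, "editor": {"viewer"},
			"bob": {"editor", "intern"},
		},
	}
}

func main() {
	p := SamplePolicy()
	fmt.Println("alice read doc1, allow-override:", p.Enforce(AllowOverride, "alice", "doc1", "read"))
	fmt.Println("bob write doc1, allow-override:", p.Enforce(AllowOverride, "bob", "doc1", "write"))
	fmt.Println("bob write doc1, deny-override:", p.Enforce(DenyOverride, "bob", "doc1", "write"))
	fmt.Println("bob write doc1, priority:", p.Enforce(Priority, "bob", "doc1", "write"))
	fmt.Println("bob holds editor and intern:", p.ViolatesSoD("bob", "editor", "intern"))
}
```

In Casbin terms, `Roles` corresponds to the `g = _, _` role definition and the three modes to policy-effect expressions such as `e = some(where (p.eft == allow)) && !some(where (p.eft == deny))` for deny-override; OPA would hold the same hierarchy as data and walk it with graph.reachable(). Whichever engine you pick, the behaviour to test first is the default-deny branch for requests that match no rule, since that is where a silently misloaded policy turns into an outage or an open door.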
| Metric | casbin | OPA |
|---|---|---|
| Page rank | 6.756345697844901e-05 | 2.1407964930428962e-05 |
| Stars | 6783 | 3413 |
| Order by page rank | 246 | 744 |
| Order by page rank in github repos | 133 | 583 |
| Order by stars | 166 | 436 |
| Imported by | 73 repos | 23 repos |
| Imports | 16 repos | 71 repos |
OPA is primarily developed by Styra Inc. Styra is building "authorization as a service" backed by OPA. Its marketing is slicker, and it appears a little more focused on commercial service integrations.
Casbin's originator works at Microsoft Research; the project has no sales team, but it appears more popular at a grassroots level.
I believe that knowing which animals you own isn't the responsibility of the auth service or the policy. The database itself should keep a record of pet ownership, and the policy should be used to instruct the service on joining the tables and filtering results. (Should a user read only his own animals? Then use a specific implementation. Should a user get access to other animals, let's say George's animals? Then the query should be performed as all animals owned by George and the user.)
The DB doesn't understand why this user is allowed to query George's animals. It is in the policy that a user can query the animals of direct employees.