🔐 Sentium

Lightning fast, global scale authorization service without the overhead of yet another DSL¹.

What is Sentium?

Sentium is an authorization service for securing your applications and services using zero trust² fine-grained authorization (FGA).

We designed Sentium to be as powerful and scalable as Zanzibar — Google’s Consistent, Global Authorization System yet simple enough to start using without the overhead of having to learn a new DSL to define authorization models or policies.

Why Sentium?

There are other open-source (and commercial) authorization services, some are inspired by Google Zanzibar while others tend to offer policy-as-code solutions. But almost all of these solutions require learning a new DSL to create authorization models or define policies, which adds unnecessary complexities.

Using an authorization service shouldn't come with a requirement to be an expert in building and maintaining authorization models or policies. It should be as easy as using an API.

Sentium lean on well known API design principals to provide an authorization service that's easy to integrate, quick to master and flexible enough to handle complex requirements.

Features

Schema-less fine-grained authorization (FGA)
Zero-trust, least privilege architecture (ZTA)
Predictable constant time authorization checks (O(1))
Strongly consistent with no cache
Cloud native at global scale³
ABAC, RBAC & ReBAC⁴
Multi-tenancy support, if you need it
Not just authorization checks, list users, entities a user can access and users with access to an entity
First class treatment for listing endpoints with pagination and limits to handle large datasets
Built using the fastest gRPC server implementation⁵

Getting started

Prerequisites

CMake (>= 3.23)
Protobuf (>= 3.15)
libpq
PostgreSQL (or PostgreSQL protocol compatible server)

Compiling

❯ cmake -B .build -G Ninja \
  -DCMAKE_BUILD_TYPE=Release \
  -DPostgreSQL_ADDITIONAL_VERSIONS=16 \
  -DSENTIUM_ENABLE_COVERAGE=OFF

❯ cmake --build .build --target sentium

Setting-up

❯ psql --dbname=postgres
psql (16.1)
Type "help" for help.

postgres=# create user sentium;
CREATE ROLE
postgres=# create database sentium owner sentium;
CREATE DATABASE

❯ psql --username=sentium --dbname=sentium < db/schema.sql

Running

❯ PGDATABASE=sentium PGUSER=sentium ./.build/bin/sentium
Listening on [127.0.0.1:8080] ...

Usage

Creating a user

❯ grpcurl \
  -import-path proto \
  -import-path ./.build/_deps/googleapis-src \
  -proto proto/sentium/api/v1/principals.proto \
  -plaintext \
  localhost:8080 sentium.api.v1.Principals/Create

{
  "id": "cn7qtdu56a1cqrj8kur0"
}

Granting access

❯ grpcurl \
  -import-path proto \
  -import-path ./.build/_deps/googleapis-src \
  -proto proto/sentium/api/v1/authz.proto \
  -plaintext \
  -d '{
    "principal_id": "cn7qtdu56a1cqrj8kur0",
    "entity_type": "documents",
    "entity_id": "65bd28aaa076ee8c8463cff8"
  }' \
  localhost:8080 sentium.api.v1.Authz/Grant

{}

Checking access

❯ grpcurl \
  -import-path proto \
  -import-path ./.build/_deps/googleapis-src \
  -proto proto/sentium/api/v1/authz.proto \
  -plaintext \
  -d '{
    "principal_id": "cn7qtdu56a1cqrj8kur0",
    "entity_type": "documents",
    "entity_id": "65bd28aaa076ee8c8463cff8"
  }' \
  localhost:8080 sentium.api.v1.Authz/Check

{
  "ok": true
}

Listing users

❯ grpcurl \
  -import-path proto \
  -import-path ./.build/_deps/googleapis-src \
  -proto proto/sentium/api/v1/principals.proto \
  -plaintext \
  localhost:8080 sentium.api.v1.Principals/List

{
  "principals": [
    {
      "id": "cn7qtim56a1cqrj8kurg"
    },
    {
      "id": "cn7qtdu56a1cqrj8kur0"
    }
  ]
}

Listing entities a user can access

❯ grpcurl \
  -import-path proto \
  -import-path ./.build/_deps/googleapis-src \
  -proto proto/sentium/api/v1/entities.proto \
  -plaintext \
  -d '{
    "principal_id": "cn7qtdu56a1cqrj8kur0",
    "entity_type": "documents"
  }' \
  localhost:8080 sentium.api.v1.Entities/List

{
  "entities": [
    {
      "id": "65bd28aaa076ee8c8463cff8",
      "type": "documents"
    }
  ]
}

Listing users that has access to an entity

❯ grpcurl \
  -import-path proto \
  -import-path ./.build/_deps/googleapis-src \
  -proto proto/sentium/api/v1/entities.proto \
  -plaintext \
  -d '{
    "entity_type": "documents",
    "entity_id": "65bd28aaa076ee8c8463cff8"
  }' \
  localhost:8080 sentium.api.v1.Entities/ListPrincipals

{
  "principals": [
    {
      "id": "cn7qtdu56a1cqrj8kur0"
    }
  ]
}

Built with

fmt - For string formatting.
googleapis - For annotations to help with gRPC/JSON transcoding.
googletest - For tests.
grpcxx - For the gRPC server.
libpqxx - For PostgreSQL connections.
libxid - For globally unique IDs.

Acknowledgments

Thanks to @kw510, @neculalaura and @td0m for their contributions on the gatekeeper branch.

Domain-Specific Language ↩
Zero trust architecture (ZTA) ↩
Scalability depends on underlying PostgreSQL protocol compatible database scalability. ↩
RFC #72 ↩
gRPCxx is benchmarked to be the fastest in February 2024. ↩

Name		Name	Last commit message	Last commit date
Latest commit History 287 Commits
.github/workflows		.github/workflows
bench		bench
cmake		cmake
db		db
examples/fileshare		examples/fileshare
proto		proto
src		src
.clang-format		.clang-format
.containerignore		.containerignore
.gitignore		.gitignore
CMakeLists.txt		CMakeLists.txt
Containerfile		Containerfile
LICENSE		LICENSE
Makefile		Makefile
NOTICE		NOTICE
README.md		README.md
changelog.md		changelog.md

License

uatuko/sentium

Folders and files

Latest commit

History

Repository files navigation