I’m looking to add Access Control List authorization in a project and was looking for insight as to how others have approached such an authorization scheme in Elixir apps. Looks like there are a few open source libs that provide some portion of the desired functionality that could be built on top of, like bodyguard, or some others that aren’t production ready, like terminator. Has anybody implemented a robust ACL auth scheme that they’ve been super happy with in a production app?
Yea, it was definitely a ton of work. I left that company, but my understanding is that maintenance cost is high because of how it touches everything.
The hardest thing is knowing that your application ACLs are in use in all the right places. I don’t think that can be a “trust me” exercise, but rather guaranteed via query validation.
I implemented a lighter version of ACLs in my current product. It allows each object to have a string ACL like `email::firstname.lastname@example.org` or `group_id::123`. This ACL is stored directly on the record (text array) and is queried against using the Postgres `&&` operator. Each user has a quick way to resolve all ACLs that apply to them, and they’re passed into the queries.
The benefit of the “ACL stored on record” approach is that I can easily mirror the ACLs to another environment (Elasticsearch in my case) and apply the same ACLs in queries there. This translation is difficult if you were using joins or other SQL-specific query methods. The downside is that you wouldn’t want really large ACL entries or the records could get large.
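As an added example (not code from the poster or from any library named in the thread), here is what the "ACL stored on the record" layout described above can look like with Ecto: a `text[]` column, a GIN index for the overlap test, a resolver that turns a user into ACL entries, and a single scoping function that every document query passes through. The table, module, field and function names (`documents`, `MyApp.Docs.Document`, `MyApp.Acl`, `MyApp.Repo`, a user struct with `:email` and `:group_ids`) are assumptions for illustration.

```elixir
# Added example. ACL entries are stored as a text[] on each record and
# matched with Postgres' && (array overlap) operator. All names are assumed.

defmodule MyApp.Repo.Migrations.AddAclToDocuments do
  use Ecto.Migration

  def change do
    alter table(:documents) do
      # One entry per principal, e.g. "email::a.b@example.org", "group_id::123"
      add :acl, {:array, :text}, null: false, default: []
    end

    # GIN index so `acl && ARRAY[...]` is an index lookup, not a table scan
    create index(:documents, [:acl], using: :gin)
  end
end

defmodule MyApp.Docs.Document do
  use Ecto.Schema

  schema "documents" do
    field :title, :string
    field :acl, {:array, :string}, default: []
    timestamps()
  end
end

defmodule MyApp.Acl do
  @moduledoc """
  Resolves the ACL entries that apply to a user and scopes queries with them.
  Every read of documents is expected to go through `scope/2`; centralising
  the filter here is what makes "are ACLs applied everywhere?" checkable
  instead of a per-call-site "trust me".
  """
  import Ecto.Query

  # Entries take the form "<kind>::<value>" so one text[] column can hold
  # principals of different kinds.
  def entry(kind, value), do: "#{kind}::#{value}"

  # The user struct is assumed to carry :email and a list of group ids.
  def for_user(%{email: email, group_ids: group_ids}) do
    [entry("email", email) | Enum.map(group_ids, &entry("group_id", &1))]
  end

  # Restrict `query` to rows whose acl overlaps the caller's entries.
  # Postgres `&&` is array overlap: true when the arrays share any element.
  # The user's entries are bound as a parameter, never interpolated into SQL.
  def scope(query, user) do
    entries = for_user(user)

    from d in query,
      where: fragment("? && ?", d.acl, type(^entries, {:array, :string}))
  end

  # The same entries reused against a mirror in Elasticsearch: a `terms`
  # filter on a keyword field behaves like the overlap test, which is why
  # this layout translates cleanly. (Assumed index field name: "acl".)
  def es_filter(user) do
    %{query: %{bool: %{filter: [%{terms: %{acl: for_user(user)}}]}}}
  end
end

# Usage, e.g. inside a context module:
#   MyApp.Docs.Document
#   |> MyApp.Acl.scope(current_user)
#   |> MyApp.Repo.all()
```

The emitted SQL is of the form `SELECT ... FROM "documents" AS d0 WHERE (d0."acl" && $1)`, with the user's resolved entries sent as a bound `text[]` parameter. Keeping the filter in one function also gives a natural place for the query validation mentioned earlier: a test or a Repo wrapper can check that document queries were built via `scope/2` rather than auditing every call site by hand.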