Comparison with Hashicorp Vault, Open Policy Agent (OPA), and/or Speedle+?

[heyakyra]

Also asked here: https://forum.golangbridge.org/t/auth-services-comparison-ory-keto-vs-speedle-vs-hashicorp-vault/23052

Looking into services to help with providing a login service which also stores identity and access management. Anyone familiar with more than one of these that could give some pros and cons between them?

There have also been discussions about extra functionality such as provided by OPA or integration with OPA as tthese apparently serve different purposes, but I don't quite understand how. #318

[tacurran]

@heyakyra "help with providing a login service which also stores identity and access management". The comparison would also include Ory Kratos for credentials and Ory Keto for access control. Perhaps you can add some of the features that you want to compare? For example to begin:
Technical

• Open source
• Programming language
• Encryption
• Key size , footprint
• Github Stars
• API
• Containerisation

Functional

• Login process support e.g. email, magic link
• Password process e.g. reset,
• Verification e.g. MFA
• Profile management
• ID data model
• Access control language, e.g. verbose, OPA
• Access control model e.g. zookies, pairing, hierarchy
• Roles based access management
• Import/export/exchange

[heyakyra]

Are there major differences in the open source aspect? As far as programming language, I thought they all were written in Go. As far as the specific aspects go, I'm interested in the differences existing devs see as significant. Oherwise, ID data model, RBAC and access control language/model aspects would be of particular interest. Also, how difficult is it to deploy Ory Kratos/Keto in HA setups on Consul?

[aeneasr]

Vault is a system to store credentials in. For example, you have an AWS API Key to manage some S3 things and you don't want to share this with all your developers. You store this in Vault and create Vault Credentials for each developer and assign them roles / give them access to certain keys.

OPA is a system which let's you define policies for permissions / access control. So for example "Bob is allowed to access document Foo when he's in the network 192.168.0.1/23 and for as long as he's in department Bar". But you need to learn the OPA policy programming language called "Rego" which is based on an academic programming query language (think XPath).

Speedle I personally don't know so I can't say anything about it, but it looks similar to OPA with a different policy language.

Ory Keto is an implementation of Google Zanzibar. While probably not as flexible as a full-fleged programming language such as Rego (OPA) or SPDL (Speedle) it is optimized for HA, performance, reliability, scale, global distribution.

For everything else, please check the individual project's home pages and documentations. Personally, I only know OPA well and have never used Vault or Speedle.

[heyakyra]

Thank you! Where can I read more about the "optimized for HA" bit specifically? This is important to us as we're currently using pacemaker but migrating to Consul

[aeneasr]

The best source is probably the research paper: https://research.google/pubs/pub48190/

[caiwl]

well, I know it's probably too late to join the discussion. but Speedle is doing good in terms of performance, reliability, scale, global distribution as well. Please let me know if you are interested in a comparison/benchmark testing among all the projects mentioned above. :-)

[Monccef]

Hello, Can you give show more details of the comparison between OPA & KETO ?