From OPA to our own engine - the Cerbos journey

When we started building Cerbos in January of 2021, we had a clear mission. We wanted to help developers separate their roles and permissions management from the core application code, creating a more scalable and future-proof way of handling permissions. This is the story of how we began with Open Policy Agent (OPA) and eventually built our own policy decision engine, and why that transition was crucial for our product's evolution.

Our starting point with OPA

When we initially surveyed the authorization landscape, OPA stood out as a well-designed and comprehensive rule engine. It could handle everything from application-level permissions to network-level stuff and Kubernetes deployments. We saw an opportunity to adapt it specifically for application permissions.

Starting with OPA turned out to be a good strategic decision for us. As a widely-adopted open source project within the CNCF ecosystem, it provided us with a strong foundation that allowed us to focus on building the core value propositions of Cerbos. Rather than immediately tackling the complexity of building a decision engine from scratch, we could concentrate on developing all the essential services and APIs around it. This gave us a significant head start and enabled us to prove the value of our broader vision for authorization.

We also identified a significant challenge. OPA uses Rego, a variant of Datalog, as its policy language. While powerful, our hypothesis was that the majority of developers either don't have the time or inclination to learn a new programming language just to write authorization policies.

This realization shaped our initial approach. We decided to create a simple, human-readable format for policies that would compile into Rego behind the scenes. We built the Cerbos Policy Decision Point (PDP) and wrapped it around OPA's decision engine, creating an API that developers would enjoy using.

Building for developer experience

Our focus has always been on creating an exceptional developer experience. We believe the best developer tools share one crucial characteristic - they offer simple, intuitive APIs that hide complexity. Think of Stripe handling complex payment processing through a clean API, or how Twilio abstracts away the complexities of SMS delivery across different mobile networks.

We applied this same philosophy to Cerbos. Rather than exposing developers to the underlying complexity, we created a straightforward API where developers simply specify three things:

• A principal (who is making the request);
• An action (what they want to do);
• And a resource (what they want to do it to).

Cerbos handles everything else (scaling, logging, metrics, etc.), returning a clear allow or deny decision.

The transition to our own engine

As we continued developing Cerbos and adding more features, we started hitting limitations with the OPA engine. We needed to introduce enhancements like detailed decision reasoning and custom output messages for front-end applications. While OPA is an excellent project, making these changes would have required either forking the project or waiting for our modifications to be accepted upstream.

After careful consideration, we decided to build our own specialized engine in October 2021. This wasn't about replacing OPA entirely - our goal was to create something purpose-built for application permissions. By focusing solely on this use case, we could optimize performance and add features that our customers need.

The benefits of going our own way

The transition to our own engine brought several significant advantages that have directly impacted both our development velocity and our customer's success.

First, we achieved dramatically better performance. Our specialized engine, focused solely on application permissions, performs up to 17x faster than our previous OPA-based implementation. In the world of authorization, where every decision blocks subsequent operations, this speed improvement matters significantly. For our customers, this means their applications respond faster, their systems can handle more concurrent requests, and their end users experience less latency.

Second, we gained complete control over our technology stack. We can now quickly implement new features and optimizations without depending on external projects. This has allowed us to add capabilities like detailed decision explanations (audit logs), helping users understand exactly why a particular access decision was made. When a customer needs to debug a permission issue, they can now see the exact policy rules that triggered the decision, making troubleshooting significantly easier.

Third, we've optimized the memory and CPU footprint, making Cerbos more efficient in production environments. Our engine is streamlined for exactly what our users need, without carrying the overhead of supporting additional use cases. This translates to lower infrastructure costs for our customers and better resource utilization in containerized environments.

Looking back and forward

Starting with OPA was the right decision for us. It gave us a solid foundation and allowed us to prove our core value proposition while we built out the rest of the Cerbos ecosystem. The transition to our own engine wasn't about replacing OPA entirely, it was about creating something specialized for our specific use case.

Today, our own decision engine powers Cerbos installations across numerous organizations, delivering fast, reliable, and feature-rich authorization decisions - and is completely open source too, with an Apache 2 license. We're proud of this evolution in our technology stack, as it enables us to serve our users better and continue innovating in the authorization space.

The authorization space continues to evolve, with different approaches emerging from various providers. But our focus remains constant providing our users with the simplest, most powerful way to implement and manage authorization in their applications. Our journey from OPA to our own engine reflects this, and we're excited about the possibilities it opens up for the future.

Cerbos makes fine-grained access controls easy to implement and manage, making authorization more secure and more adaptable to changing requirements, while saving months of developer time. If you’re interested in implementing authorization - try out Cerbos Hub or book a call with a Cerbos engineer to see how our solution can help streamline access control in your applications.