Styra | Redwood City, CA | Full-time | Onsite
Styra is a stealth-startup working on simplifying authorization in cloud-native environments, and the proud contributor to the 'Cloud Native Computing Foundation' (CNCF) https://www.openpolicyagent.org project.
If you are a senior engineer and interested in solving challenging security and authorization problems:
The semantics of OPA's policy language are based on Datalog, a non-Turing complete subset of Prolog. This means that all policy queries in OPA are guaranteed to terminate (which makes it a good fit for problems like authorization.)
Beyond regular Datalog, OPA adds first-class support for querying complex/nested data structures like JSON.
As a side note, OPA was not developed at Netflix, but they were one of the early adopters and continue to use it today.
Thanks so much for the answer -- I thoroughly enjoyed the OPA talks I've seen[0][1]. I apologize for mistaking OPA as a Netflix product, I think one of the first times I saw it was as it was being used by Netflix so I assumed it was one of their F/OSS projects or built by someone there.
Did you guys build your own engine? I took a quick look at the repo but don't see anything that looks like a datalog library in your glide package list.
Last but not least, thanks for making and open sourcing such an awesome tool! Will definitely be passing the word on about Styra[2], I had no idea there was a whole company/more efforts behind OPA. I plan on using OPA in a bunch of upcoming projects -- it looks like a fantastic, stable addition to the toolbox of people looking to build robust programs/services.
> Did you guys build your own engine? I took a quick look at the repo but don't see anything that looks like a datalog library in your glide package list.
Yes, the language implementation (parser/compiler/evaluator) is implemented from scratch.
> Last but not least, thanks for making and open sourcing such an awesome tool!
Thanks for the kind words! If you have questions or need help, feel free to file issues on GitHub or ask questions on Slack.
"The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack."
To someone who doesn't already know what a "policy engine" is, that intro is completely meaningless. Might want to at least move a tiny blurb from the later doc to that opening paragraph.
Howdy! Having looked through the repo and docs, this feels to be very Prolog-y, or more specifically a fairly domain-specific implementation of a thing that's otherwise generalized typically by Prolog.
I'm really curious to hear if it was in any way informed or inspired by other logic programming systems, and/or what some of the more challenging aspects were of implementing a predicate logic system like this in Golang.
Hello! The semantics are based on Datalog--but we've added a few features that make it more expressive than just plain Datalog. For example, OPA has first-class support for accessing nested data structures like JSON. At the same time, OPA does not support recursion today; however, we've found you can get quite far without it.
I don't think that Golang introduces any unique challenges for implementing a logic system, just the usual suspects like garbage collection, lack of generics, etc.
Is there any way of including an external data source, like a database, instead of data documents? For example, the management hierarchy for my company lives in an ERP system and I'd like the data to be as up to date as possible.
Also, are there any theoretical limits to how much data could be loaded in to OPA?
1. You can include JSON data as input when you execute a policy query. In your example, you could include the management hierarchy or a user in a JWT that's provided as input to the policy query.
2. You can load JSON data into OPA out-of-band. OPA will cache this data in-memory and you can refer to it in your policies. There are two ways to do this. (a) use OPA's REST API to push data into the engine (e.g., PUT /v1/data/management/hierarchy <JSON body>) or (b) use OPA's Bundle feature to pull down bundles of policy and data from a remote endpoint.
3. If providing the data as input or out-of-band will not work, we have an experimental HTTP built-in function that you can call inside your policies to query the external data source on-the-fly when the policy is evaluated. This feature is still experimental but over time we intend to improve support for it (e.g., currently you can't mock out these built-in calls, but it's on the ROADMAP.)
Regarding limits, OPA keeps policies and data in-memory, so you're limited by RAM on a single host.
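Options 1 and 2 from the answer above, sketched as a Rego policy. This is an added example, not code from the original comment or from the OPA project; the package name, the shape of the hierarchy document and the input fields are assumptions, and `import rego.v1` assumes a recent OPA release.

```rego
package example.authz

import rego.v1

# Assumed out-of-band document (option 2), pushed with
#   PUT /v1/data/management/hierarchy
# mapping each employee to a direct manager (constructed sample):
#   {"alice": "carol", "bob": "carol", "carol": "dana"}
# Assumed per-query input (option 1):
#   {"user": "carol", "action": "read",
#    "resource": {"type": "review", "owner": "alice"}}

# Deny unless a rule below matches.
default allow := false

# An employee may read their own review.
allow if {
	input.action == "read"
	input.resource.type == "review"
	input.resource.owner == input.user
}

# A direct manager may read a report's review. If the hierarchy has not
# been loaded yet, the data reference is undefined, the rule does not
# match, and the default (deny) applies.
allow if {
	input.action == "read"
	input.resource.type == "review"
	data.management.hierarchy[input.resource.owner] == input.user
}

# Unit tests (run with `opa test`); `with` substitutes input and data.
hierarchy := {"alice": "carol", "bob": "carol", "carol": "dana"}
review_of_alice := {"type": "review", "owner": "alice"}

test_manager_allowed if {
	allow with input as {"user": "carol", "action": "read", "resource": review_of_alice}
		with data.management.hierarchy as hierarchy
}

test_peer_denied if {
	not allow with input as {"user": "bob", "action": "read", "resource": review_of_alice}
		with data.management.hierarchy as hierarchy
}

test_missing_data_denied if {
	not allow with input as {"user": "carol", "action": "read", "resource": review_of_alice}
}
```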
What about translation of rule subsets to other enforcement mechanisms? ACLs and rules for physical infrastructure like switches and routers being one possible target where embedding the agent itself may be impractical. I understand that SDN dominates the core infrastructure, but more traditional infrastructure is frequently in place closer to enterprise users. The point being defense in depth, rather than relying on physical infrastructure as a sole enforcement mechanism.
Before OPA existed, what policy engine did you use and why weren't you happy with what you had? If you didn't use a policy engine, why did you decide to create one rather than use an existing one?
hi again, just watched the youtube where you presented OPA on KubeCon 2018. i'm interested in it, but it appears most of your use case is around infrastructure. do you have use cases where it is applied in the application itself? for example, you mentioned Netflix used it for their infrastructure -- would Netflix use this to manage all the paying subscriber functions too? I imagine functions such as
1. what movies are available to my region
2. is this profile allowed to watch a certain movie?
3. can i view my account settings?
may be a good fit, but just wanted to be sure. another area may be in gaming, where new functions such as:
1. am i allowed to access this weapon
2. am i allowed to be on this terrain map
3. who my team members are
may pop up.
I have some application use cases that are very similar along these lines, so I'd like to know more about this before going in deeper to evaluate OPA.
that being said, all looks positive and i thank you for the good work you have done, especially open sourcing it to make it available.
Hello! You can certainly use OPA to answer the kinds of policy questions in your examples. OPA is not tied to a particular domain (which is why we call it general-purpose.) Whether you're writing policy over movies, games, etc. it's all the same to OPA (JSON).
tks for getting back to me @tsandall. what i was wondering was OPA's performance scalability when it comes to millions of hits -- do you have any metrics or known implementations you can share with me?
OPA draws some inspiration from XACML. For example, OPA helps systems separate policy decision-making from policy enforcement. Decoupling means that policy decisions can be more easily updated and more readily understood.
XACML as a specification covers multiple things (e.g., access control language, overall architecture, etc.) If you wanted to map OPA to a component in XACML, it's closest to the PDP.
That being said, OPA gives you a more expressive language to author policy. Also, OPA is intended to be used as a building block in other systems. OPA exposes APIs to offload policy decisions from services and manage the policies and data that are evaluated. One of the non-goals of OPA is management-plane concerns around policy storage, policy administration, etc.
Was curious if the OPA acronym for the project is an allusion to an often-used word among Greeks... an exclamation during celebration or when lighting this deep fried goat cheese called saganaki after it's been sprayed with alcohol.
Technically asking a question about the authors is a project question, so I'm not sure why I got downvoted :/.
We are looking for smart people to solve hard problems. You will handle a wide array of tasks ranging from prototyping new techniques and technologies, to developing test automation, and supporting our growing customer base.
You are expected to write quality code with high availability for large-scale applications in a carrier-class networking environment.
EXPERIENCE / SKILLS DESIRED
Cyan is looking to hire numerous developers with varying experience levels. Please apply if you satisfy most of the following:
* A solid foundation in computer science, with strong competencies in data structures, algorithms, and software design
* Experience with both static language and dynamic languages
* Experience with programming in Linux
* Experience in large systems software development or client application development
* Experience with database systems and multi-threaded / multi-process applications
* Proficiency in web server architectures is desired
* Experience in an Agile Development Methodology is desired
Cyan - Telecommute, Petaluma, San Francisco, Vancouver (Canada)
JOB TITLE: Application Software Developer
SUMMARY
As an application software developer at Cyan you work in an agile development environment and thus are enabled to make an immediate contribution to our products and customers. Newly developed features could be released to a live production site in a matter of days. We are looking for smart people to solve hard problems. You will handle a wide array of tasks ranging from prototyping new techniques and technologies, to developing test automation, and supporting our growing customer base. You are expected to write quality code with high availability for large-scale applications in a carrier-class networking environment. You will have the opportunity to work with newer technologies including Python/Django, Graph/NoSQL Databases, Google Web Toolkit (GWT) and HTML5.
EXPERIENCE / SKILLS DESIRED
Cyan is looking to hire numerous developers with varying experience levels. Please apply if you satisfy most of the following:
* A solid foundation in computer science, with strong competencies in data structures, algorithms, and software design
* Experience with both static language (e.g. C/C++/C#/Java) and dynamic languages (e.g. Python/Ruby/Perl/Lisp/JavaScript)
* Experience with programming in Linux
* Experience in large systems software development or client application development
* Experience with database systems and multi-threaded / multi-process applications
* Proficiency in web server architectures is desired
* Experience in an Agile Development Methodology is desired
Employment Visa Status: Candidates currently authorized to work in the US are encouraged to apply.
LOCATION: Telecommute, Petaluma, San Francisco, Vancouver (Canada)
DEPARTMENT: Engineering
> Employment Visa Status: Candidates currently authorized to work in the US are encouraged to apply.
For the Vancouver location, too? Also, I was unable to find the address of the Vancouver location on your website - can you share the address or at least the neighbourhood?
sure, theoretically speaking you can't figure out everything until runtime, however even with 'scripting language' code you can still get quite far with basic static analysis.
If you are a senior engineer and interested in solving challenging security and authorization problems:
https://styra.com/careers/
No recruiters.