Open-Awesome

Ladon

Apache-2.0 · Go · v1.3.0

A Go library for fine-grained, policy-based access control inspired by AWS IAM, designed for microservices and IoT.

2.5k stars · 224 forks · 0 contributors

What is Ladon?

ORY Ladon is a Go library for implementing fine-grained, policy-based access control systems. It solves authorization challenges in distributed environments like microservices and IoT by allowing developers to define who can perform what actions on which resources under specific conditions. Inspired by AWS IAM policies, it provides a flexible alternative to traditional RBAC or ACL models.

Target Audience

Go developers building secure, distributed applications that require complex authorization logic, such as microservices architectures, multi-tenant SaaS platforms, or IoT ecosystems.

Value Proposition

Developers choose Ladon for its AWS IAM-like flexibility, fine-grained policy model, and extensibility through custom conditions and storage adapters, all while being a lightweight, protocol-agnostic library written in Go.

Overview

An SDK for access control policies: authorization for the microservice and IoT age. Inspired by AWS IAM policies. Written for Go.

Use Cases

Best For

  • Implementing authorization in microservices architectures
  • Building multi-tenant applications with complex access rules
  • Adding fine-grained, context-aware access control to IoT systems
  • Creating custom IAM-like systems for on-premises or cloud-native apps
  • Replacing or augmenting traditional RBAC/ACL with policy-based models
  • Developing security-first Go applications that need audit logging and metrics for access decisions

Not Ideal For

  • Projects requiring out-of-the-box HTTP APIs or RESTful endpoints for authorization without implementing custom servers
  • Teams without Go programming expertise, as Ladon requires custom code for conditions, storage adapters, and integration
  • Applications with simple, static access control needs where traditional RBAC or ACL solutions would suffice without policy overhead
  • High-throughput systems relying heavily on SQL databases for policy storage, due to performance degradation with regular expression matching

Pros & Cons

Pros

Fine-Grained Policy Model

Inspired by AWS IAM, it allows defining complex rules with subjects, actions, resources, effects, and conditions for precise access control in distributed environments like microservices.

Extensible Conditional Logic

Includes built-in conditions like CIDR and string matching, plus support for custom conditions via Go programming, enabling context-aware authorization decisions.

Built-In Audit and Metrics

Provides audit logging and a metrics interface for tracking authorization grants, denials, and errors, essential for security monitoring and compliance.

Protocol and Storage Agnostic

Does not impose a specific protocol or storage, giving developers full control over implementation, though it requires custom work for persistence and APIs.

Cons

No Built-In Server

Ladon is a library only; developers must implement their own HTTP or other protocol layers for API access, increasing integration effort and time.

SQL Performance Limitations

The README admits regular expressions in policies cause O(n) complexity and poor performance with SQL adapters, with about a 1000:1 slowdown compared to in-memory storage.

Limited Official Persistence

Only ships with an in-memory manager; persistent storage relies on community-supported adapters for databases like CockroachDB, which may lack maturity or comprehensive support.

Open Source Alternative To

Ladon is an open-source alternative to the following products:

AWS IAM

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely, allowing you to create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.

Quick Stats

  • Stars: 2,457
  • Forks: 224
  • Contributors: 0
  • Open Issues: 0
  • Last commit: 6 months ago
  • Created: Since 2015

Tags

#iot #rbac #acl #authorization #security #iam #access-control #microservices #go

Built With

Go

Included in

IAM · 2.2k

Related Projects

Casbin

Apache Casbin: an authorization library that supports access control models like ACL, RBAC, ABAC.

  • Stars: 20,028
  • Forks: 1,731
  • Last commit: 4 days ago

Open Policy Agent

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

  • Stars: 11,629
  • Forks: 1,554
  • Last commit: 2 days ago

keto

The most scalable and customizable permission server on the market. Fix your slow or broken permission system with Google's proven "Zanzibar" approach. Supports ACL, RBAC, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.

  • Stars: 5,318
  • Forks: 381
  • Last commit: 2 days ago