Show HN: EACL – ReBAC Authorization in Clojure and Datomic Based on SpiceDB
The problem with any external authorization system is modelling & synchronization: SpiceDB has a text-based schema DSL to define Relations & Permissions and models Relationships as 3-tuples of `[subject relation resource]`.
However, in Datomic we have attributes like `:account/owner`, `:server/account`, `:vpc/account` and `:vpc/viewers`. Figuring out which Relationships to create or delete in SpiceDB when anything changes becomes a diffing + batched sync problem, especially when you have an impedance mismatch between your data model and your permission schema.
I realized that if we modelled our AuthZ Relationships directly in Datomic, all our syncing problems would go away: you can simply tail the Datomic transactor queue and instantly create or delete Spice relationships in real-time. But once you do that, you might as well model the permission schema as well, and if you go one step further, you can implement the permission graph traversal directly in Clojure to avoid a network hop. And that is exactly what EACL is.
EACL (Enterprise Access ControL) is an embedded authorization library that lives next to your data in Datomic and avoids an external network hop. EACL is suitable for small-to-medium scale, while giving you the option to migrate to SpiceDB in future when you need more scale and consistency semantics.
EACL implements the SpiceDB gRPC API as an idiomatic Clojure protocol (`IAuthorization`), using Datomic as a backing graph store. So you can add sophisticated authorization to your Clojure project on day one and migrate to SpiceDB later.
Internally, EACL recursively traverses the permission graph using direct index-based calls (via `datomic.api/index-range`) to efficiently answer `CheckPermission`, `LookupSubjects` and `LookupResources` queries.
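As an added illustration (not EACL's own code or API), here is the shape of the recursive permission-graph check described above, run over an in-memory set of `[subject relation resource]` tuples that use the post's attribute names. The schema format, function names and sample data are assumptions; a Datomic-backed version would replace `subjects-with-relation` with an `index-range` lookup instead of scanning the set.

```clojure
(ns eacl-example)

;; Constructed sample relationships in the SpiceDB 3-tuple shape from the post:
;; [subject relation resource]. Attribute names are the ones the post lists.
(def relationships
  #{[:user/alice   :account/owner  :account/acme]
    [:account/acme :server/account :server/web-1]
    [:account/acme :vpc/account    :vpc/main]
    [:user/bob     :vpc/viewers    :vpc/main]})

;; Assumed permission schema, modelled on SpiceDB's "permission = relation + arrow" form.
;; [:relation r] grants when the subject holds r on the resource directly;
;; [:arrow r p]  grants when the subject holds permission p on any entity related
;;               to the resource via r (SpiceDB's `r->p`).
(def schema
  {[:account :admin] #{[:relation :account/owner]}
   [:server  :admin] #{[:arrow :server/account :admin]}
   [:server  :view]  #{[:arrow :server/account :admin]}
   [:vpc     :admin] #{[:arrow :vpc/account :admin]}
   [:vpc     :view]  #{[:relation :vpc/viewers] [:arrow :vpc/account :admin]}})

(defn- resource-type [resource] (keyword (namespace resource)))

(defn subjects-with-relation
  "Subjects that hold `relation` on `resource` (the index lookup in this in-memory model)."
  [rels relation resource]
  (into #{} (for [[s r o] rels :when (and (= r relation) (= o resource))] s)))

(defn check-permission
  "Recursive graph walk: true when `subject` holds `permission` on `resource`."
  [rels schema subject permission resource]
  (boolean
   (some (fn [[kind relation perm]]
           (case kind
             :relation (contains? (subjects-with-relation rels relation resource) subject)
             :arrow    (some #(check-permission rels schema subject perm %)
                             (subjects-with-relation rels relation resource))))
         (get schema [(resource-type resource) permission]))))

(defn lookup-resources
  "All resources of type `rtype` on which `subject` holds `permission`."
  [rels schema subject permission rtype]
  (into #{} (for [[_ _ o] rels
                  :when (and (= (resource-type o) rtype)
                             (check-permission rels schema subject permission o))] o)))

(comment
  (check-permission relationships schema :user/alice :view :server/web-1)  ; => true
  (check-permission relationships schema :user/bob :admin :vpc/main)       ; => false
  (lookup-resources relationships schema :user/alice :view :vpc))          ; => #{:vpc/main}
```

A schema with cyclic arrows would need a visited set to terminate; this sketch omits it because the sample schema is acyclic.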
The goal for EACL is to provide best-in-class authorization for Clojure & Datomic applications with <10M entities. It is especially suited to Electric Clojure[^3]. EACL has been open-sourced under the AGPL, but we are likely to relicense it under a more permissive licence. EACL is used at CloudAfrica[^1], a regional cloud host based in South Africa.
[^1]: https://cloudafrica.net