https://www.youngju.dev/blog 천천히 올바르게. AI Researcher & DevOps Engineer Youngju's tech blog. GPU/CUDA, LLM, MLOps, Kubernetes AI workloads, distributed training, and data engineering. ko fjvbn2003@gmail.com (Youngju Kim) fjvbn2003@gmail.com (Youngju Kim) Mon, 25 May 2026 00:00:00 GMT https://www.youngju.dev/blog/culture/2026-05-25-authorization-fga-zanzibar-spicedb-permify-openfga-cerbos-cedar-oso-2026-deep-dive.en https://www.youngju.dev/blog/culture/2026-05-25-authorization-fga-zanzibar-spicedb-permify-openfga-cerbos-cedar-oso-2026-deep-dive.en Authorization no longer ends with one line of "if user.role == admin". Since Google's Zanzibar paper rewrote the industry's mental model, 2026 has more than a dozen FGA engines fighting it out — SpiceDB, OpenFGA (Auth0/Okta), Permify, Cerbos, Cedar (AWS), Casbin, Oso, Ory Keto, Warrant, Aserto, Topaz. This piece covers the difference between ReBAC, RBAC, and ABAC, the internals of the Zanzibar paper (snapshot reads, Leopard index, watch API), namespace/relation/condition schemas, Check API patterns, ListObjects vs ListRelations, multi-tenant isolation, Postgres RLS as a fallback, edge authorization (Cloudflare + OPA), and real-world deployments at Naver, Kakao, AWS Tokyo, and Cybozu. Mon, 25 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) authorizationfgazanzibarspicedbpermifyopenfgacerbosasertocasbinosocedarrebacrbacabacopa https://www.youngju.dev/blog/culture/2026-05-25-authorization-fga-zanzibar-spicedb-permify-openfga-cerbos-cedar-oso-2026-deep-dive.ja https://www.youngju.dev/blog/culture/2026-05-25-authorization-fga-zanzibar-spicedb-permify-openfga-cerbos-cedar-oso-2026-deep-dive.ja 認可(Authorization)は、もう if user.role == admin の一行で終わる時代ではない。Google の Zanzibar 論文が業界全体の発想を変えて以来、2026 年現在では SpiceDB、OpenFGA(Auth0/Okta)、Permify、Cerbos、AWS Cedar、Casbin、Oso、Ory Keto、Warrant、Aserto、Topaz まで十数の FGA エンジンが激突している。ReBAC と RBAC と ABAC の違い、Zanzibar 論文の内部(snapshot read、Leopard インデックス、watch API)、ネームスペース・リレーション・コンディションのスキーマ、Check API パターン、ListObjects と ListRelations、マルチテナント隔離、Postgres RLS のフォールバック、エッジ認可(Cloudflare + OPA)、そして Naver / Kakao / Cybozu の実際の導入事例まで一気通貫で整理する。 Mon, 25 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) authorizationfgazanzibarspicedbpermifyopenfgacerbosasertocasbinosocedarrebacrbacabacopa https://www.youngju.dev/blog/culture/2026-05-25-authorization-fga-zanzibar-spicedb-permify-openfga-cerbos-cedar-oso-2026-deep-dive https://www.youngju.dev/blog/culture/2026-05-25-authorization-fga-zanzibar-spicedb-permify-openfga-cerbos-cedar-oso-2026-deep-dive 인가(Authorization)는 더 이상 if user.role == admin 한 줄로 끝나지 않는다. 구글의 Zanzibar 논문이 산업 전체의 사고방식을 바꾼 이후 2026년 현재 SpiceDB, OpenFGA(Auth0/Okta), Permify, Cerbos, Cedar(AWS), Casbin, Oso, Ory Keto, Warrant, Aserto, Topaz까지 십수 개의 FGA 엔진이 격돌하고 있다. ReBAC vs RBAC vs ABAC의 차이, Zanzibar 논문 내부(snapshot read, Leopard index, watch API), 네임스페이스/릴레이션/컨디션 스키마, Check API 패턴, ListObjects vs ListRelations, 멀티테넌트 격리, Postgres RLS 폴백, 엣지 인가(Cloudflare + OPA), 그리고 네이버/카카오/Cybozu의 실제 도입 사례까지 한 번에 정리한다. Mon, 25 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) authorizationfgazanzibarspicedbpermifyopenfgacerbosasertocasbinosocedarrebacrbacabacopa https://www.youngju.dev/blog/culture/2026-05-25-container-security-trivy-grype-snyk-sysdig-tetragon-falco-cosign-sigstore-2026-deep-dive.en https://www.youngju.dev/blog/culture/2026-05-25-container-security-trivy-grype-snyk-sysdig-tetragon-falco-cosign-sigstore-2026-deep-dive.en After the 2024 xz backdoor and the 2025 entry into force of the EU Cyber Resilience Act, container supply-chain security is no longer "scan and forget". This is a May 2026 map of the full stack — Trivy/Grype/Snyk/Sysdig image scanners, Tetragon/Falco eBPF runtime security, Cosign/Sigstore keyless signing, in-toto/SLSA levels 1-4, CycloneDX/SPDX SBOMs, distroless images, gVisor/Kata sandboxes, and OPA Gatekeeper vs Kyverno admission controllers. Mon, 25 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) container-securitytrivygrypesnyksysdigtetragonfalcocosignsigstoresbomslsadistrolessgvisorkata-containersopakyverno https://www.youngju.dev/blog/culture/2026-05-25-container-security-trivy-grype-snyk-sysdig-tetragon-falco-cosign-sigstore-2026-deep-dive.ja https://www.youngju.dev/blog/culture/2026-05-25-container-security-trivy-grype-snyk-sysdig-tetragon-falco-cosign-sigstore-2026-deep-dive.ja 2024年のxzバックドア事件と2025年のEU CRA(サイバーレジリエンス法)施行を経て、コンテナのサプライチェーンセキュリティはもはや「スキャンして終わり」ではない。Trivy/Grype/Snyk/Sysdigイメージスキャナー、Tetragon/Falco eBPFランタイムセキュリティ、Cosign/Sigstoreキーレス署名、in-toto/SLSAレベル1〜4、CycloneDX/SPDX SBOM、distrolessイメージ、gVisor/Kataサンドボックス、OPA Gatekeeper対Kyvernoアドミッションコントローラまで——2026年5月時点のサプライチェーンセキュリティ・フルスタック地図。 Mon, 25 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) container-securitytrivygrypesnyksysdigtetragonfalcocosignsigstoresbomslsadistrolessgvisorkata-containersopakyverno https://www.youngju.dev/blog/culture/2026-05-25-container-security-trivy-grype-snyk-sysdig-tetragon-falco-cosign-sigstore-2026-deep-dive https://www.youngju.dev/blog/culture/2026-05-25-container-security-trivy-grype-snyk-sysdig-tetragon-falco-cosign-sigstore-2026-deep-dive 2024년 xz 백도어 사건과 2025년 EU CRA(Cyber Resilience Act) 발효 이후 컨테이너 공급망 보안은 더 이상 "scan하고 끝"이 아니다. Trivy/Grype/Snyk/Sysdig 이미지 스캐너, Tetragon/Falco eBPF 런타임 보안, Cosign/Sigstore 키리스 서명, in-toto/SLSA 1-4 단계, CycloneDX/SPDX SBOM, distroless 이미지, gVisor/Kata 샌드박스, OPA Gatekeeper vs Kyverno 어드미션 컨트롤러까지 — 2026년 5월 현재의 공급망 보안 풀스택 지도. Mon, 25 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) container-securitytrivygrypesnyksysdigtetragonfalcocosignsigstoresbomslsadistrolessgvisorkata-containersopakyverno