// the find
ory/ladon
A SDK for access control policies: authorization for the microservice and IoT age. Inspired by AWS IAM policies. Written for Go.
Ladon is a Go library for AWS IAM-style access control policies: you define who can do what on which resources under what conditions, then call IsAllowed() on each request. It sits at the policy evaluation layer only; you bring your own HTTP server, policy storage, and authentication. Aimed at Go services that have outgrown simple RBAC but don't want to run a separate policy engine.
The policy model is genuinely expressive: subjects, resources, and actions all accept embedded regexes inside <>, so one policy can cover a whole namespace without enumerating every resource; literal text outside the brackets is quoted and the compiled pattern is anchored, so a dot in a resource name does not widen the match. The flip side is that whatever sits inside the brackets is a raw regex, so a subject pattern like <.*> matches everyone, and policies deserve the same review as code. The condition system is clean and extensible: you implement a two-method interface (GetName() and Fulfills()), register a factory for it in ladon.ConditionFactories, and the JSON serialization just works. Deny-wins semantics (when several policies match, any deny beats every allow, and a request no policy matches is denied by default) is the right default and it's not buried in config. The LRU cache for compiled regexes is a real engineering decision, not an afterthought: regex compilation is the hot path, and with large policy sets it actually matters.
The SQL adapters are community-maintained third-party repos, not first-party; the official repo ships only an in-memory manager, which means anything production-scale requires you to trust code ORY doesn't own or maintain. The README's own benchmark admits SQL adapters run 1000x slower than in-memory, which is a rough number to hand to a team evaluating adoption. Ladon is in maintenance mode; ORY has moved on to Keto (a standalone permission server, originally built on OPA and since redesigned around Google Zanzibar-style relation tuples), and Ladon's issue tracker reflects that: recent activity is mostly dependency bumps, not feature work. There is no built-in wildcard matching, so every policy that covers a resource prefix pays regex matching cost on each check, and there's no shipped alternative despite the README flagging this as a known limitation for years.