
ELI5: What is Zanzibar?


Jake, Authzed co-founder here.

Zanzibar is a global highly available distributed permissions system used within Google to power application permissions for things like Maps, YouTube, Calendar, Doc/Drive, etc. They wrote about it in a paper[0] that was widely discussed on HN at the time[1].

The service stores relationships between people, other people, and data, in a giant directed graph. There are primitives for querying and processing that graph to make permissions decisions. The majority of the rest of the engineering effort is spent on replicating the data globally and caching permissions decisions regionally and locally, since permissions don't lend themselves very well to sharding or siloing along service boundaries.

For the 5+ explanation, I wrote a little bit about my digestion of the paper and what the important parts are here[2].

[0] https://research.google/pubs/pub48190/

[1] https://news.ycombinator.com/item?id=20132520

[2] https://authzed.com/blog/what-is-zanzibar/


Going from link #2, it sounds like it is a highly scalable engine that does the following:

1. Stores arbitrary state related to permissions

2. Customizable rules that may refer to any state in #1

3. A service which allows clients to query if User U should be given permission P on artifact A, based upon #2

[edit]

Actually it sounds like #1 is actually a directed graph, not arbitrary state.
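
A minimal sketch of the model the two comments above describe: relationships stored as a directed graph, plus a check of whether user U holds permission P on artifact A. This is an added example, not code from the thread, the paper, or Authzed; the tuple layout, the `IMPLIED_BY` rule table, and all object and user names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (object, relation, subject). A subject is a user
# id, or an (object, relation) pair meaning "whoever holds that relation".
TUPLES = [
    ("group:eng", "member", "user:alice"),
    ("group:eng", "member", ("group:sec", "member")),
    ("group:sec", "member", "user:bob"),
    ("group:sec", "member", ("group:eng", "member")),  # deliberate cycle
    ("folder:plans", "viewer", ("group:eng", "member")),
    ("doc:roadmap", "editor", "user:carol"),
]

# Assumed rule table: holding any listed relation also grants the key.
IMPLIED_BY = {"viewer": ("editor",)}


def build_graph(tuples):
    """Index edges by (object, relation) node."""
    graph = defaultdict(set)
    for obj, rel, subject in tuples:
        graph[(obj, rel)].add(subject)
    return graph


def check(graph, user, relation, obj, implied_by=IMPLIED_BY):
    """True if `user` is reachable from (obj, relation); deny by default."""
    stack, seen = [(obj, relation)], set()
    while stack:
        node = stack.pop()
        if node in seen:  # cycle guard: nested groups may reference each other
            continue
        seen.add(node)
        for subject in graph.get(node, ()):
            if subject == user:
                return True
            if isinstance(subject, tuple):  # follow the edge into another set
                stack.append(subject)
        node_obj, node_rel = node
        stack.extend((node_obj, r) for r in implied_by.get(node_rel, ()))
    return False


GRAPH = build_graph(TUPLES)
```

Unknown objects, unknown users, and relations with no path all fall through to `False`, so a missing relationship denies access rather than granting it.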



I found this to be a good, concise description of the problem space, and Zanzibar's approach: https://www.youtube.com/watch?v=1nbSbe3kw2U


An easy to digest article: https://authzed.com/blog/what-is-zanzibar/

tl;dr: Highly scalable RBAC/ABAC



