[HN Gopher] Why Google Zanzibar shines at building authorization ___________________________________________________________________ Why Google Zanzibar shines at building authorization Author : kkajla Score : 100 points Date : 2023-06-25 17:59 UTC (5 hours ago) (HTM) web link (blog.warrant.dev) (TXT) w3m dump (blog.warrant.dev) | deanCommie wrote: | Can anyone who's taken a close look at both Zanzibar and Amazon's | IAM compare and contrast them? | s09dfhks wrote: | Not trying to be snarky, but what are the chances google kills | this off within the next 5 years because some engineer wants a | promo and decides it's taking too much of their time | jsnell wrote: | If you genuinely aren't trying to be snarky, then what was the | point of this post? You clearly don't even know what Zanzibar | is. If you were trying to find out more about it there would be | hundreds of more useful questions to ask. | kkajla wrote: | Google doesn't actually offer Zanzibar as a product/service (in | GCP or otherwise) to customers. However, they do use it | internally to manage permissions across their various products | (Google Docs, Drive, YouTube, etc.) and have had a lot of | success doing so. Because of that, there are many open source | implementations of Zanzibar out there (as others have | commented). Warrant also maintains our own open source | implementation of Zanzibar[1] which powers our managed cloud | offering, Warrant Cloud[2]. | | [1] https://github.com/warrant-dev/warrant | | [2] https://warrant.dev | rzzzt wrote: | The actual implementation is closed source. The backing idea is | described in the inaugural paper which third parties have used | to build hosted and open source alternatives that you can try. | sowbug wrote: | This tired trope has jumped the shark with this comment. Not | only is it off topic, but even if it did refer to an actual | Google product, it's disingenuous because its only point was to | be snarky. | ec109685 wrote: | Yeah, it's really frustrating when Google EOL's a paper they | published. | sulam wrote: | I was super curious to hear how Zanzibar is being used to control | access to buildings. Don't be fooled, this is not that post. ;) | alxcb wrote: | hahah, exactly, tought the same. | ants_everywhere wrote: | I wouldn't be surprised if it is somewhere. Just have the smart | card system use Cloud IAM for access control decisions. | amelius wrote: | I was super curious to hear why the Zanzibar office of Google | was somehow better at authorization than e.g. their Mountain | View office. | kkajla wrote: | Apologies for the confusion! Maybe an interesting idea for us | to explore next :P | seymon wrote: | One thing I find difficult using access control systems as a | distributed service like Zanzibar is a convenient and performant | way to search and filter resource data using permissions. For | example defining database queries that should only return | resources a subject has access to based on Zanzibar permissions. | rektide wrote: | SpiceDB/Authzed has "Lookup"s. There's LookupResources for | finding what a user has access to, and LookupSubjects now too | to see who has access to a resource. Great capability. | https://authzed.com/blog/lookup-subjects | kkajla wrote: | At Google, I believe some client applications build and | maintain "permission-aware" search indexes based on the | permissions in Zanzibar. In essence, Zanzibar can be queried to | figure out the object ids a particular subject has access to. | These object ids can then be hydrated via a database query or | separate service call. | | At Warrant, we're experimenting with allowing customers to | maintain searchable metadata in Warrant and exposing a "query" | API[1] that can automatically hydrate objects based on that | metadata. | | [1] https://docs.warrant.dev/warrants/query-warrants/ | fiddlerwoaroof wrote: | How does Zanzibar relate to capability-based schemes? | leetrout wrote: | Have you seen authzed's caveats? | | https://authzed.com/blog/caveats | kkajla wrote: | As I understand it, "capabilities" in capability-based schemes | uniquely reference an object and specify a list of access | rights on that object. This seems fairly similar to tuples in | Zanzibar, which reference a unique object, an access right, and | a unique subject whom the access right belongs to. You can | think of Zanzibar as a layer used for defining, storing, and | querying for capabilities. | hamburglar wrote: | Yeah, I believe capability/verb simply maps directly to | relation in Zanzibar speak. "Can edit" vs "is an editor". I'm | more accustomed to the verb style, so whenever I read about | authz systems that use relations or roles, I'm constantly | mapping the concepts in my head to try to find examples where | they _aren 't_ 1:1 and have yet to think of any. | kkajla wrote: | Another interesting feature of capability-based systems (that | is outside Zanzibar's scope) is that capabilities can | themselves be used to gain access to an object. This is because | they are unforgeable tokens, meaning they essentially have | authentication baked into them. Zanzibar leaves the | authentication piece to an external service and focuses on | providing the ability to define, store, and query access rights | for subjects. | scarmig wrote: | It's exciting to see so much action in this space. | | How would you compare Warrant to other Zanzibar (ZaaS?) | offerings? Particularly Ory and Authzed/SpiceDb. | smarx007 wrote: | Very happy to see industry discover the power of graphs and | especially, a triple-based representation (cf. RDF [0]; subjects | are "subjects", relationships are "predicates", and objects are | "objects"). | | Now, a genuine question: why try to shoehorn a freeform graph | (because the list of relationships is not hardcoded) into a | relational DB instead of using a graph DBMS like Neo4j, Apache | Jena (Fuseki) etc. From looking at the source code briefly, I | didn't see any extreme SQL optimizations. This indicates to me | that Warrant would either support a very limited set of query | types, or be very slow on quite a few types of them. Also see | "billion triple challenge" in the academia around this. | | Good luck with your startup! | | [0]: https://www.w3.org/TR/rdf11-primer/ | sails wrote: | > A Flexible, Uniform Data Model for Authorization | | Are there good examples of similar applications of data modules | for similarly niche use cases? I get that there are obviously | endless data models, but this seems to extend beyond that into a | more integrated concept and I don't quite know why that seems to | be the case. | kkajla wrote: | I think GraphQL might be a good example. Some might not | consider it to be very niche, but its intention is to | consolidate dependent API queries such that the client can | fetch all the data it needs in a single request. In both | Zanzibar and GraphQL, the idea behind the schema/modeling | language is to provide a layer where logic specific to | relationships between data (in the case of GraphQL) or logic | specific to authorization (in the case of Zanzibar) can be | specified such that neither the server nor the client need to | worry about it and can instead query for data in a simpler way. | susscrofa wrote: | The Zanzibar paper has a section on the consistency model, which | says that the race conditions outlined are solved by respecting | update order. It then solves it by using Spanner as underlying | storage (which is kind of lazy). | | How does Warrant deal with consistency? | noah_buddy wrote: | Why is it lazy? Seems like leveraging a tool Google built for | distributed systems specifically for consistency guarantees. | sunk1st wrote: | As I understood it from context, the word lazy was being used | to complain that the reference to Spanner wasn't in-lined. | aseipp wrote: | The fact they did it that way is actually a perfect example of | why Google is considered so far ahead of competitors | technologically and operationally by their engineers. When you | have a powerful building block like Spanner that engineers can | use, they then can work on the product instead of wasting time | on brittle consistency models, custom storage layers, and | providing their own uptime guarantees. | | This goes for every part of their stack. As a result, things | like Colossus, BigTable, and Spanner effectively act like force | multipliers for their engineers, because they provide the | guarantees they can't get elsewhere. The fact other people at | other random companies can't do that? Not their problem in the | slightest, actually. | kjgkjhfkjf wrote: | Ironically, by the time Spanner became generally available, | Google had largely lost their appetite for launching new | products. | kkajla wrote: | You've highlighted a very important part of the paper. A lot of | the external consistency guarantees provided by Zanzibar are | facilitated by Spanner and its TrueTime mechanism. Warrant | doesn't currently support/use Spanner. However, for the | databases we do support (MySQL and Postgres - which are both | ACID compliant), we've implemented the zookie protocol using | the incrementing transaction ids they provide. This approach | works for single writer deployments of these databases, so know | that write throughput and overall availability will be lower. | We started with this approach because most teams still use | MySQL/Postgres. Warrant is built to support running on | different types of databases, so we will be working on support | for Spanner and other multi-writer distributed databases like | Cockroach and Yugabyte in the future. I hope that helps. | gneray wrote: | Is anyone here using Warrant or other Zanzibar-like services? | | If so, how did you evaluate them relative to each other and/or | building yourselves? | AndreasHae wrote: | We successfully used a Relationship-based Authorization System | based on the Zanzibar paper at my last job building a B2B SaaS | leaning heavily on cross-company integration. | | The flexibility in defining rules through tuples helped us | iterate rapidly on new product features. We used self-hosted Ory | Keto [0] instances as the implementation, though we would have | preferred a managed solution. We were checking out Auth0 Fine | Grained Authorization [1] but it was still in Alpha back then. | | [0]: https://www.ory.sh/keto/ [1]: | https://auth0.com/developers/lab/fine-grained-authorization | comboy wrote: | Can anybody explain me why there seem to be much focus on | scalability in this context? I mean we have 8 billion people. | If the whole planet registers, home PC can handle it, plus it | partitions beautifully if necessary in case of authentication. | So what am I missing? | kkajla wrote: | > though we would have preferred a managed solution | | We completely agree here, which is why we initially started out | with our managed cloud offering, Warrant Cloud[1]. While | Zanzibar is powerful, operating it with solid | latency/availability can be quite challenging. | | [1] https://warrant.dev/ ___________________________________________________________________ (page generated 2023-06-25 23:00 UTC)