Google Zanzibar
Zanzibar is an authorization system developed by Google for managing access control. It was first described in a research paper presented at the 2019 USENIX Annual Technical Conference. Zanzibar supports authorization for several Google services, including Google Drive, Google Photos, and YouTube.
Overview
Zanzibar functions as an authorization service. It processes access control queries from client applications and stores access control lists expressed as relationship tuples under a relationship-based access control model. Each tuple represents a subject, a relation, and an object. The system is designed to provide consistency, fault tolerance, and scalability for applications with large user bases.
Architecture
Zanzibar's architecture includes several core components:
Distributed database: Built on Google Spanner to maintain data consistency across data centers.
Caching layers: Uses server-level and inter-service caching to reduce latency.
Global replication: Replicates authorization data across geographic regions to improve availability.
Namespace configuration: Client services define object types, relationships, and authorization rules.
Decoupled logic: Queries such as "Does user X have permission Y on object Z?" return Boolean results.
Zookies: Opaque consistency tokens used to ensure authorization checks are evaluated against a snapshot at least as recent as the version of the content being accessed.
Performance
The system uses techniques such as cache prefetching and selective invalidation of frequently accessed permissions to reduce latency.
Relationship to ReBAC
Zanzibar employs relationship-based access control, in which authorization decisions depend on relationships between entities rather than predefined roles. In contrast, role-based access control assigns permissions based on user roles. Zanzibar's use of ReBAC enables dynamic access control in collaborative environments such as document-sharing systems.
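The following added example (not code from the Zanzibar paper or from Google) shows a relationship-tuple check that follows an indirect group relationship, and how a zookie-style token stops a lagging replica from answering with a revoked permission. The names RelTuple and TupleStore, the "object#relation" userset notation, the integer revision standing in for an opaque zookie, and the sample data are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RelTuple:
    obj: str       # object, e.g. "doc:plan"
    relation: str  # relation, e.g. "viewer"
    subject: str   # a user ("user:alice") or a userset ("group:eng#member")

class TupleStore:
    """Append-only tuple log; an integer revision stands in for a zookie (assumption)."""
    def __init__(self):
        self.log, self.rev = [], 0  # log entries: (added?, tuple), one per revision
    def write(self, t, delete=False):
        self.rev += 1
        self.log.append((not delete, t))
        return self.rev  # handed back to the client as its consistency token
    def snapshot(self, rev):
        live = set()
        for added, t in self.log[:rev]:  # revisions are 1..n, so the slice is the state at rev
            (live.add if added else live.discard)(t)
        return live
    def check(self, obj, relation, user, replica_rev, at_least=0):
        # A lagging replica must not answer below the token the caller presents.
        live = self.snapshot(max(replica_rev, at_least))
        return self._check(live, obj, relation, user, set())
    def _check(self, live, obj, relation, user, seen):
        if (obj, relation) in seen:  # already explored; also guards against cycles
            return False
        seen.add((obj, relation))
        for t in live:
            if (t.obj, t.relation) != (obj, relation):
                continue
            if t.subject == user:
                return True
            if "#" in t.subject:  # userset: follow the indirect relationship
                o, r = t.subject.split("#", 1)
                if self._check(live, o, r, user, seen):
                    return True
        return False

def demo():
    """Constructed data: alice loses group membership before the content changes."""
    s = TupleStore()
    s.write(RelTuple("group:eng", "member", "user:alice"))       # revision 1
    s.write(RelTuple("doc:plan", "viewer", "group:eng#member"))  # revision 2
    zookie = s.write(RelTuple("group:eng", "member", "user:alice"), delete=True)
    stale = s.check("doc:plan", "viewer", "user:alice", replica_rev=2)
    fresh = s.check("doc:plan", "viewer", "user:alice", replica_rev=2, at_least=zookie)
    return stale, fresh
```

Without the token, the replica at revision 2 still grants alice access through the group; presenting the token from the revocation forces evaluation at revision 3, where the check is denied.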
Industry influence
The Zanzibar research paper has influenced the design of other authorization systems based on ReBAC principles. Examples include Airbnb's internal system Himeji and several open-source projects that adopt similar models.
Limitations
Implementing a Zanzibar-like system requires substantial engineering and infrastructure resources. Maintaining replication, caching, and schema configurations adds operational complexity. The tuple-based relationship model may fail to capture certain policy logic, requiring integration with additional rule-based or policy engines.