Why Google Zanzibar shines at building authorization
Learn what makes Google Zanzibar the best authorization solution and how WorkOS FGA builds on top of these features.
Over the last couple of years, authorization (aka “authZ”) has become a hot topic of debate. Proponents of various authorization frameworks, libraries, and philosophies have voiced their opinions on how it should be implemented, jockeying for position to become the de facto way to implement authorization. Among the contestants in this debate, Google’s Zanzibar has recently emerged as a popular way of modeling and enforcing authorization for modern, fine-grained use cases and scaling to meet the requirements of today’s large-scale, cloud-native applications.
WorkOS FGA's core authorization engine is based on many of the concepts described in the seminal Zanzibar paper (e.g. tuples, namespaces, zookies, etc. – more on these concepts later). In this post, we’ll explain why we believe Zanzibar is a great foundation for implementing authorization, discuss some areas where it falls short, and share how we’ve addressed those shortcomings with our own enhancements.
ReBAC: a flexible, uniform data model for authorization
Zanzibar provides an intuitive and (more importantly) uniform data model for representing authorization. Its authorization paradigm, known as relationship based access control (ReBAC), is based on the following principles:
- All resources in an application are related to each other via directed relationships (e.g.
[user:123] is [owner] of [report:abc]
). - The application’s authorization rules (i.e. the abilities granted to users of the application) flow from these relationships either explicitly or implicitly.
Representing authorization in this way feels intuitive because it’s similar to how most of us already design data models (e.g. relational database schemas) for our own applications, making it easy to understand and reason about authorization models in Zanzibar. ReBAC is also extremely flexible, capable of representing any authorization model you can throw at it, including other paradigms like role based access control (RBAC) and attribute based access control (ABAC).
In practice, each relationship between two resources is represented as a “tuple” composed of three parts:
- The resource on which the relationship is being specified.
- The relationship being specified.
- The subject (a resource or group of resources) that will possess the specified relationship on the resource.
Together, the set of all tuples makes up a big graph of relationships in which the resources and subjects are the nodes, and the relationships between them are the edges. This graph is powerful because it can be traversed in various ways to determine the capabilities of users in an application.
For example, a path between a user and a resource might mean that the user has write privileges on the resource. In another scenario, it might mean that the user is not allowed to perform writes on a different resource. To dictate how the graph can be traversed and to assign semantic meaning to the relationships it represents, Zanzibar provides us with namespaces.
Authorization logic decoupled from application logic
Namespaces allow us to assign meaning to the relationships represented by our graph for the purpose of authorization. Each namespace defines the available relationships (e.g. admin, writer, reader) on a type of resource (e.g. report), and optionally, a set of logical rules that specify how each relationship can be inferred from others (e.g. an [editor] of a [report] is also a [viewer] of that report
).
They are similar to database schemas in that they allow us to define the structure of an authorization model, but unlike database schemas, namespaces also allow us to express logic on top of that structure. For example, the namespace for a report resource type might define three relationships: admin
, editor
, and viewer
.
In addition to defining these relationships, the namespace can also specify:
- A subject can only have the admin relationship on a report explicitly.
- A subject can have the editor relationship on a report explicitly OR implicitly if it has the admin relationship on that report.
- A subject can have the viewer relationship on a report explicitly OR implicitly if it has the editor relationship on that report.
The ability for namespaces to specify logical rules (or policies) like these between relationships makes it possible to separate authorization logic from application logic. This makes application code much simpler. The application only needs to confirm that a user has a particular capability (e.g. editor) before executing a section of code (e.g. persisting a proposed edit on a document).
Stateful, centralized, query-able permissions
While modern, policy-driven authorization solutions like Open Policy Agent (OPA) offer some of the features and benefits described so far, one thing remains unique to Zanzibar. It’s a stateful, centralized service, meaning that all tuples (the relationship graph) and namespaces are pieces of data that are stored and updated centrally.
A major benefit of this design is the ability to query the data, not only to check if a particular subject has access to a specific resource, but also to get the list of resources a particular subject has access to. This is extremely useful in practice, for example, to audit a user’s privileges for regulatory compliance or to understand the impact of a change to the authorization model before applying it.
In our opinion, having the ability to query permissions like this should be a requirement in any authorization system and can only be done in a stateful system with a global view of all authorization data. However, as with any system design decision, this approach comes with its trade-offs.
Global scale, low latency
Since Zanzibar stores all authorization data centrally, client applications must make requests to it to check permissions, making it a potential performance bottleneck for those applications. To minimize the end-to-end response times of authorization queries, Zanzibar is distributed globally (as close to client applications as possible) and utilizes aggressive caching, responding to queries from cache (in single milliseconds) whenever possible.
Because access patterns and freshness requirements for authorization data vary from application to application, Zanzibar has the concept of a “zookie” – a global, incrementing version number for each change made to the authorization data. Zookies make caching feasible while still allowing client applications to dictate when they favor correctness over speed.
Our take on Zanzibar
While the concepts and features of Zanzibar are great, Google never built a publicly available implementation because they built Zanzibar to solve their own authorization needs for services like Drive, Docs, YouTube, and more. Fortunately, WorkOS Fine-Grained Authorization (FGA) implements all of the concepts we’ve discussed so far, many of them with slight variations intended to either improve developer experience or add functionality that we feel Zanzibar lacks.
In FGA, tuples are known as warrants. A warrant includes the same three major components (resource, relationship, and subject) as a tuple but can also include an optional component that we call a policy. The policy component is a user-defined boolean expression that is evaluated at query-time to determine whether the warrant is available to the query or not. If a warrant matches a query and its policy evaluates to true
, that warrant is considered during the query. Otherwise, the warrant is ignored.
Policies can reference dynamic contextual data that is passed in by the query (e.g. [user:123] is an [approver] of [transaction:abc] [if transaction.amount <= 100]
). Having the ability to do this makes FGA capable of modeling attribute based access control (ABAC) scenarios in which external data (e.g. the transaction amount) is required to make an authorization decision, something Zanzibar’s purely ReBAC approach struggles with. You can learn more about warrants in our documentation.
Namespaces, as described in Zanzibar, are known as resource types in FGA. Resource types are represented as JSON and conform to a JSON schema specification. Unlike Zanzibar’s namespaces, resource types support the ability to restrict the types of resource that can possess each relationship, making it easier for developers to reason about the scope of each resource type’s relationships.
WorkOS FGA aims to provide a generic and scalable authorization service capable of modeling diverse use cases and performing access checks globally with low latency.