Do Developers Dream of Google Zanzibar?
As close as a backend engineer building auth is going to get to a tropical vacation
Hi again! Daniel here with another digest 💌
Let’s talk a bit about open source -
In the past few months, we've seen some major companies change their open-source licenses (Redis, Terraform). VCs tend to see open-core models as unsustainable, and, to be fair, these models do have their fair share of issues.
To the D&D nerds reading this, this might spark a bit of a PTSD response after the Wizards of the Coast Open Game License saga last year.
That being true, it's worth noting that the shift in open-source licensing reflects a broader conversation within the tech community about sustainability, fairness, and collaboration.
Ultimately, the evolution of open-source licensing reflects a tension between the ideals of openness and the realities of sustaining projects in a competitive market. Any way we look at it, finding the right balance will involve ongoing experimentation, dialogue, and adaptation.
When it comes to open-source authorization, one major asset has changed the face of IAM - Google Zanzibar. The Zanzibar white paper, presented at USENIX in 2019, marked the beginning of a giant open-source movement.
Google's vast and diverse ecosystem encompasses a multitude of distributed applications serving various purposes, including B2B, B2C, and advertising platforms (think of a YouTuber who manages their own channel, has a specific type of access to Google Drive-based storage through their workplace, and can edit the reviews they posted on Google Maps, all using a single identity).
As you can probably figure, this poses a significant application-level authorization challenge. With all these applications relying on a single unified identity system, ensuring that users and services have the appropriate permissions and access privileges becomes an almost ridiculously complex endeavor.
Renowned for its distributed, scalable, and consistent architecture, Google Zanzibar was conceived as Google's gatekeeper for access control.
Over 10 implementations based on Google Zanzibar are already on GitHub, with notable ones being OpenFGA and SpiceDB. You can read more about these in this comprehensive list of 12 open-source Auth tools that (we think) can help you build better applications.
Taking a step back, let’s look at some context for how big this thing really is -
For a really long time, the go-to solution for complex policy requirements was using Attribute-Based Access Control (ABAC). Using attributes of in-app entities helps build very complex permission models based on comparing attributes in real time.
While ABAC works well for expressing complex policies, it can be hard to manage and audit, especially when you want to give users a good UX for managing their own permissions.
If we want to go even simpler, Role-Based Access Control (RBAC) is probably the most user-friendly and approachable permission model out there. In RBAC, you assign roles to users and then grant those roles access to resources, which is about as straightforward as it gets.
Graph-based authorization systems, like the one Google created with Zanzibar, model users and resources as nodes in a graph, with edges representing the relationships between them. These excel at mapping hierarchies and nested relationships, offering a natural avenue for Relationship-based Access Control (ReBAC).
Given their ability to manage high volumes of data while maintaining consistency, these systems prove far more effective in large-scale environments than a classic RBAC or ABAC implementation.
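To make the relationship-graph idea concrete, here is an added example (not code from the Zanzibar paper, OpenFGA, SpiceDB, or our own implementation). It stores relation tuples in the `object#relation@user` shape the Zanzibar paper uses and resolves a permission check by walking the graph: a relation can be granted directly, implied by another relation on the same object (an owner is also an editor), inherited from a parent object (a document inherits its folder's viewers), or granted to a whole userset (every member of a group). The namespace rules and the sample tuples are constructed for illustration.

```python
"""Minimal Zanzibar-style relationship-based access check (added example).

Relation tuples look like <object>#<relation>@<user>, where <user> is either a
concrete subject ("user:alice") or a userset ("group:staff#member", meaning
every member of the group). The namespace config below is a toy stand-in for
Zanzibar's userset-rewrite rules; it is constructed, not taken from any real
deployment.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RelationTuple:
    object: str    # e.g. "doc:roadmap"
    relation: str  # e.g. "viewer"
    user: str      # e.g. "user:alice" or "group:staff#member"


def parse_tuple(text: str) -> RelationTuple:
    """Parse "doc:roadmap#viewer@user:alice" into a RelationTuple."""
    obj_rel, user = text.split("@", 1)
    obj, rel = obj_rel.split("#", 1)
    return RelationTuple(obj, rel, user)


# Constructed namespace config: for each (object type, relation), the rules
# that can grant it.
#   ("this",)               -> a tuple stored directly for this relation
#   ("computed", rel)       -> another relation on the same object implies it
#   ("tupleset", rel, rel2) -> follow <object>#rel to related objects (parents)
#                              and require rel2 on them
CONFIG = {
    ("doc", "owner"):    [("this",)],
    ("doc", "editor"):   [("this",), ("computed", "owner")],
    ("doc", "viewer"):   [("this",), ("computed", "editor"),
                          ("tupleset", "parent", "viewer")],
    ("doc", "parent"):   [("this",)],
    ("folder", "viewer"): [("this",)],
    ("group", "member"): [("this",)],
}


class RelationStore:
    def __init__(self, tuples: Iterable[RelationTuple]):
        self.tuples = list(tuples)

    def direct(self, obj: str, rel: str) -> list[str]:
        """Users (or usersets) stored directly for <obj>#<rel>."""
        return [t.user for t in self.tuples
                if t.object == obj and t.relation == rel]

    def check(self, obj: str, rel: str, subject: str,
              _seen: set | None = None) -> bool:
        """Is <subject> reachable from <obj>#<rel> in the relationship graph?"""
        seen = set() if _seen is None else _seen
        key = (obj, rel)
        if key in seen:          # already explored, or a cycle: nothing new here
            return False
        seen.add(key)
        namespace = obj.split(":", 1)[0]
        for rule in CONFIG.get((namespace, rel), [("this",)]):
            if rule[0] == "this":
                for user in self.direct(obj, rel):
                    if user == subject:
                        return True
                    if "#" in user:  # userset: expand "group:staff#member"
                        uobj, urel = user.split("#", 1)
                        if self.check(uobj, urel, subject, seen):
                            return True
            elif rule[0] == "computed":
                if self.check(obj, rule[1], subject, seen):
                    return True
            elif rule[0] == "tupleset":
                for related in self.direct(obj, rule[1]):
                    if self.check(related, rule[2], subject, seen):
                        return True
        return False


# Constructed sample data: alice owns the roadmap, which lives in the eng
# folder; everyone in group "staff" can view that folder; carol can view notes.
STORE = RelationStore(parse_tuple(t) for t in [
    "doc:roadmap#owner@user:alice",
    "doc:roadmap#parent@folder:eng",
    "folder:eng#viewer@group:staff#member",
    "group:staff#member@user:bob",
    "doc:notes#viewer@user:carol",
])


def check(obj: str, rel: str, subject: str) -> bool:
    return STORE.check(obj, rel, subject)


if __name__ == "__main__":
    for query in [("doc:roadmap", "viewer", "user:alice"),   # owner -> editor -> viewer
                  ("doc:roadmap", "viewer", "user:bob"),     # folder viewer via group
                  ("doc:roadmap", "editor", "user:bob"),     # no edit rights
                  ("doc:notes", "viewer", "user:bob")]:      # different document
        print(query, "->", check(*query))
```

The walk is plain graph reachability, which is why ReBAC copes with nesting that RBAC and ABAC struggle to express: adding a folder or a group just adds edges, and the check logic stays the same. The `seen` set guards against cycles (a group that contains itself), so a malformed tuple cannot send the check into infinite recursion.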
Implementations that don't follow the Zanzibar design directly can still draw on its simplicity; Google’s forward-thinking approach was a key factor in allowing us to implement ReBAC on top of Open Policy Agent, a policy engine traditionally used for more ABAC/PBAC-oriented systems.
To better understand how Google Zanzibar came to be the impressive solution it is today, we’ll be hosting a live stream with Dr. Rohit Khare, former Product Manager & Software Architect at Google, and Jonathan Whitaker, Staff Software Engineer at Auth0 (Okta). We’ll dive into Google Zanzibar and discuss its creation process, popularity among developers, challenges, and open-source implementations. Sign up for it here: https://lu.ma/4dzwgs9c
That’s it for this week, folks!
As always, it’s been a pleasure, and I hope to see you in our Slack Community!
See you in two weeks 🌈✨
❤️, Daniel