Google Zanzibar

Zanzibar is an authorization system developed by Google for managing access control. It was first described in a research paper presented at the 2019 USENIX Annual Technical Conference. Zanzibar supports authorization for several Google services, including Google Drive, Google Photos, and YouTube.^[1]

Overview

Zanzibar functions as an authorization service. It processes access control queries from client applications and stores access control lists (ACLs) expressed as relationship tuples under a relationship-based access control (ReBAC) model. Each tuple represents a subject, a relation, and an object. The system is designed to provide consistency, fault tolerance, and scalability for applications with large user bases.^[1]

Architecture

Zanzibar’s architecture includes several core components:^[1]

Distributed database: Built on Google Spanner to maintain data consistency across data centers.
Caching layers: Uses server-level and inter-service caching to reduce latency.
Global replication: Replicates authorization data across geographic regions to improve availability.
Namespace configuration: Client services define object types, relationships, and authorization rules.
Decoupled logic: Queries such as "Does user X have permission Y on object Z?" return Boolean results.

Performance

The system uses techniques such as cache prefetching and selective invalidation of frequently accessed permissions to reduce latency.^[1]

Relationship to ReBAC

Zanzibar employs relationship-based access control (ReBAC), in which authorization decisions depend on relationships between entities rather than predefined roles. In contrast, role-based access control (RBAC) assigns permissions based on the roles assigned to users. In the case of Google Zanzibar, ReBAC enables dynamic access control, which can be used in collaborative environments such as file-sharing and document management systems.^[1]

Industry influence

The Zanzibar research paper has influenced the design of other authorization systems based on ReBAC principles. Examples include Airbnb’s internal system Himeji and several open-source projects that adopt similar models.^[1]

Limitations

Implementing a Zanzibar-like system requires substantial engineering and infrastructure resources. Maintaining replication, caching, and schema configurations adds operational complexity. The relationship model may fail to capture policy logic, which can require integration with additional policy or rule-based engines.^[1]

References

↑ ^1.0 ^1.1 ^1.2 ^1.3 ^1.4 ^1.5 ^1.6 Pang, Ruoming; Caceres, Ramon; Burrows, Mike; Chen, Zhifeng; Dave, Pratik; Germer, Nathan; Golynski, Alexander; Graney, Kevin et al. (2019). "Zanzibar: Google's Consistent, Global Authorization System". 2019 USENIX Annual Technical Conference (USENIX ATC '19) (Renton, WA). https://research.google/pubs/pub48190/.

0.00

(0 votes)

Original source: https://en.wikipedia.org/wiki/Google Zanzibar. Read more

[:0-1] 1.0 ^1.1 ^1.2 ^1.3 ^1.4 ^1.5 ^1.6 Pang, Ruoming; Caceres, Ramon; Burrows, Mike; Chen, Zhifeng; Dave, Pratik; Germer, Nathan; Golynski, Alexander; Graney, Kevin et al. (2019). "Zanzibar: Google's Consistent, Global Authorization System". 2019 USENIX Annual Technical Conference (USENIX ATC '19) (Renton, WA). https://research.google/pubs/pub48190/.

[1]

Anonymous

Search

Google Zanzibar

Namespaces

More

Page actions

Contents

Overview

Architecture

Performance

Relationship to ReBAC

Industry influence

Limitations

See also

References

Navigation

Navigation

Resources

Help

googletranslator

Navigation

Wiki tools

Wiki tools

Anonymous

Search

Google Zanzibar

Overview

Architecture

Performance

Relationship to ReBAC

Industry influence

Limitations

See also

References

Navigation

Wiki tools

Page tools

Other projects

Categories