Session Deep Dive Into Google Zanzibar and its Concepts for Authorization Scenarios #identiverse

Principal Architect at Auth0/Okta Damian Schenkelman #identiverse

Agenda #identiverse • Authorization Background • Intro to Zanzibar • How it works • How to get started • When to use it

Authorization #identiverse

For scale: • Access Review • Change Management • Auditable • Reliable • Fast Developer Requirements #identiverse

Typical Approaches #identiverse

Too coarse, imagine Instagram with role "Picture Viewer" Role Explosion Token bloat RBAC #identiverse

ABAC #identiverse 01 02 03 04 05 06 07 08 09 enum Decision { Allow, Deny, … } Decision {policyName}(sub, action, obj, ctx) { … }

#identiverse ABAC Architecture

How ABAC meets Dev Requirements #identiverse For scale Access Review Change Management Auditable Reliable Fast

Google Zanzibar #identiverse

Used for #identiverse

Middle ground #identiverse Google Zanzibar (Authorization "as a Service” ) DBaaS (handles data) Policies (Authorization needs)

Relationship based access control (ReBAC) #identiverse

"Does user S have relationship A to object O?" "Can subject S perform action A on object O?" Rephrase the question #identiverse

Rephrase the question #identiverse Request: check("anne", "viewer", "doc:roadmap") --- Response: true "Does user S have relationship A to object O?" "Can subject S perform action A on object O?"

How do Zanzibar-like systems work? #identiverse

01 02 03 04 05 06 07 08 09 10 11 12 13 14 Namespaces #identiverse name: "doc" relation { name: "owner" } relation { name: "editor" userset_rewrite { union { child { _this {} } child { computed_userset { relation: "owner" } } }}} relation { name: "viewer" ... }

01 02 03 04 05 06 07 08 09 10 11 12 13 14 Namespaces #identiverse name: "doc" relation { name: "owner" } relation { name: "editor" userset_rewrite { union { child { _this {} } child { computed_userset { relation: "owner" } } }}} relation { name: "viewer" ... }

01 02 03 04 05 06 07 08 09 10 11 12 13 14 type doc relations define owner as self define editor as self or owner define viewer as self or editor A "translation" #identiverse 01 02 03 04 05 06 07 08 09 10 11 12 13 14 name: "doc" relation { name: "owner" } relation { name: "editor" userset_rewrite { union { child {_this {}} child {computed_userset { relation: "owner"}} }}} relation { name: "viewer" ... }

01 02 03 04 05 06 07 08 09 10 11 12 type doc relations define owner as self define editor as self or owner define viewer as self or editor {u: "anne", r: "viewer", o: "doc:roadmap"} 01 02 03 Tuples Namespaces / Authorization Model Tuples #identiverse

01 02 03 04 05 06 07 08 09 10 11 12 type doc relations define owner as self define editor as self or owner define viewer as self or editor Tuples #identiverse Request: check("anne", "editor", "doc:roadmap") --- Response: false {u: "anne", r: "viewer", o: "doc:roadmap"} 01 02 03 Tuples Namespaces / Authorization Model

01 02 03 04 05 06 07 08 09 10 11 12 01 02 03 type doc relations define owner as self define editor as self or owner define viewer as self or editor Tuples #identiverse Request: check("anne", "viewer", "doc:roadmap") --- Response: true {u: "anne", r: "viewer", o: "doc:roadmap"} Tuples Namespaces / Authorization Model

01 02 03 01 02 03 04 05 06 07 08 09 10 11 12 type doc relations define owner as self define editor as self or owner define viewer as self or editor type group relations define member as self Groups = Sets of users #identiverse Tuples Namespaces / Authorization Model

01 02 03 04 05 06 07 08 09 10 11 12 01 02 03 type doc relations define owner as self define editor as self or owner define viewer as self or editor type group relations define member as self Groups = Sets of users #identiverse {u: "beth", r: "member", o: "group:a"} Tuples Namespaces / Authorization Model

Groups = Sets of users #identiverse 01 02 03 {u: "beth", r: "member", o: "group:a"} {u: "group:a#member", r: "editor", o: "doc:roadmap"} 01 02 03 04 05 06 07 08 09 10 11 12 type doc relations define owner as self define editor as self or owner define viewer as self or editor type group relations define member as self Tuples Namespaces / Authorization Model

Groups = Sets of users #identiverse 01 02 03 04 05 06 07 08 09 10 11 12 Namespaces / Authorization Model type doc relations define owner as self define editor as self or owner define viewer as self or editor type group relations define member as self Request: check("beth", "editor", "doc:roadmap") --- Response: true 01 02 03 Tuples {u: "beth", r: "member", o: "group:a"} {u: "group:a#member", r: "editor", o: "doc:roadmap"}

Groups = Sets of users #identiverse 01 02 03 04 05 06 07 08 09 10 11 12 Namespaces / Authorization Model type doc relations define owner as self define editor as self or owner define viewer as self or editor type group relations define member as self 01 02 03 Tuples {u: "beth", r: "member", o: "group:a"} {u: "group:a#member", r: "editor", o: "doc:roadmap"} Request: check("beth", "viewer", "doc:roadmap") --- Response: true

Relationships between objects #identiverse 01 02 03 Tuples 01 02 03 04 05 06 07 08 09 10 11 12 13 Namespaces / Authorization Model type doc relations define owner as self define editor as self or owner define viewer as self or editor or viewer from parent define parent as self type group relations define member as self type folder relations define viewer as self

01 02 03 Tuples Relationships between objects #identiverse {u: "folder:2022", r: "parent", o: "doc:roadmap"} 01 02 03 04 05 06 07 08 09 10 11 12 13 Namespaces / Authorization Model type doc relations define owner as self define editor as self or owner define viewer as self or editor or viewer from parent define parent as self type group relations define member as self type folder relations define viewer as self

Relationships between objects #identiverse 01 02 03 {u: "folder:2022", r: "parent", o: "doc:roadmap"} {u: "cris", r: "viewer", o: "folder:2022"} Tuples 01 02 03 04 05 06 07 08 09 10 11 12 13 Namespaces / Authorization Model type doc relations define owner as self define editor as self or owner define viewer as self or editor or viewer from parent define parent as self type group relations define member as self type folder relations define viewer as selfa

Relationships between objects #identiverse 01 02 03 04 05 06 07 08 09 10 11 12 13 Namespaces / Authorization Model type doc relations define owner as self define editor as self or owner define viewer as self or editor or viewer from parent define parent as self type group relations define member as self type folder relations define viewer as selfa Request: check("cris", "viewer", "doc:roadmap") --- Response: true 01 02 03 {u: "folder:2022", r: "parent", o: "doc:roadmap"} {u: "cris", r: "viewer", o: "folder:2022"} Tuples

• Global Spanner • Distributed Cache • Special index for deep group nesting • Search with permissions • Reverse-indexable grammar • Ability to watch changes to build indexes Reliability & Latency #identiverse

#identiverse Getting Started

Pick an implementation #identiverse Open Source spicedb SaaS

Integrate #identiverse • Define your authorization model • SaaS provide tests/assertions for this, good to learn and iterate • Shadow writes and reads • Test for latency at scale • Optional: integrate with policies • Ship it :)

When to use Zanzibar like systems? #identiverse

• Enables secure, privacy friendly sharing and collaboration • More likely useful in B2B* or B2C scenarios Summary #identiverse

Things to look for • Flexible for new features • Low latency, reliable • Authorization data • Granular: does not fit in a token • Dynamic: changes often • Search with permissions #identiverse

Thank you! #identiverse

References #identiverse

• External consistency https://cloud.google.com/spanner/docs/true-time-external-consistency • Himeji Airbnb https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574 https://medium.com/airbnb-engineering/how-airbnb-supports-co-hosting-edfb11d88575 https://authorizationinsoftware.auth0.com/public/49/Authorization-in-Software-f9b69587/9ae303a5 • Spanner https://static.googleusercontent.com/media/research.google.com/en//archive/spanner-osdi2012.pdf • Carta Authz https://medium.com/building-carta/authz-cartas-highly-scalable-permissions-system-782a7f2c840f https://medium.com/building-carta/user-authorization-in-less-than-10-milliseconds-f20d277fec47 TODO: References (1) #identiverse

Appendix #identiverse

Can be done with more work ● What subjects can perform action A on object O? (with nested groups) ● What objects can subject S perform actions {A1, A2, …} on? Optimize for ● Can subject S perform action A on object O? By-product ● What subjects can perform action A on object O? (no nested groups) Design #identiverse

Global Spanner #identiverse

Distributed Cache #identiverse

Leopard #identiverse

Results returned by query Objects a user can access % of objects a user can access Example How to solve? LOW N/A N/A Search by title exact match MULTIPLE CHECKS HIGH HIGH (5k+) LOW/MEDIUM A company's Google Drive INDEX FROM WATCH + CHECK HIGH HIGH (5k+) HIGH Twitter Search MULTIPLE CHECK or INDEX FROM WATCH + CHECK N/A LOW (100) LOW/MEDIUM RETURN LIST OF OBJECTS N/A LOW (100) HIGH Not an FGA case MULTIPLE CHECKS Search #identiverse

Title of next section of this slide #identiverse

Title of next section of this slide #identiverse

This is a basic info slide. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. #identiverse

Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. Insert session copy here. This is a basic info slide. #identiverse

Developer Requirements Insert session copy here •Insert session copy here. •Insert session copy here. •Insert session copy here. •Insert session copy here. #identiverse