Slide 1

Session: Deep Dive Into Google Zanzibar and its Concepts for Authorization Scenarios #identiverse

Slide 2

Damian Schenkelman, Principal Architect at Auth0/Okta

Slide 3

Agenda
• Authorization Background
• Intro to Zanzibar
• How it works
• How to get started
• When to use it

Slide 4

Authorization

Slide 5

Developer Requirements
• For scale:
  • Access Review
  • Change Management
• Auditable
• Reliable
• Fast

Slide 6

Typical Approaches

Slide 7

RBAC
• Too coarse: imagine Instagram with a role "Picture Viewer"
• Role Explosion
• Token bloat

Slide 8

ABAC

    enum Decision { Allow, Deny, … }

    Decision {policyName}(sub, action, obj, ctx) {
      …
    }

Slide 9

ABAC Architecture

Slide 10

How ABAC meets Dev Requirements
• For scale
• Access Review
• Change Management
• Auditable
• Reliable
• Fast

Slide 11

Google Zanzibar

Slide 12

Used for

Slide 13

Middle ground
• DBaaS (handles data)
• Google Zanzibar (Authorization "as a Service")
• Policies (Authorization needs)

Slide 14

Relationship based access control (ReBAC)

Slide 15

Rephrase the question
• "Can subject S perform action A on object O?"
• "Does user S have relationship A to object O?"

Slide 16

Rephrase the question
• "Can subject S perform action A on object O?"
• "Does user S have relationship A to object O?"

    Request: check("anne", "viewer", "doc:roadmap")
    ---
    Response: true

Slide 17

How do Zanzibar-like systems work?

Slide 18

Namespaces

    name: "doc"
    relation { name: "owner" }
    relation {
      name: "editor"
      userset_rewrite {
        union {
          child { _this {} }
          child { computed_userset { relation: "owner" } }
        }
      }
    }
    relation { name: "viewer" ... }

Slide 20

A "translation"

DSL:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor

Namespace config:

    name: "doc"
    relation { name: "owner" }
    relation {
      name: "editor"
      userset_rewrite {
        union {
          child { _this {} }
          child { computed_userset { relation: "owner" } }
        }
      }
    }
    relation { name: "viewer" ... }

Slide 21

Tuples

Namespaces / Authorization Model:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor

Tuples:

    {u: "anne", r: "viewer", o: "doc:roadmap"}

Slide 22

Tuples

Namespaces / Authorization Model:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor

Tuples:

    {u: "anne", r: "viewer", o: "doc:roadmap"}

    Request: check("anne", "editor", "doc:roadmap")
    ---
    Response: false

Slide 23

Tuples

Namespaces / Authorization Model:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor

Tuples:

    {u: "anne", r: "viewer", o: "doc:roadmap"}

    Request: check("anne", "viewer", "doc:roadmap")
    ---
    Response: true

Slide 24

Groups = Sets of users

Namespaces / Authorization Model:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor

    type group
      relations
        define member as self

Tuples:

Slide 25

Groups = Sets of users

Namespaces / Authorization Model:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor

    type group
      relations
        define member as self

Tuples:

    {u: "beth", r: "member", o: "group:a"}

Slide 26

Groups = Sets of users

Namespaces / Authorization Model:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor

    type group
      relations
        define member as self

Tuples:

    {u: "beth", r: "member", o: "group:a"}
    {u: "group:a#member", r: "editor", o: "doc:roadmap"}

Slide 27

Groups = Sets of users

Namespaces / Authorization Model:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor

    type group
      relations
        define member as self

Tuples:

    {u: "beth", r: "member", o: "group:a"}
    {u: "group:a#member", r: "editor", o: "doc:roadmap"}

    Request: check("beth", "editor", "doc:roadmap")
    ---
    Response: true

Slide 28

Groups = Sets of users

Namespaces / Authorization Model:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor

    type group
      relations
        define member as self

Tuples:

    {u: "beth", r: "member", o: "group:a"}
    {u: "group:a#member", r: "editor", o: "doc:roadmap"}

    Request: check("beth", "viewer", "doc:roadmap")
    ---
    Response: true

Slide 29

Relationships between objects

Namespaces / Authorization Model:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor or viewer from parent
        define parent as self

    type group
      relations
        define member as self

    type folder
      relations
        define viewer as self

Tuples:

Slide 30

Relationships between objects

Namespaces / Authorization Model:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor or viewer from parent
        define parent as self

    type group
      relations
        define member as self

    type folder
      relations
        define viewer as self

Tuples:

    {u: "folder:2022", r: "parent", o: "doc:roadmap"}

Slide 31

Relationships between objects

Namespaces / Authorization Model:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor or viewer from parent
        define parent as self

    type group
      relations
        define member as self

    type folder
      relations
        define viewer as self

Tuples:

    {u: "folder:2022", r: "parent", o: "doc:roadmap"}
    {u: "cris", r: "viewer", o: "folder:2022"}

Slide 32

Relationships between objects

Namespaces / Authorization Model:

    type doc
      relations
        define owner as self
        define editor as self or owner
        define viewer as self or editor or viewer from parent
        define parent as self

    type group
      relations
        define member as self

    type folder
      relations
        define viewer as self

Tuples:

    {u: "folder:2022", r: "parent", o: "doc:roadmap"}
    {u: "cris", r: "viewer", o: "folder:2022"}

    Request: check("cris", "viewer", "doc:roadmap")
    ---
    Response: true
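Added example, not code from the talk or from any Zanzibar implementation: a minimal in-memory evaluator for the model and tuples built up across slides 20 to 32. It walks the three rule shapes of the DSL shown (`self`, `or <relation>`, `<relation> from parent`), expands userset subjects such as group:a#member, and reproduces the check answers given on the slides; MODEL, TUPLES, MAX_DEPTH and check are names assumed here.

```python
# Added example, not from the talk. MODEL encodes the slide DSL: "self" =
# direct tuples, ("computed", rel) = "or rel", ("from", rel, via) = "rel from via".
MODEL = {
    "doc": {
        "owner": ["self"],
        "editor": ["self", ("computed", "owner")],
        "viewer": ["self", ("computed", "editor"), ("from", "viewer", "parent")],
        "parent": ["self"],
    },
    "group": {"member": ["self"]},
    "folder": {"viewer": ["self"]},
}

# Constructed relationship tuples (user, relation, object), as on the slides.
TUPLES = {
    ("anne", "viewer", "doc:roadmap"),
    ("beth", "member", "group:a"),
    ("group:a#member", "editor", "doc:roadmap"),   # userset subject
    ("folder:2022", "parent", "doc:roadmap"),      # object-to-object relation
    ("cris", "viewer", "folder:2022"),
}

MAX_DEPTH = 25  # guard against cyclic models / runaway group nesting


def check(user: str, relation: str, obj: str, depth: int = 0) -> bool:
    """Does `user` have `relation` on `obj`? Recursive userset evaluation."""
    if depth > MAX_DEPTH:
        return False
    obj_type = obj.split(":", 1)[0]
    for rule in MODEL.get(obj_type, {}).get(relation, []):
        if rule == "self":
            for u, r, o in TUPLES:
                if r != relation or o != obj:
                    continue
                if u == user:
                    return True
                if "#" in u:  # "group:a#member": is user a member of group:a?
                    sub_obj, sub_rel = u.split("#", 1)
                    if check(user, sub_rel, sub_obj, depth + 1):
                        return True
        elif rule[0] == "computed":  # e.g. editor inherits everything owner has
            if check(user, rule[1], obj, depth + 1):
                return True
        elif rule[0] == "from":  # e.g. viewer on the parent folder
            _, rel, via = rule
            for u, r, o in TUPLES:
                if r == via and o == obj and check(user, rel, u, depth + 1):
                    return True
    return False
```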

Slide 33

Reliability & Latency
• Global Spanner
• Distributed Cache
• Special index for deep group nesting
• Search with permissions
• Reverse-indexable grammar
• Ability to watch changes to build indexes

Slide 34

Getting Started

Slide 35

Pick an implementation
• Open Source: spicedb
• SaaS

Slide 36

Integrate
• Define your authorization model
  • SaaS provide tests/assertions for this, good to learn and iterate
• Shadow writes and reads
• Test for latency at scale
• Optional: integrate with policies
• Ship it :)

Slide 37

When to use Zanzibar-like systems?

Slide 38

Summary
• Enables secure, privacy friendly sharing and collaboration
• More likely useful in B2B* or B2C scenarios

Slide 39

Things to look for
• Flexible for new features
• Low latency, reliable
• Authorization data
  • Granular: does not fit in a token
  • Dynamic: changes often
• Search with permissions

Slide 40

Thank you!

Slide 41

References

Slide 42

References (1)
• External consistency: https://cloud.google.com/spanner/docs/true-time-external-consistency
• Himeji (Airbnb):
  https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574
  https://medium.com/airbnb-engineering/how-airbnb-supports-co-hosting-edfb11d88575
  https://authorizationinsoftware.auth0.com/public/49/Authorization-in-Software-f9b69587/9ae303a5
• Spanner: https://static.googleusercontent.com/media/research.google.com/en//archive/spanner-osdi2012.pdf
• Carta Authz:
  https://medium.com/building-carta/authz-cartas-highly-scalable-permissions-system-782a7f2c840f
  https://medium.com/building-carta/user-authorization-in-less-than-10-milliseconds-f20d277fec47

Slide 43

Appendix

Slide 44

Design

Optimize for
● Can subject S perform action A on object O?

By-product
● What subjects can perform action A on object O? (no nested groups)

Can be done with more work
● What subjects can perform action A on object O? (with nested groups)
● What objects can subject S perform actions {A1, A2, …} on?

Slide 45

Global Spanner

Slide 46

Distributed Cache

Slide 47

Leopard

Slide 48

Search

    Results returned by query | Objects a user can access | % of objects a user can access | Example                     | How to solve?
    LOW                       | N/A                       | N/A                            | Search by title exact match | MULTIPLE CHECKS
    HIGH                      | HIGH (5k+)                | LOW/MEDIUM                     | A company's Google Drive    | INDEX FROM WATCH + CHECK
    HIGH                      | HIGH (5k+)                | HIGH                           | Twitter Search              | MULTIPLE CHECK or INDEX FROM WATCH + CHECK
    N/A                       | LOW (100)                 | LOW/MEDIUM                     |                             | RETURN LIST OF OBJECTS
    N/A                       | LOW (100)                 | HIGH                           | Not an FGA case             | MULTIPLE CHECKS