Google Zanzibar implementations

Robin-Manuel Thiel - May 8 - - Dev Community

Authentication is hard. Implementing fine-grained access control is even harder. Whoever tried to build a sophisticated authentication system themselves knows that. And those who didn't are well advised by not trying to. Proper Authentication is so hard, that 2020 Google published a research paper about the numerous challenges and complexity they faced when implementing a global permission system for YouTube, Google Drive and Google Photos. This research paper is called "Zanzibar".

What the paper is lacking are implementation details. And since its release, some brave developers tried to implement an Authentication system along Google's findings. Here is a list of Google Zanzibar implementations:

1. Space Blocks Permissions

Space Blocks has built the most complete implementation of the Google Zanzibar research paper. It supports hierarchical permission trees, inheritance of access rights and custom roles. It can be hosted on your own servers or in the Space Blocks Cloud, where it provides high-availability and short response times.

Pros:

  • Completeness: Most complete and feature-rich Zanzibar implementation.
  • Easy to integrate: Permissions checks are integrated with a few lines of code.
  • GUI: Graphical Editor for designing and visualizing permission trees.
  • Low Learning Curve: No proprietary modeling language. ****

Cons:

  • SDK Availability: Only for .NET, JavaScript and React. Other platforms need to use the REST-API
  • Additional API endpoint required: Your backend might need to implement additional API endpoints for your frontend

2. OpenFGA

Auth0’s OpenFGA project focuses on delivering a universal authorization system. The name stands for “Fine Grained Authorization,” emphasizing a granular approach to modeling authorization that can handle diverse use cases. It is owned by the Cloud Native Foundation.

Pros:

  • Granularity: Allows fine-grained control over permissions, catering to complex authorization scenarios.
  • Open-Source Community: Community contributions and improvements are encouraged.
  • Performance: OpenFGA aims for reliability and performance.

Cons:

  • Missing Features: Operation for Listing all items a user has access to is incomplete
  • Steep Learning Curve: Understanding the modeling language schema may require some effort.

3. ORY Keto

An open-source implementation of the Google Zanzibar paper exists in the form of the ****ORY Keto project. The first working version was released, aiming to bring the concepts from the paper to practical use. It can be employed to manage permissions and roles in various applications and websites.

Pros:

  • Open-Source Community: Being open source, it benefits from community contributions and improvements.
  • Fast and Efficient: ORY Keto aims for high performance, ensuring rapid decision-making.

Cons:

  • Steep Learning Curve: The granular permission language might require some learning and understanding.

4. Permify

Permify is another open-source authorization service for creating and managing scalable authorization systems using fine-grained permissions. It draws inspiration from Google’s Zanzibar paper and offers various binding and crafting options, allowing engineers to work with performant, observable, and secure permission systems.

Pros:

  • Integration: Integrates into many Identity Providers like Okta and Azure Active Directory
  • Granularity: Allows fine-grained control over permissions, catering to complex authorization scenarios.
  • Open-Source Community: Benefits from community contributions.

Cons:

  • Steep Learning Curve: Understanding the modeling schema may require effort.
. . .