Zanzibar Implementation SpiceDB Is Open Source
Zanzibar offers a uniform data model and configuration language to enforce a wide range of access control policies from hundreds of client services. Google uses it across services including Cloud, Drive, Calendar, Maps, YouTube and Photos.
Authzed is a commercial implementation of Zanzibar, presented as a permissions-as-a-service company. Its version, called SpiceDB, is an open source implementation of Zanzibar in the same way CockroachDB is an open source implementation of Spanner.
Zanzibar was designed for high availability and low latency, based on unified storage for access control lists and a remote procedure call (RPC)-based API.
“Having permissions centralized and quickly available is central to service-oriented architectures and functions-as-a-service as you can no longer rely on a single piece of code in a monolith for evaluating permissions stored in your database,” co-founder Jake Moshenko said.
He, Joey Schorr and Jimmy Zelinskie come from Quay, CoreOS and Red Hat. They call it “the most complete implementation of Zanzibar outside of Google,” where Moshenko and Schorr also previously worked.
Moshenko said that as co-founders of Quay, a service specializing in hosting private Docker repositories, he and Schorr discovered the problem early on.
“As part of building that Docker registry, we needed to check complex permissions. And the way that we chose to do it, it was very similar to what a lot of developers do today, which is to store relationships in their database, and then interpret those relationships using their source code,” he said.
“…We eventually ran into problems when we had recursive relationships. So things like groups being part of groups or namespaces being parts of other namespaces. And we actually couldn’t model those things. And we had to cancel those features just because of the difficulty of building the permissions.”
Zanzibar, and by extension SpiceDB, keeps all those relationships in a directed graph.
Most Generic Use Cases
“It basically sets up the problem as a graph traversal. If you can find a valid traversal through the graph between the object and the access that the user is trying to have and the user itself, then that’s considered a successful permission check, and the user is allowed to perform the action,” he said. “So it’s easy to see that you could have groups be part of other groups and users be members of those groups and a document be shared with a number of groups very easily just by adding edges and nodes to the graph.”
Authzed is focused on the most general use cases for Zanzibar, while users such as Airbnb and capitalization table management startup Carta have customized Zanzibar to address their own specific needs. Airbnb, for instance, with its Himeji version made a tradeoff favoring higher availability versus the consistency originally described in the Zanzibar paper, he said.
In its effort to build a solution for the largest variety of use cases possible, it won’t make such a tradeoff, he said.
“Our implementation of Zanzibar lets you model the users yourself,” he said. “And you can bring in different users from different user sources. For example, if you use multiple identity providers. You could use, for example, Auth0 and Google OAuth together and talk about different heterogeneous user sets. That’s something that’s not possible in the Zanzibar paper as written.
“So we kind of had to take a step back and say, ‘What would Zanzibar look like as tailored toward the largest number of use cases without some of the assumptions and restrictions that Google infrastructure brings to their implementation?’”
In a blog post, Moshenko addresses why users would choose SpiceDB:
“SpiceDB is scalable, has support for globally replicated backends, and is available under the permissive Apache 2 license. We achieve scalability through implementing the best scaling concepts from the Zanzibar paper, such as distributed caching and parallel execution. With support for CockroachDB, your storage backend has a Spanner equivalent which gives you globally distributed data with ACID semantics.”
It also has multiple data backends including Postgres and CockroachDB for durable storage, and an in-memory data store for testing and development.
In the commercial offering, the company will be providing a hosted version, which it hopes will make the technology more accessible to small and mid-size companies.
“We plan to run this service all over the globe [as] a single globally deployed permissions database all over the planet. For most of our smaller adopters, that would be cost-prohibitive. But because we can sort of share that single cluster with everybody and federated out into smaller chunks, they get the benefits of being globally deployed without having to pay the costs,” Moshenko said.
Basically, users just have to tell SpiceDB about the relationships being developed as they’re being built on their site.
“So every time they share a document with a user or every time they add a user to a role in an RBAC system, they [add] that new relationship. And then it’s pretty simple to query based on those existing relationships and a pretty simple schema to determine if the user in question has the permission.”
The company’s motivation for open sourcing SpiceDB is to increase adoption of the technology, Moshenko said, and with all open source projects is encouraging contributors. The early-stage startup raised $3.9 million in a seed round in April.
Their previous startup, Quay.io, a service specializing in hosting private Docker repositories, sold to CoreOS in 2014. Red Hat then acquired CoreOS in 2018, and IBM purchased Red Hat the same year. The open source Project Quay container registry was launched the following year.
Tim Hinrichs, co-founder of the Open Policy Agent and CTO of Styra, recently wrote about the need to rethink authorization for the cloud native stack. And Mary Branscombe outlined the differences between authentication and authorization.
Google’s Zanzibar paper was published in 2019, yet there’s been a bit of new interest in it of late.
One of its original creators, Lea Kissner, recently tweeted about the “reverse-index” property of Zanzibar, which allows you to look up what a person has access to rather than the access control rules by name of the object.
I realized today that I had never talked publicly about something really important about the design of access control systems: design their semantics to be reverse-indexable.
This is a much spicier take than it sounds like, but there’s a good reason. 🧵 [1/]
— Lea Kissner (@LeaKissner) June 29, 2021