Google Zanzibar

Zanzibar is Google's globally distributed authorization system designed to provide consistent, scalable access control for large-scale applications. First described in a 2019 research paper, Zanzibar handles authorization decisions for many of Google's services including Google Drive, Google Photos, and YouTube.[1]

Overview

Zanzibar is a centralized authorization database built to handle authorization queries from high-traffic applications and return authorization decisions with low latency. The system is designed to be error-free, fast (targeting sub-10ms response times), highly available, and capable of high throughput to support billions of users across hundreds of client services.

The system stores and evaluates access control lists (ACLs) expressed as relationship tuples, implementing a relationship-based access control (ReBAC) model. Zanzibar's data model consists of namespace configurations and relationship data expressed as triples in the format (subject, relation, object).

Architecture

Zanzibar's architecture includes several key components:

  • Distributed database: Built on Google's Spanner database to provide strong consistency guarantees and prevent the application of stale permissions to new content.
  • Multi-layer caching: Includes Leopard (an indexing system for fast authorization checks), server-level caching for read requests, and inter-service call caching to reduce latency.
  • Global replication: Data is replicated across multiple geographic regions, similar to a content delivery network (CDN), to move authorization data closer to access points.
  • Namespace configuration: Defines the schema for relationship data and authorization policies for each client service.

Performance and scale

Zanzibar is designed to handle massive scale:

  • Stores trillions of access control rules
  • Processes millions of authorization requests per second
  • Maintains sub-10-millisecond query response times
  • Supports services used by billions of people globally

The system achieves this performance through careful optimization including cache prefetching for frequently accessed permissions and hand-tuning of performance hotspots.

Relationship to ReBAC

Zanzibar represents one of the most prominent implementations of relationship-based access control (ReBAC) principles. Unlike traditional role-based access control (RBAC) systems that assign permissions through roles, Zanzibar makes authorization decisions by traversing graphs of relationships between users and resources.

This approach is particularly well-suited for applications with complex data hierarchies and sharing patterns, such as document management systems where access permissions can be inherited through folder structures or organizational hierarchies.
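The following sketch is an added example, not code from Google or the Zanzibar paper. It shows a check that walks relationship tuples through group membership and folder inheritance. The tuple contents, the userset encoding as an (object, relation) pair, and the rewrite-rule names `computed` and `inherit` are assumptions made for illustration.

```python
# Constructed sample data, in the page's (subject, relation, object) order.
# A subject is a user id, an object id, or a userset (object, relation).
TUPLES = {
    ("user:alice", "owner", "folder:eng"),
    (("group:sre", "member"), "viewer", "folder:eng"),
    ("user:bob", "member", "group:sre"),
    ("folder:eng", "parent", "doc:runbook"),
    ("user:carol", "editor", "doc:runbook"),
    # Two groups that include each other: a cycle the walk must survive.
    (("group:oncall", "member"), "member", "group:sre"),
    (("group:sre", "member"), "member", "group:oncall"),
}

# Hypothetical rewrite rules standing in for a namespace configuration.
REWRITES = {
    "viewer": [("computed", "editor"), ("inherit", "parent", "viewer")],
    "editor": [("computed", "owner")],
}


def check(user, relation, obj, _seen=None):
    """Return True if `user` holds `relation` on `obj`, directly or via the graph."""
    seen = set() if _seen is None else _seen
    if (relation, obj) in seen:  # already explored or in progress: stop here
        return False
    seen.add((relation, obj))
    for subj, rel, target in TUPLES:
        if (rel, target) != (relation, obj):
            continue
        if subj == user:  # direct tuple
            return True
        # Userset subject, e.g. "members of group:sre": recurse into it.
        if isinstance(subj, tuple) and check(user, subj[1], subj[0], seen):
            return True
    for kind, *args in REWRITES.get(relation, []):
        if kind == "computed" and check(user, args[0], obj, seen):
            return True
        if kind == "inherit":  # follow e.g. parent folders of obj
            via, inherited = args
            for subj, rel, target in TUPLES:
                if (rel, target) == (via, obj) and check(user, inherited, subj, seen):
                    return True
    return False  # no path found: deny by default
```

Access flows down from folder to document but not back up: an editor of the document gains nothing on the parent folder, and a user with no path through the graph is denied.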

Industry impact

Since the publication of Google's Zanzibar paper, the system has inspired numerous commercial and open-source authorization systems. Companies including Airbnb have developed similar systems (such as Airbnb's Himeji)[2], and several authorization-as-a-service providers offer Zanzibar-inspired solutions.

The success of Zanzibar has helped establish ReBAC as a viable alternative to traditional authorization models for large-scale applications requiring fine-grained access control.

Limitations

While powerful, Zanzibar-like systems require significant engineering investment:

  • Building a Zanzibar-like system typically requires at least a year of dedicated engineering effort, and operating the system requires ongoing support from full-time engineering teams
  • The system requires centralizing all authorization data, which may necessitate data duplication between the authorization system and application databases[3]
  • The flat relationship model may require additional policy engines for complex authorization logic that cannot be easily expressed as relationships

References

  1. Pang, Ruoming; Caceres, Ramon; Burrows, Mike; Chen, Zhifeng; Dave, Pratik; Germer, Nathan; Golynski, Alexander; Graney, Kevin; Kang, Nina; Kissner, Lea; Korn, Jeffrey L. (2019). "Zanzibar: Google's Consistent, Global Authorization System". 2019 USENIX Annual Technical Conference (USENIX ATC '19). Renton, WA.
  2. Yao, Alan. "Himeji: A Scalable Centralized System for Authorization at Airbnb".
  3. Asay, Matt. "Who needs Google technology? Probably not you".