A Globally Distributed Authorization System

Zanzibar handles authorization for YouTube, Drive, Google Cloud and all of Google's other products

See how it worksRead the paper

Zanzibar is flexible, global and fast.

Zanzibar allows Google teams to specify their unique authorization models, globally replicates authorization data and responds to access checks blazing fast.

1
Basics
Basics
2
Editors -> Viewer
3
Groups
4
Folders
Namespace configurations specify the types of objects in a system and how users (or other objects) can relate to them. Relation tuples represent the current state of the system.

Namespace

name: "doc"
relation { name: "editor" }
relation { name: "viewer" }
relation { name: "owner" }

Previewer

Tuples

kim
Kim
is
owner
of the
doc:roadmap
ben
Ben
is
editor
of the
doc:roadmap
carl
Carl
is
viewer
of the
doc:slides

Query

Is
carl
Carl
a
viewer
of
doc:slides
?
Yes, Carl -> viewer of doc:slides
user
relation
object
Step
01
/
06

Architecture

Global and Consistent

Zanzibar globally replicates data using Google Spanner, allowing it to run on all geographic regions where Google products run without sacrificing (external) consistency.

Scalable

Zanzibar scales to trillions of objects, billions of users and millions of authorization requests per second.

Fast

Zanzibar runs geographically close to its clients, and uses techniques such as secondary indexing for heavily nested groups, request hedging and distributed caching to keep tail latencies low.

community

Join our community to learn more, share your thoughts and stay up to date on all things Zanzibar.

Follow us on TwitterFollow us on TwitterJoin us on DiscordJoin us on Discord

Auth0 is building the next generation access control SaaS based on Google Zanzibar.