Over the last couple of years, authorization (AKA "authz") has become a hot topic of debate. Proponents of various authz frameworks, libraries, and philosophies have voiced their opinions on how it should be implemented, jockeying for position to become the de facto way to implement authz. Among the contestants in this debate, Google's Zanzibar has recently emerged as a popular way not only of modeling and enforcing authorization for modern, fine-grained use cases, but also of scaling to meet the requirements of today's large-scale, cloud-native applications.
Ory Keto is the first and only open source implementation of Zanzibar: Google's Consistent, Global Authorization System. The paper's abstract summarizes the system as follows:

Determining whether online users are authorized to access digital objects is central to preserving privacy. This paper presents the design, implementation, and deployment of Zanzibar, a global system for storing and evaluating access control lists. Zanzibar provides a uniform data model and configuration language for expressing a wide range of access control policies from hundreds of client services at Google, including Calendar, Cloud, Drive, Maps, Photos, and YouTube. Its authorization decisions respect causal ordering of user actions and thus provide external consistency amid changes to access control
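To make the "uniform data model" concrete, here is an added, self-contained illustration of the core of that model: relation tuples of the form object#relation@subject, where the subject is either a user or another userset, and a check that walks the tuple graph. This is example code written for this page, not Zanzibar's or Ory Keto's own implementation; the object names (doc:readme, folder:eng, group:eng), the relation hierarchy (owner implies editor implies viewer) and the parent relation are constructed assumptions, and the store is an in-memory slice rather than a replicated database.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is a relation tuple in Zanzibar's "object#relation@subject" form.
// Subject is either a user id ("user:alice") or a subject set
// ("group:eng#member", meaning every member of group:eng).
// Added illustration; not Keto's or Zanzibar's own code.
type Tuple struct {
	Object   string // e.g. "doc:readme"
	Relation string // e.g. "viewer"
	Subject  string // "user:alice" or "group:eng#member"
}

// Store is an in-memory ACL store plus a tiny namespace configuration.
type Store struct {
	tuples []Tuple
	// implied[rel] lists relations on the same object whose members are also
	// members of rel (Zanzibar's computed_userset: owner implies editor implies viewer).
	implied map[string][]string
	// parentRel is the relation pointing from an object to its parent object
	// (Zanzibar's tuple_to_userset: viewers of the folder are viewers of the doc).
	parentRel string
}

func (s *Store) Write(t Tuple) { s.tuples = append(s.tuples, t) }

// Check answers "does user have relation on object?" by walking the tuple graph.
func (s *Store) Check(object, relation, user string) bool {
	return s.check(object, relation, user, map[string]bool{})
}

// check does the recursive walk. visited records every object#relation
// userset already evaluated, so a cyclic subject set (a group that is
// transitively a member of itself) terminates instead of recursing forever.
func (s *Store) check(object, relation, user string, visited map[string]bool) bool {
	key := object + "#" + relation
	if visited[key] {
		return false
	}
	visited[key] = true

	for _, t := range s.tuples {
		if t.Object != object || t.Relation != relation {
			continue
		}
		if t.Subject == user { // direct membership
			return true
		}
		// Subject set such as "group:eng#member": recurse into that userset.
		if obj, rel, ok := splitSubjectSet(t.Subject); ok && s.check(obj, rel, user, visited) {
			return true
		}
	}
	// Computed userset: membership in a stronger relation implies this one.
	for _, r := range s.implied[relation] {
		if s.check(object, r, user, visited) {
			return true
		}
	}
	// Tuple-to-userset: inherit the same relation from each parent object.
	if s.parentRel != "" && relation != s.parentRel {
		for _, t := range s.tuples {
			if t.Object == object && t.Relation == s.parentRel && s.check(t.Subject, relation, user, visited) {
				return true
			}
		}
	}
	return false
}

// splitSubjectSet parses "object#relation" into its parts; ok is false for a plain user id.
func splitSubjectSet(subject string) (obj, rel string, ok bool) {
	i := strings.Index(subject, "#")
	if i < 0 {
		return "", "", false
	}
	return subject[:i], subject[i+1:], true
}

// NewExampleStore builds a small constructed ACL: alice owns the readme, the
// readme lives in folder:eng, members of group:eng can view that folder, bob
// is in group:eng, dana is in group:leads which is nested in group:eng, and
// group:leads also contains group:eng, forming a deliberate cycle.
func NewExampleStore() *Store {
	s := &Store{
		implied:   map[string][]string{"viewer": {"editor"}, "editor": {"owner"}},
		parentRel: "parent",
	}
	s.Write(Tuple{"doc:readme", "owner", "user:alice"})
	s.Write(Tuple{"doc:readme", "parent", "folder:eng"})
	s.Write(Tuple{"folder:eng", "viewer", "group:eng#member"})
	s.Write(Tuple{"group:eng", "member", "user:bob"})
	s.Write(Tuple{"group:eng", "member", "group:leads#member"})
	s.Write(Tuple{"group:leads", "member", "user:dana"})
	s.Write(Tuple{"group:leads", "member", "group:eng#member"}) // cycle
	return s
}

func main() {
	s := NewExampleStore()
	for _, q := range [][3]string{
		{"doc:readme", "viewer", "user:alice"}, // owner implies viewer
		{"doc:readme", "viewer", "user:bob"},   // via folder:eng#viewer -> group:eng#member
		{"doc:readme", "viewer", "user:dana"},  // via nested group:leads
		{"doc:readme", "editor", "user:bob"},   // no path
		{"doc:readme", "viewer", "user:carol"}, // unknown user, cycle must still terminate
	} {
		fmt.Printf("check(%s, %s, %s) = %v\n", q[0], q[1], q[2], s.Check(q[0], q[1], q[2]))
	}
}
```

The point worth noticing is that the same tuple shape expresses direct grants, group membership, permission hierarchies and inheritance from a parent object; that uniformity is what lets a single check API serve very different products. A production store must also answer at a consistent snapshot so that a revoke is never undone by a stale replica, which is the external-consistency property the abstract refers to and which this in-memory example does not attempt.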