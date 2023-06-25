



Authorization (aka authz) has been a hot topic of discussion for the last few years. Proponents of various authentication frameworks, libraries, and philosophies are voicing their opinions on how authentication should be implemented, vying to be the de facto way of implementing authentication. Among the participants in this discussion, Google’s Zanzibar recently announced that it would not only model and enforce authorization for modern, fine-grained use cases, but also extend it to meet the requirements of today’s large-scale cloud-native applications. emerging as a method.

When we launched Warrant in 2021, we set out to build a developer-friendly authentication infrastructure that all engineering teams could use. We knew Warrant was core to our infrastructure for our customers. As such, the authentication service had to be (1) generic enough to model all use cases, and (2) scalable enough to support access checks across authentication models around the world. and low latency. After reading the seminal Zanzibar paper, we built the Warrants Core Authorization on many of the concepts explained in the paper (tuples, namespaces, zookies, etc., which we will discuss in more detail later). I decided to build the engine. We believed Zanzibar focused on a set of foundational concepts and patterns that would help us build generic solutions to any application’s authentication challenges.

After much discussion and debate, we launched Warrant and since then have worked on various authentication challenges and helped many companies build production-ready authentication. In this post, we discuss why we think Zanzibar is a good foundation for implementing authorization, describe some areas where Zanzibar falls short, and how we can address those shortcomings with our own enhancements. Share how you dealt with it.

Zanzibar provides an intuitive (and more importantly) uniform data model for representing authorization. Its authorization paradigm, known as relationship-based access control (ReBAC), states that all resources within an application are represented by directed relationships (e.g. [user:123] teeth [owner] of [report:abc]), the application authorization rules (that is, the capabilities granted to users of the application) flow either explicitly or implicitly from these relationships. Expressing authentication in this way is similar to the way most people have already designed data models (such as relational database schemas) for their own applications, so it feels intuitive and a good fit for authentication in Zanzibar. It makes it easier to understand and reason about the model. ReBAC is very flexible and can represent any authentication model you can throw at it, including other authentication paradigms such as role-based access control (RBAC) and attribute-based access control (ABAC).

Zanzibar provides a uniform data model and configuration language for expressing a wide range of access control policies from Google’s hundreds of client services.[…]

From Zanzibar: Google’s Consistent Global Authenticator

In practice, each relationship between two resources is represented as a tuple with three parts:

The object (resource) to which the relationship is specified. specified relationship. The subject (resource or group of resources) that owns the relationship specified on the object.

The set of all tuples constitutes a large graph of relations where the objects and subjects are the nodes and the relations between them are the edges. This graph is powerful because it can be examined in many ways to determine the user’s capabilities within the application. For example, the path between user and resource may imply that the user has write permission on the resource. Another scenario might mean that the user cannot write to another resource. Zanzibar provides namespaces to direct how the graph is navigated and to assign semantic meaning (for authentication) to the relationships that the graph represents.

Namespaces allow you to assign meaning to the relationships represented in the graph for authorization purposes. Each namespace defines the relationships (administrator, writer, reader, etc.) available to a type of resource (e.g., report) and optionally a set of logical rules that specify how each relationship is inferred from the others. (example: [editor] of [report] is also [viewer] of that report). They are similar to database schemas in that they allow you to define the structure of your authorization model, but unlike database schemas, namespaces also allow you to express logic on top of that structure. For example, a report object type namespace might define three relationships for her: manager, editor, and reader. In addition to defining these relationships, namespaces can also specify:

A subject can only have an explicit manager relationship to a report. A subject can have an explicit editor relationship to a report, or an implicit manager relationship to that report. A subject can have an explicit reader relationship to a report or implicitly in the following cases: There is an editorial relationship for that report.

Namespaces allow you to specify such logical rules (or policies) between relationships, allowing you to separate authorization logic from application logic. This greatly simplifies your application code. Applications only need to ensure that the user has certain capabilities (such as an editor) before executing a section of code (such as persisting suggested edits on the document).

Modern policy-driven authentication solutions like Open Policy Agent (OPA) offer some of the features and benefits discussed above, but one is unique to Zanzibar. This is a stateful centralized service. In other words, all tuples (relationship graphs) and namespaces are pieces of data that are stored and updated centrally. The main advantage of this design is that you can query the data to see if a particular subject has access to a particular resource, as well as get a list of resources that a particular subject has access to. In practice, this can be very useful, for example, to audit user entitlements for regulatory compliance or to understand the impact of changes to authorization models before they are applied. In our opinion, the ability to query permissions like this should be mandatory in any authentication system and can only be done in a stateful system with a global view of all authentication data. However, like any system design decision, this approach comes with trade-offs.

Because Zanzibar stores all authentication data centrally, client applications must make requests to Zanzibar to check permissions, which is a potential performance bottleneck for those applications. To minimize the end-to-end response time of authentication queries, Zanzibar is globally distributed (as close to the client application as possible) and leverages aggressive caching to ensure queries are sent out of cache whenever possible. (in 1 millisecond). Because different applications have different access patterns and freshness requirements for authentication data, Zanzibar has a global zouki concept where the version number is incremented with each change made to the authentication data. Zookies make caching feasible while allowing client applications to dictate when correctness should be favored over speed.

Zanzibar’s concepts and features are great, but Google built Zanzibar to solve unique authentication needs for services like Drive, Docs, YouTube, etc., so they never built a public-facing implementation. . Luckily, Warrant implements all the concepts discussed so far, many of them aimed at improving the developer experience or adding features that Zanzibar seems to be missing. A slight change has been made.

In Warrant, tuples are known as warrants. A warrant contains the same three main components as a tuple (object, relationship, and subject), but can also contain an optional component called a policy. A policy component is a user-defined boolean expression that is evaluated at query time to determine if warrants are available for the query. If a warrant matches a query and its policy evaluates to true, the warrant is considered during the query. Otherwise, the warrant will be ignored.

Policies can reference dynamic contextual data passed by queries (e.g. [user:123] is [approver] of [transaction:abc] [if transaction.amount <= 100]). The ability to do this enables Warrant to model attribute-based access control (ABAC) scenarios where external data (such as transaction amounts) are required to make authorization decisions, but this is not the case in Zanzibar. A pure ReBAC approach is difficult. For warranty details, please see our documentation.

Namespace : Tuple :: ObjectType : Guarantee

The namespaces described in Zanzibar are known as object types in Warrant. Object types are represented as JSON and conform to the JSON Schema specification. Unlike the Zanzibars namespace, object types support the ability to restrict the types of objects that can have each relationship, making it easier for developers to reason about the scope of relationships for each object type. increase. Warrant also provides various pre-built object types to standardize and simplify the implementation of common authentication use cases such as his RBAC, functional entitlements, and multi-tenancy within Zanzibar’s ReBAC paradigm. To do. For more information on object types and the various built-in models Warrant offers, please refer to our documentation.

It has been over two years since we chose to build our warrants on Zanzibar ground rules and we were very happy with our decision. This provided a solid technical foundation for tackling a variety of complex authentication challenges facing enterprises today. As we continue to come across new scenarios and use cases, Warrant iterations to ensure it is the most functional authorization service. To share what we learn and build with the developer community, we recently open sourced the core authentication engine that powers Warrant Cloud, our fully managed authentication platform. If you are interested in licensing (or Zanzibar) please check and star.

