We just led a webinar on How Google handles Authorization at scale with my teammate Greg Sarjeant. Watch the video below to learn about:
- How Google handles authorization at scale
- Whether it is the best approach to secure your application permissions
- How Oso approaches the authorization implementation
TL;DR: The webinar focused on the Zanzibar paper from 2019, highlighting the complexities of implementing and scaling authorization in applications. We explored Zanzibar's data model, relation tuples, and the Check API, which evaluates user relationships to objects. We also discussed how, with Oso Cloud, we made different design decisions, diverging from the prescriptive Zanzibar approach in favor of greater flexibility. Our data model, called facts, represents authorization-relevant information, such as user roles, resource attributes, or relationships, which policies reference to make authorization decisions. Additionally, we compared the configuration languages used in Zanzibar and Oso, and introduced our in-house logic programming language, Polar. Polar enables developers to define who can perform specific actions on resources through simple, human-readable rules.
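As an added illustration (not code from the webinar or from Oso or Google) of what the TL;DR calls relation tuples and the Check API, here is a simplified Zanzibar-style tuple store in Python with a check that follows userset indirection (group membership) and computed-userset rewrites such as "every editor is a viewer"; the namespace config, object names and tuples are constructed sample data.

```python
# Simplified Zanzibar-style relation tuples plus a Check() walk.
# Illustrative model only, not Google's implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple:
    obj: str       # "namespace:id", e.g. "doc:readme"
    relation: str  # e.g. "viewer"
    user: str      # a user id "user:alice" or a userset "group:eng#member"


# Constructed userset-rewrite config: relation -> relations that imply it
# (a computed_userset in Zanzibar terms), e.g. owners are editors, editors are viewers.
REWRITES = {
    "doc": {"viewer": ["editor"], "editor": ["owner"]},
}

# Constructed sample tuples, written in Zanzibar's object#relation@user form
TUPLES = {
    Tuple("doc:readme", "owner", "user:alice"),
    Tuple("doc:readme", "viewer", "group:eng#member"),
    Tuple("group:eng", "member", "user:bob"),
    Tuple("group:eng", "member", "group:eng-leads#member"),
    Tuple("group:eng-leads", "member", "user:carol"),
}


def check(obj, relation, user, tuples=TUPLES, _path=frozenset()):
    """Return True if `user` has `relation` on `obj`: directly, through a
    (possibly nested) userset, or through a computed-userset rewrite."""
    key = (obj, relation)
    if key in _path:          # cycle guard for self-referential usersets
        return False
    path = _path | {key}
    for t in tuples:
        if t.obj != obj or t.relation != relation:
            continue
        if t.user == user:    # direct tuple match
            return True
        if "#" in t.user:     # userset: recurse into that object#relation
            us_obj, us_rel = t.user.split("#", 1)
            if check(us_obj, us_rel, user, tuples, path):
                return True
    namespace = obj.split(":", 1)[0]
    for implied_by in REWRITES.get(namespace, {}).get(relation, []):
        if check(obj, implied_by, user, tuples, path):
            return True
    return False
```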
Webinar Highlights
- Oso uses Polar, a declarative language, and defines permissions in terms of facts rather than relation tuples.
- Zanzibar employs a centralized relational model with an emphasis on relationships between entities.
Additional Resources
For a deeper dive into the topic, you can explore the following resources:
- Read the Zanzibar paper: Zanzibar: Google’s Consistent, Global Authorization System
- Check out our blog post summarizing Zanzibar’s prescriptive approach: Google Zanzibar Isn’t Flexible
- Read our interview with Abhishek Parmar, co-creator of Google Zanzibar: Abhishek Parmar on Google Zanzibar
- Learn more about Google Zanzibar, its architecture and use cases: Oso’s Guide to Google Zanzibar
And if you have any questions, join us on Slack; we'd love to hear from you!