
Hello! I am one of the maintainers of Ory Keto. We spent a lot of time and effort to read, learn, and analyse the Google Zanzibar paper (https://research.google/pubs/pub48190/) and the release brings that all together. There are still many things missing, but with a great community we hope to build the “Kubernetes” of permissions and access control! If you have any questions, I am here to help.


This is awesome!

Full Disclosure: I'm a YC W21 founder that's built authzed, which is effectively Zanzibar as a Service, but anything that gets mindshare towards using ACL services is huge.

How close do y'all plan to follow the paper? At a glance, I noticed a few differences.

It'd be amazing if we had API compatibility across our products.


We tried to follow as close as possible, but left out all optimizations and cluster inter-node messaging for now. The data structures and APIs are followed 1:1. In some places it was hard to follow the paper as they leave out important details, but you probably experienced that as well ;)

Your APIs look quite compatible, as you probably also stayed very close to the paper.


Amazing, I was going to start such an endeavour. Zanzibar is to me the best of the ACL systems that I know of, from a theoretical flexibility perspective. However, I was thinking of taking the principles but actually representing the triples as RDF and using SPARQL to represent policies, to use the power of graph engines rather than building my own triple store & query engine. Any reason you went for SQL storage and a custom query engine/language on top?


I don't work at ORY, but I do work on a Zanzibar implementation.

Basically, what you're describing is called "GBAC". GBAC can be great if you need the full power of a typical Graph API, but Zanzibar-like services are focused on solving the problem of finding a path between two edges[1] and doing everything you can to optimize that operation for latency. GBAC is flexible, but at the cost of performance compared to something more structured.

[0]: https://docs.authzed.com/authz/what-else#gbac-graph-based-ac...

[1]: https://authzed.com/blog/identity-isnt-the-foundation/
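The path-finding view of a Zanzibar check described above, as an added Go example that is not Ory Keto's or authzed's code: relation tuples form a graph, and a check is a bounded breadth-first search from object#relation towards the user, following userset edges and one computed-userset rewrite (viewer includes owner). The object, relation and user names are constructed for the example.

```go
package main

import "strings"

// Tuple is object#relation@subject; Subject is a user id or a userset "obj#rel".
type Tuple struct{ Object, Relation, Subject string }

// Store holds tuples plus one rewrite: Implied[r] lists relations included in r.
type Store struct{ Tuples []Tuple; Implied map[string][]string }

// Check does a breadth-first search over the tuple graph; visited keeps cycles finite.
func (s *Store) Check(object, relation, user string) bool {
	type node struct{ obj, rel string }
	visited := map[node]bool{}
	queue := []node{{object, relation}}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if visited[n] {
			continue
		}
		visited[n] = true
		for _, r := range s.Implied[n.rel] { // computed userset rewrite
			queue = append(queue, node{n.obj, r})
		}
		for _, t := range s.Tuples {
			if t.Object != n.obj || t.Relation != n.rel {
				continue
			}
			if t.Subject == user {
				return true // direct edge to the user
			}
			if obj, rel, ok := strings.Cut(t.Subject, "#"); ok {
				queue = append(queue, node{obj, rel}) // follow the userset edge
			}
		}
	}
	return false
}

// Sample is constructed data: alice owns doc:readme, group eng may view it,
// bob is in eng, and eng deliberately contains itself (a cycle).
var Sample = &Store{
	Implied: map[string][]string{"viewer": {"owner"}},
	Tuples: []Tuple{
		{"doc:readme", "owner", "alice"},
		{"doc:readme", "viewer", "group:eng#member"},
		{"group:eng", "member", "bob"},
		{"group:eng", "member", "group:eng#member"},
	},
}
```

Sample.Check("doc:readme", "viewer", "bob") walks viewer -> group:eng#member -> bob, while the self-referencing group tuple is visited once and dropped.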


Who else does GBAC? How widely used is it?


How did you land on the Zanzibar architecture over other choices?

Full disclosure: I'm cofounder/CEO of Oso (https://www.osohq.com/), a library for authorization. Overall, it's incredible to see all the activity around authorization recently.


@gneray we started ory/keto with the OPA implementation, then added AWS IAM conventions. Last year we started with Zanzibar since we appreciate the powerful simplicity and the architecture pattern for wide scale geographic deployment. With the previous approaches there were some scalability problems. Now ory/keto evolution does all of the above. Check it out on GitHub.


Fantastic news - a great achievement.


Thank you ;)


Indeed!


How do you see Zanzibar being able to complement Kubernetes? What, if any, integration points will there be? Or does Ory Keto &c intend to provide only application level permissions & access, not ops permissions & access?


We see it as a very universal service, so integration with k8s is definitely on our list, but there are no concrete plans yet. The ACLs are just so generic, you can describe anything with them.



