Hi HN! Jake, Joey, and Jimmy here, founders of Authzed (W21). Today we’re open sourcing our production-ready Zanzibar paper[0] implementation for the world to use. Zanzibar is a centralized relationship-based authorization system that Google uses to manage permissions for most of their core cloud products (Docs, YouTube, Calendar, Maps, etc). It is an incredibly flexible, robust, and performant service, with 99.999% uptime and 20ms 99th %ile latency for permissions checks.<p>We’re the core team behind Red Hat’s (nee-CoreOS, nee-Quay) Quay[1] image registry, and while building out that product as well as a number of others at CoreOS and Red Hat, we continually ran into challenges with authorization systems that were either inflexible, slow, or wouldn’t scale. We have actually had to cancel features in the past due to the limitations in the permissions system.<p>That’s why we set out to build Authzed.com[2], a hosted, managed permissions platform to put an end to this madness! SpiceDB, the fundamental permissions database and access computation platform, is the central component of that platform. Today, we’re making it available under the permissive Apache 2 license for you to integrate with your own projects! We’re already using SpiceDB to power Authzed.com, but are still looking for feedback about our APIs and service.<p>As of today, the software already has:
Expressive APIs[3] for checking permissions, listing access[4], and powering devtools
An architecture faithful to Google's Zanzibar paper[5], including resistance to the New Enemy Problem[6]
An intuitive and expressive schema language[7] complete with a playground[8] dev environment
A powerful graph engine that supports distributed, parallel evaluation
Pluggable storage that supports in-memory, PostgreSQL, and CockroachDB
Deep observability with Prometheus metrics, structured logging, and distributed tracing<p>We will be hanging out in the comments section today, so please leave your feedback, criticisms, or just say hi!<p>[0]: <a href="https://research.google/pubs/pub48190/" rel="nofollow">https://research.google/pubs/pub48190/</a><p>[1]: <a href="https://www.projectquay.io/" rel="nofollow">https://www.projectquay.io/</a><p>[2]: <a href="https://authzed.com/" rel="nofollow">https://authzed.com/</a><p>[3]: <a href="https://buf.build/authzed/api" rel="nofollow">https://buf.build/authzed/api</a><p>[4]: <a href="https://docs.authzed.com/concepts/authz#what-is-acl-filtering" rel="nofollow">https://docs.authzed.com/concepts/authz#what-is-acl-filterin...</a><p>[5]: <a href="https://authzed.com/blog/what-is-zanzibar/" rel="nofollow">https://authzed.com/blog/what-is-zanzibar/</a><p>[6]: <a href="https://authzed.com/blog/new-enemies/" rel="nofollow">https://authzed.com/blog/new-enemies/</a><p>[7]: <a href="https://docs.authzed.com/guides/schema" rel="nofollow">https://docs.authzed.com/guides/schema</a><p>[8]: <a href="https://play.authzed.com/" rel="nofollow">https://play.authzed.com/</a>