Google Zanzibar Deep Dive: Handling 2 Trillion ACLs in Under 10ms

Source: DEV Community
## Introduction

Spend any time in the authorization space and you'll notice that SpiceDB and OpenFGA both claim to be "inspired by Google Zanzibar." I got curious and pulled up the 2019 USENIX ATC paper — "Zanzibar: Google's Consistent, Global Authorization System" — to see what the fuss was about.

My first reaction after reading it: the data model is almost offensively simple. Over two trillion ACLs, ten million authorization checks per second, p95 latency under 10ms — and the whole thing runs on a single string: `object#relation@user`.

Why does something this minimal hold up at planetary scale without falling apart? This post is my attempt to answer that.

## Scope

First, let's place Zanzibar in the authorization stack.

| Layer | What it does | Examples |
| --- | --- | --- |
| Authentication | Verifies who the user is | OpenID Connect, SAML |
| Token issuance | Hands out access tokens | OAuth 2.0 (RFC 6749) |
| Authorization | "Can this user access this resource?" | Zanzibar (this post), XACML, OPA |

Zanzibar is purely about authorization deci
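To make the `object#relation@user` string concrete, here is an added example (my own code, not from the post, the Zanzibar paper, SpiceDB or OpenFGA) that parses relation tuples and answers a check by expanding group memberships. It goes one step beyond the bare form shown above and assumes the paper's grammar, in which the user half of a tuple may itself be a userset written as `object#relation`; the namespaces, ids and ACLs are constructed for the demo, and computed relations such as "owner implies viewer" (namespace rewrite rules in the paper) are deliberately not modelled.

```python
"""Parse Zanzibar-style relation tuples and evaluate a membership check.

Grammar assumed (from the Zanzibar paper; the post only shows the
object#relation@user shape):
    tuple   ::= object '#' relation '@' user
    object  ::= namespace ':' object_id
    user    ::= user_id | userset
    userset ::= object '#' relation
All sample data below is constructed for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Union

_IDENT = r"[A-Za-z][A-Za-z0-9_]*"
# object ids may not contain '#', '@' or whitespace, so a tuple is unambiguous
_OBJ_REL_RE = re.compile(rf"^(?P<ns>{_IDENT}):(?P<oid>[^#@\s]+)#(?P<rel>{_IDENT})$")


@dataclass(frozen=True)
class Obj:
    namespace: str
    object_id: str


@dataclass(frozen=True)
class Userset:
    """Indirect member: everyone who holds `relation` on `obj`."""
    obj: Obj
    relation: str


User = Union[str, Userset]


@dataclass(frozen=True)
class RelationTuple:
    obj: Obj
    relation: str
    user: User


def _parse_obj_rel(text: str) -> tuple[Obj, str]:
    m = _OBJ_REL_RE.match(text)
    if not m:
        raise ValueError(f"malformed object#relation: {text!r}")
    return Obj(m["ns"], m["oid"]), m["rel"]


def parse_tuple(text: str) -> RelationTuple:
    """Strict parser: reject anything that is not exactly one well-formed tuple."""
    # Split on the first '@'; the user half may contain '#' (userset) but never '@'.
    left, sep, user_part = text.partition("@")
    if not sep or not user_part or "@" in user_part or re.search(r"\s", user_part):
        raise ValueError(f"malformed tuple: {text!r}")
    obj, rel = _parse_obj_rel(left)
    user: User
    if "#" in user_part:
        us_obj, us_rel = _parse_obj_rel(user_part)
        user = Userset(us_obj, us_rel)
    else:
        user = user_part  # opaque user id
    return RelationTuple(obj, rel, user)


class TupleStore:
    """In-memory ACL store indexed by (object, relation)."""

    def __init__(self, tuples: Iterable[RelationTuple]) -> None:
        self._members: dict[tuple[Obj, str], set[User]] = defaultdict(set)
        for t in tuples:
            self._members[(t.obj, t.relation)].add(t.user)

    def check(self, obj: Obj, relation: str, user_id: str,
              _visited: set[tuple[Obj, str]] | None = None) -> bool:
        """Default deny: True only if user_id is reachable from obj#relation.

        The visited set makes the expansion terminate even when usersets
        reference each other in a cycle.
        """
        if _visited is None:
            _visited = set()
        key = (obj, relation)
        if key in _visited:
            return False
        _visited.add(key)
        for member in self._members.get(key, ()):
            if isinstance(member, Userset):
                if self.check(member.obj, member.relation, user_id, _visited):
                    return True
            elif member == user_id:
                return True
        return False


# Constructed sample ACLs, including a deliberate membership cycle.
SAMPLE_ACLS = [
    "doc:readme#owner@user:alice",
    "doc:readme#viewer@group:eng#member",
    "group:eng#member@user:bob",
    "group:eng#member@group:leads#member",
    "group:leads#member@group:eng#member",
]


def demo_checks() -> dict[str, bool]:
    store = TupleStore(parse_tuple(s) for s in SAMPLE_ACLS)
    readme = Obj("doc", "readme")
    return {
        "bob": store.check(readme, "viewer", "user:bob"),      # via group:eng#member
        "alice": store.check(readme, "viewer", "user:alice"),  # owner only; no rewrite rules
        "carol": store.check(readme, "viewer", "user:carol"),  # walks the cycle, terminates
    }


if __name__ == "__main__":
    for who, allowed in demo_checks().items():
        print(f"{who}: {'allow' if allowed else 'deny'}")
```

The two properties a checker like this must have are visible in the code: parsing is strict (a second `@`, or whitespace in an id, is rejected rather than silently reinterpreted), and evaluation is default-deny with a visited set so that a cyclic group graph cannot turn a check into an infinite walk.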