Google's Zanzibar actually does both: for the vast majority of queries, it uses significant levels of caching and a permitted amount of staleness [1], allowing Spanner to return a (somewhat stale) copy of the relationship data from local nodes, rather than having to wait or coordinate with the other nodes.

However, some deeply recursive or wide relations can still be slow, so Zanzibar also has a pre-computation cache called Leopard that is used for a very specific subset of these relations [2]. For SpiceDB, we called our version of this cache Materialize and it is designed expressly for handling "Enterprise" levels of scale in a similar fashion, as sometimes it is simply too slow to walk these deep graphs in real-time.

[1]: https://zanzibar.tech/24uQOiQnVi:1T:4S [2]: https://zanzibar.tech/21tieegnDR:0.H1AowI3SG:2O

Ooh, and back when that was not a thing (iirc a few years back) me and a friend of mine had built a spiritually similar index for spicedb for our final year project at uni. We had a mini WAL and the ability to safely reject queries that specified a minimum update requirement after the index updation.

Sweet! I'd love to see it, if you have a link, or throw it in our Discord [1]!

[1]: https://discord.com/invite/GBeT3R4k84

Can you let me know how would you for example query all accessible resources for a user using Google's Zanzibar?

In SpiceDB, this is known as the LookupResources [1] API, which returns all resources (of a particular type) that a particular subject (user in this case) has a particular permission on.

We have a guide on doing ACL-aware filtering and listing [2] with this API and describing other approaches for larger Enterprise scales

Disclaimer: I'm the co-founder and CTO of AuthZed, we develop SpiceDB, and I wrote our most recent implementation of LookupResources

[1]: https://buf.build/authzed/api/docs/main:authzed.api.v1#authz... [2]: https://authzed.com/docs/spicedb/modeling/protecting-a-list-...

Related: if anyone has a method of achieving this query against GCP resources I'd be keen to learn that as well.

We actually have users that synchronize their resources from various sources (AWS, Kubernetes, etc) into SpiceDB, explicitly so they can perform these kinds of queries!

One of the major benefits of a centralized authorization system is allowing for permissions queries across resources and subjects from multiple different services/sources (of course, with the need to synchronize the data in)

Happy to expand on how some users do so, if you're curious.

If you are interested in Zanzibar and Relationship-Based Access Control (ReBAC) it’s worth taking a look at OpenFGA https://openfga.dev/

There are quite a few OSS Zanzibar-inspired authorization services/servers:

  - SpiceDB (https://github.com/authzed/spicedb)
  - Permify (https://github.com/Permify/permify)
  - Warrant (https://github.com/warrant-dev/warrant)
  - Ory Keto (https://github.com/ory/keto)

Worth mentioning Casbin as well (https://github.com/casbin/casbin) - it's been around for a while and takes a slightly different approach. Instead of being purely Zanzibar-inspired, it uses a PERM (Policy, Effect, Request, Matchers) metamodel that lets you implement RBAC, ABAC, or ReBAC depending on what fits your use case.

And https://projects.eclipse.org/projects/technology.biscuit