Introduction: The Hidden Complexity of “Sharing”
You decide to share a specific photo album with your family but want to keep your other vacation pictures private. You remove a former colleague from a shared project folder in Google Drive. These everyday actions feel simple, but they represent one of the most complex challenges in modern computing: managing permissions.
Now, imagine this problem at Google’s scale, a company that manages billions of objects—documents, photos, videos, and maps—for billions of users. Every second, millions of decisions must be made about who is authorized to see what. How does Google ensure that when you revoke someone’s access, it takes effect instantly and correctly, everywhere in the world?
The answer is Zanzibar, Google’s elegant and unified solution to this global authorization challenge. It’s the invisible infrastructure that ensures your privacy settings are respected with mind-boggling speed and accuracy. Here are the four biggest takeaways from how it works.
It Operates at a Mind-Boggling Scale
The numbers behind Zanzibar are staggering. The system stores over two trillion access control list entries (held as relation tuples) and handles millions of authorization requests per second, with client queries peaking at over 10 million per second.
To manage this immense global load, Zanzibar runs on more than 10,000 servers and replicates all of its data across tens of geographically distributed data centers, so that most checks can be answered from a replica close to the client rather than from a single home region. Operating at this scale while ensuring every permission check is both fast and correct is a monumental engineering feat: a single slow check can stall a product feature, and a single incorrect one can leak data and break user trust.
It Solves the “New Enemy” Problem to Protect Your Privacy
The “new enemy” problem describes a security flaw where a permission check uses outdated information, accidentally granting access to someone who was just removed—the “new enemy”—because the system hasn’t fully processed the change yet. Zanzibar is explicitly designed to prevent it. Consider these two examples:
• Example A (ignoring the order of ACL updates): Alice removes Bob from a shared folder’s access list. A moment later, Charlie adds new documents to that folder, and documents inherit the folder’s ACL. Bob should not be able to see these new documents, but he can if the check neglects the ordering between Bob’s removal and the documents’ arrival.
• Example B (applying an old ACL to new content): Alice removes Bob from a document’s access list. She then adds new, sensitive content to it. Bob should not be able to see the new content, but he can if the check is evaluated against a stale ACL from before his removal.
In a less sophisticated system, a permission check answered from a lagging replica could use the old list and accidentally give Bob access. Zanzibar solves this by ensuring its decisions respect the causal ordering of user actions. Every ACL change is assigned a globally ordered, causally meaningful timestamp, and checks are evaluated against a consistent snapshot of the ACL data at some timestamp. A special consistency token called a “zookie” lets a client pin the minimum freshness of that snapshot, so a check concerning new content is never evaluated against permissions older than the change that created the content.
When a client is about to modify content, it first performs a content-change check: an authorization check that Zanzibar evaluates at a fresh timestamp, returning a zookie that encodes that timestamp. The client stores the zookie alongside the new content version. For all future permission checks on that content, the client presents the zookie, and Zanzibar evaluates the check at a snapshot at least as new as the zookie’s timestamp, waiting for or routing away from any replica that has not caught up. The zookie is opaque to the client; its only job is to carry the timestamp, and a client that drops it and checks with no freshness requirement reopens the new-enemy window. For a system built on user trust, solving this is a non-negotiable requirement.
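The following toy model, added here as an example and not code from Zanzibar or the paper, shows the mechanism in miniature: relation tuples in a multi-version store, a check evaluated at a snapshot timestamp (including inheritance from a folder via a tuple-to-userset rule), and a zookie that forces a lagging replica to evaluate at least as fresh as the content change. The store API, the rule encoding and the zookie format (a base64 timestamp) are assumptions for illustration; real zookies are opaque and the real timestamps come from Spanner.

```python
"""Toy model of Zanzibar-style relation tuples, snapshot checks and zookies.

Added example: Store, RULES, check() and the base64 zookie encoding are
illustrative assumptions, not Zanzibar's real API or wire format.
"""
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class RelationTuple:
    """Zanzibar-style tuple object#relation@user; user may be a userset "obj#rel"."""
    obj: str
    relation: str
    user: str


# Hypothetical namespace config: a doc's viewers are its direct viewer tuples
# plus the viewers of the folder named by its "parent" tuple (tuple_to_userset).
RULES = {("doc", "viewer"): [("this",), ("tuple_to_userset", "parent", "viewer")]}


class Store:
    """Multi-version tuple store: every write gets a monotonically increasing
    timestamp, so snapshot(ts) reflects exactly the writes with timestamp <= ts."""

    def __init__(self):
        self.clock = 0
        self.log = []  # (timestamp, "+" or "-", RelationTuple), in timestamp order

    def _append(self, op, t):
        self.clock += 1
        self.log.append((self.clock, op, t))
        return self.clock

    def write(self, t):
        return self._append("+", t)

    def delete(self, t):
        return self._append("-", t)

    def snapshot(self, ts):
        live = set()
        for when, op, t in self.log:
            if when > ts:
                break
            (live.add if op == "+" else live.discard)(t)
        return live


def _evaluate(tuples, obj, relation, user, depth=0):
    """Does `user` hold `relation` on `obj` in this snapshot? Follows usersets."""
    if depth > 8:  # guard against cyclic userset references
        return False
    namespace = obj.split(":")[0]
    for rule in RULES.get((namespace, relation), [("this",)]):
        if rule[0] == "this":
            for t in tuples:
                if t.obj == obj and t.relation == relation:
                    if t.user == user:
                        return True
                    if "#" in t.user:  # userset: recurse into obj#rel
                        uobj, urel = t.user.split("#", 1)
                        if _evaluate(tuples, uobj, urel, user, depth + 1):
                            return True
        else:  # ("tuple_to_userset", tupleset_relation, computed_relation)
            _, tupleset_rel, computed_rel = rule
            for t in tuples:
                if t.obj == obj and t.relation == tupleset_rel:
                    if _evaluate(tuples, t.user, computed_rel, user, depth + 1):
                        return True
    return False


def check(store, obj, relation, user, ts):
    """Plain check evaluated at whatever snapshot timestamp a replica has."""
    return _evaluate(store.snapshot(ts), obj, relation, user)


def make_zookie(ts):
    return base64.b64encode(str(ts).encode()).decode()  # assumed encoding


def parse_zookie(zookie):
    return int(base64.b64decode(zookie))


def content_change_check(store, obj, relation, user):
    """Check at a fresh timestamp and return a zookie the client stores with the content."""
    ts = store.clock
    return check(store, obj, relation, user, ts), make_zookie(ts)


def check_with_zookie(store, obj, relation, user, zookie, replica_ts):
    """Never evaluate earlier than the zookie's timestamp, even on a lagging replica."""
    ts = max(replica_ts, parse_zookie(zookie))
    return check(store, obj, relation, user, ts)


def new_enemy_example_b():
    """Example B: Alice removes Bob, then adds content. Returns (stale, safe) decisions."""
    store = Store()
    store.write(RelationTuple("folder:proj", "viewer", "user:bob"))      # ts 1
    store.write(RelationTuple("doc:plan", "parent", "folder:proj"))      # ts 2
    store.write(RelationTuple("doc:plan", "editor", "user:alice"))       # ts 3
    store.delete(RelationTuple("folder:proj", "viewer", "user:bob"))     # ts 4: removal
    allowed, zookie = content_change_check(store, "doc:plan", "editor", "user:alice")
    if not allowed:
        raise RuntimeError("alice should be allowed to edit")
    lagging = 3  # a replica that has not yet applied Bob's removal
    stale = check(store, "doc:plan", "viewer", "user:bob", lagging)                 # True: new enemy
    safe = check_with_zookie(store, "doc:plan", "viewer", "user:bob", zookie, lagging)  # False
    return stale, safe
```

`new_enemy_example_b()` returns `(True, False)`: the plain check on the lagging replica still sees Bob through the folder inheritance, while the zookie-pinned check is forced to the removal's timestamp and denies him. In the real system the replica would wait or the request would be routed elsewhere rather than computing a later snapshot locally, but the contract is the same: the evaluation snapshot is never older than the zookie.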
It’s Blazing Fast and Almost Never Fails
Despite its global scale and consistency guarantees, Zanzibar’s performance is astonishing. Over three years of production use, it has maintained:
• A 95th-percentile latency of less than 10 milliseconds.
• An availability of greater than 99.999%.
This is surprising because massive distributed systems usually force a trade-off: engineers typically give up strict consistency to gain global scale and low latency, or accept slower, centralized checks to keep consistency. Zanzibar delivers all three, refusing to compromise on correctness even at planetary scale, which is what makes it a landmark system. The low latency matters for more than a single click: a feature like Google Drive search can require tens to hundreds of individual permission checks just to filter one page of results, so a slow authorization system would make such features unusable.
It’s the Single Source of Truth for Products You Use Every Day
Zanzibar is not a one-off solution for a single product. It is the unified authorization backbone for many of Google’s flagship services, including Calendar, Cloud, Drive, Maps, Photos, and YouTube.
Instead of each product building its own separate permission system, Zanzibar provides a single, central source of truth. The strategic value of this unified approach is immense:
• It establishes consistent semantics and user experience across all of Google’s applications.
• It makes it easier for applications to interoperate (for example, embedding a YouTube video in a Google Doc).
• It enables the creation of common infrastructure, like a cross-application search index that correctly respects all permissions.
• It saves engineering resources by solving the complex challenges of consistency and scale only once.
As the system’s creators state, the rationale is clear and powerful:
A unified authorization system offers important advantages over maintaining separate access control mechanisms for individual applications.
Conclusion: The Foundation You Never See
Zanzibar is the perfect example of foundational infrastructure: a globally-scaled, ultra-fast, and rigorously consistent system that solves a fundamental problem of digital life. It works invisibly in the background, ensuring that every time you click “share,” your intentions are respected precisely and reliably.
It leaves one to wonder: How many other invisible, planet-scale systems like Zanzibar are required to make our daily digital lives possible?
