1/ Last week we did a deep dive of @github's authorization model and the problems they solve

In this thread we'll focus on another well known product: @googledrive a great example of a collaboration platform.

📊How is gdrive "authorization at scale"?
2/ Well, in 2018 they:
- hit 1B users
- 2 trillion files


🔐 Review their permission model
🔍Go over their "search" story and how authz fits in it
🎯Analyze examples of why "correctness" () is important
3/ Like github, @googledrive has B2C and B2B models. However, @googledrive's sharing model is the same for B2C and B2B. The difference is who you can share files with.
4/ For both models you can have:
- Restricted sharing, i.e.: with a google account that you allow
- Anyone with the link sharing

🏢The B2B model includes
- the ability of link sharing within your organization
- the option to restrict sharing publicly
5/ There are five concentric roles a user might have on an object (file or folder):
- Owner/Organizer
- File organizer (shared drive only)
- Editor
- Commenter (for files)
- Viewer
6/ Permission propagation happens between folders and files (developers.google.com/drive/api/v3/m…): if you are a viewer in a folder, you can view its documents. This applies even when you are not explicitly a viewer in a document.
7/ As we mentioned last time, flexibility is 🔑: . Document level granularity + ancestor propagation is a powerful combination.

You can remove some abilities on a specific doc for ALL users: support.google.com/drive/answer/2…

And grant permissions on file "views"
8/ 🔍A big part of @googledrive's value prop is "search". Drive's search UX is great. Have you ever thought about what search's needs are from Authz?

You shouldn't get any results back if you don't have permissions for them.
9/ If a file's name is "Plan to fire Sue" and you're Sue, not only should you not be able to access it, but it should not show up in search results 😅

In a workspace with 100k+ documents, each search request has perms checked for all potential matches. That is scale! 🚀
10/ Checking one permission at a time for each user operation is simple compared to the massive burden of hundreds/thousands of requests per search.

🔑 Any system that solves "authorization at scale" needs to solve the search problem!
11/ On a different note, @googledrive has done a great job at spoiling us with its sharing UX. You share a file with someone, send them a link half way across the world and they will be able to open it immediately!

This has important implications from a security perspective.
11/ Imagine if this wasn't the case, and instead it took 5 minutes to propagate changes. Some interesting (and potentially uncomfortable/insecure) situations could arise.
12/ Let's analyze some potential edge case problems considering a distributed workforce (and a thus a VERY distributed system):
🇺🇸 Anne lives in LA
🇧🇷 Bela and Caio live in São Paulo. They report to Anne
13/ Situation 1️⃣: Anne
1. Removes Caio from the document "Confidential" as a viewer.
2. Adds Bea as a document writer.
3. Bea makes an update to the document that Caio should not be able to see.
14/ What happens if the update for 2 is replicated from the US to Brazil before permission update 1? Under a simple eventual consistency model, there are no guarantees for causal ordering in replication.
15/ Thus: *Caio might be able to read data he is not supposed to* because "from Brazil's datacenter perspective Bea can write in before Caio has been removed as a reader".

⚠️Problem 1: replication with no notion of causal ordering might lead to security issues.
16/ But, if we solve causal ordering in replication but keep eventual consistency we are not safe:

Situation 2️⃣: Anne fires Bea. She lets her know at 5:00 PM and removes her permissions.

If propagation takes "at most" 5 mins, Bea could delete company data at 5:02 PM UTC.
17/ ‼️ Once Anne gets confirmation that Bea's permissions have been removed, Bea should no longer be able to access documents.

⚠️Problem 2: eventual consistency in permission replication can lead to security issues.
18/ 🔑To solve distributed authorization at scale, a system must support strong consistency when necessary, allowing for more lenient models when business cases allow it. We'll refer to this characteristic as "correctness".
19/ If you are interested in more details about how @google's permission system works (including @googledrive) the Zanzibar paper is a great resource: research.google/pubs/pub48190/.
20/ 👋We hope you found these analysis of different products from an AuthZ perspective interesting. We'd love to hear your thoughts here or @discord discord.gg/XbQpZSF2Ys

Later this week, we'll share a bit of what we are seeing in the authorization market. Stay tuned!

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with The Auth0 Lab

The Auth0 Lab Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Auth0Lab

11 Nov
1/ Having analyzed the @github and @googledrive #fgaatscale cases, we'll share our view on the authz market.

We'll go over what is currently being addressed and what the gaps are👇
As we've mentioned before, solving #fgaatscale requires:
1️⃣ Permission modelling flexibility
2️⃣ Auditing capabilities
3️⃣ Correctness: no invalid permissions are granted
4️⃣ Low Latency
5️⃣ High availability
3/ Solving #fgaatscale is becoming a need because:
☝️ Users expect collaboration features in most products they used, and that requires FGA
✌️ Increasing privacy and compliance regulations require companies in different verticals to restrict access as much as possible
Read 21 tweets
5 Nov
1/ Last time explained why we are exploring fine grained authorization:

In this thread explore we'll the problems of authorization at scale using a real world, well known example
2/ This is a key part of product development, especially when building infrastructure. We want to understand what our customers will eventually build with our service.

Our analysis case is @github.
3/ @github is an interesting example as it’s a *collaboration* platform built on top of git.

We believe collaboration and authorization are two sides of the same coin
Read 19 tweets
30 Oct
1/ On Wed, we posted about why we are doing this and what we expect.

We also promised to unveil this week the problem we want to dive into 🥁...
2/ The area we'd like to explore is: *fine-grained authorization*

Why this? And why now?👇
3/ Large scale fine-grained authorization as a building block is an unsolved problem. Just like authentication was ~8 years ago. We implement it in every app we build, over and over. There is no generic, cross-platform, cross-domain solution.
Read 8 tweets
28 Oct
1/ Kicking off this experiment!

First thing, we want to share *why* we are doing this and set some expectations.

Thread 👇
2/ Building new products is a messy process. There is no manual. But one thing we know is if we focus on learning and iterating, we can get somewhere. Worst case we learn that an idea is not worth it, the best case we find a product. Either case we learn.

3/ This is an experiment 🧪. We've never done this before.

Auth0 has a mature and defined prod dev process. We are a small team focusing on exploring product adjacencies and that gives us room to be more experimental.

Bear with us and embrace experimentation.
Read 9 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!