SlideShare a Scribd company logo

Athenz introduction

D
Dũng Lê

Athenz is an open source system for role-based access control (RBAC) that uses two token types - principal tokens (N-Tokens) that identify users or services, and role tokens (Z-Tokens) that represent roles a principal can assume. It provides advantages like service-based security profiles, dynamic provisioning, and single source of truth for access management. Athenz works using a centralized authorization server (ZMS) that issues tokens, and decentralized token servers (ZTS) that verify tokens. Services are assigned identities and roles via tokens to control access in a decentralized manner according to policies managed in Athenz domains.

Technology
1 of 32
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Athenz introduction Update: 2018/05/13 Athenz introduction - ledung@yahoo-corp.jp
Agenda 1. What is Athenz? 2. Why we use it? 3. How to Athenz work? 4. Q&A Athenz introduction - ledung@yahoo-corp.jp
01 What is Athenz? Athenz introduction - ledung@yahoo-corp.jp
"Athenz" is the 'Auth' + the 'N' + 'Z' tokens O Open source of services and libraries supporting role-based access control (RBAC) Z Z-Token: Role Token represent an authoritative statement that a given principal may assume some number of roles in a domain for a limited period of time A Authorization system utilizes two types of tokens: Principal Tokens (N-Tokens) and RoleTokens (Z-Tokens) N N-Token: Principal Token can be thought of an identity token because it identifies either a user or a service Athenz introduction - ledung@yahoo-corp.jp
02 Why we use it? Athenz introduction - ledung@yahoo-corp.jp
Auth PaaS Service Faster Athenz introduction - ledung@yahoo-corp.jp
1 2 3 4 Service-based security profile Dynamic provisioning Self-Service Dynamic manageability. Single source of truth  We get advantages using Athenz
We get advantages using Athenz
1 2 3 4 Service-based security profile Dynamic provisioning Self-Service Dynamic manageability. Single source of truth  We get advantages using Athenz
1 2 3 4 Service-based security profile Dynamic provisioning Self-Service Dynamic manageability. Single source of truth  We get advantages using Athenz
1 2 3 4 Service-based security profile Dynamic provisioning Self-Service Dynamic manageability. Single source of truth  We get advantages using Athenz
1 2 3 4 Service-based security profile Dynamic provisioning Self-Service Dynamic manageability. Single source of truth  We get advantages using Athenz
03 How to Athenz work? Athenz introduction - ledung@yahoo-corp.jp
Data Model
Data Model • Domains are namespaces, strictly partitioned, providing a context. • Administrative tasks can be delegated to created sub-domains to avoid reliance on central “super user” administrative roles.
Data Model • As a group. Anyone in the group can assume the role that takes a particular action. • Every policy assertion describes what can be done by a role. • Delegate the determination of membership to another trusted domain.
Data Model • A resource is something that is “owned” and controlled in a specific domain while the operations one can perform against that resource are defined as actions. • A resource could be a concrete object like a machine or an abstract object like a security policy.
Data Model • A policy is a set of assertions (rules) about granting or denying an operation/action on a resource to all the members in the configured role.
Data Model • The actors in Athenz that can assume a role are called principals. • These principals are authenticated and can be users. • Principals can also be services that are authenticated by a service management system.
Data Model • Users are actually defined in some external authority, e.g. Unix or Kerberos system. • A special domain is reserved for the purpose of namespacing users; • the name of that domain is “user,”
Data Model • The concept of a Service Identity is introduced as the identity of independent agents of execution. • Services have a simple way of naming them, e.g. media.finance.storage identifies a service called “storage” in domain media.finance. • A Service may be used as a principal when specifying roles, just like a user.
Data Model
System Overview Centralization Decentralization
System Overview • ZMS is the source of truth for domains, roles, and policies for centralized authorization. • In addition to allowing CRUD operations on the basic entities, ZMS provides an API to replicate the entities, per domain, to ZTS. • ZMS supports a centralized call to check if a principal has access to a resource both for internal management system checks, as well as a simple centralized deployment.
System Overview • ZTS, the authentication token service, is only needed to support decentralized functionality. • ZTS is like a local replica of ZMS’s data to check a principal’s authentication and confirm membership in roles within a domain. • The authentication is in the form of a signed ZToken that can be presented to any decentralized service that wants to authorize access efficiently. • Multiple ZTS instances can be distributed to different locations as needed to scale for issuing tokens.
System Overview • Service Identity Agent is part of the container, although likely built with Athenz libraries. • Generate a NToken and sign it with the given private key so that the service can present that NToken to ZMS/ZTS as its identity credentials. • The corresponding public key must be registered in ZMS so Athenz services can validate the signature.
System Overview AuthZ Policy Engine • Support decentralized authorization. • The subsystem of Athenz that evaluates policies for a set of roles to yield an allowed or a denied response. • Library that your service calls and only refers to a local policy cache for your services domain.
System Overview AuthZ PolicyEngine Updater • Support decentralized authorization. • The policy updater is the utility that retrieves from ZTS the policy files for provisioned domains on a host, which ZPE uses to evaluate access requests
System Overview
04 Q&A? Athenz introduction - ledung@yahoo-corp.jp
Referrence Athenz Yahoo! Inc: • https://github.com/yahoo/athenz Athenz introduction - ledung@yahoo-corp.jp
THANK YOU ledung@yahoo-corp.jp

More Related Content

PDF
Best Practices for Becoming an Exceptional Postgres DBA
EDB
 
PPTX
Seamless replication and disaster recovery for Apache Hive Warehouse
DataWorks Summit
 
PPTX
Unix OS & Commands
Mohit Belwal
 
PPTX
Meet Apache HBase - 2.0
DataWorks Summit
 
PPTX
Introduction to KSQL: Streaming SQL for Apache Kafka®
confluent
 
PPTX
Apache Phoenix and Apache HBase: An Enterprise Grade Data Warehouse
Josh Elser
 
PPTX
Lactate dehydrogenase assays
kakavietnam
 
PPTX
PMM database open source monitoring solution
Lior Altarescu
 
Best Practices for Becoming an Exceptional Postgres DBA
EDB
 
Seamless replication and disaster recovery for Apache Hive Warehouse
DataWorks Summit
 
Unix OS & Commands
Mohit Belwal
 
Meet Apache HBase - 2.0
DataWorks Summit
 
Introduction to KSQL: Streaming SQL for Apache Kafka®
confluent
 
Apache Phoenix and Apache HBase: An Enterprise Grade Data Warehouse
Josh Elser
 
Lactate dehydrogenase assays
kakavietnam
 
PMM database open source monitoring solution
Lior Altarescu
 

What's hot (19)

PDF
Load Balancing with Nginx
Marian Marinov
 
PPTX
Order of draw in phlebotomy section
SOLOMON SUASB
 
PPTX
“Alexa, be quiet!”: End-to-end near-real time model building and evaluation i...
Flink Forward
 
PDF
How to use histograms to get better performance
MariaDB plc
 
PPTX
Practical learnings from running thousands of Flink jobs
Flink Forward
 
PPTX
Haemoglobin estimation bishwas neupane b.sc mlt part i
globalsoin
 
PDF
New Generation Oracle RAC Performance
Anil Nair
 
PDF
HbA1c : glycosylated hemoglobin
endodiabetes
 
PPTX
Peritoneal Fluid Analysis
Crisbert Cualteros
 
PPTX
Glycated haemoglobin ppt by Basalingappa BG
BASALINGAPPA GUTTEDAR
 
PPTX
HBase Accelerated: In-Memory Flush and Compaction
DataWorks Summit/Hadoop Summit
 
PPTX
Off-heaping the Apache HBase Read Path
HBaseCon
 
PDF
Oracle R12 EBS Performance Tuning
Scott Jenner
 
PPTX
Common Wild Edibles
Linna Ferguson
 
PDF
Oracle database 12c data masking and subsetting guide
bupbechanhgmail
 
PDF
USENIX ATC 2017: Visualizing Performance with Flame Graphs
Brendan Gregg
 
PPTX
Jaundice and case discussion
Dr. S P SRINIVAS NAYAK
 
PPTX
Alfresco tuning part2
Luis Cabaceira
 
PDF
Histology
SyedaSadafWajahat
 
Load Balancing with Nginx
Marian Marinov
 
Order of draw in phlebotomy section
SOLOMON SUASB
 
“Alexa, be quiet!”: End-to-end near-real time model building and evaluation i...
Flink Forward
 
How to use histograms to get better performance
MariaDB plc
 
Practical learnings from running thousands of Flink jobs
Flink Forward
 
Haemoglobin estimation bishwas neupane b.sc mlt part i
globalsoin
 
New Generation Oracle RAC Performance
Anil Nair
 
HbA1c : glycosylated hemoglobin
endodiabetes
 
Peritoneal Fluid Analysis
Crisbert Cualteros
 
Glycated haemoglobin ppt by Basalingappa BG
BASALINGAPPA GUTTEDAR
 
HBase Accelerated: In-Memory Flush and Compaction
DataWorks Summit/Hadoop Summit
 
Off-heaping the Apache HBase Read Path
HBaseCon
 
Oracle R12 EBS Performance Tuning
Scott Jenner
 
Common Wild Edibles
Linna Ferguson
 
Oracle database 12c data masking and subsetting guide
bupbechanhgmail
 
USENIX ATC 2017: Visualizing Performance with Flame Graphs
Brendan Gregg
 
Jaundice and case discussion
Dr. S P SRINIVAS NAYAK
 
Alfresco tuning part2
Luis Cabaceira
 
Histology
SyedaSadafWajahat
 
Ad

Similar to Athenz introduction (20)

PDF
Keystone Federation
openstackindia
 
PDF
Null talk
Agam Jain
 
PPTX
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
gemziebeth
 
PPTX
Aws security best practices
Sundeep Roxx
 
PDF
.NET Core, ASP.NET Core Course, Session 19
Amin Mesbahi
 
PPTX
Common Data Model - A Business Database!
Pedro Azevedo
 
PDF
09-01-services-slides.pdf for educations
katariraju71
 
PPTX
Alec MacEachern - Scaling Enterprise Agents
AWS Chicago
 
PPTX
Alec MacEachern - Scaling Enterprise Agents
AWS Chicago
 
PPT
Win2KServer Active Directory
Phil Ashman
 
PPTX
Building IAM for OpenStack
Steve Martinelli
 
PDF
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays
 
PPTX
Ladies Be Architects: Integration Study Group: Security & State Management
gemziebeth
 
PPTX
PRShare: a framework for privacy-preserving, interorganizational data sharing.
Lihi Idan
 
PPT
Authentication Authorization-Lesson-2-Slides.ppt
MuhammadAbdullah311866
 
PPTX
Common Data Service – A Business Database!
Pedro Azevedo
 
PPTX
Restful api
Anurag Srivastava
 
PPTX
Presentation
Laxman Kumar
 
PPTX
information security(authentication application, Authentication and Access Co...
Zara Nawaz
 
PPTX
Cloud Identity Management
Damian T. Gordon
 
Keystone Federation
openstackindia
 
Null talk
Agam Jain
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
gemziebeth
 
Aws security best practices
Sundeep Roxx
 
.NET Core, ASP.NET Core Course, Session 19
Amin Mesbahi
 
Common Data Model - A Business Database!
Pedro Azevedo
 
09-01-services-slides.pdf for educations
katariraju71
 
Alec MacEachern - Scaling Enterprise Agents
AWS Chicago
 
Alec MacEachern - Scaling Enterprise Agents
AWS Chicago
 
Win2KServer Active Directory
Phil Ashman
 
Building IAM for OpenStack
Steve Martinelli
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays
 
Ladies Be Architects: Integration Study Group: Security & State Management
gemziebeth
 
PRShare: a framework for privacy-preserving, interorganizational data sharing.
Lihi Idan
 
Authentication Authorization-Lesson-2-Slides.ppt
MuhammadAbdullah311866
 
Common Data Service – A Business Database!
Pedro Azevedo
 
Restful api
Anurag Srivastava
 
Presentation
Laxman Kumar
 
information security(authentication application, Authentication and Access Co...
Zara Nawaz
 
Cloud Identity Management
Damian T. Gordon
 
Ad

Recently uploaded (20)

PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Teaching material agriculture food technology
LiaRayya
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Approach and Philosophy of On baking technology
30anthuong17
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 

Athenz introduction

  • 1. Athenz introduction Update: 2018/05/13 Athenz introduction - ledung@yahoo-corp.jp
  • 2. Agenda 1. What is Athenz? 2. Why we use it? 3. How to Athenz work? 4. Q&A Athenz introduction - ledung@yahoo-corp.jp
  • 3. 01 What is Athenz? Athenz introduction - ledung@yahoo-corp.jp
  • 4. "Athenz" is the 'Auth' + the 'N' + 'Z' tokens O Open source of services and libraries supporting role-based access control (RBAC) Z Z-Token: Role Token represent an authoritative statement that a given principal may assume some number of roles in a domain for a limited period of time A Authorization system utilizes two types of tokens: Principal Tokens (N-Tokens) and RoleTokens (Z-Tokens) N N-Token: Principal Token can be thought of an identity token because it identifies either a user or a service Athenz introduction - ledung@yahoo-corp.jp
  • 5. 02 Why we use it? Athenz introduction - ledung@yahoo-corp.jp
  • 6. Auth PaaS Service Faster Athenz introduction - ledung@yahoo-corp.jp
  • 7. 1 2 3 4 Service-based security profile Dynamic provisioning Self-Service Dynamic manageability. Single source of truth  We get advantages using Athenz
  • 8. We get advantages using Athenz
  • 9. 1 2 3 4 Service-based security profile Dynamic provisioning Self-Service Dynamic manageability. Single source of truth  We get advantages using Athenz
  • 10. 1 2 3 4 Service-based security profile Dynamic provisioning Self-Service Dynamic manageability. Single source of truth  We get advantages using Athenz
  • 11. 1 2 3 4 Service-based security profile Dynamic provisioning Self-Service Dynamic manageability. Single source of truth  We get advantages using Athenz
  • 12. 1 2 3 4 Service-based security profile Dynamic provisioning Self-Service Dynamic manageability. Single source of truth  We get advantages using Athenz
  • 13. 03 How to Athenz work? Athenz introduction - ledung@yahoo-corp.jp
  • 15. Data Model • Domains are namespaces, strictly partitioned, providing a context. • Administrative tasks can be delegated to created sub-domains to avoid reliance on central “super user” administrative roles.
  • 16. Data Model • As a group. Anyone in the group can assume the role that takes a particular action. • Every policy assertion describes what can be done by a role. • Delegate the determination of membership to another trusted domain.
  • 17. Data Model • A resource is something that is “owned” and controlled in a specific domain while the operations one can perform against that resource are defined as actions. • A resource could be a concrete object like a machine or an abstract object like a security policy.
  • 18. Data Model • A policy is a set of assertions (rules) about granting or denying an operation/action on a resource to all the members in the configured role.
  • 19. Data Model • The actors in Athenz that can assume a role are called principals. • These principals are authenticated and can be users. • Principals can also be services that are authenticated by a service management system.
  • 20. Data Model • Users are actually defined in some external authority, e.g. Unix or Kerberos system. • A special domain is reserved for the purpose of namespacing users; • the name of that domain is “user,”
  • 21. Data Model • The concept of a Service Identity is introduced as the identity of independent agents of execution. • Services have a simple way of naming them, e.g. media.finance.storage identifies a service called “storage” in domain media.finance. • A Service may be used as a principal when specifying roles, just like a user.
  • 24. System Overview • ZMS is the source of truth for domains, roles, and policies for centralized authorization. • In addition to allowing CRUD operations on the basic entities, ZMS provides an API to replicate the entities, per domain, to ZTS. • ZMS supports a centralized call to check if a principal has access to a resource both for internal management system checks, as well as a simple centralized deployment.
  • 25. System Overview • ZTS, the authentication token service, is only needed to support decentralized functionality. • ZTS is like a local replica of ZMS’s data to check a principal’s authentication and confirm membership in roles within a domain. • The authentication is in the form of a signed ZToken that can be presented to any decentralized service that wants to authorize access efficiently. • Multiple ZTS instances can be distributed to different locations as needed to scale for issuing tokens.
  • 26. System Overview • Service Identity Agent is part of the container, although likely built with Athenz libraries. • Generate a NToken and sign it with the given private key so that the service can present that NToken to ZMS/ZTS as its identity credentials. • The corresponding public key must be registered in ZMS so Athenz services can validate the signature.
  • 27. System Overview AuthZ Policy Engine • Support decentralized authorization. • The subsystem of Athenz that evaluates policies for a set of roles to yield an allowed or a denied response. • Library that your service calls and only refers to a local policy cache for your services domain.
  • 28. System Overview AuthZ PolicyEngine Updater • Support decentralized authorization. • The policy updater is the utility that retrieves from ZTS the policy files for provisioned domains on a host, which ZPE uses to evaluate access requests
  • 30. 04 Q&A? Athenz introduction - ledung@yahoo-corp.jp
  • 31. Referrence Athenz Yahoo! Inc: • https://github.com/yahoo/athenz Athenz introduction - ledung@yahoo-corp.jp