Athenz - The Open-Source Solution to Provide Access Control in Dynamic Infrastructures - Tatsuya Yano, Yahoo Japan
0 likes572 views
Athenz is an open-source solution that provides access control for dynamic infrastructures. It offers service authentication through secure identity in the form of x.509 certificates for every service. It also provides fine-grained role-based access control (RBAC). Athenz aims to solve problems around identity and policy that are common in large infrastructures. It acts as a single source of truth for access control across multiple cloud computing environments like Kubernetes and OpenStack.
Athenz - The Open-Source Solution to Provide Access Control in Dynamic Infrastructures - Tatsuya Yano, Yahoo Japan
- 1. Athenz: The Open-Source Solution to Provide Access Control in Dynamic Infrastructures Tatsuya Yano / Yahoo Japan Corporation
- 2. Athenz: Open Source System Created by Yahoo Inc. • Service Authentication – Provide secure identity in the form x.509 certificate to every workload / service in modern environments • Authorization – Provides fine-grained Role Based Access Control (RBAC)
- 4. Authentication • User Authentication – AD / LDAP / Okta / etc • Service Authentication – Instances within a service with a unique identity to enable secure communication • IP / Networks ACLs / iptable • Mutual TLS with x.509 certificates
- 5. Why does this matter? • Many persistent large scale infrastructure problems are rooted in identity and policy – Network ACL complexity – Federated “Single” Sign On (SSO) systems – Headless/Automation users – Shared secrets
- 6. Certificate Based Authentication • Every instance / service in your cloud has its own identity • Stronger security by Mutual TLS Authentication • Short Lived Certificates
- 7. Copper Argos • Generalized model for authorized service providers to launch other service identities in an authorized way through a callback- based verification model. Providers OpenStack Kubernetes Screwdriver Amazon EC2 AWS ECS AWS Lambda
- 11. Single source of truth • Most infrastructures in Cloud computing environments (e.g. Kubernetes, OpenStack, AWS, etc) have their own system of access control. • Athenz provides interface to integrate with each infrastructure to run multi environments with a single access control model. Cloud computing environments OpenStack Kubernetes Screwdriver Amazon EC2 AWS ECS AWS Lambda
- 12. Authorization - Centralized Access Control
- 13. Authorization - Decentralized Access Control
- 14. Demo 14
- 15. Advantages of Athenz • To provide service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS that can be used for mutual TLS authentication. • To have precise and frequently configurable access controls with single source of truth.
- 16. Future plans • To support SPIFFE ID in SAN field of x509 certificate • To integrate with Istio envoy for authorization
- 17. Resources • Athenz Website : http://www.athenz.io • Athenz Github: https://github.com/yahoo/athenz • Athenz Slack Channel: https://athenz.slack.com/ • Athenz Discussion Groups: – Google Group: Athenz-Users • Questions or Comments: – Tatsuya Yano: tatyano@yahoo-corp.jp
- 19. Q & A 19