![@sometorin
Authentication standards
{
"iss": https://example.com
"sub": bob
"aud": retail
"nbf": 123456789,
"exp": 123456789,
"amr": ["password", "otp"]
}
<saml:Assertion>
<saml:Subject>
<saml:NameID abcdef>
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:...:bearer">
<saml:SubjectConfirmation
Data NotOnOrAfter=../>
</saml:SubjectConfirmation>
<saml:Conditions>...
spiffe://acmecorp/a/b/c
SAML OpenID Connect SPIFFE
Enterprise Consumer Infrastructure](https://image.slidesharecdn.com/implementingauthorization-181115144530/85/Implementing-Authorization-9-320.jpg)
![@sometorin
Authentication verifies identity & produces attributes.
Human
Machine
Authentication Verified Identity
{
iss: acmecorp
sub: bob
aud: retail
nbf: 123456789
exp: 123456789
amr: [
password
otp
]
}
credentials](https://image.slidesharecdn.com/implementingauthorization-181115144530/85/Implementing-Authorization-10-320.jpg)
![@sometorin@sometorin
Attribute
semantics are
beyond the
scope of the
specification.
### 2.2. Path
The path component of a SPIFFE ID allows for the
unique identification of a given workload. The
meaning behind the path is left open ended and the
responsibility of the administrator to define.
Paths MAY be hierarchical - similar to filesystem
paths. The specific meaning of paths is reserved as
an exercise to the implementer and are outside the
SVID specification. However some examples and
conventions are expressed below.
2. ID Token [...]
The definition of particular values to be used in the amr
Claim is beyond the scope of this specification. Parties
using this claim will need to agree upon the meanings of
the values used, which may be context-specific. [...]
ID Tokens MAY contain other Claims.](https://image.slidesharecdn.com/implementingauthorization-181115144530/85/Implementing-Authorization-11-320.jpg)
Implementing Authorization
- 2. @sometorin@sometorin Torin Sandall ● Engineer @ Styra ● Co-founder @ Open Policy Agent
- 3. @sometorin "Undifferentiated Heavy Lifting" - Jeff Bezos (Amazon CEO, 2006)
- 4. @sometorin Authorization is heavy lifting.
- 5. @sometorin ...but every app needs authorization.
- 6. @sometorin Rethink how you implement authorization.
- 7. @sometorin Ship secure projects faster.
- 8. @sometorin Authentication != Authorization Verify identity Verify permission (auth/n) (auth/z)
- 9. @sometorin Authentication standards { "iss": https://example.com "sub": bob "aud": retail "nbf": 123456789, "exp": 123456789, "amr": ["password", "otp"] } <saml:Assertion> <saml:Subject> <saml:NameID abcdef> </saml:NameID> <saml:SubjectConfirmation Method="urn:...:bearer"> <saml:SubjectConfirmation Data NotOnOrAfter=../> </saml:SubjectConfirmation> <saml:Conditions>... spiffe://acmecorp/a/b/c SAML OpenID Connect SPIFFE Enterprise Consumer Infrastructure
- 10. @sometorin Authentication verifies identity & produces attributes. Human Machine Authentication Verified Identity { iss: acmecorp sub: bob aud: retail nbf: 123456789 exp: 123456789 amr: [ password otp ] } credentials
- 11. @sometorin@sometorin Attribute semantics are beyond the scope of the specification. ### 2.2. Path The path component of a SPIFFE ID allows for the unique identification of a given workload. The meaning behind the path is left open ended and the responsibility of the administrator to define. Paths MAY be hierarchical - similar to filesystem paths. The specific meaning of paths is reserved as an exercise to the implementer and are outside the SVID specification. However some examples and conventions are expressed below. 2. ID Token [...] The definition of particular values to be used in the amr Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. [...] ID Tokens MAY contain other Claims.
- 12. @sometorin App must decide how identity attributes map to functionality, privileges, etc.
- 13. @sometorin@sometorin What about OAuth? RFC 6749 The OAuth 2.0 Authorization Framework Abstract The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
- 14. @sometorin@sometorin OAuth 2.0 enables delegation. "Power of Attorney" for web and mobile applications. Source: https://backstage.forgerock.com/docs/am/5/oauth2-guide/
- 15. @sometorin@sometorin Application of access tokens is beyond the scope of the specification. RFC 6749 Section 7 The client accesses protected resources by presenting the access token to the resource server. The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource. The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification but generally involve an interaction or coordination between the resource server and the authorization server.
- 16. @sometorin How does the app decide what to do with incoming requests, identity attributes, and access tokens?
- 17. @sometorin Can identity I do operation O on resource R? Authorization: Problem Statement
- 18. @sometorin Example Authorization Scenario "Employees should be able to read their own salary and the salary of employees they manage." HTTP API GET /salary/bob Authorization: alice
- 19. @sometorin @route("GET", "/salaries/{employee_id}") def get_salary(req): if not authorized(req): return error(403) return db.read_salary(req.emp_id) def authorized(req): if req.user == req.emp_id: return True if req.user in managers_of(req.emp_id): return True return False app code authorization code
- 20. @sometorin @route("GET", "/salaries/{employee_id}") def get_salary(req): if not authorized(req): return error(403) return db.read_salary(req.emp_id) def authorized(req): if req.user == req.emp_id: return True if req.user in managers_of(req.emp_id): return True return False This code raises questions! ● How do you enforce policies from security or legal departments? ● How do you delegate control to your end-users? ● How do you roll-out policy changes? ● How do you access HR database or other sources of context? ● How do you render the UI based on the user's permissions? ● How do you audit and test your policies for correctness? ● How do you audit enforcement of the policies? ● What about 100+ other services written in Java, Go, and Ruby?
- 21. @sometorin Can identity I do operation O on resource R? Authorization: Problem Statement Goal: Solve for any combination of I, O, and R. Enforce in any language, framework, or environment.
- 22. @sometorin Authorization: Common Approaches ACLs - deny by default - admin controlled - user, action, resource
- 23. @sometorin RBAC - deny by default - group users - grant groups permissions - inheritance - separation of duty (SOD) Authorization: Common Approaches ACLs - deny by default - admin controlled - user, action, resource
- 24. @sometorin RBAC - deny by default - group users - grant groups permissions - inheritance - separation of duty (SOD) Authorization: Common Approaches IAM - allow and deny - users, groups, resources - negation & built-ins ACLs - deny by default - admin controlled - user, action, resource
- 25. @sometorin RBAC - deny by default - group users - grant groups permissions - inheritance - separation of duty (SOD) Authorization: Common Approaches IAM - allow and deny - users, groups, resources - negation & built-ins ACLs - deny by default - admin controlled - user, action, resource ABAC - boolean logic - context - relationships
- 26. @sometorin Authorization: Trade-offs ACLs RBAC IAM ABAC Ease of use Flexibility
- 27. @sometorin ACLs, RBAC, and IAM are not enough. "QA must sign-off on images deployed to the production namespace." "Analysts can read client data but PII must be redacted." "Restrict employees from accessing the service outside of work hours." "Allow all HTTP requests from 10.1.2.0/24." "Restrict ELB changes to senior SREs that are on-call." "Give developers SSH access to machines listed in JIRA tickets assigned to them." "Prevent developers from running containers with privileged security contexts in the production namespace." "Workloads for euro-bank must be deployed on PCI-certified clusters in the EU."
- 28. @sometorin Open Policy Agent (OPA) is a general-purpose policy engine. Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement
- 29. @sometorin Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement Decouple policy decisions from enforcement and codify decisions using a declarative language. Open Policy Agent (OPA)
- 30. @sometorin Open Policy Agent (OPA) Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement Supports multiple authorization models like ACLs, RBAC, IAM, and ABAC.
- 31. @sometorin Demo
- 32. @sometorin Authorization: Where does OPA stand? ACLs RBAC IAM ABAC Ease of use Flexibility
- 33. @sometorin Authorization: Where does OPA stand? ACLs RBAC IAM ABAC Ease of use Flexibility
- 34. @sometorin Petdetails GET /pets Authorization: bob SELECT * FROM pets DB name owner age Fluffy Bob 7 Muffin Alice 3 King Janet 12
- 35. @sometorin Petdetails GET /pets Authorization: bob SELECT * FROM pets DB Policy name owner age Fluffy Bob 7 Muffin Alice 3 King Janet 12
- 36. @sometorin Petdetails GET /pets Authorization: bob SELECT * FROM pets DB Policy Example Policy "Users should only be allowed to see details of pets they own."
- 37. @sometorin SELECT * FROM pets Petdetails GET /pets Authorization: bob DB Policy WHERE pets.owner = "bob" Example Policy "Users should only be allowed to see details of pets they own."
- 38. @sometorin SELECT * FROM pets Petdetails GET /pets Authorization: bob DB Policy WHERE pets.owner = "bob" AND pets.location = "EU" Policy Example Policy "Users should only be allowed to see details of pets they own."
- 39. @sometorin Petdetails OPA policy query allow or deny DB GET /pets Authorization: bob SELECT * FROM pets Policy (rego)
- 40. @sometorin Petdetails OPA allow or deny DB Requires OPA to have access to the data. GET /pets Authorization: bob SELECT * FROM pets policy query Policy (rego)
- 41. @sometorin Petdetails OPA conditions (SQL predicate) DB GET /pets Authorization: bob SELECT * FROM pets WHERE pets.owner = "bob" policy query Policy (rego) Partially Evaluate Rego & Translate into SQL.
- 42. @sometorin Demo
- 43. @sometorin Petdetails OPA conditions (SQL predicate) DB GET /pets Authorization: bob SELECT * FROM pets WHERE pets.owner = "bob" policy query Policy (rego) Partially Evaluate Rego & Translate into SQL. See blog.openpolicyagent.org for details.
- 44. @sometorin Authorization is heavy lifting.
- 45. @sometorin@sometorin Rethink how you implement authorization. openpolicyagent.org Integrated with... ...and more.