Athenz: The Open-Source Solution to Provide Access Control in Dynamic Infrastructures


February 25, 21

Slide summary

Open Source Summit Japan 2018
https://events19.linuxfoundation.org/events/open-source-summit-japan-2018/program/slides/


Moved to Speaker Deck in October 2023. See the following for the latest information: https://speakerdeck.com/lycorptech_jp


Text of each slide
1.

Athenz: The Open-Source Solution to Provide Access Control in Dynamic Infrastructures
Tatsuya Yano / Yahoo Japan Corporation

2.

Athenz: Open Source System Created by Yahoo Inc.
• Service Authentication – Provides a secure identity, in the form of an X.509 certificate, to every workload / service in modern environments
• Authorization – Provides fine-grained Role Based Access Control (RBAC)

3.

Service Authentication

4.

Authentication
• User Authentication – AD / LDAP / Okta / etc.
• Service Authentication – Instances within a service have a unique identity to enable secure communication
  • IP / network ACLs / iptables
  • Mutual TLS with X.509 certificates

5.

Why does this matter?
• Many persistent large-scale infrastructure problems are rooted in identity and policy
  – Network ACL complexity
  – Federated “Single” Sign On (SSO) systems
  – Headless / automation users
  – Shared secrets

6.

Certificate Based Authentication
• Every instance / service in your cloud has its own identity
• Stronger security through mutual TLS authentication
• Short-lived certificates

7.

Copper Argos
• Generalized model for authorized service providers to launch other service identities in an authorized way, through a callback-based verification model.
Providers: OpenStack, Amazon EC2, Kubernetes, AWS ECS, Screwdriver, AWS Lambda

8.

Bootstrapping Athenz Identity

9.

Authorization

10.

Athenz Data Model

11.

Single source of truth
• Most infrastructures in cloud computing environments (e.g. Kubernetes, OpenStack, AWS, etc.) have their own system of access control.
• Athenz provides an interface to integrate with each infrastructure, so multiple environments can run under a single access control model.
Cloud computing environments: OpenStack, Amazon EC2, Kubernetes, AWS ECS, Screwdriver, AWS Lambda

12.

Authorization - Centralized Access Control

13.

Authorization - Decentralized Access Control

14.

Demo

15.

Advantages of Athenz
• Provides service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS, which can be used for mutual TLS authentication.
• Provides precise and frequently configurable access controls with a single source of truth.

16.

Future plans
• Support SPIFFE IDs in the SAN field of X.509 certificates
• Integrate with Istio / Envoy for authorization

17.

Resources
• Athenz Website: http://www.athenz.io
• Athenz GitHub: https://github.com/yahoo/athenz
• Athenz Slack Channel: https://athenz.slack.com/
• Athenz Discussion Groups:
  – Google Group: Athenz-Users
Questions or Comments:
  – Tatsuya Yano: tatyano@yahoo-corp.jp

18.

Join Us: http://www.athenz.io

19.

Q&A