Athenz- The Open-Source Solution to Provide Access Control in Dynamic Infrastructures

2.9K Views

February 25, 21

スライド概要

Open Source Summit Japan 2018
https://events19.linuxfoundation.org/events/open-source-summit-japan-2018/program/slides/

profile-image

2023年10月からSpeaker Deckに移行しました。最新情報はこちらをご覧ください。 https://speakerdeck.com/lycorptech_jp

シェア

またはPlayer版

埋め込む »CMSなどでJSが使えない場合

(ダウンロード不可)

関連スライド

各ページのテキスト
1.

Athenz: The Open-Source Solution to Provide Access Control in Dynamic Infrastructures Tatsuya Yano / Yahoo Japan Corporation

2.

Athenz: Open Source System Created by Yahoo Inc. • Service Authentication – Provide secure identity in the form x.509 certificate to every workload / service in modern environments • Authorization – Provides fine-grained Role Based Access Control (RBAC)

3.

Service Authentication 3

4.

Authentication • User Authentication – AD / LDAP / Okta / etc • Service Authentication – Instances within a service with a unique identity to enable secure communication • IP / Networks ACLs / iptable • Mutual TLS with x.509 certificates

5.

Why does this matter? • Many persistent large scale infrastructure problems are rooted in identity and policy – – – – Network ACL complexity Federated “Single” Sign On (SSO) systems Headless/Automation users Shared secrets

6.

Certificate Based Authentication • Every instance / service in your cloud has its own identity • Stronger security by Mutual TLS Authentication • Short Lived Certificates

7.

Copper Argos • Generalized model for authorized service providers to launch other service identities in an authorized way through a callbackbased verification model. Providers OpenStack Amazon EC2 Kubernetes AWS ECS Screwdriver AWS Lambda

8.

Bootstrapping Athenz Identity

9.

Authorization 9

10.

Athenz Data Model

11.

Single source of truth • • Most infrastructures in Cloud computing environments (e.g. Kubernetes, OpenStack, AWS, etc) have their own system of access control. Athenz provides interface to integrate with each infrastructure to run multi environments with a single access control model. Cloud computing environments OpenStack Amazon EC2 Kubernetes AWS ECS Screwdriver AWS Lambda

12.

Authorization - Centralized Access Control

13.

Authorization - Decentralized Access Control

14.

Demo 14

15.

Advantages of Athenz • To provide service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS that can be used for mutual TLS authentication. • To have precise and frequently configurable access controls with single source of truth.

16.

Future plans • To support SPIFFE ID in SAN field of x509 certificate • To integrate with Istio envoy for authorization

17.

Resources • Athenz Website : http://www.athenz.io • Athenz Github: https://github.com/yahoo/athenz • Athenz Slack Channel: https://athenz.slack.com/ • Athenz Discussion Groups: – • Google Group: Athenz-Users Questions or Comments: – Tatsuya Yano: [email protected]

18.

Join US http://www.athenz.io

19.

Q&A 19