2.9K Views
February 25, 21
スライド概要
Open Source Summit Japan 2018
https://events19.linuxfoundation.org/events/open-source-summit-japan-2018/program/slides/
2023年10月からSpeaker Deckに移行しました。最新情報はこちらをご覧ください。 https://speakerdeck.com/lycorptech_jp
Athenz: The Open-Source Solution to Provide Access Control in Dynamic Infrastructures Tatsuya Yano / Yahoo Japan Corporation
Athenz: Open Source System Created by Yahoo Inc. • Service Authentication – Provide secure identity in the form x.509 certificate to every workload / service in modern environments • Authorization – Provides fine-grained Role Based Access Control (RBAC)
Service Authentication 3
Authentication • User Authentication – AD / LDAP / Okta / etc • Service Authentication – Instances within a service with a unique identity to enable secure communication • IP / Networks ACLs / iptable • Mutual TLS with x.509 certificates
Why does this matter? • Many persistent large scale infrastructure problems are rooted in identity and policy – – – – Network ACL complexity Federated “Single” Sign On (SSO) systems Headless/Automation users Shared secrets
Certificate Based Authentication • Every instance / service in your cloud has its own identity • Stronger security by Mutual TLS Authentication • Short Lived Certificates
Copper Argos • Generalized model for authorized service providers to launch other service identities in an authorized way through a callbackbased verification model. Providers OpenStack Amazon EC2 Kubernetes AWS ECS Screwdriver AWS Lambda
Bootstrapping Athenz Identity
Authorization 9
Athenz Data Model
Single source of truth • • Most infrastructures in Cloud computing environments (e.g. Kubernetes, OpenStack, AWS, etc) have their own system of access control. Athenz provides interface to integrate with each infrastructure to run multi environments with a single access control model. Cloud computing environments OpenStack Amazon EC2 Kubernetes AWS ECS Screwdriver AWS Lambda
Authorization - Centralized Access Control
Authorization - Decentralized Access Control
Demo 14
Advantages of Athenz • To provide service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS that can be used for mutual TLS authentication. • To have precise and frequently configurable access controls with single source of truth.
Future plans • To support SPIFFE ID in SAN field of x509 certificate • To integrate with Istio envoy for authorization
Resources • Athenz Website : http://www.athenz.io • Athenz Github: https://github.com/yahoo/athenz • Athenz Slack Channel: https://athenz.slack.com/ • Athenz Discussion Groups: – • Google Group: Athenz-Users Questions or Comments: – Tatsuya Yano: [email protected]
Join US http://www.athenz.io
Q&A 19