Athenz introduction
Update: 2018/05/13
Athenz introduction - ledung@yahoo-corp.jp
Agenda
1. What is Athenz?
2. Why do we use it?
3. How does Athenz work?
4. Q&A
01 What is Athenz?
"Athenz" is 'Auth' + the 'N' and 'Z' tokens
• Open source services and libraries supporting role-based access control (RBAC).
• The authorization system uses two types of tokens: Principal Tokens (N-Tokens) and Role Tokens (Z-Tokens).
• N-Token (Principal Token): can be thought of as an identity token, because it identifies either a user or a service.
• Z-Token (Role Token): represents an authoritative statement that a given principal may assume some number of roles in a domain for a limited period of time.
02 Why do we use it?
Auth PaaS Service Faster
We get advantages using Athenz
• Service-based security profile
• Dynamic provisioning
• Self-Service
• Dynamic manageability
• Single source of truth
03 How does Athenz work?
Data Model
Data Model: Domains
• Domains are namespaces, strictly partitioned,
providing a context.
• Administrative tasks can be delegated to
created sub-domains to avoid reliance on
central “super user” administrative roles.
Data Model: Roles
• A role is a group: anyone in the group can assume the role that takes a particular action.
• Every policy assertion describes what can be done by a role.
• The determination of role membership can be delegated to another trusted domain.
Data Model: Resources and Actions
• A resource is something that is “owned” and
controlled in a specific domain while the
operations one can perform against that
resource are defined as actions.
• A resource could be a concrete object like a
machine or an abstract object like a security
policy.
Data Model: Policies
• A policy is a set of assertions (rules) about
granting or denying an operation/action on a
resource to all the members in the configured
role.
Data Model: Principals
• The actors in Athenz that can assume a role
are called principals.
• These principals are authenticated and can be
users.
• Principals can also be services that are
authenticated by a service management
system.
Data Model: Users
• Users are actually defined in some external authority, e.g. a Unix or Kerberos system.
• A special domain, named "user", is reserved for the purpose of namespacing users.
Data Model: Services
• The concept of a Service Identity is introduced as the identity of independent agents of execution.
• Services have a simple naming scheme, e.g. media.finance.storage identifies a service called "storage" in the domain media.finance.
• A service may be used as a principal when specifying roles, just like a user.
Data Model (diagram slide)
System Overview
(diagram slides: Centralization; Decentralization)
System Overview: ZMS
• ZMS is the source of truth for domains, roles, and policies
for centralized authorization.
• In addition to allowing CRUD operations on the basic
entities, ZMS provides an API to replicate the entities, per
domain, to ZTS.
• ZMS supports a centralized call to check if a principal has
access to a resource both for internal management system
checks, as well as a simple centralized deployment.
System Overview: ZTS
• ZTS, the authentication token service, is only needed to support decentralized functionality.
• ZTS is like a local replica of ZMS's data, used to check a principal's authentication and confirm membership in roles within a domain.
• The authentication is in the form of a signed Z-Token that can be presented to any decentralized service that wants to authorize access efficiently.
• Multiple ZTS instances can be distributed to different locations as needed to scale token issuance.
System Overview: Service Identity Agent
• The Service Identity Agent is part of the container, although it is likely built with Athenz libraries.
• It generates an N-Token and signs it with the given private key, so that the service can present that N-Token to ZMS/ZTS as its identity credential.
• The corresponding public key must be registered in ZMS so that Athenz services can validate the signature.
System Overview: AuthZ Policy Engine (ZPE)
• Supports decentralized authorization.
• The subsystem of Athenz that evaluates policies for a set of roles to yield an allowed or a denied response.
• A library that your service calls; it only refers to a local policy cache for your service's domain.
System Overview: AuthZ Policy Engine Updater
• Supports decentralized authorization.
• The policy updater is the utility that retrieves from ZTS the policy files for the domains provisioned on a host; ZPE uses these files to evaluate access requests.
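The data model above (domains, roles, policies made of assertions, resources and actions, principals) and the ZPE check described under System Overview, as an added example that is not Athenz's own code: a simplified Python model in which the roles carried by a Z-Token are evaluated against a domain's locally cached policies, with DENY overriding ALLOW and `*` wildcards in resource and action patterns. The domain, policies, principals and timestamps are constructed for illustration, and the token signature check is left out.

```python
"""Simplified model of Athenz policy evaluation (added example, not Athenz code)."""
import re
from dataclasses import dataclass
from typing import List

# Athenz naming conventions used below: resources are "<domain>:<resource>",
# roles "<domain>:role.<name>", users "user.<name>", services "<domain>.<service>".

@dataclass(frozen=True)
class Assertion:
    role: str              # fully qualified role, e.g. "media.finance:role.writers"
    resource: str          # e.g. "media.finance:storage.*"; '*' matches any characters
    action: str            # e.g. "write", or "*" for any action
    effect: str = "ALLOW"  # "ALLOW" or "DENY"

@dataclass(frozen=True)
class Policy:
    name: str
    assertions: List[Assertion]

@dataclass(frozen=True)
class RoleToken:
    """Z-Token contents: `principal` may assume `roles` in `domain` until `expires_at`.
    The signature check a real ZPE does with the ZTS public key is omitted here."""
    principal: str
    domain: str
    roles: List[str]
    expires_at: int  # Unix seconds

    def is_valid(self, now: int) -> bool:
        return now < self.expires_at

def glob_match(pattern: str, value: str) -> bool:
    """Match an assertion's resource or action pattern; '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def allow_access(token: RoleToken, policies: List[Policy],
                 resource: str, action: str, now: int) -> bool:
    """ZPE-style decision from the local policy cache of one domain.

    Rules modelled: an expired token grants nothing; roles are scoped to the
    token's domain; a matching DENY assertion overrides every ALLOW.
    """
    if not token.is_valid(now):
        return False
    domain, _, _ = resource.partition(":")
    if domain != token.domain:
        return False  # roles from one domain never satisfy another domain's policies
    held = {f"{token.domain}:role.{r}" for r in token.roles}
    allowed = False
    for policy in policies:
        for a in policy.assertions:
            if a.role not in held:
                continue
            if not (glob_match(a.resource, resource) and glob_match(a.action, action)):
                continue
            if a.effect == "DENY":
                return False
            allowed = True
    return allowed

# Constructed sample data: domain media.finance with a writers and a readers role.
NOW = 1_526_169_600  # fixed "current time" so the checks are reproducible
POLICIES = [
    Policy("media.finance:policy.storage-writers", [
        Assertion("media.finance:role.writers", "media.finance:storage.*", "write"),
        Assertion("media.finance:role.writers", "media.finance:storage.*", "read"),
        # Explicit deny: writers get no access at all to the secrets area.
        Assertion("media.finance:role.writers", "media.finance:storage.secrets*", "*", "DENY"),
    ]),
    Policy("media.finance:policy.storage-readers", [
        Assertion("media.finance:role.readers", "media.finance:storage.*", "read"),
    ]),
]
ALICE = RoleToken("user.alice", "media.finance", ["writers"], NOW + 600)
STORAGE_SVC = RoleToken("media.finance.storage", "media.finance", ["readers"], NOW + 600)

if __name__ == "__main__":
    print(allow_access(ALICE, POLICIES, "media.finance:storage.secrets.db", "read", NOW))  # False: DENY wins
```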
04 Q&A
Reference
Athenz Yahoo! Inc:
• https://github.com/yahoo/athenz
THANK YOU
ledung@yahoo-corp.jp
