2. Agenda
1. What is Athenz?
2. Why do we use it?
3. How does Athenz work?
4. Q&A
Athenz introduction - ledung@yahoo-corp.jp
3. 01 What is Athenz?
4. "Athenz" is the 'Auth' + the 'N' + 'Z' tokens
• A: Authorization system that utilizes two types of tokens: Principal Tokens (N-Tokens) and Role Tokens (Z-Tokens)
• N: N-Token (Principal Token) can be thought of as an identity token, because it identifies either a user or a service
• Z: Z-Token (Role Token) represents an authoritative statement that a given principal may assume some number of roles in a domain for a limited period of time
• O: Open source set of services and libraries supporting role-based access control (RBAC)
5. 02 Why do we use it?
15. Data Model
• Domains are namespaces, strictly partitioned,
providing a context.
• Administrative tasks can be delegated to
created sub-domains to avoid reliance on
central “super user” administrative roles.
16. Data Model
• A role is a group: anyone in the group can assume
the role to take a particular action.
• Every policy assertion describes what can be
done by a role.
• Delegate the determination of membership
to another trusted domain.
17. Data Model
• A resource is something that is “owned” and
controlled in a specific domain while the
operations one can perform against that
resource are defined as actions.
• A resource could be a concrete object like a
machine or an abstract object like a security
policy.
18. Data Model
• A policy is a set of assertions (rules) about
granting or denying an operation/action on a
resource to all the members in the configured
role.
19. Data Model
• The actors in Athenz that can assume a role
are called principals.
• These principals are authenticated and can be
users.
• Principals can also be services that are
authenticated by a service management
system.
20. Data Model
• Users are actually defined in some external
authority, e.g. a Unix or Kerberos system.
• A special domain is reserved for the purpose
of namespacing users; the name of that
domain is “user”.
21. Data Model
• The concept of a Service Identity is
introduced as the identity of independent
agents of execution.
• Services have a simple naming scheme,
e.g. media.finance.storage identifies a service
called “storage” in the domain media.finance.
• A Service may be used as a principal when
specifying roles, just like a user.
24. System Overview
• ZMS is the source of truth for domains, roles, and policies
for centralized authorization.
• In addition to allowing CRUD operations on the basic
entities, ZMS provides an API to replicate the entities, per
domain, to ZTS.
• ZMS supports a centralized call to check if a principal has
access to a resource both for internal management system
checks, as well as a simple centralized deployment.
25. System Overview
• ZTS, the authentication token service, is only needed to
support decentralized functionality.
• ZTS is like a local replica of ZMS’s data to check a principal’s
authentication and confirm membership in roles within a
domain.
• The authentication is in the form of a signed ZToken that
can be presented to any decentralized service that wants
to authorize access efficiently.
• Multiple ZTS instances can be distributed to different
locations as needed to scale for issuing tokens.
26. System Overview
• The Service Identity Agent is part of the container, and is
likely built with Athenz libraries.
• It generates an NToken and signs it with the service's private
key, so that the service can present that NToken to ZMS/ZTS
as its identity credentials.
• The corresponding public key must be registered in ZMS so
Athenz services can validate the signature.
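The agent-side signing and the ZMS/ZTS-side validation described on this slide, as an added example (not Athenz's own code or token format). The `v=S1;d=...;n=...;k=...;t=...;e=...;s=...` field layout, the ECDSA P-256 key type and the `domain.service:keyid` registry key are assumptions made here for illustration; the constructed service `media.finance.storage` and the fixed clock are sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// SignNToken plays the Service Identity Agent: it builds the unsigned token fields and signs
// them with the service's private key. The field layout is an assumed, simplified one.
func SignNToken(domain, service, keyID string, priv *ecdsa.PrivateKey, now time.Time, ttl time.Duration) (string, error) {
	unsigned := fmt.Sprintf("v=S1;d=%s;n=%s;k=%s;t=%d;e=%d",
		domain, service, keyID, now.Unix(), now.Add(ttl).Unix())
	digest := sha256.Sum256([]byte(unsigned))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return unsigned + ";s=" + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyNToken plays ZMS/ZTS: the public key registered for (domain.service, key id) must
// validate the signature, and the token must not have expired. Returns the principal name.
func VerifyNToken(token string, registry map[string]*ecdsa.PublicKey, now time.Time) (string, error) {
	i := strings.LastIndex(token, ";s=")
	if i < 0 {
		return "", errors.New("ntoken: missing signature field")
	}
	unsigned, sigB64 := token[:i], token[i+3:]
	fields := map[string]string{}
	for _, kv := range strings.Split(unsigned, ";") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return "", fmt.Errorf("ntoken: malformed field %q", kv)
		}
		fields[k] = v
	}
	if fields["v"] != "S1" || fields["d"] == "" || fields["n"] == "" {
		return "", errors.New("ntoken: unsupported version or missing identity fields")
	}
	principal := fields["d"] + "." + fields["n"]
	pub, ok := registry[principal+":"+fields["k"]]
	if !ok {
		return "", fmt.Errorf("ntoken: no public key registered for %s key %q", principal, fields["k"])
	}
	exp, err := strconv.ParseInt(fields["e"], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("ntoken: expired or invalid expiry")
	}
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if err != nil {
		return "", err
	}
	// Verify over exactly the bytes the agent signed, so any edited field breaks the check.
	digest := sha256.Sum256([]byte(unsigned))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("ntoken: signature does not verify")
	}
	return principal, nil
}

// Demo runs the full flow for the constructed service media.finance.storage: which principal a
// valid token yields, and whether a lifetime-extended copy and a late presentation are rejected.
func Demo() (principal string, tamperedRejected, expiredRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", false, false, err
	}
	// Registration step: only the public key goes to ZMS; the private key stays with the agent.
	registry := map[string]*ecdsa.PublicKey{"media.finance.storage:0": &priv.PublicKey}
	issued := time.Unix(1700000000, 0) // constructed fixed clock
	token, err := SignNToken("media.finance", "storage", "0", priv, issued, time.Hour)
	if err != nil {
		return "", false, false, err
	}
	principal, err = VerifyNToken(token, registry, issued.Add(10*time.Minute))
	if err != nil {
		return "", false, false, err
	}
	// Extending the expiry without the private key changes the signed bytes, so it must fail.
	oldExp := fmt.Sprintf("e=%d", issued.Add(time.Hour).Unix())
	newExp := fmt.Sprintf("e=%d", issued.Add(48*time.Hour).Unix())
	_, tErr := VerifyNToken(strings.Replace(token, oldExp, newExp, 1), registry, issued.Add(10*time.Minute))
	// An untouched token presented after its expiry must fail too.
	_, eErr := VerifyNToken(token, registry, issued.Add(2*time.Hour))
	return principal, tErr != nil, eErr != nil, nil
}

func main() {
	p, tampered, expired, err := Demo()
	fmt.Println("principal:", p, "tampered rejected:", tampered, "expired rejected:", expired, "err:", err)
}
```

The point to take from the verifier is that the expiry is covered by the signature: a caller holding only the token cannot extend its lifetime, and the validating side enforces the window with its own clock rather than trusting the presenter.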
27. System Overview
AuthZ Policy Engine
• Support decentralized authorization.
• The subsystem of Athenz that evaluates policies
for a set of roles to yield an allowed or a denied
response.
• A library that your service calls, which only refers to a
local policy cache for your service's domain.
28. System Overview
AuthZ PolicyEngine Updater
• Support decentralized authorization.
• The policy updater is the utility that retrieves from
ZTS the policy files for the domains provisioned on a
host, which ZPE uses to evaluate access requests.
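The data model from slides 15-19 (domain, role, policy assertions, resource, action, principal) and the local policy evaluation that slide 27 attributes to the AuthZ Policy Engine, as one added example that is not Athenz's own code. The domain `media.finance`, its roles and assertions are constructed sample data; the "a matching DENY wins over any ALLOW, no match means denied" precedence and the shell-style `*` wildcard are assumptions made here for the example.

```go
package main

import (
	"fmt"
	"path"
)

// Assertion is one policy rule: an effect granting or denying a role an action on a resource.
// Action and Resource may use '*' as a wildcard, as in "media.finance:table.*".
type Assertion struct {
	Effect   string // "ALLOW" or "DENY"
	Role     string // role name within the domain, e.g. "writers"
	Action   string
	Resource string
}

// Domain is the namespace that owns its roles and policies (the unit ZMS replicates to ZTS).
type Domain struct {
	Name       string
	Roles      map[string][]string // role name -> member principals ("user.alice", "media.finance.storage")
	Assertions []Assertion         // the domain's policies flattened into assertions
}

// RolesFor returns every role in the domain whose membership includes principal.
func (d *Domain) RolesFor(principal string) map[string]bool {
	roles := map[string]bool{}
	for role, members := range d.Roles {
		for _, m := range members {
			if m == principal {
				roles[role] = true
			}
		}
	}
	return roles
}

// matchGlob treats the assertion value as a shell-style pattern; '*' spans any characters
// except '/', which does not occur in the resource names used here.
func matchGlob(pattern, value string) bool {
	ok, err := path.Match(pattern, value)
	return err == nil && ok
}

// Allowed answers "may principal perform action on resource?" the way a local policy engine
// would: only assertions for roles the principal holds are considered; a matching DENY wins
// over any ALLOW (assumed precedence); no matching assertion means denied.
func (d *Domain) Allowed(principal, action, resource string) bool {
	roles := d.RolesFor(principal)
	allowed := false
	for _, a := range d.Assertions {
		if !roles[a.Role] || !matchGlob(a.Action, action) || !matchGlob(a.Resource, resource) {
			continue
		}
		if a.Effect == "DENY" {
			return false
		}
		allowed = true
	}
	return allowed
}

// SampleDomain builds the constructed domain "media.finance": a user and the storage service
// can read and write finance tables, a reader can only read them, and the audit table is
// write-protected even for writers.
func SampleDomain() *Domain {
	return &Domain{
		Name: "media.finance",
		Roles: map[string][]string{
			"writers": {"user.alice", "media.finance.storage"},
			"readers": {"user.bob"},
		},
		Assertions: []Assertion{
			{"ALLOW", "writers", "write", "media.finance:table.*"},
			{"ALLOW", "writers", "read", "media.finance:table.*"},
			{"ALLOW", "readers", "read", "media.finance:table.*"},
			{"DENY", "writers", "write", "media.finance:table.audit"},
		},
	}
}

func main() {
	d := SampleDomain()
	for _, q := range [][3]string{
		{"user.alice", "write", "media.finance:table.ledger"},
		{"user.alice", "write", "media.finance:table.audit"},
		{"user.bob", "write", "media.finance:table.ledger"},
		{"media.finance.storage", "read", "media.finance:table.audit"},
	} {
		fmt.Printf("%-22s %-5s %-30s -> %v\n", q[0], q[1], q[2], d.Allowed(q[0], q[1], q[2]))
	}
}
```

Because the engine only ever consults the domain's own assertions and role membership, it can run against a local copy of exactly the data the policy updater fetches from ZTS, which is what lets a service authorize requests without a round trip to ZMS.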