Service Specific AuthZ In The Cloud Infrastructure
Michael Hofmann
Hofmann IT-Consulting
info@hofmann-itconsulting.de
https://hofmann-itconsulting.de
AuthZ in Java (e.g. MicroProfile)
@LoginConfig(authMethod = "MP-JWT", realmName = "MY-REALM")
@DeclareRoles({"edit-role", "select-role"}) // one array element per role
@ApplicationPath("/")
public class MyApplication extends Application {
}

@Path("/myendpoint")
@DenyAll // deny by default; methods opt in with @RolesAllowed
public class MyEndpoint {
    @Inject
    private JsonWebToken jwt;

    @Resource
    Principal principal;

    @RolesAllowed("edit-role")
    @POST
    ...
}
● MicroProfile JWT Spec
● Role mapping on special JWT claim: "groups"
● JWT Validation against IDP (JWKS in config of app-server)
Programmatic vs. Declarative
Declarative:
● Security Policy in Deployment/Config
● Limited to HTTP Headers (e.g. Token, Path, …)
● Not Applicable on HTTP Payload
● Easier to Change and Test
● Evaluated by Infrastructure

Programmatic:
● Security Checks in Code
● Entry-Point in Code is declarative: @DeclareRoles, @RolesAllowed
● Hard to Change and Test
  – Code change
  – Maybe scattered
● Works on parameters and result values (e.g. from database)
● Always necessary when declarative is not enough
OWASP (Open Web Application Security Project)
● Defense in Depth (Layered Defense)
● Fail Safe
● Least Privilege
● Separation of Duties
● Economy of Mechanism (Keep it Simple, Stupid: KISS)
● Complete Mediation
● Open Design
● Least Common Mechanism
● Psychological acceptability
● Weakest Link
● Leveraging Existing Components
https://github.com/OWASP/DevGuide/blob/master/02-Design/01-Principles%20of%20Security%20Engineering.md
Istio
Source: istio.io
JWT
● HTTP Header "Authorization: Bearer ey..."
● Bearer → TLS must be set
● Claims (Standard and Individual)
● Issued by IDP: iss-claim (e.g. Keycloak, ...)

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "xy-1234567890"
}
{
  "iss": "https://idp.mycompany.de",
  "aud": "my-audience",
  "exp": 1649516447,
  "iat": 1649520047,
  "sub": "user01",
  "upn": "user01@idp.mycompany.de",
  "groups": ["admin", "power-user", ...],
  "myclaim01": "myvalue01"
}
Gateway with TLS Termination
apiVersion: v1
kind: Secret
metadata:
  name: mytls-credential
type: kubernetes.io/tls
data:
  tls.crt: |
    XYZ...
  tls.key: |
    ABc...
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: mytls-credential
    hosts:
    - myapp.mycompany.de

Nearly full functionality of API Gateway with Istio
Entire Mesh mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system # entire mesh
spec:
  mtls:
    mode: STRICT # PERMISSIVE

Rotating certificate every 24h
Source: istio.io
AuthN
AuthN
● Can be applied to every other workload (selector)

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: ingress-idp
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "my-issuer"
    jwksUri: https://idp.mycompany.de/.well-known/jwks.json

● JWT issued by specified IDP
● Multiple issuers possible
● Applied to Istio ingress gateway
AuthZ
● Request without JWT has no authentication identity but is allowed
● Allow-nothing rule for complete mesh
● Applied in root namespace (istio-system)

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: istio-system
spec:
  # action defaults to ALLOW if not specified
  {}
AuthorizationPolicy
● (Workload) Selector
● Action
  – ALLOW
  – DENY
  – AUDIT
  – CUSTOM
● Rules
Rules
● From
  – RequestPrincipal vs Principal
  – Namespaces
  – IP Blocks, Remote IP Blocks (X-Forwarded-For)
● To
  – Host, Ports
  – Methods (HTTP-Methods), Paths
● When (Condition)
  – Key and Values
AuthorizationPolicy Conditions
● request.headers
● source.namespace and source.principal
● request.auth.*
● source.ip and remote.ip
● destination.ip and destination.port
● connection.sni
AuthZ
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-app
  namespace: my-namespace
spec:
  selector:
    matchLabels:
      app: my-app
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/ns-xyz/sa/my-partner-app"]
    - source:
        namespaces: ["ns-abc", "ns-def"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/info*"]
    - operation:
        methods: ["POST"]
        paths: ["/data"]
    when:
    - key: request.auth.claims[iss]
      values: ["https://idp.my-company.de"]
AuthZ
Authz Service Specific
Explicit Deny
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-app-deny
  namespace: my-namespace
spec:
  selector:
    matchLabels:
      app: my-app
  action: DENY
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/ns-xyz/sa/my-partner-app"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/admin"]
AuthZ Precedence
● Rules can be very fine grained
● Multiple combinations can be possible
● Be aware of complexity! (KISS)
JWT Claims per Path
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-app-deny
  namespace: my-namespace
spec:
  selector:
    matchLabels:
      app: my-app
  action: ALLOW
  rules:
  - to:
    - operation:
        methods: ["POST"]
        paths: ["/admin"]
    when:
    - key: request.auth.claims[groups]
      values: ["admin"]
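An added example, not from the slides or the Istio project: a simplified Python model of the evaluation order Istio documents for AuthorizationPolicy (a matching DENY wins, then a matching ALLOW, then deny as soon as any ALLOW policy applies to the workload), run against the policies shown above. CUSTOM policies, which Istio evaluates first, are left out; the name `my-app-admin`, the request dictionaries and every caller identity except the partner principal are constructed for illustration.

```python
from dataclasses import dataclass, field

ROOT_NAMESPACE = "istio-system"  # root namespace used on the slides


def _match_str(pattern, value):
    """Istio string match: exact, prefix ("/info*"), suffix ("*x"), presence ("*")."""
    if value is None:
        return False
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value


def _any(patterns, value):
    # An omitted field is no constraint; otherwise any listed value may match.
    return not patterns or any(_match_str(p, value) for p in patterns)


def _claim(request, key):
    """Values of request.auth.claims[name]; empty when the request carries no JWT."""
    prefix = "request.auth.claims["
    if not (key.startswith(prefix) and key.endswith("]")):
        raise ValueError(f"condition key not modelled here: {key}")
    value = (request.get("claims") or {}).get(key[len(prefix):-1])
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def rule_matches(rule, request):
    # from: any source; to: any operation; when: every condition. All three must hold.
    src_ok = not rule.get("from") or any(
        _any(s.get("principals"), request.get("principal"))
        and _any(s.get("namespaces"), request.get("namespace"))
        for s in rule["from"])
    op_ok = not rule.get("to") or any(
        _any(o.get("methods"), request["method"])
        and _any(o.get("paths"), request["path"])
        for o in rule["to"])
    when_ok = all(
        any(_match_str(v, c) for v in w["values"] for c in _claim(request, w["key"]))
        for w in rule.get("when", []))
    return src_ok and op_ok and when_ok


@dataclass
class Policy:
    name: str
    namespace: str
    action: str = "ALLOW"
    selector: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)  # empty list == "spec: {}"

    def applies_to(self, workload):
        in_scope = self.namespace in (ROOT_NAMESPACE, workload["namespace"])
        labels = workload["labels"]
        return in_scope and all(labels.get(k) == v for k, v in self.selector.items())

    def matches(self, request):
        return any(rule_matches(r, request) for r in self.rules)


def evaluate(policies, workload, request):
    """Return (decision, name of the deciding policy or None)."""
    active = [p for p in policies if p.applies_to(workload)]
    for p in active:
        if p.action == "DENY" and p.matches(request):
            return "DENY", p.name
    allow = [p for p in active if p.action == "ALLOW"]
    if not allow:
        return "ALLOW", None  # no ALLOW policy at all: request passes
    for p in allow:
        if p.matches(request):
            return "ALLOW", p.name
    return "DENY", None  # ALLOW policies exist but none matched


PARTNER = "cluster.local/ns/ns-xyz/sa/my-partner-app"
SELECTOR = {"app": "my-app"}
POLICIES = [
    Policy("allow-nothing", ROOT_NAMESPACE),
    Policy("my-app", "my-namespace", "ALLOW", SELECTOR, [{
        "from": [{"principals": [PARTNER]}, {"namespaces": ["ns-abc", "ns-def"]}],
        "to": [{"methods": ["GET"], "paths": ["/info*"]},
               {"methods": ["POST"], "paths": ["/data"]}],
        "when": [{"key": "request.auth.claims[iss]",
                  "values": ["https://idp.my-company.de"]}]}]),
    Policy("my-app-deny", "my-namespace", "DENY", SELECTOR, [{
        "from": [{"principals": [PARTNER]}],
        "to": [{"methods": ["POST"], "paths": ["/admin"]}]}]),
    # Hypothetical name for the "JWT Claims per Path" policy above.
    Policy("my-app-admin", "my-namespace", "ALLOW", SELECTOR, [{
        "to": [{"methods": ["POST"], "paths": ["/admin"]}],
        "when": [{"key": "request.auth.claims[groups]", "values": ["admin"]}]}]),
]
MY_APP = {"namespace": "my-namespace", "labels": {"app": "my-app"}}
```

The partner app's `POST /admin` is denied even with an `admin` group claim, and a workload with no policy of its own is only protected because `allow-nothing` sits in the root namespace.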
JWT Claim Based Routing
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-app
  namespace: my-namespace
spec:
  hosts:
  - my-app.my-namespace.svc.cluster.local
  gateways:
  - secure-gateway
  http:
  - match:
    - uri:
        prefix: /admin
      headers:
        "@request.auth.claims.groups":
          exact: admin
    route:
    - destination:
        port:
          number: 8000
        host: my-app

● AuthorizationPolicy and VirtualService together
● Combined with dedicated ingress gateway
● Supports only Istio Ingress Gateway
Dry Run
● AuthorizationPolicy with annotation: istio.io/dry-run: "true"
● Test effect of policy before activating it (AuthPolicies can have severe consequences)
● Envoy sends a shadow request
● Verify result
  – in Prometheus as metric result or in Zipkin as trace output
  – Envoy access log
● shadow denied, matched policy ns[foo]-policy[deny-path-headers]-rule[0]
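An added example, not from the slides: a Python tally of dry-run results per policy, so the traffic a policy would reject is visible before the annotation is removed. Only the `shadow denied, matched policy ns[...]-policy[...]-rule[...]` message comes from the slide; the timestamps, the `debug envoy rbac` prefix, the `thread=` suffix and the other sample lines are constructed.

```python
import re
from collections import Counter

SHADOW_RE = re.compile(r"shadow (?P<result>allowed|denied), (?P<rest>.*)")
POLICY_RE = re.compile(
    r"ns\[(?P<ns>[^\]]+)\]-policy\[(?P<policy>[^\]]+)\]-rule\[(?P<rule>\d+)\]")

# Constructed sample log lines (not captured from a real proxy).
SAMPLE_LOG = """\
2022-04-09T15:00:47.100Z debug envoy rbac shadow denied, matched policy ns[foo]-policy[deny-path-headers]-rule[0] thread=21
2022-04-09T15:00:47.900Z debug envoy rbac shadow denied, matched policy ns[foo]-policy[deny-path-headers]-rule[0] thread=22
2022-04-09T15:00:48.200Z debug envoy rbac shadow allowed, matched policy none thread=21
2022-04-09T15:00:48.300Z debug envoy http request complete thread=21
2022-04-09T15:00:49.500Z debug envoy rbac shadow denied, matched policy ns[my-namespace]-policy[my-app-deny]-rule[0] thread=23
"""


def tally_shadow_results(lines):
    """Count dry-run results keyed by (result, (namespace, policy, rule) or None)."""
    counts = Counter()
    for line in lines:
        shadow = SHADOW_RE.search(line)
        if not shadow:
            continue  # not a dry-run RBAC line
        policy = POLICY_RE.search(shadow["rest"])
        target = (policy["ns"], policy["policy"], int(policy["rule"])) if policy else None
        counts[(shadow["result"], target)] += 1
    return counts


def policies_that_would_deny(lines):
    """Map namespace/policy to the number of requests it would have rejected."""
    hits = Counter()
    for (result, target), n in tally_shadow_results(lines).items():
        if result == "denied" and target:
            hits[f"{target[0]}/{target[1]}"] += n
    return dict(hits)
```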
Authz
Customized
AuthZ Customized
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: external-authz
  namespace: my-namespace
spec:
  selector:
    matchLabels:
      app: my-app
  action: CUSTOM
  provider:
    name: my-provider
  rules:
  - to:
    - operation:
        paths: ["/data", "/api"]

● Provider must be defined in mesh config
● Can be applied on every workload
● HTTP Status: 200, 403
● Header transformations

extensionProviders:
- name: "my-provider"
  envoyExtAuthzHttp:
    service: "my-provider.foo.svc.cluster.local"
    port: "8000"
    includeHeadersInCheck: ["authorization", "cookie"]
    headersToUpstreamOnAllow: ["authorization", "new-header"]
    headersToDownstreamOnDeny: ["content-type", "deny-header"]
Summary
● Only 1 rule for mTLS in whole cluster including certificate rotation
● Only declarative part of AuthZ in infrastructure
● JWT validation (in every sidecar)
  – Fine grained authZ control by infrastructure: KISS
  – ingress gateway
  – every service
● Dry Run and JWT-Claim based routing
● Customizable authZ control
● Defense in depth

More Related Content

Similar to Service Specific AuthZ In The Cloud Infrastructure

Cncf microservices security
Cncf microservices securityCncf microservices security
Cncf microservices security
Leonardo Gonçalves
 
Webinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDBWebinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDB
MongoDB
 
How to build a High Performance PSGI/Plack Server
How to build a High Performance PSGI/Plack Server How to build a High Performance PSGI/Plack Server
How to build a High Performance PSGI/Plack Server
Masahiro Nagano
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs AuthorizationRoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs Authorization
Erick Belluci Tedeschi
 
CONFidence 2014: Kiss, Zagon, Sseller: Scaling security
CONFidence 2014: Kiss, Zagon, Sseller: Scaling securityCONFidence 2014: Kiss, Zagon, Sseller: Scaling security
CONFidence 2014: Kiss, Zagon, Sseller: Scaling security
PROIDEA
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
Gerald Villorente
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
Gerald Villorente
 
Building Web Apps with Express
Building Web Apps with ExpressBuilding Web Apps with Express
Building Web Apps with Express
Aaron Stannard
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptx
ssuser020436
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
pigorcraveiro
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
Fedir RYKHTIK
 
Nko workshop - node js crud & deploy
Nko workshop - node js crud & deployNko workshop - node js crud & deploy
Nko workshop - node js crud & deploy
Simon Su
 
Android App Development 06 : Network & Web Services
Android App Development 06 : Network & Web ServicesAndroid App Development 06 : Network & Web Services
Android App Development 06 : Network & Web Services
Anuchit Chalothorn
 
Federated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPIC
Federated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPICFederated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPIC
Federated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPIC
JohnSmithto
 
Swift profiling middleware and tools
Swift profiling middleware and toolsSwift profiling middleware and tools
Swift profiling middleware and tools
zhang hua
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
OWASP
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
Hyperledger Korea User Group
 
Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB        Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB
MongoDB
 
soft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.js
soft-shake.ch
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
Torin Sandall
 

Similar to Service Specific AuthZ In The Cloud Infrastructure (20)

Cncf microservices security
Cncf microservices securityCncf microservices security
Cncf microservices security
 
Webinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDBWebinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDB
 
How to build a High Performance PSGI/Plack Server
How to build a High Performance PSGI/Plack Server How to build a High Performance PSGI/Plack Server
How to build a High Performance PSGI/Plack Server
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs AuthorizationRoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs Authorization
 
CONFidence 2014: Kiss, Zagon, Sseller: Scaling security
CONFidence 2014: Kiss, Zagon, Sseller: Scaling securityCONFidence 2014: Kiss, Zagon, Sseller: Scaling security
CONFidence 2014: Kiss, Zagon, Sseller: Scaling security
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
Building Web Apps with Express
Building Web Apps with ExpressBuilding Web Apps with Express
Building Web Apps with Express
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptx
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
Nko workshop - node js crud & deploy
Nko workshop - node js crud & deployNko workshop - node js crud & deploy
Nko workshop - node js crud & deploy
 
Android App Development 06 : Network & Web Services
Android App Development 06 : Network & Web ServicesAndroid App Development 06 : Network & Web Services
Android App Development 06 : Network & Web Services
 
Federated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPIC
Federated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPICFederated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPIC
Federated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPIC
 
Swift profiling middleware and tools
Swift profiling middleware and toolsSwift profiling middleware and tools
Swift profiling middleware and tools
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
 
Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB        Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB
 
soft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.js
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
 

More from Michael Hofmann

New Ways To Production - Stress-Free Evolution Of Your Cloud Applications
New Ways To Production - Stress-Free Evolution Of Your Cloud ApplicationsNew Ways To Production - Stress-Free Evolution Of Your Cloud Applications
New Ways To Production - Stress-Free Evolution Of Your Cloud Applications
Michael Hofmann
 
Developer Experience Cloud Native - Become Efficient and Achieve Parity
Developer Experience Cloud Native - Become Efficient and Achieve ParityDeveloper Experience Cloud Native - Become Efficient and Achieve Parity
Developer Experience Cloud Native - Become Efficient and Achieve Parity
Michael Hofmann
 
The Easy Way to Secure Microservices
The Easy Way to Secure MicroservicesThe Easy Way to Secure Microservices
The Easy Way to Secure Microservices
Michael Hofmann
 
Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?
Michael Hofmann
 
Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?
Michael Hofmann
 
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...
Michael Hofmann
 
Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...
Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...
Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...
Michael Hofmann
 
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
Michael Hofmann
 
Service Mesh - kilometer 30 in a microservice marathon
Service Mesh - kilometer 30 in a microservice marathonService Mesh - kilometer 30 in a microservice marathon
Service Mesh - kilometer 30 in a microservice marathon
Michael Hofmann
 
Service Mesh - Kilometer 30 im Microservices-Marathon
Service Mesh - Kilometer 30 im Microservices-MarathonService Mesh - Kilometer 30 im Microservices-Marathon
Service Mesh - Kilometer 30 im Microservices-Marathon
Michael Hofmann
 
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderen
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderenAPI-Economy bei Financial Services – Kein Stein bleibt auf dem anderen
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderen
Michael Hofmann
 
Microprofile.io - Cloud Native mit Java EE
Microprofile.io - Cloud Native mit Java EEMicroprofile.io - Cloud Native mit Java EE
Microprofile.io - Cloud Native mit Java EE
Michael Hofmann
 
Microservices mit Java EE - am Beispiel von IBM Liberty
Microservices mit Java EE - am Beispiel von IBM LibertyMicroservices mit Java EE - am Beispiel von IBM Liberty
Microservices mit Java EE - am Beispiel von IBM Liberty
Michael Hofmann
 

More from Michael Hofmann (13)

New Ways To Production - Stress-Free Evolution Of Your Cloud Applications
New Ways To Production - Stress-Free Evolution Of Your Cloud ApplicationsNew Ways To Production - Stress-Free Evolution Of Your Cloud Applications
New Ways To Production - Stress-Free Evolution Of Your Cloud Applications
 
Developer Experience Cloud Native - Become Efficient and Achieve Parity
Developer Experience Cloud Native - Become Efficient and Achieve ParityDeveloper Experience Cloud Native - Become Efficient and Achieve Parity
Developer Experience Cloud Native - Become Efficient and Achieve Parity
 
The Easy Way to Secure Microservices
The Easy Way to Secure MicroservicesThe Easy Way to Secure Microservices
The Easy Way to Secure Microservices
 
Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?
 
Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?
 
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...
 
Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...
Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...
Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...
 
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
 
Service Mesh - kilometer 30 in a microservice marathon
Service Mesh - kilometer 30 in a microservice marathonService Mesh - kilometer 30 in a microservice marathon
Service Mesh - kilometer 30 in a microservice marathon
 
Service Mesh - Kilometer 30 im Microservices-Marathon
Service Mesh - Kilometer 30 im Microservices-MarathonService Mesh - Kilometer 30 im Microservices-Marathon
Service Mesh - Kilometer 30 im Microservices-Marathon
 
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderen
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderenAPI-Economy bei Financial Services – Kein Stein bleibt auf dem anderen
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderen
 
Microprofile.io - Cloud Native mit Java EE
Microprofile.io - Cloud Native mit Java EEMicroprofile.io - Cloud Native mit Java EE
Microprofile.io - Cloud Native mit Java EE
 
Microservices mit Java EE - am Beispiel von IBM Liberty
Microservices mit Java EE - am Beispiel von IBM LibertyMicroservices mit Java EE - am Beispiel von IBM Liberty
Microservices mit Java EE - am Beispiel von IBM Liberty
 

Recently uploaded

一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
dakas1
 
Preparing Non - Technical Founders for Engaging a Tech Agency
Preparing Non - Technical Founders for Engaging  a  Tech AgencyPreparing Non - Technical Founders for Engaging  a  Tech Agency
Preparing Non - Technical Founders for Engaging a Tech Agency
ISH Technologies
 
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
kalichargn70th171
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
ICS
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
What next after learning python programming basics
What next after learning python programming basicsWhat next after learning python programming basics
What next after learning python programming basics
Rakesh Kumar R
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
Green Software Development
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Grant Fritchey
 
fiscal year variant fiscal year variant.
fiscal year variant fiscal year variant.fiscal year variant fiscal year variant.
fiscal year variant fiscal year variant.
AnkitaPandya11
 
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesE-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
Quickdice ERP
 
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
safelyiotech
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
ShulagnaSarkar2
 
zOS Mainframe JES2-JES3 JCL-JECL Differences
zOS Mainframe JES2-JES3 JCL-JECL DifferenceszOS Mainframe JES2-JES3 JCL-JECL Differences
zOS Mainframe JES2-JES3 JCL-JECL Differences
YousufSait3
 
All you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVMAll you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVM
Alina Yurenko
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
Remote DBA Services
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
Octavian Nadolu
 
WWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders AustinWWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders Austin
Patrick Weigel
 
Project Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdfProject Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdf
Karya Keeper
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 

Recently uploaded (20)

一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
 
Preparing Non - Technical Founders for Engaging a Tech Agency
Preparing Non - Technical Founders for Engaging  a  Tech AgencyPreparing Non - Technical Founders for Engaging  a  Tech Agency
Preparing Non - Technical Founders for Engaging a Tech Agency
 
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
What next after learning python programming basics
What next after learning python programming basicsWhat next after learning python programming basics
What next after learning python programming basics
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
fiscal year variant fiscal year variant.
fiscal year variant fiscal year variant.fiscal year variant fiscal year variant.
fiscal year variant fiscal year variant.
 
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesE-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
 
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
 
zOS Mainframe JES2-JES3 JCL-JECL Differences
zOS Mainframe JES2-JES3 JCL-JECL DifferenceszOS Mainframe JES2-JES3 JCL-JECL Differences
zOS Mainframe JES2-JES3 JCL-JECL Differences
 
All you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVMAll you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVM
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
 
WWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders AustinWWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders Austin
 
Project Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdfProject Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdf
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 

Service Specific AuthZ In The Cloud Infrastructure

  • 1. Service Specific AuthZ In The Cloud Infrastructure Michael Hofmann Hofmann IT-Consulting info@hofmann-itconsulting.de https://hofmann-itconsulting.de
  • 2. AuthZ in Java (e.g. MicroProfile) @LoginConfig(authMethod = "MP-JWT", realmName = "MY-REALM") @DeclareRoles("edit-role, select-role") @ApplicationPath("/") public class MyApplication extends Application { } @Path("/myendpoint") @DenyAll public class MyEndpoint { @Inject private JsonWebToken jwt; @Resource Principal principal; @RolesAllowed("edit-role") @POST ... } ● MicroProfile JWT Spec ● Role mapping on special JWT claim: “groups“ ● JWT Validation against IDP (JWKS in config of app- server)
  • 3. Programmatic vs. Declarative ● Security Policy in Deployment/Config ● Limited to HTTP Headers (e.g. Token, Path, …) ● Not Applicable on HTTP Payload ● Easier to Change and Test ● Evaluated by Infrastructure ● Security Checks in Code ● Entry-Point in Code is declarative: @DeclareRoles, @RolesAllowed ● Hard to Change and Test – Code change – Maybe scattered ● Works on parameters and result values (e.g. from database) ● Always necessary when declarative is not enough
  • 4. OWASP (Open Web Application Security Project)
      ● Defense in Depth (Layered Defense)
      ● Fail Safe
      ● Least Privilege
      ● Separation of Duties
      ● Economy of Mechanism (Keep it Simple, Stupid KISS)
      ● Complete Mediation
      ● Open Design
      ● Least Common Mechanism
      ● Psychological acceptability
      ● Weakest Link
      ● Leveraging Existing Components
      https://github.com/OWASP/DevGuide/blob/master/02-Design/01-Principles%20of%20Security%20Engineering.md
  • 6. JWT
      ● HTTP Header "Authorization: Bearer ey..."
      ● Bearer → TLS must be set
      ● Claims (Standard and Individual)
      ● Issued by IDP: iss-claim (e.g. Keycloak, ...)

          {
            "typ": "JWT",
            "alg": "RS256",
            "kid": "xy-1234567890"
          }
          {
            "iss": "https://idp.mycompany.de",
            "aud": "my-audience",
            "exp": 1649516447,
            "iat": 1649520047,
            "sub": "user01",
            "upn": "user01@idp.mycompany.de",
            "groups": ["admin", "power-user", ...],
            "myclaim01": "myvalue01"
          }
  • 7. Gateway with TLS Termination

          apiVersion: v1
          kind: Secret
          metadata:
            name: mytls-credential
          type: kubernetes.io/tls
          data:
            tls.crt: |
              XYZ...
            tls.key: |
              ABc...

          apiVersion: networking.istio.io/v1alpha3
          kind: Gateway
          metadata:
            name: mygateway
          spec:
            selector:
              istio: ingressgateway
            servers:
            - port:
                number: 443
                name: https
                protocol: HTTPS
              tls:
                mode: SIMPLE
                credentialName: mytls-credential
              hosts:
              - myapp.mycompany.de

      Nearly full functionality of API Gateway with Istio
  • 8. Entire Mesh mTLS

          apiVersion: security.istio.io/v1beta1
          kind: PeerAuthentication
          metadata:
            name: default
            namespace: istio-system # entire mesh
          spec:
            mtls:
              mode: STRICT # PERMISSIVE

      Rotating certificate every 24h
      Source: istio.io
  • 10. AuthN
      ● Can be applied to every other workload (selector)

          apiVersion: security.istio.io/v1beta1
          kind: RequestAuthentication
          metadata:
            name: ingress-idp
            namespace: istio-system
          spec:
            selector:
              matchLabels:
                istio: ingressgateway
            jwtRules:
            - issuer: "my-issuer"
              jwksUri: https://idp.mycompany.de/.well-known/jwks.json

      ● JWT issued by specified IDP
      ● Multiple issuers possible
      ● Applied to Istio ingress gateway
  • 11. AuthZ
      ● Request without JWT has no authentication identity but is allowed
      ● Allow-nothing rule for complete mesh
      ● Applied in root namespace (istio-system)

          apiVersion: security.istio.io/v1beta1
          kind: AuthorizationPolicy
          metadata:
            name: allow-nothing
            namespace: istio-system
          spec:
            # action defaults to ALLOW if not specified
            {}
  • 12. AuthorizationPolicy
      ● (Workload) Selector
      ● Action
          – ALLOW
          – DENY
          – AUDIT
          – CUSTOM
      ● Rules

      Rules
      ● From
          – RequestPrincipal vs Principal
          – Namespaces
          – IP Blocks, Remote IP Blocks (X-Forwarded-For)
      ● To
          – Host, Ports
          – Methods (HTTP-Methods), Paths
      ● When (Condition)
          – Key and Values
  • 13. AuthorizationPolicy Conditions
      ● request.headers
      ● source.namespace and source.principal
      ● request.auth.*
      ● source.ip and remote.ip
      ● destination.ip and destination.port
      ● connection.sni
  • 14. AuthZ

          apiVersion: security.istio.io/v1beta1
          kind: AuthorizationPolicy
          metadata:
            name: my-app
            namespace: my-namespace
          spec:
            selector:
              matchLabels:
                app: my-app
            action: ALLOW
            rules:
            - from:
              - source:
                  principals: ["cluster.local/ns/ns-xyz/sa/my-partner-app"]
              - source:
                  namespaces: ["ns-abc", "ns-def"]
              to:
              - operation:
                  methods: ["GET"]
                  paths: ["/info*"]
              - operation:
                  methods: ["POST"]
                  paths: ["/data"]
              when:
              - key: request.auth.claims[iss]
                values: ["https://idp.my-company.de"]
  • 16. Explicit Deny

          apiVersion: security.istio.io/v1beta1
          kind: AuthorizationPolicy
          metadata:
            name: my-app-deny
            namespace: my-namespace
          spec:
            selector:
              matchLabels:
                app: my-app
            action: DENY
            rules:
            - from:
              - source:
                  principals: ["cluster.local/ns/ns-xyz/sa/my-partner-app"]
              to:
              - operation:
                  methods: ["POST"]
                  paths: ["/admin"]
  • 17. AuthZ Precedence
      ● Rules can be very fine grained
      ● Multiple combinations can be possible
      ● Be aware of complexity! (KISS)
  • 18. JWT Claims per Path

          apiVersion: security.istio.io/v1beta1
          kind: AuthorizationPolicy
          metadata:
            name: my-app-deny
            namespace: my-namespace
          spec:
            selector:
              matchLabels:
                app: my-app
            action: ALLOW
            rules:
            - to:
              - operation:
                  methods: ["POST"]
                  paths: ["/admin"]
              when:
              - key: request.auth.claims[groups]
                values: ["admin"]
  • 19. JWT Claim Based Routing

          apiVersion: networking.istio.io/v1beta1
          kind: VirtualService
          metadata:
            name: my-app
            namespace: my-namespace
          spec:
            hosts:
            - my-app.my-namespace.svc.cluster.local
            gateways:
            - secure-gateway
            http:
            - match:
              - uri:
                  prefix: /admin
                headers:
                  "@request.auth.claims.groups":
                    exact: admin
              route:
              - destination:
                  port:
                    number: 8000
                  host: my-app

      ● AuthorizationPolicy and VirtualService together
      ● Combined with dedicated ingress gateway
      ● Supports only Istio Ingress Gateway
  • 20. Dry Run
      ● AuthorizationPolicy with annotation: istio.io/dry-run: "true"
      ● Test effect of policy before activating it (AuthPolicies can have severe consequences)
      ● Envoy sends a shadow request
      ● Verify result
          – in Prometheus as metric result or in Zipkin as trace output
          – Envoy access log
      ● shadow denied, matched policy ns[foo]-policy[deny-path-headers]-rule[0]
  • 22. AuthZ Customized

          apiVersion: security.istio.io/v1beta1
          kind: AuthorizationPolicy
          metadata:
            name: external-authz
            namespace: my-namespace
          spec:
            selector:
              matchLabels:
                app: my-app
            action: CUSTOM
            provider:
              name: my-provider
            rules:
            - to:
              - operation:
                  paths: ["/data", "/api"]

      ● Provider must be defined in mesh config
      ● Can be applied on every workload
      ● HTTP Status: 200, 403
      ● Header transformations

          extensionProviders:
          - name: "my-provider"
            envoyExtAuthzHttp:
              service: "my-provider.foo.svc.cluster.local"
              port: "8000"
              includeHeadersInCheck: ["authorization", "cookie"]
              headersToUpstreamOnAllow: ["authorization", "new-header"]
              headersToDownstreamOnDeny: ["content-type", "deny-header"]
  • 23. Summary
      ● Only 1 rule for mTLS in whole cluster including certificate rotation
      ● Only declarative part of AuthZ in infrastructure
      ● JWT validation (in every sidecar)
          – Fine grained authZ control by infrastructure: KISS
          – ingress gateway
          – every service
      ● Dry Run and JWT-Claim based routing
      ● Customizable authZ control
      ● Defense in depth
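
The precedence behind slides 11, 16, 17 and 18, as an added example that is not part of the original deck or of Istio's own code: a simplified Python model of how Istio combines DENY and ALLOW policies for one workload. The request dictionaries and the constant names are constructed for illustration, and the model assumes every listed policy already selects the workload.

```python
# Simplified model (assumption): one workload; no CUSTOM/AUDIT, selectors or not* fields.
FIELDS = {"principals": "principal", "namespaces": "namespace", "methods": "method", "paths": "path"}

def str_match(pattern, value):
    """Istio string match: exact, 'prefix*', '*suffix'; a bare '*' needs a non-empty value."""
    if pattern.endswith("*"):
        return value != "" and value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def any_match(patterns, values):
    return any(str_match(p, v) for p in patterns for v in values)

def block_matches(block, req):
    """Fields inside one source or operation are ANDed."""
    return all(any_match(pats, [req.get(FIELDS[f]) or ""]) for f, pats in block.items())

def cond_matches(cond, req):
    """Handles only request.auth.claims[<name>]; a request without a JWT has no claims."""
    claim = cond["key"][len("request.auth.claims["):-1]
    have = (req.get("claims") or {}).get(claim, [])
    return any_match(cond["values"], have if isinstance(have, list) else [have])

def rule_matches(rule, req):
    """Entries of from/to are ORed; from, to and when are ANDed; a missing part matches all."""
    return ((not rule.get("from") or any(block_matches(s, req) for s in rule["from"]))
            and (not rule.get("to") or any(block_matches(o, req) for o in rule["to"]))
            and all(cond_matches(c, req) for c in rule.get("when", [])))

def decide(policies, req):
    def hit(action):
        return any(p["action"] == action and any(rule_matches(r, req) for r in p["rules"])
                   for p in policies)
    if hit("DENY"):                                    # 1. a matching DENY always wins
        return "DENY"
    if not any(p["action"] == "ALLOW" for p in policies):
        return "ALLOW"                                 # 2. no ALLOW policy: request passes
    return "ALLOW" if hit("ALLOW") else "DENY"         # 3. otherwise an ALLOW rule must match

PARTNER = "cluster.local/ns/ns-xyz/sa/my-partner-app"
ALLOW_NOTHING = {"action": "ALLOW", "rules": []}       # slide 11: spec {}
MY_APP_DENY = {"action": "DENY", "rules": [{           # slide 16
    "from": [{"principals": [PARTNER]}],
    "to": [{"methods": ["POST"], "paths": ["/admin"]}]}]}
ADMIN_CLAIM = {"action": "ALLOW", "rules": [{          # slide 18 (constant name is constructed)
    "to": [{"methods": ["POST"], "paths": ["/admin"]}],
    "when": [{"key": "request.auth.claims[groups]", "values": ["admin"]}]}]}
MESH = [ALLOW_NOTHING, MY_APP_DENY, ADMIN_CLAIM]       # all policies that apply to my-app
```

With `MESH`, a token carrying the `admin` group is allowed to POST `/admin` from any other workload, while the same token presented by `my-partner-app` is denied. A request without a JWT is denied only because an ALLOW policy exists; with no ALLOW policy in place it passes, which is the gap slide 11 closes with `allow-nothing`.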