SlideShare a Scribd company logo
1 of 29
Download to read offline
How Netflix is Solving Authorization
Across Their Cloud
Manish Mehta - Engineer @ Netflix
Torin Sandall - Tech Lead @ OPA Project
Manish Mehta
Senior Security Engineer @Netflix
mmehta@netflix.com
Projects:
• Bootstrapping Identities
• Secrets Management
• PKI
• Authentication
• Authorization
Torin Sandall
Software Engineer @ OPA project
@sometorin
Projects:
• Open Policy Agent
• Kubernetes
• Istio (security SIG)
• Likes: Go, Quality, Good abstractions
Background - Definitions
Transfer $1000 from Account X to Account Y
Me My Bank
These 2 steps do not need to be tied together !!
1. Verify the Identity of the Requester (Authentication or AuthN)
2. Verify that the Requestor is authorized to perform
the requested operation (Authorization or AuthZ)
Background - Netflix Architecture
Cloud Provider ResourcesNetflix Backend - Internal Resources
Customer
Employee
Partner Resources
CDN
AuthZ Problem
A way to define and enforce rules that read
Identity I
can/cannot perform
Operation O
on
Resource R
For ALL combinations of I, O, and R in the ecosystem.
Design Considerations
Company Culture
○ Freedom and Responsibility
Resource Types
○ REST endpoints, gRPC methods, SSH,
Crypto Keys, Kafka Topics, …
Identity Types
○ VM/Container Services, Batch Jobs,
Employees, Contractors, …
Underlying Protocols
○ HTTP(S), gRPC, Custom/Binary, ...
Implementation Languages
○ Java, Node JS, Python, Ruby, …
Latency
○ Call depth and Service rate
Flexibility of Rules
○ Hard-coded structure vs. language-based
Capture Intent
○ Did you actually do what you think you did?
○ Don’t just trust, verify !!
High-level Architecture
DistributorDistributor
Distributor
AuthZ Agent
App
Code
S
S
H
Policy
Portal
App CodeAuthZ Agent
DistributorDistributor
Aggregator
Employee
Management
System
Policy DB
Build Manifest
Service A
Service B
Application
Ownership
DB
Policy DB
High-level Architecture
DistributorDistributor
Distributor
AuthZ Agent
App
Code
S
S
H
Service A
App CodeAuthZ Agent
Service B
DistributorDistributor
Aggregator
Employee
Management
System
Build Manifest
Application
Ownership
DB
Policy
Portal
Policy DB
High-level Architecture
DistributorDistributor
Distributor
Policy
Portal
AuthZ Agent
App
Code
S
S
H
Service A
App CodeAuthZ Agent
Service B
DistributorDistributor
Aggregator
Employee
Management
System
Build Manifest
Application
Ownership
DB
Policy DB
High-level Architecture
Policy
Portal
AuthZ Agent
App
Code
S
S
H
Service A
App CodeAuthZ Agent
Service B
Employee
Management
System
Build Manifest
Application
Ownership
DB
DistributorDistributor
Distributor
Policy DB
DistributorDistributor
Aggregator
High-level Architecture
Policy
Portal
DistributorDistributor
Aggregator
Employee
Management
System
Build Manifest
Application
Ownership
DB
Policy DB
App
Code
S
S
H
App Code
DistributorDistributor
Distributor
AuthZ Agent
Service A
Service B
AuthZ Agent
High-level Architecture
Policy
Portal
DistributorDistributor
Aggregator
Employee
Management
System
Build Manifest
Application
Ownership
DB
Policy DB
DistributorDistributor
Distributor
AuthZ Agent
App
Code
S
S
H
Service A
App CodeAuthZ Agent
Service B
AuthZ Agent Internals
AuthZ Agent
API
Stager
Open Policy Agent Engine
Updater
Periodic updates
on policies
and associated data
Request
Decision
Example Setup
AuthZ Agent
App
Code
Payroll Service
GET
/getSalary/{user}
POST
/updateSalary/{user}
Performance
Review
Report
Generator
Bob
Alice
Access Policy
1. Employees can read their
own salary and the salary
of anyone who reports to
them.
2. Report Generator Job
should be able to Read all
users' salaries
3. Performance Review
Application should be able
to update all users'
salaries
/getSalary/alice
/getSalary/bob
/getSalary/bob
/getSalary/*
/updateSalary/*
Open Policy Agent (OPA)
Policy-based control for the cloud native environments
Open Policy Agent (OPA)
•Solve policy enforcement for any I, O, and R
• I = Identity
• O = Operation
• R = Resource
•Open source, general-purpose policy engine
• Written in Go, library/host-local agent, in-memory
•Declarative Policy Language (Rego)
• Can user X perform operation Y on resource Z?
Service
Policy
(Rego)
Data
(JSON)
Policy
Query
Policy
Decision
Example Policy (in English)
“Employees can read their own salary and the salary
of anyone who reports to them.”
OPA: Rules
“Employees can read their own salary and the salary of anyone who
reports to them.”
input
{
method: “GET”,
path: [“getSalary”, “bob”]
user: “bob”
}
allow = true {
input.method = “GET”
input.path = [“getSalary”, id]
input.user = id
}
OPA: Context-aware
“Employees can read their own salary and the salary of anyone who
reports to them.”
data
{
managers: {
bob: [“alice”, “ken”]
alice: [“ken”]
}
}
allow = true {
input.method = “GET”
input.path = [“getSalary”, id]
managers = data.managers[id]
input.user = managers[_]
}
OPA: Composable
“Employees can read their own salary and the salary of anyone who
reports to them.”
is_manager_of(a, b) = true {
managers = data.managers[b]
a = managers[_]
}
allow = true {
input.method = “GET”
input.path = [“getSalary”, id]
is_manager_of(input.user, id)
}
api_authz.rego org_chart.rego
OPA: Resource-agnostic
input (http) input (kafka) input (ssh)
{
method: POST
path: /salary/bob
body: 1,000,000
}
{
action: publish
service: reviews
topic: audit_log
}
{
login: root
host: i-012983928
identity: bob@acme.com
}
allow = true {
input.login = “root”
input.host = ...
}
allow = true {
input.action = “publish”
input.topic = ...
}
allow = true {
input.method = “POST”
input.path = ...
}
http_authz.rego kafka_authz.rego ssh_authz.rego
OPA: Performance
● Example: RBAC policy
Roles Bindings Latency (us) [worst]
20 20 ~10
2,000 2,000 ~20
Intel Core i7 @ 2.9 Ghz
Open Policy Agent
Policy
(Rego)
Data
(JSON)
● OPA provides a reusable building
block for enforcing policy across
the stack
● OPA helps solve fundamental
security problems like
authorization
Open Policy Agent
github.com/open-policy-agent/opa
Check out our demo booth!
Policy
(Rego)
Data
(JSON)
Capturing Intent
Capturing Intent
Summary
Resource types REST, gRPC method, SSH Login, Keys, Kafka Topics
Identity types VM/Container Services, Batch Jobs, FTEs, Contractors
Underlying Protocols HTTP, gRPC, SSH, Kafka Protocol
Implementation Languages Java, Node JS, Ruby, Python
Latency < 0.2 ms for basic policies
Flexibility of Rules OPA Policy Engine
Company Culture Policy Portal - Exercising Freedom, Responsibly
Capture Intent Policy Portal UI hides Policy Syntax
Take Away
• AuthZ is a fundamental security problem
• Comprehensive solution gives better Control and Visibility
• Get there faster with Open Source Tools (like OPA)
• Get involved in communities (like PADME)
Questions?
(We are hiring!) Torin Sandall
@sometorin
Manish Mehta
mmehta@netflix.com

More Related Content

What's hot

The Kubernetes Operator Pattern - ContainerConf Nov 2017
The Kubernetes Operator Pattern - ContainerConf Nov 2017The Kubernetes Operator Pattern - ContainerConf Nov 2017
The Kubernetes Operator Pattern - ContainerConf Nov 2017Jakob Karalus
 
카카오 광고 플랫폼 MSA 적용 사례 및 API Gateway와 인증 구현에 대한 소개
카카오 광고 플랫폼 MSA 적용 사례 및 API Gateway와 인증 구현에 대한 소개카카오 광고 플랫폼 MSA 적용 사례 및 API Gateway와 인증 구현에 대한 소개
카카오 광고 플랫폼 MSA 적용 사례 및 API Gateway와 인증 구현에 대한 소개if kakao
 
Building APIs with Apigee Edge and Microsoft Azure
Building APIs with Apigee Edge and Microsoft AzureBuilding APIs with Apigee Edge and Microsoft Azure
Building APIs with Apigee Edge and Microsoft AzureApigee | Google Cloud
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
 
Amazon EKS - Elastic Container Service for Kubernetes
Amazon EKS - Elastic Container Service for KubernetesAmazon EKS - Elastic Container Service for Kubernetes
Amazon EKS - Elastic Container Service for KubernetesAmazon Web Services
 
Kubernetes day 2 Operations
Kubernetes day 2 OperationsKubernetes day 2 Operations
Kubernetes day 2 OperationsPaul Czarkowski
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentVMware Tanzu
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternAPI Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternVMware Tanzu
 
Introduction to AWS Lambda and Serverless Applications
Introduction to AWS Lambda and Serverless ApplicationsIntroduction to AWS Lambda and Serverless Applications
Introduction to AWS Lambda and Serverless ApplicationsAmazon Web Services
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API GatewayYohann Ciurlik
 
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트) 마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트) Amazon Web Services Korea
 
Rest api standards and best practices
Rest api standards and best practicesRest api standards and best practices
Rest api standards and best practicesAnkita Mahajan
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoOpsta
 

What's hot (20)

The Kubernetes Operator Pattern - ContainerConf Nov 2017
The Kubernetes Operator Pattern - ContainerConf Nov 2017The Kubernetes Operator Pattern - ContainerConf Nov 2017
The Kubernetes Operator Pattern - ContainerConf Nov 2017
 
카카오 광고 플랫폼 MSA 적용 사례 및 API Gateway와 인증 구현에 대한 소개
카카오 광고 플랫폼 MSA 적용 사례 및 API Gateway와 인증 구현에 대한 소개카카오 광고 플랫폼 MSA 적용 사례 및 API Gateway와 인증 구현에 대한 소개
카카오 광고 플랫폼 MSA 적용 사례 및 API Gateway와 인증 구현에 대한 소개
 
Building APIs with Apigee Edge and Microsoft Azure
Building APIs with Apigee Edge and Microsoft AzureBuilding APIs with Apigee Edge and Microsoft Azure
Building APIs with Apigee Edge and Microsoft Azure
 
API Governance
API Governance API Governance
API Governance
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
 
Amazon EKS - Elastic Container Service for Kubernetes
Amazon EKS - Elastic Container Service for KubernetesAmazon EKS - Elastic Container Service for Kubernetes
Amazon EKS - Elastic Container Service for Kubernetes
 
Kubernetes day 2 Operations
Kubernetes day 2 OperationsKubernetes day 2 Operations
Kubernetes day 2 Operations
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy Agent
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternAPI Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
 
infrastructure as code
infrastructure as codeinfrastructure as code
infrastructure as code
 
Introduction to AWS Lambda and Serverless Applications
Introduction to AWS Lambda and Serverless ApplicationsIntroduction to AWS Lambda and Serverless Applications
Introduction to AWS Lambda and Serverless Applications
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
Kong
KongKong
Kong
 
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트) 마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
 
Rest api standards and best practices
Rest api standards and best practicesRest api standards and best practices
Rest api standards and best practices
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 
Kong API
Kong APIKong API
Kong API
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
 

Similar to How Netflix Solves Authorization Across Cloud with OPA

Externalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldExternalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldSitaraman Lakshminarayanan
 
MongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day OneMongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day OneMongoDB
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup SlidesJacksonMorgan9
 
Bootstrapping an App for Launch
Bootstrapping an App for LaunchBootstrapping an App for Launch
Bootstrapping an App for LaunchCraig Phares
 
Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017
Analytics, Authentication and Data with  AWS Amplify - MBL403 - re:Invent 2017Analytics, Authentication and Data with  AWS Amplify - MBL403 - re:Invent 2017
Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017Amazon Web Services
 
Bridging the Gap Between Real Time/Offline and AI/ML Capabilities in Modern S...
Bridging the Gap Between Real Time/Offline and AI/ML Capabilities in Modern S...Bridging the Gap Between Real Time/Offline and AI/ML Capabilities in Modern S...
Bridging the Gap Between Real Time/Offline and AI/ML Capabilities in Modern S...Amazon Web Services
 
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습Oracle Korea
 
CQRS and Event Sourcing
CQRS and Event Sourcing CQRS and Event Sourcing
CQRS and Event Sourcing Inho Kang
 
June 2023 Architect Group FTW.pdf
June 2023 Architect Group FTW.pdfJune 2023 Architect Group FTW.pdf
June 2023 Architect Group FTW.pdfAmeyKulkarni84
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...wesley chun
 
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB
 
Build a Social News App with Android and AWS (MOB307) - AWS re:Invent 2018
Build a Social News App with Android and AWS (MOB307) - AWS re:Invent 2018Build a Social News App with Android and AWS (MOB307) - AWS re:Invent 2018
Build a Social News App with Android and AWS (MOB307) - AWS re:Invent 2018Amazon Web Services
 
Boxcars and Cabooses: When one more XHR is too much - Peter Chittum - Codemot...
Boxcars and Cabooses: When one more XHR is too much - Peter Chittum - Codemot...Boxcars and Cabooses: When one more XHR is too much - Peter Chittum - Codemot...
Boxcars and Cabooses: When one more XHR is too much - Peter Chittum - Codemot...Codemotion
 
Event-Based API Patterns and Practices
Event-Based API Patterns and PracticesEvent-Based API Patterns and Practices
Event-Based API Patterns and PracticesLaunchAny
 
Evolving your Data Access with MongoDB Stitch - Drew Di Palma
Evolving your Data Access with MongoDB Stitch - Drew Di PalmaEvolving your Data Access with MongoDB Stitch - Drew Di Palma
Evolving your Data Access with MongoDB Stitch - Drew Di PalmaMongoDB
 
Creating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APICreating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APIDavid Keener
 
Preparing for Data Residency and Custom Domains
Preparing for Data Residency and Custom DomainsPreparing for Data Residency and Custom Domains
Preparing for Data Residency and Custom DomainsAtlassian
 
MongoDB Stich Overview
MongoDB Stich OverviewMongoDB Stich Overview
MongoDB Stich OverviewMongoDB
 

Similar to How Netflix Solves Authorization Across Cloud with OPA (20)

Externalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldExternalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services world
 
MongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day OneMongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day One
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup Slides
 
AWS User Group November
AWS User Group NovemberAWS User Group November
AWS User Group November
 
Bootstrapping an App for Launch
Bootstrapping an App for LaunchBootstrapping an App for Launch
Bootstrapping an App for Launch
 
Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017
Analytics, Authentication and Data with  AWS Amplify - MBL403 - re:Invent 2017Analytics, Authentication and Data with  AWS Amplify - MBL403 - re:Invent 2017
Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017
 
Bridging the Gap Between Real Time/Offline and AI/ML Capabilities in Modern S...
Bridging the Gap Between Real Time/Offline and AI/ML Capabilities in Modern S...Bridging the Gap Between Real Time/Offline and AI/ML Capabilities in Modern S...
Bridging the Gap Between Real Time/Offline and AI/ML Capabilities in Modern S...
 
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
 
CQRS and Event Sourcing
CQRS and Event Sourcing CQRS and Event Sourcing
CQRS and Event Sourcing
 
Cqrs api v2
Cqrs api v2Cqrs api v2
Cqrs api v2
 
June 2023 Architect Group FTW.pdf
June 2023 Architect Group FTW.pdfJune 2023 Architect Group FTW.pdf
June 2023 Architect Group FTW.pdf
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
 
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
 
Build a Social News App with Android and AWS (MOB307) - AWS re:Invent 2018
Build a Social News App with Android and AWS (MOB307) - AWS re:Invent 2018Build a Social News App with Android and AWS (MOB307) - AWS re:Invent 2018
Build a Social News App with Android and AWS (MOB307) - AWS re:Invent 2018
 
Boxcars and Cabooses: When one more XHR is too much - Peter Chittum - Codemot...
Boxcars and Cabooses: When one more XHR is too much - Peter Chittum - Codemot...Boxcars and Cabooses: When one more XHR is too much - Peter Chittum - Codemot...
Boxcars and Cabooses: When one more XHR is too much - Peter Chittum - Codemot...
 
Event-Based API Patterns and Practices
Event-Based API Patterns and PracticesEvent-Based API Patterns and Practices
Event-Based API Patterns and Practices
 
Evolving your Data Access with MongoDB Stitch - Drew Di Palma
Evolving your Data Access with MongoDB Stitch - Drew Di PalmaEvolving your Data Access with MongoDB Stitch - Drew Di Palma
Evolving your Data Access with MongoDB Stitch - Drew Di Palma
 
Creating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APICreating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services API
 
Preparing for Data Residency and Custom Domains
Preparing for Data Residency and Custom DomainsPreparing for Data Residency and Custom Domains
Preparing for Data Residency and Custom Domains
 
MongoDB Stich Overview
MongoDB Stich OverviewMongoDB Stich Overview
MongoDB Stich Overview
 

Recently uploaded

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 

How Netflix Solves Authorization Across Cloud with OPA

  • 1. How Netflix is Solving Authorization Across Their Cloud Manish Mehta - Engineer @ Netflix Torin Sandall - Tech Lead @ OPA Project
  • 2. Manish Mehta Senior Security Engineer @Netflix mmehta@netflix.com Projects: • Bootstrapping Identities • Secrets Management • PKI • Authentication • Authorization Torin Sandall Software Engineer @ OPA project @sometorin Projects: • Open Policy Agent • Kubernetes • Istio (security SIG) • Likes: Go, Quality, Good abstractions
  • 3. Background - Definitions Transfer $1000 from Account X to Account Y Me My Bank These 2 steps do not need to be tied together !! 1. Verify the Identity of the Requester (Authentication or AuthN) 2. Verify that the Requestor is authorized to perform the requested operation (Authorization or AuthZ)
  • 4. Background - Netflix Architecture Cloud Provider ResourcesNetflix Backend - Internal Resources Customer Employee Partner Resources CDN
  • 5. AuthZ Problem A way to define and enforce rules that read Identity I can/cannot perform Operation O on Resource R For ALL combinations of I, O, and R in the ecosystem.
  • 6. Design Considerations Company Culture ○ Freedom and Responsibility Resource Types ○ REST endpoints, gRPC methods, SSH, Crypto Keys, Kafka Topics, … Identity Types ○ VM/Container Services, Batch Jobs, Employees, Contractors, … Underlying Protocols ○ HTTP(S), gRPC, Custom/Binary, ... Implementation Languages ○ Java, Node JS, Python, Ruby, … Latency ○ Call depth and Service rate Flexibility of Rules ○ Hard-coded structure vs. language-based Capture Intent ○ Did you actually do what you think you did? ○ Don’t just trust, verify !!
  • 7. High-level Architecture DistributorDistributor Distributor AuthZ Agent App Code S S H Policy Portal App CodeAuthZ Agent DistributorDistributor Aggregator Employee Management System Policy DB Build Manifest Service A Service B Application Ownership DB Policy DB
  • 8. High-level Architecture DistributorDistributor Distributor AuthZ Agent App Code S S H Service A App CodeAuthZ Agent Service B DistributorDistributor Aggregator Employee Management System Build Manifest Application Ownership DB Policy Portal Policy DB
  • 9. High-level Architecture DistributorDistributor Distributor Policy Portal AuthZ Agent App Code S S H Service A App CodeAuthZ Agent Service B DistributorDistributor Aggregator Employee Management System Build Manifest Application Ownership DB Policy DB
  • 10. High-level Architecture Policy Portal AuthZ Agent App Code S S H Service A App CodeAuthZ Agent Service B Employee Management System Build Manifest Application Ownership DB DistributorDistributor Distributor Policy DB DistributorDistributor Aggregator
  • 11. High-level Architecture Policy Portal DistributorDistributor Aggregator Employee Management System Build Manifest Application Ownership DB Policy DB App Code S S H App Code DistributorDistributor Distributor AuthZ Agent Service A Service B AuthZ Agent
  • 12. High-level Architecture Policy Portal DistributorDistributor Aggregator Employee Management System Build Manifest Application Ownership DB Policy DB DistributorDistributor Distributor AuthZ Agent App Code S S H Service A App CodeAuthZ Agent Service B
  • 13. AuthZ Agent Internals AuthZ Agent API Stager Open Policy Agent Engine Updater Periodic updates on policies and associated data Request Decision
  • 14. Example Setup AuthZ Agent App Code Payroll Service GET /getSalary/{user} POST /updateSalary/{user} Performance Review Report Generator Bob Alice Access Policy 1. Employees can read their own salary and the salary of anyone who reports to them. 2. Report Generator Job should be able to Read all users' salaries 3. Performance Review Application should be able to update all users' salaries /getSalary/alice /getSalary/bob /getSalary/bob /getSalary/* /updateSalary/*
  • 15. Open Policy Agent (OPA) Policy-based control for the cloud native environments
  • 16. Open Policy Agent (OPA) •Solve policy enforcement for any I, O, and R • I = Identity • O = Operation • R = Resource •Open source, general-purpose policy engine • Written in Go, library/host-local agent, in-memory •Declarative Policy Language (Rego) • Can user X perform operation Y on resource Z? Service Policy (Rego) Data (JSON) Policy Query Policy Decision
  • 17. Example Policy (in English) “Employees can read their own salary and the salary of anyone who reports to them.”
  • 18. OPA: Rules “Employees can read their own salary and the salary of anyone who reports to them.” input { method: “GET”, path: [“getSalary”, “bob”] user: “bob” } allow = true { input.method = “GET” input.path = [“getSalary”, id] input.user = id }
  • 19. OPA: Context-aware “Employees can read their own salary and the salary of anyone who reports to them.” data { managers: { bob: [“alice”, “ken”] alice: [“ken”] } } allow = true { input.method = “GET” input.path = [“getSalary”, id] managers = data.managers[id] input.user = managers[_] }
  • 20. OPA: Composable “Employees can read their own salary and the salary of anyone who reports to them.” is_manager_of(a, b) = true { managers = data.managers[b] a = managers[_] } allow = true { input.method = “GET” input.path = [“getSalary”, id] is_manager_of(input.user, id) } api_authz.rego org_chart.rego
  • 21. OPA: Resource-agnostic input (http) input (kafka) input (ssh) { method: POST path: /salary/bob body: 1,000,000 } { action: publish service: reviews topic: audit_log } { login: root host: i-012983928 identity: bob@acme.com } allow = true { input.login = “root” input.host = ... } allow = true { input.action = “publish” input.topic = ... } allow = true { input.method = “POST” input.path = ... } http_authz.rego kafka_authz.rego ssh_authz.rego
  • 22. OPA: Performance ● Example: RBAC policy Roles Bindings Latency (us) [worst] 20 20 ~10 2,000 2,000 ~20 Intel Core i7 @ 2.9 Ghz
  • 23. Open Policy Agent Policy (Rego) Data (JSON) ● OPA provides a reusable building block for enforcing policy across the stack ● OPA helps solve fundamental security problems like authorization
  • 24. Open Policy Agent github.com/open-policy-agent/opa Check out our demo booth! Policy (Rego) Data (JSON)
  • 27. Summary Resource types REST, gRPC method, SSH Login, Keys, Kafka Topics Identity types VM/Container Services, Batch Jobs, FTEs, Contractors Underlying Protocols HTTP, gRPC, SSH, Kafka Protocol Implementation Languages Java, Node JS, Ruby, Python Latency < 0.2 ms for basic policies Flexibility of Rules OPA Policy Engine Company Culture Policy Portal - Exercising Freedom, Responsibly Capture Intent Policy Portal UI hides Policy Syntax
  • 28. Take Away • AuthZ is a fundamental security problem • Comprehensive solution gives better Control and Visibility • Get there faster with Open Source Tools (like OPA) • Get involved in communities (like PADME)
  • 29. Questions? (We are hiring!) Torin Sandall @sometorin Manish Mehta mmehta@netflix.com