The document discusses Netflix's approach to authorization across their cloud infrastructure. They use the Open Policy Agent (OPA) to define and enforce authorization policies for all identities, operations, and resources. OPA allows policies to be defined declaratively and enforced programmatically. It is flexible, high performance, and can be used across different protocols and languages. Netflix's authorization architecture includes OPA, a policy portal for rule definition, and authorization agents that enforce policies during requests using OPA.

1. How Netflix is Solving Authorization
Across Their Cloud
Manish Mehta - Engineer @ Netflix
Torin Sandall - Tech Lead @ OPA Project

2. Manish Mehta
Senior Security Engineer @Netflix
mmehta@netflix.com
Projects:
• Bootstrapping Identities
• Secrets Management
• PKI
• Authentication
• Authorization
Torin Sandall
Software Engineer @ OPA project
@sometorin
Projects:
• Open Policy Agent
• Kubernetes
• Istio (security SIG)
• Likes: Go, Quality, Good abstractions

3. Background - Definitions
Transfer $1000 from Account X to Account Y
Me My Bank
These 2 steps do not need to be tied together !!
1. Verify the Identity of the Requester (Authentication or AuthN)
2. Verify that the Requestor is authorized to perform
the requested operation (Authorization or AuthZ)

4. Background - Netflix Architecture
Cloud Provider ResourcesNetflix Backend - Internal Resources
Customer
Employee
Partner Resources
CDN

5. AuthZ Problem
A way to define and enforce rules that read
Identity I
can/cannot perform
Operation O
on
Resource R
For ALL combinations of I, O, and R in the ecosystem.

6. Design Considerations
Company Culture
○ Freedom and Responsibility
Resource Types
○ REST endpoints, gRPC methods, SSH,
Crypto Keys, Kafka Topics, …
Identity Types
○ VM/Container Services, Batch Jobs,
Employees, Contractors, …
Underlying Protocols
○ HTTP(S), gRPC, Custom/Binary, ...
Implementation Languages
○ Java, Node JS, Python, Ruby, …
Latency
○ Call depth and Service rate
Flexibility of Rules
○ Hard-coded structure vs. language-based
Capture Intent
○ Did you actually do what you think you did?
○ Don’t just trust, verify !!

7. High-level Architecture
DistributorDistributor
Distributor
AuthZ Agent
App
Code
S
S
H
Policy
Portal
App CodeAuthZ Agent
DistributorDistributor
Aggregator
Employee
Management
System
Policy DB
Build Manifest
Service A
Service B
Application
Ownership
DB
Policy DB

8. High-level Architecture
DistributorDistributor
Distributor
AuthZ Agent
App
Code
S
S
H
Service A
App CodeAuthZ Agent
Service B
DistributorDistributor
Aggregator
Employee
Management
System
Build Manifest
Application
Ownership
DB
Policy
Portal
Policy DB

9. High-level Architecture
DistributorDistributor
Distributor
Policy
Portal
AuthZ Agent
App
Code
S
S
H
Service A
App CodeAuthZ Agent
Service B
DistributorDistributor
Aggregator
Employee
Management
System
Build Manifest
Application
Ownership
DB
Policy DB

10. High-level Architecture
Policy
Portal
AuthZ Agent
App
Code
S
S
H
Service A
App CodeAuthZ Agent
Service B
Employee
Management
System
Build Manifest
Application
Ownership
DB
DistributorDistributor
Distributor
Policy DB
DistributorDistributor
Aggregator

11. High-level Architecture
Policy
Portal
DistributorDistributor
Aggregator
Employee
Management
System
Build Manifest
Application
Ownership
DB
Policy DB
App
Code
S
S
H
App Code
DistributorDistributor
Distributor
AuthZ Agent
Service A
Service B
AuthZ Agent

12. High-level Architecture
Policy
Portal
DistributorDistributor
Aggregator
Employee
Management
System
Build Manifest
Application
Ownership
DB
Policy DB
DistributorDistributor
Distributor
AuthZ Agent
App
Code
S
S
H
Service A
App CodeAuthZ Agent
Service B

13. AuthZ Agent Internals
AuthZ Agent
API
Stager
Open Policy Agent Engine
Updater
Periodic updates
on policies
and associated data
Request
Decision

14. Example Setup
AuthZ Agent
App
Code
Payroll Service
GET
/getSalary/{user}
POST
/updateSalary/{user}
Performance
Review
Report
Generator
Bob
Alice
Access Policy
1. Employees can read their
own salary and the salary
of anyone who reports to
them.
2. Report Generator Job
should be able to Read all
users' salaries
3. Performance Review
Application should be able
to update all users'
salaries
/getSalary/alice
/getSalary/bob
/getSalary/bob
/getSalary/*
/updateSalary/*

15. Open Policy Agent (OPA)
Policy-based control for the cloud native environments

16. Open Policy Agent (OPA)
•Solve policy enforcement for any I, O, and R
• I = Identity
• O = Operation
• R = Resource
•Open source, general-purpose policy engine
• Written in Go, library/host-local agent, in-memory
•Declarative Policy Language (Rego)
• Can user X perform operation Y on resource Z?
Service
Policy
(Rego)
Data
(JSON)
Policy
Query
Policy
Decision

17. Example Policy (in English)
“Employees can read their own salary and the salary
of anyone who reports to them.”

18. OPA: Rules
“Employees can read their own salary and the salary of anyone who
reports to them.”
input
{
method: “GET”,
path: [“getSalary”, “bob”]
user: “bob”
}
allow = true {
input.method = “GET”
input.path = [“getSalary”, id]
input.user = id
}

19. OPA: Context-aware
“Employees can read their own salary and the salary of anyone who
reports to them.”
data
{
managers: {
bob: [“alice”, “ken”]
alice: [“ken”]
}
}
allow = true {
input.method = “GET”
input.path = [“getSalary”, id]
managers = data.managers[id]
input.user = managers[_]
}

20. OPA: Composable
“Employees can read their own salary and the salary of anyone who
reports to them.”
is_manager_of(a, b) = true {
managers = data.managers[b]
a = managers[_]
}
allow = true {
input.method = “GET”
input.path = [“getSalary”, id]
is_manager_of(input.user, id)
}
api_authz.rego org_chart.rego

21. OPA: Resource-agnostic
input (http) input (kafka) input (ssh)
{
method: POST
path: /salary/bob
body: 1,000,000
}
{
action: publish
service: reviews
topic: audit_log
}
{
login: root
host: i-012983928
identity: bob@acme.com
}
allow = true {
input.login = “root”
input.host = ...
}
allow = true {
input.action = “publish”
input.topic = ...
}
allow = true {
input.method = “POST”
input.path = ...
}
http_authz.rego kafka_authz.rego ssh_authz.rego

22. OPA: Performance
● Example: RBAC policy
Roles Bindings Latency (us) [worst]
20 20 ~10
2,000 2,000 ~20
Intel Core i7 @ 2.9 Ghz

23. Open Policy Agent
Policy
(Rego)
Data
(JSON)
● OPA provides a reusable building
block for enforcing policy across
the stack
● OPA helps solve fundamental
security problems like
authorization

24. Open Policy Agent
github.com/open-policy-agent/opa
Check out our demo booth!
Policy
(Rego)
Data
(JSON)

25. Capturing Intent

26. Capturing Intent

27. Summary
Resource types REST, gRPC method, SSH Login, Keys, Kafka Topics
Identity types VM/Container Services, Batch Jobs, FTEs, Contractors
Underlying Protocols HTTP, gRPC, SSH, Kafka Protocol
Implementation Languages Java, Node JS, Ruby, Python
Latency < 0.2 ms for basic policies
Flexibility of Rules OPA Policy Engine
Company Culture Policy Portal - Exercising Freedom, Responsibly
Capture Intent Policy Portal UI hides Policy Syntax

28. Take Away
• AuthZ is a fundamental security problem
• Comprehensive solution gives better Control and Visibility
• Get there faster with Open Source Tools (like OPA)
• Get involved in communities (like PADME)

29. Questions?
(We are hiring!) Torin Sandall
@sometorin
Manish Mehta
mmehta@netflix.com