Advertisement
Check these out next
How Netflix Is Solving Authorization Across Their Cloud
Dec. 18, 2017•0 likes•10,485 views
12 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Technology
Since 2008, Netflix has been on the cutting edge of cloud-based microservices deployments. In 2017, Netflix is recognized as one of the industry leaders at building and operating “cloud native” systems at scale. Like many organizations, Netflix has unique security requirements for many of their workloads. This variety requires a holistic approach to authorization to address “who can do what” across a range of resources, enforcement points, and execution environments. In this talk, Manish Mehta (Senior Security Software Engineer at Netflix) and Torin Sandall (Technical Lead of the Open Policy Agent project) will present how Netflix is solving authorization across the stack in cloud native environments. The presentation shows how Netflix enforces authorization decisions at scale across various kinds of resources (e.g., HTTP APIs, gRPC methods, SSH), enforcement points (e.g., microservices, proxies, host-level daemons), and execution environments (e.g., VMs, containers) without introducing unreasonable latency. The presentation includes a deep dive into the architecture of the cloud native authorization system at Netflix as well as how authorization decisions can be offloaded to an open source, general-purpose policy engine (Open Policy Agent). This talk is targeted at engineers building and operating cloud native systems who are interested in security and authorization. The audience can expect to take away fresh ideas about how to enforce fine-grained authorization policies across stackthe cloud environment.
Torin SandallFollow
Advertisement
How Netflix Is Solving Authorization Across Their Cloud
- How Netflix is Solving Authorization Across Their Cloud Manish Mehta - Engineer @ Netflix Torin Sandall - Tech Lead @ OPA Project
- Manish Mehta Senior Security Engineer @Netflix mmehta@netflix.com Projects: • Bootstrapping Identities • Secrets Management • PKI • Authentication • Authorization Torin Sandall Software Engineer @ OPA project @sometorin Projects: • Open Policy Agent • Kubernetes • Istio (security SIG) • Likes: Go, Quality, Good abstractions
- Background - Definitions Transfer $1000 from Account X to Account Y Me My Bank These 2 steps do not need to be tied together !! 1. Verify the Identity of the Requester (Authentication or AuthN) 2. Verify that the Requestor is authorized to perform the requested operation (Authorization or AuthZ)
- Background - Netflix Architecture Cloud Provider ResourcesNetflix Backend - Internal Resources Customer Employee Partner Resources CDN
- AuthZ Problem A way to define and enforce rules that read Identity I can/cannot perform Operation O on Resource R For ALL combinations of I, O, and R in the ecosystem.
- Design Considerations Company Culture ○ Freedom and Responsibility Resource Types ○ REST endpoints, gRPC methods, SSH, Crypto Keys, Kafka Topics, … Identity Types ○ VM/Container Services, Batch Jobs, Employees, Contractors, … Underlying Protocols ○ HTTP(S), gRPC, Custom/Binary, ... Implementation Languages ○ Java, Node JS, Python, Ruby, … Latency ○ Call depth and Service rate Flexibility of Rules ○ Hard-coded structure vs. language-based Capture Intent ○ Did you actually do what you think you did? ○ Don’t just trust, verify !!
- High-level Architecture DistributorDistributor Distributor AuthZ Agent App Code S S H Policy Portal App CodeAuthZ Agent DistributorDistributor Aggregator Employee Management System Policy DB Build Manifest Service A Service B Application Ownership DB Policy DB
- High-level Architecture DistributorDistributor Distributor AuthZ Agent App Code S S H Service A App CodeAuthZ Agent Service B DistributorDistributor Aggregator Employee Management System Build Manifest Application Ownership DB Policy Portal Policy DB
- High-level Architecture DistributorDistributor Distributor Policy Portal AuthZ Agent App Code S S H Service A App CodeAuthZ Agent Service B DistributorDistributor Aggregator Employee Management System Build Manifest Application Ownership DB Policy DB
- High-level Architecture Policy Portal AuthZ Agent App Code S S H Service A App CodeAuthZ Agent Service B Employee Management System Build Manifest Application Ownership DB DistributorDistributor Distributor Policy DB DistributorDistributor Aggregator
- High-level Architecture Policy Portal DistributorDistributor Aggregator Employee Management System Build Manifest Application Ownership DB Policy DB App Code S S H App Code DistributorDistributor Distributor AuthZ Agent Service A Service B AuthZ Agent
- High-level Architecture Policy Portal DistributorDistributor Aggregator Employee Management System Build Manifest Application Ownership DB Policy DB DistributorDistributor Distributor AuthZ Agent App Code S S H Service A App CodeAuthZ Agent Service B
- AuthZ Agent Internals AuthZ Agent API Stager Open Policy Agent Engine Updater Periodic updates on policies and associated data Request Decision
- Example Setup AuthZ Agent App Code Payroll Service GET /getSalary/{user} POST /updateSalary/{user} Performance Review Report Generator Bob Alice Access Policy 1. Employees can read their own salary and the salary of anyone who reports to them. 2. Report Generator Job should be able to Read all users' salaries 3. Performance Review Application should be able to update all users' salaries /getSalary/alice /getSalary/bob /getSalary/bob /getSalary/* /updateSalary/*
- Open Policy Agent (OPA) Policy-based control for the cloud native environments
- Open Policy Agent (OPA) •Solve policy enforcement for any I, O, and R • I = Identity • O = Operation • R = Resource •Open source, general-purpose policy engine • Written in Go, library/host-local agent, in-memory •Declarative Policy Language (Rego) • Can user X perform operation Y on resource Z? Service Policy (Rego) Data (JSON) Policy Query Policy Decision
- Example Policy (in English) “Employees can read their own salary and the salary of anyone who reports to them.”
- OPA: Rules “Employees can read their own salary and the salary of anyone who reports to them.” input { method: “GET”, path: [“getSalary”, “bob”] user: “bob” } allow = true { input.method = “GET” input.path = [“getSalary”, id] input.user = id }
- OPA: Context-aware “Employees can read their own salary and the salary of anyone who reports to them.” data { managers: { bob: [“alice”, “ken”] alice: [“ken”] } } allow = true { input.method = “GET” input.path = [“getSalary”, id] managers = data.managers[id] input.user = managers[_] }
- OPA: Composable “Employees can read their own salary and the salary of anyone who reports to them.” is_manager_of(a, b) = true { managers = data.managers[b] a = managers[_] } allow = true { input.method = “GET” input.path = [“getSalary”, id] is_manager_of(input.user, id) } api_authz.rego org_chart.rego
- OPA: Resource-agnostic input (http) input (kafka) input (ssh) { method: POST path: /salary/bob body: 1,000,000 } { action: publish service: reviews topic: audit_log } { login: root host: i-012983928 identity: bob@acme.com } allow = true { input.login = “root” input.host = ... } allow = true { input.action = “publish” input.topic = ... } allow = true { input.method = “POST” input.path = ... } http_authz.rego kafka_authz.rego ssh_authz.rego
- OPA: Performance ● Example: RBAC policy Roles Bindings Latency (us) [worst] 20 20 ~10 2,000 2,000 ~20 Intel Core i7 @ 2.9 Ghz
- Open Policy Agent Policy (Rego) Data (JSON) ● OPA provides a reusable building block for enforcing policy across the stack ● OPA helps solve fundamental security problems like authorization
- Open Policy Agent github.com/open-policy-agent/opa Check out our demo booth! Policy (Rego) Data (JSON)
- Capturing Intent
- Capturing Intent
- Summary Resource types REST, gRPC method, SSH Login, Keys, Kafka Topics Identity types VM/Container Services, Batch Jobs, FTEs, Contractors Underlying Protocols HTTP, gRPC, SSH, Kafka Protocol Implementation Languages Java, Node JS, Ruby, Python Latency < 0.2 ms for basic policies Flexibility of Rules OPA Policy Engine Company Culture Policy Portal - Exercising Freedom, Responsibly Capture Intent Policy Portal UI hides Policy Syntax
- Take Away • AuthZ is a fundamental security problem • Comprehensive solution gives better Control and Visibility • Get there faster with Open Source Tools (like OPA) • Get involved in communities (like PADME)
- Questions? (We are hiring!) Torin Sandall @sometorin Manish Mehta mmehta@netflix.com
Advertisement