How do you enable rapid deployment of innovative applications on top of Docker containers while still satisfying strict requirements from your InfoSec and compliance departments? The Open Policy Agent (OPA), an open-source tool, enables you to update and enforce policies without slowing down developers or modifying application code. In this talk, Justin Cormack (Security Engineer at Docker) and Torin Sandall (Co-founder of the OPA project) will show how you can leverage the integrations between Docker and OPA to enforce fine-grained policies in your organization's container platform while still allowing your developers to move quickly. This talk is targeted at engineers building and operating container platforms who are interested in security and policy enforcement. The audience can expect to take aware fresh ideas about how to enforce fine-grained security policies across their container platform.
The Istio service mesh provides a highly extensible platform to connect, manage, and secure microservices. Istio’s highly extensible nature is one of the main selling points as it allows you to enforce your own organization-specific policies across large fleets of microservices. At the same time, new technology always has a learning curve, and with all this extensibility and generality the task can be quite daunting.
In this talk, Limin Wang (Software Engineer at Google) and Torin Sandall (Technical Lead of the Open Policy Agent project) explain how Istio’s Mixer works and lead a deep dive into Mixer Adapter development. The talk shows (with demos) how the Mixer Adapter model enables custom policy enforcement and how the model is used to integrate third party policy engines like the Open Policy Agent.
This talk is targeted at platform engineers interested in using the Istio service mesh to enforce custom policies in their microservices. The talk also provides new ideas about the kinds of policies that can be enforced in Istio today.
Whether you build software for enterprises, mobile, or internal microservices, security is important. Standards like SAML, OIDC, and SPIFFE help you solve identity and authentication, but for them authorization is out of scope. When you need to control "who can do what" in your app, you are on your own.
To solve authorization, you may be tempted to hardcode logic against SAML assertions, scopes, or X.509 certificate attributes. But, approaches like this lead to systems that are hard to understand and painful to maintain.
This talk shows how to leverage the Open Policy Agent (which is used by companies like Netflix and Chef) to build a powerful authorization system on top of industry-standard authentication protocols. The talk showcases how decoupling leads to authorization solutions that are easier to understand while enabling fine-grained control over the app.
Slides for the CloudNativeCon EU 2018 talk. https://youtu.be/4mBJSIhs2xQ
This talk introduces the Open Policy Agent (OPA) project and goes into detail on how you can use OPA to enforce various kinds of policy across the stack.
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
Topics:
* Background on Open Policy Agent project: users, use cases, and stats.
* How OPA works (decoupling policy decision-making from enforcement)
* Hands-on example: Users can view their own account details and support staff can view accounts they have are assigned to via a ticketing system.
* SQL data filtering use case: writing policy in OPA and enforcing policy in SQL.
* WebAssembly compiler.
These are the slides for the Rego deep dive session from CloudNativeCon EU 2018: https://youtu.be/4mBJSIhs2xQ
These slides explain how the Open Policy Agent policy language works. The slides walk through the fundamentals of the language and then cover a few miscellaneous topics like composition, negation, etc.
Enforcing Bespoke Policies in KubernetesTorin Sandall
Kubernetes enables fully-automated, self-service management of large-scale, heterogenous deployments. These deployments are often managed by distributed engineering teams that have unique requirements for how the platform treats their workloads, but at the same time, they must conform to organization-wide constraints around cost, security, and performance. As Kubernetes matures, extensibility has become a critical feature that organizations can leverage to enforce their organization’s bespoke policies.
In this talk, Torin explains how to use extensibility features in Kubernetes (e.g., External Admission Control) to enforce custom policies over workloads. The talk shows how to build custom admission controllers using Initializers and Webhooks, and shows how the same features lay the groundwork for policy-based control through integration with third party policy engines like the Open Policy Agent project.
The Istio service mesh provides a highly extensible platform to connect, manage, and secure microservices. Istio’s highly extensible nature is one of the main selling points as it allows you to enforce your own organization-specific policies across large fleets of microservices. At the same time, new technology always has a learning curve, and with all this extensibility and generality the task can be quite daunting.
In this talk, Limin Wang (Software Engineer at Google) and Torin Sandall (Technical Lead of the Open Policy Agent project) explain how Istio’s Mixer works and lead a deep dive into Mixer Adapter development. The talk shows (with demos) how the Mixer Adapter model enables custom policy enforcement and how the model is used to integrate third party policy engines like the Open Policy Agent.
This talk is targeted at platform engineers interested in using the Istio service mesh to enforce custom policies in their microservices. The talk also provides new ideas about the kinds of policies that can be enforced in Istio today.
Whether you build software for enterprises, mobile, or internal microservices, security is important. Standards like SAML, OIDC, and SPIFFE help you solve identity and authentication, but for them authorization is out of scope. When you need to control "who can do what" in your app, you are on your own.
To solve authorization, you may be tempted to hardcode logic against SAML assertions, scopes, or X.509 certificate attributes. But, approaches like this lead to systems that are hard to understand and painful to maintain.
This talk shows how to leverage the Open Policy Agent (which is used by companies like Netflix and Chef) to build a powerful authorization system on top of industry-standard authentication protocols. The talk showcases how decoupling leads to authorization solutions that are easier to understand while enabling fine-grained control over the app.
Slides for the CloudNativeCon EU 2018 talk. https://youtu.be/4mBJSIhs2xQ
This talk introduces the Open Policy Agent (OPA) project and goes into detail on how you can use OPA to enforce various kinds of policy across the stack.
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
Topics:
* Background on Open Policy Agent project: users, use cases, and stats.
* How OPA works (decoupling policy decision-making from enforcement)
* Hands-on example: Users can view their own account details and support staff can view accounts they have are assigned to via a ticketing system.
* SQL data filtering use case: writing policy in OPA and enforcing policy in SQL.
* WebAssembly compiler.
These are the slides for the Rego deep dive session from CloudNativeCon EU 2018: https://youtu.be/4mBJSIhs2xQ
These slides explain how the Open Policy Agent policy language works. The slides walk through the fundamentals of the language and then cover a few miscellaneous topics like composition, negation, etc.
Enforcing Bespoke Policies in KubernetesTorin Sandall
Kubernetes enables fully-automated, self-service management of large-scale, heterogenous deployments. These deployments are often managed by distributed engineering teams that have unique requirements for how the platform treats their workloads, but at the same time, they must conform to organization-wide constraints around cost, security, and performance. As Kubernetes matures, extensibility has become a critical feature that organizations can leverage to enforce their organization’s bespoke policies.
In this talk, Torin explains how to use extensibility features in Kubernetes (e.g., External Admission Control) to enforce custom policies over workloads. The talk shows how to build custom admission controllers using Initializers and Webhooks, and shows how the same features lay the groundwork for policy-based control through integration with third party policy engines like the Open Policy Agent project.
Fine-grained Authorization in a Containerized WorldAshutosh Narkar
Talk from Open Source Summit San Diego 2019, showing how the Open Policy Agent can help to enforce fine-grained security policies in a Kubernetes cluster through Admission Control.
The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
Ray Kao and Kevin Harris from Microsoft presenting ‘Kubernetes Security with Calico and Open Policy Agent’ at the spring 2019 Kubernetes and Cloud Native meetup in Toronto.
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
In just a few years, Open Policy Agent (OPA) has established itself as the de-facto standard for policy based guard rails around kubernetes clusters - now it's moving into our microservices! In this talk we'll explore the benefits of decoupling policy from application logic, and how OPA can help bring order to an increasingly distributed, heterogeneous and complex tech stack.
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
Since 2008, Netflix has been on the cutting edge of cloud-based microservices deployments. In 2017, Netflix is recognized as one of the industry leaders at building and operating “cloud native” systems at scale. Like many organizations, Netflix has unique security requirements for many of their workloads. This variety requires a holistic approach to authorization to address “who can do what” across a range of resources, enforcement points, and execution environments.
In this talk, Manish Mehta (Senior Security Software Engineer at Netflix) and Torin Sandall (Technical Lead of the Open Policy Agent project) will present how Netflix is solving authorization across the stack in cloud native environments. The presentation shows how Netflix enforces authorization decisions at scale across various kinds of resources (e.g., HTTP APIs, gRPC methods, SSH), enforcement points (e.g., microservices, proxies, host-level daemons), and execution environments (e.g., VMs, containers) without introducing unreasonable latency. The presentation includes a deep dive into the architecture of the cloud native authorization system at Netflix as well as how authorization decisions can be offloaded to an open source, general-purpose policy engine (Open Policy Agent).
This talk is targeted at engineers building and operating cloud native systems who are interested in security and authorization. The audience can expect to take away fresh ideas about how to enforce fine-grained authorization policies across stackthe cloud environment.
In just a few years, Open Policy Agent (OPA) has emerged as one of the hotter technologies for policy management and fine grained access control in the cloud native ecosystem. Now it’s coming for your APIs!
In this session we will explore the underlying concepts and some of the components involved in OPA before we get hands on in live coding test driven authorization policies to protect API endpoints.
Access Control for HTTP Operations on Linked DataLuca Costabello
Shi3ld is an access control module for enforcing authorization on triple stores. Shi3ld protects SPARQL queries and HTTP operations on Linked Data and relies on attribute-based access policies.
http://wimmics.inria.fr/projects/shi3ld-ldp/
Shi3ld comes in two flavours: Shi3ld-SPARQL, designed for SPARQL endpoints, and Shi3ld-HTTP, designed for HTTP operations on triples.
SHI3LD for HTTP offers authorization for read/write HTTP operations on Linked Data. It supports the SPARQL 1.1 Graph Store Protocol, and the Linked Data Platform specifications.
Using Screaming Frog to crawl a website
Using R for SEO Analysis
Using PaasLogs to centralize logs
Using Kibana to build fancy dashboards
Tutorial : www.data-seo.com
Use Cases for Elastic Search PercolatorMaxim Shelest
Overview of possible Use Cases for Elastic Search Percolator. Deep dive into Percolator feature of Elasticsearch with various examples for source code, HTTP requests and architecture.
Finding the right stuff, an intro to Elasticsearch (at Rug::B) Michael Reinsch
Searching through a dataset can provide quite interesting challenges, especially when natural languages are involved. Elasticsearch is a very powerful yet also at times quite complex solution.
In this talk I'll give an intro on using Elasticsearch from within Ruby/Rails, discussing some of the general principles, starting with a simple example and then expanding into more complex topics such as multi-language search, search on data from multiple different objects, integration testing and production use.
This talk discusses the principles of RESTful design and what it means to be HATEOAS. It concludes by demonstrating how to implement a simple RESTful API on top of ASP.NET Core.
Query DSL in Elasticsearch is a way to perform query on elasticsearch cluster.It is rich flexible query language
We can define queries of elasticsearch in JSON format.In this presentation we will see type of query dsl and its usage.
Elasticsearch Distributed search & analytics on BigData made easyItamar
Elasticsearch is a cloud-ready, super scalable search engine which is gaining a lot of popularity lately. It is mostly known for being extremely easy to setup and integrate with any technology stack.In this talk we will introduce Elasticdearch, and start by looking at some of its basic capabilities. We will demonstrate how it can be used for document search and even log analytics for DevOps and distributed debugging, and peek into more advanced usages like the real-time aggregations and percolation. Obviously, we will make sure to demonstrate how Elasticsearch can be scaled out easily to work on a distributed architecture and handle pretty much any load.
Talk from KubeCon EU 2019, showing how the Open Policy Agent can help to enforce custom security policies in a Data Lake Platform comprising of Kafka, Ceph and Elasticsearch.
Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...Amazon Web Services
Amazon Aurora with MySQL compatibility includes several features to improve query performance, while still maintaining full MySQL compatibility. One such feature is Parallel Query, which provides faster analytic queries over current data by pushing query processing down to thousands of CPUs in the storage layer, achieving performance gains of up to two orders of magnitude. Learn how to take advantage of this and other recent Aurora features to implement high performance distributed queries for your MySQL-based applications.
Fine-grained Authorization in a Containerized WorldAshutosh Narkar
Talk from Open Source Summit San Diego 2019, showing how the Open Policy Agent can help to enforce fine-grained security policies in a Kubernetes cluster through Admission Control.
The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
Ray Kao and Kevin Harris from Microsoft presenting ‘Kubernetes Security with Calico and Open Policy Agent’ at the spring 2019 Kubernetes and Cloud Native meetup in Toronto.
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
In just a few years, Open Policy Agent (OPA) has established itself as the de-facto standard for policy based guard rails around kubernetes clusters - now it's moving into our microservices! In this talk we'll explore the benefits of decoupling policy from application logic, and how OPA can help bring order to an increasingly distributed, heterogeneous and complex tech stack.
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
Since 2008, Netflix has been on the cutting edge of cloud-based microservices deployments. In 2017, Netflix is recognized as one of the industry leaders at building and operating “cloud native” systems at scale. Like many organizations, Netflix has unique security requirements for many of their workloads. This variety requires a holistic approach to authorization to address “who can do what” across a range of resources, enforcement points, and execution environments.
In this talk, Manish Mehta (Senior Security Software Engineer at Netflix) and Torin Sandall (Technical Lead of the Open Policy Agent project) will present how Netflix is solving authorization across the stack in cloud native environments. The presentation shows how Netflix enforces authorization decisions at scale across various kinds of resources (e.g., HTTP APIs, gRPC methods, SSH), enforcement points (e.g., microservices, proxies, host-level daemons), and execution environments (e.g., VMs, containers) without introducing unreasonable latency. The presentation includes a deep dive into the architecture of the cloud native authorization system at Netflix as well as how authorization decisions can be offloaded to an open source, general-purpose policy engine (Open Policy Agent).
This talk is targeted at engineers building and operating cloud native systems who are interested in security and authorization. The audience can expect to take away fresh ideas about how to enforce fine-grained authorization policies across stackthe cloud environment.
In just a few years, Open Policy Agent (OPA) has emerged as one of the hotter technologies for policy management and fine grained access control in the cloud native ecosystem. Now it’s coming for your APIs!
In this session we will explore the underlying concepts and some of the components involved in OPA before we get hands on in live coding test driven authorization policies to protect API endpoints.
Access Control for HTTP Operations on Linked DataLuca Costabello
Shi3ld is an access control module for enforcing authorization on triple stores. Shi3ld protects SPARQL queries and HTTP operations on Linked Data and relies on attribute-based access policies.
http://wimmics.inria.fr/projects/shi3ld-ldp/
Shi3ld comes in two flavours: Shi3ld-SPARQL, designed for SPARQL endpoints, and Shi3ld-HTTP, designed for HTTP operations on triples.
SHI3LD for HTTP offers authorization for read/write HTTP operations on Linked Data. It supports the SPARQL 1.1 Graph Store Protocol, and the Linked Data Platform specifications.
Using Screaming Frog to crawl a website
Using R for SEO Analysis
Using PaasLogs to centralize logs
Using Kibana to build fancy dashboards
Tutorial : www.data-seo.com
Use Cases for Elastic Search PercolatorMaxim Shelest
Overview of possible Use Cases for Elastic Search Percolator. Deep dive into Percolator feature of Elasticsearch with various examples for source code, HTTP requests and architecture.
Finding the right stuff, an intro to Elasticsearch (at Rug::B) Michael Reinsch
Searching through a dataset can provide quite interesting challenges, especially when natural languages are involved. Elasticsearch is a very powerful yet also at times quite complex solution.
In this talk I'll give an intro on using Elasticsearch from within Ruby/Rails, discussing some of the general principles, starting with a simple example and then expanding into more complex topics such as multi-language search, search on data from multiple different objects, integration testing and production use.
This talk discusses the principles of RESTful design and what it means to be HATEOAS. It concludes by demonstrating how to implement a simple RESTful API on top of ASP.NET Core.
Query DSL in Elasticsearch is a way to perform query on elasticsearch cluster.It is rich flexible query language
We can define queries of elasticsearch in JSON format.In this presentation we will see type of query dsl and its usage.
Elasticsearch Distributed search & analytics on BigData made easyItamar
Elasticsearch is a cloud-ready, super scalable search engine which is gaining a lot of popularity lately. It is mostly known for being extremely easy to setup and integrate with any technology stack.In this talk we will introduce Elasticdearch, and start by looking at some of its basic capabilities. We will demonstrate how it can be used for document search and even log analytics for DevOps and distributed debugging, and peek into more advanced usages like the real-time aggregations and percolation. Obviously, we will make sure to demonstrate how Elasticsearch can be scaled out easily to work on a distributed architecture and handle pretty much any load.
Talk from KubeCon EU 2019, showing how the Open Policy Agent can help to enforce custom security policies in a Data Lake Platform comprising of Kafka, Ceph and Elasticsearch.
Accelerate Your Analytic Queries with Amazon Aurora Parallel Query (DAT362) -...Amazon Web Services
Amazon Aurora with MySQL compatibility includes several features to improve query performance, while still maintaining full MySQL compatibility. One such feature is Parallel Query, which provides faster analytic queries over current data by pushing query processing down to thousands of CPUs in the storage layer, achieving performance gains of up to two orders of magnitude. Learn how to take advantage of this and other recent Aurora features to implement high performance distributed queries for your MySQL-based applications.
Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...VMware Tanzu
Technical Track presented by Vinícius Carvalho, Senior Field Engineer at Pivotal.
Cloud Foundry provides the foundation for your PaaS infrastructure. It streamlines deployment and turns your developers and your ops into super heroes when it comes to time to market. But what about your architecture? How should you build your services (or microservices)? How can you guarantee security is being enforced on every layer of your architecture? How can you solve cross-service dependencies? How can services discover each other? How could developers leverage an API explorer to test your services and build apps on top of it? How could you leverage a data pipeline to solve polyglot persistence and cascading operations on diverse persistence technologies? How can you monetize on top of your public services? How could you use a service registry to boost your models with extended metadata?
This session presents a few recipes to demonstrate how to solve some of the problems found when applying cloud patterns to real business scenarios.
Recipes for a successful production cloudfoundry deployment - CF Summit 2014Vinícius Carvalho
How to be successful on a PCF deployment into production. This deck shows lessons learned while pushing to production a revamped platform on a large media company. It shows a few things I've learned as chief architect while deploying apps using the microservices strategy
Description of some of the elements that go in to creating a PostgreSQL-as-a-Service for organizations with many teams and a diverse ecosystem of applications and teams.
Real-time Analytics with Trino and Apache PinotXiang Fu
Trino summit 2021:
Overview of Trino Pinot Connector, which bridges the flexibility of Trino's full SQL support to the power of Apache Pinot's realtime analytics, giving you the best of both worlds.
How Open Policy Agent (OPA) helps in externalizing authorization from Code in Micro Services world. Before that let's look how Authorization evolved in last decade.
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...Amazon Web Services
Performing forensics on AWS resources is a new experience for many customers who might have older runbooks based on on-premises workflows using manual steps, or perhaps no processes in place at all. In this session, get a deeper insight into the various runbooks to perform practical forensic tasks on AWS resources like Amazon EC2 instances, using a combination of industry tooling, AWS serverless services like AWS Lambda and AWS Step Functions, and managed services like Amazon Athena.
In this Meetup Arik Lerner – Liveperson Team lead of Java Automation, Performance & Resilience , will talk about How we measure our services, By End2End testing which become one of the most critical Monitor tool in LP .
Over 200K tests runs per day providing statistics and insights into the problem as they happen.
Arik will go through different topics and stages of the journey and share details that led to current results .
Part of the menu topics are : The Awakens of the End2End Insights
• How we measure our services using synthetic user experience
• Measuring through analytics & insights
• How we collect our data
• How we debug our services? Hint: video recording, HAR (Http archive), KIbana , Dashboard analytics & insights
• Future logs App correlation with End2End data
• Our tools: Selenium, Jenkins and cutting edge technologies such as Kafka & ELK (Elastic search, Logstash and Kibana)
In this Meetup, Arik will host Ali AbuAli- NOC Team Leader , who will talk about the e2e usage on his day 2 day work.
In this Meetup Arik Lerner – Liveperson Team lead of Java Automation, Performance & Resilience , will talk about How we measure our services, By End2End testing which become one of the most critical Monitor tool in LP .
Over 200K tests runs per day providing statistics and insights into the problem as they happen.
Arik will go through different topics and stages of the journey and share details that led to current results .
Part of the menu topics are : The Awakens of the End2End Insights
• How we measure our services using synthetic user experience
• Measuring through analytics & insights
• How we collect our data
• How we debug our services? Hint: video recording, HAR (Http archive), KIbana , Dashboard analytics & insights
• Future logs App correlation with End2End data
• Our tools: Selenium, Jenkins and cutting edge technologies such as Kafka & ELK (Elastic search, Logstash and Kibana)
In this Meetup, Arik will host Ali AbuAli- NOC Team Leader , who will talk about the e2e usage on his day 2 day work.
Preparing for Data Residency and Custom DomainsAtlassian
Atlassian customers have long requested the ability to control where they host their content in Atlassian Cloud. They’ve also long desired the ability to configure their cloud products to be accessible via a custom domain. These features are coming soon to Jira and Confluence Cloud! What will this mean for Marketplace app developers?
Join Nuwan Ginige, Principal Product Manager on the Cloud Platform team, as he walks through how the evolution of Atlassian’s cloud platform has shaped the development of these capabilities. Learn how these changes will impact Marketplace apps, and how you can get involved in app vendor early access progress before general availability.
Similar to Dynamic Authorization & Policy Control for Docker Environments (20)
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
6. ● Heterogeneity: many languages, protocols,
systems
● Dynamism: system changing, policies
changing
● How do you enforce and audit policy?
● Correctness, performance, cost
Challenges
7. Today we are going to talk about tools and
approaches for solving this problem!
Computers can help!
14. Example Implementation
business logic
authorization logic
def get_user_account(req):
if not authorized(req):
raise status(403)
return db.read_user_account(req.id)
def authorized(req):
if "support" in req.subject.groups:
for ticket in get_open_tickets(req.id):
if req.subject.user == ticket.assignee:
return True
return False
# other authorization logic...
15. Obvious questions...
def get_user_account(req):
if not authorized(req):
raise status(403)
return db.read_user_account(req.id)
def authorized(req):
if "support" in req.subject.groups:
for ticket in get_open_tickets(req.id):
if req.subject.user == ticket.assignee:
return True
return False
# other authorization logic...
What happens when the policy changes...
What if the policy requires additional context...
What if the customer requires control of the policy...
What if the policy was not implemented correctly...
What if you have 100+ services written in N langs...
17. OPA: general-purpose policy engine
Inception
Project started in 2016 at
Styra.
Goal
Unify policy enforcement
across the stack.
Use Cases
Admission control
Authorization
ACLs
RBAC
IAM
ABAC
Risk management
Data Protection
Data Filtering
Users
Netflix
Chef
Medallia
Cloudflare
State Street
Pinterest
Intuit
...and many more.
Today
CNCF project (Sandbox)
36 contributors
1.5K stars
400 slack members
20+ integrations
Open Policy Agent
18. OPA: general-purpose policy engine
Service
OPA
Policy
(Rego)
Data
(JSON)
Policy
Query
Policy
Decision
Enforcement
Request
21. OPA: general-purpose policy engine
Service
OPA
Policy
(Rego)
Data
(JSON)
Policy
Query
Policy
Decision
Enforcement
Request
Service refers to any one of:
● Custom service
● Kubernetes API server
● Message broker
● SSH daemon
● CI/CD pipeline script
22. OPA: general-purpose policy engine
Service
OPA
Policy
(Rego)
Data
(JSON)
Policy
Query
Policy
Decision
Enforcement
Request
Service refers to any one of:
● Custom service
● Kubernetes API server
● Message broker
● SSH daemon
● CI/CD pipeline script
Input can be any JSON value:
"alice"
["v1", "users", "bob"]
{"kind": "Pod", "spec": …}
Output can be any JSON value:
true
"request rejected"
{"servers": ["web1", "web2"]}
26. ● write rules not code
● re-use same policy across all applications and
languages
● support audit and testing
A better way to build policy
27. OPA: Integrations
Data Filtering
Admission Control “Restrict ingress hostnames for payments team.”
“Ensure container images come from corporate repo.”
API Authorization
“Deny test scripts access to production services.”
“Allow analysts to access APIs serving anonymized data.”
Data Protection
Linux PAM
SSH & sudo “Only allow on-call engineers to SSH into production servers.”
"Trades exceeding $10M must be executed between 9AM and
5PM and require MFA."
"Users can access files for past 6 months related to the region
they licensed."
28. ● allow developers to see effect of policy earlier
● show effect of policy as soon as possible
● have ability to move point of enforcement
around if it improves code
● test policy was enforced in production as well
“Shift left”
31. OPA: general-purpose policy engine
Service
OPA
Policy
(rego)
Data
(json)
Policy
Query
Policy
Decision
Enforcement
● Declarative Policy Language (Rego)
○ Can identity I do operation O on resource R?
■ ACLs, RBAC, IAM, ABAC
○ What invariants does workload W violate?
■ Enforce, audit, dry-run
○ Which records should bob be allowed to see?
■ Constraints on data
32. OPA: general-purpose policy engine
Service
OPA
Policy
(rego)
Data
(json)
Policy
Query
Policy
Decision
Enforcement
● Declarative Policy Language (Rego)
○ Can identity I do operation O on resource R?
■ ACLs, RBAC, IAM, ABAC
○ What invariants does workload W violate?
■ Enforce, audit, dry-run
○ Which records should bob be allowed to see?
■ Constraints on data
● Library, sidecar, host-level daemon
○ Policy and data are kept in-memory
○ Zero decision-time dependencies
33. OPA: general-purpose policy engine
Service
OPA
Policy
(rego)
Data
(json)
Policy
Query
Policy
Decision
Enforcement
● Declarative Policy Language (Rego)
○ Can identity I do operation O on resource R?
■ ACLs, RBAC, IAM, ABAC
○ What invariants does workload W violate?
■ Enforce, audit, dry-run
○ Which records should bob be allowed to see?
■ Constraints on data
● Library, sidecar, host-level daemon
○ Policy and data are kept in-memory
○ Zero decision-time dependencies
● Management APIs for control & observability
○ Bundle service API for sending policy & data to OPA
○ Status service API for receiving status from OPA
○ Log service API for receiving audit log from OPA
34. OPA: general-purpose policy engine
Service
OPA
Policy
(rego)
Data
(json)
Policy
Query
Policy
Decision
Enforcement
● Declarative Policy Language (Rego)
○ Can identity I do operation O on resource R?
■ ACLs, RBAC, IAM, ABAC
○ What invariants does workload W violate?
■ Enforce, audit, dry-run
○ Which records should bob be allowed to see?
■ Constraints on data
● Library, sidecar, host-level daemon
○ Policy and data are kept in-memory
○ Zero decision-time dependencies
● Management APIs for control & observability
○ Bundle service API for sending policy & data to OPA
○ Status service API for receiving status from OPA
○ Log service API for receiving audit log from OPA
● Tooling to build, test, and debug policy
○ opa run, opa test, opa fmt, opa deps, opa check, etc.
○ VS Code plugin, Tracing, Profiling, etc.
35. Hands on example with OPA
Accounts
OPA Bundle
Server
Policy + Tickets
GET /accounts/alice HTTP/1.1
Authorization: Bearer ...
Input
{
method: GET
path: [accounts, alice]
subject: {
user: janet
groups: [support]
}
}
Result
true (allow) or false (deny)
Data
{
tickets: {
alice: [
{assignee: janet},
{assignee: bob}
],
ken: [
{assignee: janet}
]
}
}
39. For example:
● valuable data on PVs must be retained 6 months after app is undeployed
● default reclaim policy is "delete" because clean-up is annoying
● admins want to grant exceptions for specific apps to use "retain" policy
Beyond the app
40. Kubernetes Admission Policy
package kubernetes.admission
import data.kubernetes.storageclasses
reclaim_exceptions = {"payments", "clickstream"}
# Generate an admission control violation error if...
deny["invalid reclaim policy requested by app"] {
# Input object is a PVC and ...
input.kind = "PersistentVolumeClaim"
# StorageClass specifies the "Retain" reclaim policy and...
name = input.spec.storageClassName
storageclasses[name].reclaimPolicy = "Retain"
# The app that owns the PVC is not whitelisted.
not reclaim_exceptions[input.labels["app"]]
}