SlideShare a Scribd company logo

GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization

KAI CHU CHUNG
KAI CHU CHUNG

Istio Security: API 認證機制 微服務 API 認證、存取權可以自己處理,不過每一個微服務都還會有包含非常多非商業邏輯的程式碼中,有 Istio 可我們可以將這些API 認證機制下放到 Istio 中,降低這些架構性與商業邏輯程式碼的隅合。本次分享將介紹基本 Istio Security 及與 OPA (open policy agent) 的應用整合實作

Technology
1 of 37
Download to read offline
KAI CHU CHUNG Cloud GDE GDG Cloud Taipei co-organizers @CageChung https://kaichu.io Istio Security: API Authorization GDG Cloud Taipei: Meetup #52
KAI CHU CHUNG Cloud GDE GDG Cloud Taipei co-organizers QNAP @CageChung https://kaichu.io
Agenda ● Microservice API authentication and authorization ● Istio security - API Authorization ● External Authorization ● OPA (open policy agent) ● Demo
Microservice API authentication and authorization
GoPherCon 2020 TW: 如何透過 Go-kit 快速 搭建微服務架構應用程 式實戰 https://kaichu.io/posts/gokit-engineering- operation/ - Go-kit - Layout - Test - Toolchain
Go-kit microservice Golang UK Conference 2015 - Peter Bourgon - Go Kit A Toolkit for Microservices - https://youtu.be/aL6sd4d4hxk?t=1022 auth
// Basic httptransport.NewServer( AuthMiddleware(cfg.auth.user, cfg.auth.password, "Example Realm")(makeUppercaseEndpoint()), decodeMappingsRequest, httptransport.EncodeJSONResponse, httptransport.ServerBefore(httptransport.PopulateRequestContext), ) // JWT var ep endpoint.Endpoint { kf := func(token *stdjwt.Token) (interface{}, error) { return []byte("SigningString"), nil } ep = MakeExampleEndpoint(service) ep = jwt.NewParser(kf, stdjwt.SigningMethodHS256, jwt.StandardClaimsFactory)(exampleEndpoint) Auth middleware - Basic Auth - JWT - Casbin/OPA
// Basic httptransport.NewServer( AuthMiddleware(cfg.auth.user, cfg.auth.password, "Example Realm")(makeUppercaseEndpoint()), decodeMappingsRequest, httptransport.EncodeJSONResponse, httptransport.ServerBefore(httptransport.PopulateRequestContext), ) // JWT var ep endpoint.Endpoint { kf := func(token *stdjwt.Token) (interface{}, error) { return []byte("SigningString"), nil } ep = MakeExampleEndpoint(service) ep = jwt.NewParser(kf, stdjwt.SigningMethodHS256, jwt.StandardClaimsFactory)(exampleEndpoint) Auth middleware - Basic Auth - JWT - Casbin/OPA
Microservice solve organizational problems ~ Microservice cause technical problems
Go-kit microservice + Istio Golang UK Conference 2015 - Peter Bourgon - Go Kit A Toolkit for Microservices - https://youtu.be/aL6sd4d4hxk?t=1022 auth +
Automatically secure your services through managed authentication, authorization, and encryption of communication between services. Istio security - API Authorization
Istio ● 1.8.0 (released 11/19) ● 1.7 (released 8/21) ● 1.6 (released 5/21) ● 1.5 (released 3/5) ● RequestAuthentication: 1.5 and above ● Mixer: default since Istio 1.3 and istio-telemetry is disabled by default in Istio 1.5. ● holdApplicationUntilProxyStarts: 1.7 and above Istio - https://istio.io/latest/
Istio / Istio in 2020 - Following the Trade Winds - https://istio.io/latest/blog/2020/tradewinds-2020/ Istio Architecture
Istio Security Architecture Istio / Security - https://istio.io/latest/docs/concepts/security/
Authentication Authorization Istio / Security - https://istio.io/latest/docs/concepts/security/ Istio Security
● Without Authorization header ● Authorization header with valid token ● Authorization header invalid token Istio - JWT {Header}.{Payload}.{Signature} apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: require-jwt namespace: istio-system spec: selector: matchLabels: app: istio-ingressgateway jwtRules: - issuer: testing@secure.istio.io jwks: | {"keys":[{"kty":"RSA","kid":"GkNj4pf4WEojKjS1B8nvVceMoqlC8RqOwF5EhbHQ0Rk"... outputPayloadToHeader: X-Jwt-Playload
● Without Authorization header, 200 ● Authorization header with valid token, 200 ● Authorization header invalid token, 401 Istio - JWT {Header}.{Payload}.{Signature} apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: require-jwt namespace: istio-system spec: selector: matchLabels: app: istio-ingressgateway jwtRules: - issuer: testing@secure.istio.io jwks: | {"keys":[{"kty":"RSA","kid":"GkNj4pf4WEojKjS1B8nvVceMoqlC8RqOwF5EhbHQ0Rk"... outputPayloadToHeader: X-Jwt-Playload
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: require-jwt namespace: istio-system spec: selector: matchLabels: app: istio-ingressgateway rules: - from: - source: requestPrincipals: ["*"] when: - key: request.auth.claims[iss] Istio - AuthorizationPolicy from.source requestPrincipals iss/sub from.source notRequestPrincipals iss/sub when.key request.auth.principal iss/sub when.key request.auth.audiences aud when.key request.auth.presenter azp when.key request.auth.claims[key] JWT All fields { "exp": 1904300334, "iat": 1604300334, "iss": "testing@secure.istio.io", "jti": "KaZRJOc68hCalhMMjr5ieA", "nbf": 1604300334, "roles": [ "owner" ], "sub": "owner@example.com", "userId": "eBenfKuCzAiAC_bfqETwY" }
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: require-jwt namespace: istio-system spec: selector: matchLabels: app: istio-ingressgateway rules: - from: - source: requestPrincipals: ["*"] when: - key: request.auth.claims[iss] Istio - AuthorizationPolicy from.source requestPrincipals iss/sub from.source notRequestPrincipals iss/sub when.key request.auth.principal iss/sub when.key request.auth.audiences aud when.key request.auth.presenter azp when.key request.auth.claims[key] JWT All fields { "exp": 1904300334, "iat": 1604300334, "iss": "testing@secure.istio.io", "jti": "KaZRJOc68hCalhMMjr5ieA", "nbf": 1604300334, "roles": [ "owner" ], "sub": "owner@example.com", "userId": "eBenfKuCzAiAC_bfqETwY" }
Request RequestAuthentication Request process AuthorizationPolicy istio-system istio-system401 403
filter calls an authorization service to check if the incoming request is authorized or not External Authorization
Envoy External Authorization cage1016/gokit-istio-security: demo how to implement Authentication by custom Authorization mixer adapter or envoy external authorization and Open Policy Agent
apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: extauth-tictac spec: workloadSelector: labels: app: tictac configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND listener: filterChain: filter: name: envoy.http_connection_manager subFilter: name: envoy.router patch: operation: INSERT_BEFORE value: name: envoy.ext_authz typed_config: '@type': type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz grpc_service: envoy_grpc: cluster_name: grpc-ext-auth-cluster - applyTo: CLUSTER match: context: SIDECAR_INBOUND patch: operation: ADD value: name: grpc-ext-auth-cluster type: STRICT_DNS connect_timeout: 0.25s http2_protocol_options: {} load_assignment: cluster_name: grpc-als-cluster endpoints: - lb_endpoints: - endpoint: address: socket_address: address: extauthz.default.svc.cluster.local port_value: 50051 Envoy filter - type.googleapis.com/ envoy.config.filter.http .ext_authz.v2.ExtAuthz - extauthz.default.svc. cluster.local:50051
type AuthorizationServer interface { // Performs authorization check based on the attributes associated with the // incoming request, and returns status `OK` or not `OK`. Check(context.Context, *CheckRequest) (*CheckResponse, error) } func (as *AuthorizationServer) Check(ctx context.Context, req *auth.CheckRequest) (*auth.CheckResponse, error) { h := req.GetAttributes().GetRequest().GetHttp() ... s := as.Verify(ctx, h.GetHeaders()["x-envoy-original-path"], h.Method, h.GetHeaders()["x-jwt-playload"]) return &auth.CheckResponse{ Status: s, }, nil } envoy.config.filter.http.ext_authz.v2.ExtAuthz AuthorizationServer is the server API for Authorization service. If the request is deemed unauthorized at the HTTP filter the request will be denied with 403 (Forbidden) response.
type AuthorizationServer interface { // Performs authorization check based on the attributes associated with the // incoming request, and returns status `OK` or not `OK`. Check(context.Context, *CheckRequest) (*CheckResponse, error) } func (as *AuthorizationServer) Check(ctx context.Context, req *auth.CheckRequest) (*auth.CheckResponse, error) { h := req.GetAttributes().GetRequest().GetHttp() ... s := as.Verify(ctx, h.GetHeaders()["x-envoy-original-path"], h.Method, h.GetHeaders()["x-jwt-playload"]) return &auth.CheckResponse{ Status: s, }, nil } envoy.config.filter.http.ext_authz.v2.ExtAuthz AuthorizationServer is the server API for Authorization service. - env: - name: QS_AUTHZ_URL value: "authz:8000"
Request RequestAuthentication Request process AuthorizationPolicy istio-system istio-system401 403 Pod Envoy Service Pod ext-Authz 50051 Envoy 403
extauthz https://github.com/cage1016/gokit-istio- security/blob/master/extauthz/README.md Envoy External Authorization
The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. Open Policy Agent
OPA (open policy agent) Declarative Policy, Context-aware, Expressive, Fast, Portable ● Cloud Native Computing Foundation incubating project ● Support ○ Kubernetes ■ Gatekeeper ○ Envoy ■ OPA Envoy plugin ○ Terraform ○ Kafka ○ SQL ○ Linux Open Policy Agent - https://www.openpolicyagent.org/
OPA cont. Gatekeeper OPA Envoy plugin open-policy-agent/gatekeeper: Gatekeeper - Policy Controller for Kubernetes - https://github.com/open-policy-agent/gatekeeper open-policy-agent/opa-envoy-plugin: A plugin to enforce OPA policies with Envoy - https://github.com/open-policy-agent/opa-envoy-plugin
Rego The Rego Playground - https://play.openpolicyagent.org/p/BYmNuNRZTs
gokit microservice demo - authz https://github.com/cage1016/ms-demo- authz authorization RBAC implementation by OPA (open policy agent)
{ "rolePermissions": { "editor": ... "owner": [ { "method": "POST", "path": "/api/([^/]+)/add/sum" }, { "method": "POST", "path": "/api/([^/]+)/tictac/tic" }, { "method": "GET", "path": "/api/([^/]+)/tictac/tac" }, { "method": "GET", "path": "/api/([^/]+)/authz/roles" }, { "method": "GET", "path": "/api/([^/]+)/authz/roles/[a-zA-Z0-9_-~]{21}" } ] OPA JSON Data - Generate from 6 RBAC DB tables - DB policy change notifier update
Request RequestAuthentication Request process AuthorizationPolicy istio-system istio-system401 403 Pod Envoy Service Pod ext-Authz 50051 Envoy 403 Authz Envoy Service DB
https://github.com/cage1016/gokit-istio-security Demo
Go-kit Istio Security https://github.com/cage1016/gokit-istio- security demo how to implement Authentication and custom Authorization with - Mixer - Envoy external and Open Policy Agent
KAI CHU CHUNG GDE Cloud GDG Cloud Taipei co-organizers @CageChung https://kaichu.io Q & A

Recommended

GDG Devfest 2019 - Build go kit microservices at kubernetes with ease
GDG Devfest 2019 - Build go kit microservices at kubernetes with easeGDG Devfest 2019 - Build go kit microservices at kubernetes with ease
GDG Devfest 2019 - Build go kit microservices at kubernetes with ease
KAI CHU CHUNG
 
COSCUP 2020 Google 技術 x 公共參與 x 開源 口罩地圖技術開源
COSCUP 2020 Google 技術 x 公共參與 x 開源 口罩地圖技術開源COSCUP 2020 Google 技術 x 公共參與 x 開源 口罩地圖技術開源
COSCUP 2020 Google 技術 x 公共參與 x 開源 口罩地圖技術開源
KAI CHU CHUNG
 
Hiveminder - Everything but the Secret Sauce
Hiveminder - Everything but the Secret SauceHiveminder - Everything but the Secret Sauce
Hiveminder - Everything but the Secret Sauce
Jesse Vincent
 
如何透過 Go-kit 快速搭建微服務架構應用程式實戰
如何透過 Go-kit 快速搭建微服務架構應用程式實戰如何透過 Go-kit 快速搭建微服務架構應用程式實戰
如何透過 Go-kit 快速搭建微服務架構應用程式實戰
KAI CHU CHUNG
 
Coscup x ruby conf tw 2021 google cloud buildpacks 剖析與實踐
Coscup x ruby conf tw 2021 google cloud buildpacks 剖析與實踐Coscup x ruby conf tw 2021 google cloud buildpacks 剖析與實踐
Coscup x ruby conf tw 2021 google cloud buildpacks 剖析與實踐
KAI CHU CHUNG
 
Dev fest 2020 taiwan how to debug microservices on kubernetes as a pros (ht...
Dev fest 2020 taiwan how to debug microservices on kubernetes as a pros (ht...Dev fest 2020 taiwan how to debug microservices on kubernetes as a pros (ht...
Dev fest 2020 taiwan how to debug microservices on kubernetes as a pros (ht...
KAI CHU CHUNG
 
Taking Jenkins Pipeline to the Extreme
Taking Jenkins Pipeline to the ExtremeTaking Jenkins Pipeline to the Extreme
Taking Jenkins Pipeline to the Extreme
yinonavraham
 
Gokit
GokitGokit
Gokit
MyoungSu Shin
 

Recommended

GDG Devfest 2019 - Build go kit microservices at kubernetes with ease
GDG Devfest 2019 - Build go kit microservices at kubernetes with easeGDG Devfest 2019 - Build go kit microservices at kubernetes with ease
GDG Devfest 2019 - Build go kit microservices at kubernetes with ease
KAI CHU CHUNG
 
COSCUP 2020 Google 技術 x 公共參與 x 開源 口罩地圖技術開源
COSCUP 2020 Google 技術 x 公共參與 x 開源 口罩地圖技術開源COSCUP 2020 Google 技術 x 公共參與 x 開源 口罩地圖技術開源
COSCUP 2020 Google 技術 x 公共參與 x 開源 口罩地圖技術開源
KAI CHU CHUNG
 
Hiveminder - Everything but the Secret Sauce
Hiveminder - Everything but the Secret SauceHiveminder - Everything but the Secret Sauce
Hiveminder - Everything but the Secret Sauce
Jesse Vincent
 
如何透過 Go-kit 快速搭建微服務架構應用程式實戰
如何透過 Go-kit 快速搭建微服務架構應用程式實戰如何透過 Go-kit 快速搭建微服務架構應用程式實戰
如何透過 Go-kit 快速搭建微服務架構應用程式實戰
KAI CHU CHUNG
 
Coscup x ruby conf tw 2021 google cloud buildpacks 剖析與實踐
Coscup x ruby conf tw 2021 google cloud buildpacks 剖析與實踐Coscup x ruby conf tw 2021 google cloud buildpacks 剖析與實踐
Coscup x ruby conf tw 2021 google cloud buildpacks 剖析與實踐
KAI CHU CHUNG
 
Dev fest 2020 taiwan how to debug microservices on kubernetes as a pros (ht...
Dev fest 2020 taiwan how to debug microservices on kubernetes as a pros (ht...Dev fest 2020 taiwan how to debug microservices on kubernetes as a pros (ht...
Dev fest 2020 taiwan how to debug microservices on kubernetes as a pros (ht...
KAI CHU CHUNG
 
Taking Jenkins Pipeline to the Extreme
Taking Jenkins Pipeline to the ExtremeTaking Jenkins Pipeline to the Extreme
Taking Jenkins Pipeline to the Extreme
yinonavraham
 
Gokit
GokitGokit
Gokit
MyoungSu Shin
 
Griffon @ Svwjug
Griffon @ SvwjugGriffon @ Svwjug
Griffon @ Svwjug
Andres Almiray
 
Gdg cloud taipei ddt meetup #53 buildpack
Gdg cloud taipei ddt meetup #53 buildpackGdg cloud taipei ddt meetup #53 buildpack
Gdg cloud taipei ddt meetup #53 buildpack
KAI CHU CHUNG
 
Global Interpreter Lock: Episode I - Break the Seal
Global Interpreter Lock: Episode I - Break the SealGlobal Interpreter Lock: Episode I - Break the Seal
Global Interpreter Lock: Episode I - Break the Seal
Tzung-Bi Shih
 
Asynchronní programování
Asynchronní programováníAsynchronní programování
Asynchronní programování
PeckaDesign.cz
 
Hacking pokemon go [droidcon tel aviv 2016]
Hacking pokemon go [droidcon tel aviv 2016]Hacking pokemon go [droidcon tel aviv 2016]
Hacking pokemon go [droidcon tel aviv 2016]
Guy Lis
 
Docker and Your Path to a Better Staging Environment - webinar by Gil Tayar
Docker and Your Path to a Better Staging Environment - webinar by Gil TayarDocker and Your Path to a Better Staging Environment - webinar by Gil Tayar
Docker and Your Path to a Better Staging Environment - webinar by Gil Tayar
Applitools
 
The Challenges of Container Configuration
The Challenges of Container ConfigurationThe Challenges of Container Configuration
The Challenges of Container Configuration
Gareth Rushgrove
 
How to send gzipped requests with boto3
How to send gzipped requests with boto3How to send gzipped requests with boto3
How to send gzipped requests with boto3
Luciano Mammino
 
The Gradle in Ratpack: Dissected
The Gradle in Ratpack: DissectedThe Gradle in Ratpack: Dissected
The Gradle in Ratpack: Dissected
David Carr
 
Gradle build tool that rocks with DSL JavaOne India 4th May 2012
Gradle build tool that rocks with DSL JavaOne India 4th May 2012Gradle build tool that rocks with DSL JavaOne India 4th May 2012
Gradle build tool that rocks with DSL JavaOne India 4th May 2012
Rajmahendra Hegde
 
Server Side Swift: Vapor
Server Side Swift: VaporServer Side Swift: Vapor
Server Side Swift: Vapor
Paweł Kowalczuk
 
The world of gradle - an introduction for developers
The world of gradle - an introduction for developersThe world of gradle - an introduction for developers
The world of gradle - an introduction for developers
Tricode (part of Dept)
 
Everything as a code
Everything as a codeEverything as a code
Everything as a code
Aleksandr Tarasov
 
Enterprise Guice 20090217 Bejug
Enterprise Guice 20090217 BejugEnterprise Guice 20090217 Bejug
Enterprise Guice 20090217 Bejugrobbiev
 
[Image Results] Java Build Tools: Part 2 - A Decision Maker's Guide Compariso...
[Image Results] Java Build Tools: Part 2 - A Decision Maker's Guide Compariso...[Image Results] Java Build Tools: Part 2 - A Decision Maker's Guide Compariso...
[Image Results] Java Build Tools: Part 2 - A Decision Maker's Guide Compariso...
ZeroTurnaround
 
pppr - 解決 JavaScript 無法被搜尋引擎正確索引的問題
pppr - 解決 JavaScript 無法被搜尋引擎正確索引的問題pppr - 解決 JavaScript 無法被搜尋引擎正確索引的問題
pppr - 解決 JavaScript 無法被搜尋引擎正確索引的問題
Mu Chun Wang
 
FwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.jsFwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.js
Timur Shemsedinov
 
Big query - Command line tools and Tips - (MOSG)
Big query - Command line tools and Tips - (MOSG)Big query - Command line tools and Tips - (MOSG)
Big query - Command line tools and Tips - (MOSG)
Soshi Nemoto
 
EWD 3 Training Course Part 22: Traversing Documents using DocumentNode Objects
EWD 3 Training Course Part 22: Traversing Documents using DocumentNode ObjectsEWD 3 Training Course Part 22: Traversing Documents using DocumentNode Objects
EWD 3 Training Course Part 22: Traversing Documents using DocumentNode Objects
Rob Tweed
 
Scripting GeoServer
Scripting GeoServerScripting GeoServer
Scripting GeoServer
Jared Erickson
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
Micron Technology
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 

More Related Content

What's hot

Griffon @ Svwjug
Griffon @ SvwjugGriffon @ Svwjug
Griffon @ Svwjug
Andres Almiray
 
Gdg cloud taipei ddt meetup #53 buildpack
Gdg cloud taipei ddt meetup #53 buildpackGdg cloud taipei ddt meetup #53 buildpack
Gdg cloud taipei ddt meetup #53 buildpack
KAI CHU CHUNG
 
Global Interpreter Lock: Episode I - Break the Seal
Global Interpreter Lock: Episode I - Break the SealGlobal Interpreter Lock: Episode I - Break the Seal
Global Interpreter Lock: Episode I - Break the Seal
Tzung-Bi Shih
 
Asynchronní programování
Asynchronní programováníAsynchronní programování
Asynchronní programování
PeckaDesign.cz
 
Hacking pokemon go [droidcon tel aviv 2016]
Hacking pokemon go [droidcon tel aviv 2016]Hacking pokemon go [droidcon tel aviv 2016]
Hacking pokemon go [droidcon tel aviv 2016]
Guy Lis
 
Docker and Your Path to a Better Staging Environment - webinar by Gil Tayar
Docker and Your Path to a Better Staging Environment - webinar by Gil TayarDocker and Your Path to a Better Staging Environment - webinar by Gil Tayar
Docker and Your Path to a Better Staging Environment - webinar by Gil Tayar
Applitools
 
The Challenges of Container Configuration
The Challenges of Container ConfigurationThe Challenges of Container Configuration
The Challenges of Container Configuration
Gareth Rushgrove
 
How to send gzipped requests with boto3
How to send gzipped requests with boto3How to send gzipped requests with boto3
How to send gzipped requests with boto3
Luciano Mammino
 
The Gradle in Ratpack: Dissected
The Gradle in Ratpack: DissectedThe Gradle in Ratpack: Dissected
The Gradle in Ratpack: Dissected
David Carr
 
Gradle build tool that rocks with DSL JavaOne India 4th May 2012
Gradle build tool that rocks with DSL JavaOne India 4th May 2012Gradle build tool that rocks with DSL JavaOne India 4th May 2012
Gradle build tool that rocks with DSL JavaOne India 4th May 2012
Rajmahendra Hegde
 
Server Side Swift: Vapor
Server Side Swift: VaporServer Side Swift: Vapor
Server Side Swift: Vapor
Paweł Kowalczuk
 
The world of gradle - an introduction for developers
The world of gradle - an introduction for developersThe world of gradle - an introduction for developers
The world of gradle - an introduction for developers
Tricode (part of Dept)
 
Everything as a code
Everything as a codeEverything as a code
Everything as a code
Aleksandr Tarasov
 
Enterprise Guice 20090217 Bejug
Enterprise Guice 20090217 BejugEnterprise Guice 20090217 Bejug
Enterprise Guice 20090217 Bejugrobbiev
 
[Image Results] Java Build Tools: Part 2 - A Decision Maker's Guide Compariso...
[Image Results] Java Build Tools: Part 2 - A Decision Maker's Guide Compariso...[Image Results] Java Build Tools: Part 2 - A Decision Maker's Guide Compariso...
[Image Results] Java Build Tools: Part 2 - A Decision Maker's Guide Compariso...
ZeroTurnaround
 
pppr - 解決 JavaScript 無法被搜尋引擎正確索引的問題
pppr - 解決 JavaScript 無法被搜尋引擎正確索引的問題pppr - 解決 JavaScript 無法被搜尋引擎正確索引的問題
pppr - 解決 JavaScript 無法被搜尋引擎正確索引的問題
Mu Chun Wang
 
FwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.jsFwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.js
Timur Shemsedinov
 
Big query - Command line tools and Tips - (MOSG)
Big query - Command line tools and Tips - (MOSG)Big query - Command line tools and Tips - (MOSG)
Big query - Command line tools and Tips - (MOSG)
Soshi Nemoto
 
EWD 3 Training Course Part 22: Traversing Documents using DocumentNode Objects
EWD 3 Training Course Part 22: Traversing Documents using DocumentNode ObjectsEWD 3 Training Course Part 22: Traversing Documents using DocumentNode Objects
EWD 3 Training Course Part 22: Traversing Documents using DocumentNode Objects
Rob Tweed
 
Scripting GeoServer
Scripting GeoServerScripting GeoServer
Scripting GeoServer
Jared Erickson
 

What's hot (20)

Griffon @ Svwjug
Griffon @ SvwjugGriffon @ Svwjug
Griffon @ Svwjug
 
Gdg cloud taipei ddt meetup #53 buildpack
Gdg cloud taipei ddt meetup #53 buildpackGdg cloud taipei ddt meetup #53 buildpack
Gdg cloud taipei ddt meetup #53 buildpack
 
Global Interpreter Lock: Episode I - Break the Seal
Global Interpreter Lock: Episode I - Break the SealGlobal Interpreter Lock: Episode I - Break the Seal
Global Interpreter Lock: Episode I - Break the Seal
 
Asynchronní programování
Asynchronní programováníAsynchronní programování
Asynchronní programování
 
Hacking pokemon go [droidcon tel aviv 2016]
Hacking pokemon go [droidcon tel aviv 2016]Hacking pokemon go [droidcon tel aviv 2016]
Hacking pokemon go [droidcon tel aviv 2016]
 
Docker and Your Path to a Better Staging Environment - webinar by Gil Tayar
Docker and Your Path to a Better Staging Environment - webinar by Gil TayarDocker and Your Path to a Better Staging Environment - webinar by Gil Tayar
Docker and Your Path to a Better Staging Environment - webinar by Gil Tayar
 
The Challenges of Container Configuration
The Challenges of Container ConfigurationThe Challenges of Container Configuration
The Challenges of Container Configuration
 
How to send gzipped requests with boto3
How to send gzipped requests with boto3How to send gzipped requests with boto3
How to send gzipped requests with boto3
 
The Gradle in Ratpack: Dissected
The Gradle in Ratpack: DissectedThe Gradle in Ratpack: Dissected
The Gradle in Ratpack: Dissected
 
Gradle build tool that rocks with DSL JavaOne India 4th May 2012
Gradle build tool that rocks with DSL JavaOne India 4th May 2012Gradle build tool that rocks with DSL JavaOne India 4th May 2012
Gradle build tool that rocks with DSL JavaOne India 4th May 2012
 
Server Side Swift: Vapor
Server Side Swift: VaporServer Side Swift: Vapor
Server Side Swift: Vapor
 
The world of gradle - an introduction for developers
The world of gradle - an introduction for developersThe world of gradle - an introduction for developers
The world of gradle - an introduction for developers
 
Everything as a code
Everything as a codeEverything as a code
Everything as a code
 
Enterprise Guice 20090217 Bejug
Enterprise Guice 20090217 BejugEnterprise Guice 20090217 Bejug
Enterprise Guice 20090217 Bejug
 
[Image Results] Java Build Tools: Part 2 - A Decision Maker's Guide Compariso...
[Image Results] Java Build Tools: Part 2 - A Decision Maker's Guide Compariso...[Image Results] Java Build Tools: Part 2 - A Decision Maker's Guide Compariso...
[Image Results] Java Build Tools: Part 2 - A Decision Maker's Guide Compariso...
 
pppr - 解決 JavaScript 無法被搜尋引擎正確索引的問題
pppr - 解決 JavaScript 無法被搜尋引擎正確索引的問題pppr - 解決 JavaScript 無法被搜尋引擎正確索引的問題
pppr - 解決 JavaScript 無法被搜尋引擎正確索引的問題
 
FwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.jsFwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.js
 
Big query - Command line tools and Tips - (MOSG)
Big query - Command line tools and Tips - (MOSG)Big query - Command line tools and Tips - (MOSG)
Big query - Command line tools and Tips - (MOSG)
 
EWD 3 Training Course Part 22: Traversing Documents using DocumentNode Objects
EWD 3 Training Course Part 22: Traversing Documents using DocumentNode ObjectsEWD 3 Training Course Part 22: Traversing Documents using DocumentNode Objects
EWD 3 Training Course Part 22: Traversing Documents using DocumentNode Objects
 
Scripting GeoServer
Scripting GeoServerScripting GeoServer
Scripting GeoServer
 

Similar to GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization

2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
Micron Technology
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita Galkin"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita Galkin
Fwdays
 
IdM and AC
IdM and ACIdM and AC
IdM and AC
Fernando Lopez Aguilar
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
Codemotion
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examplesnasza-klasa
 
使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務
升煌 黃
 
Drive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteerDrive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteer
VodqaBLR
 
FIWARE ID Management
FIWARE ID ManagementFIWARE ID Management
FIWARE ID Management
Miguel García González
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs AuthorizationRoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs Authorization
Erick Belluci Tedeschi
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
Hyperledger Korea User Group
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
StreamNative
 
Build resource server & client for OCF Cloud (2018.8.30)
Build resource server & client for OCF Cloud (2018.8.30)Build resource server & client for OCF Cloud (2018.8.30)
Build resource server & client for OCF Cloud (2018.8.30)
남균 김
 
Web Standards Support in WebKit
Web Standards Support in WebKitWeb Standards Support in WebKit
Web Standards Support in WebKit
Joone Hur
 
Deep Dive: Building external auth plugins for Gloo Enterprise
Deep Dive: Building external auth plugins for Gloo EnterpriseDeep Dive: Building external auth plugins for Gloo Enterprise
Deep Dive: Building external auth plugins for Gloo Enterprise
Christian Posta
 
Centralise legacy auth at the ingress gateway, SREday
Centralise legacy auth at the ingress gateway, SREdayCentralise legacy auth at the ingress gateway, SREday
Centralise legacy auth at the ingress gateway, SREday
Andrew Kirkpatrick
 
Centralise legacy auth at the ingress gateway
Centralise legacy auth at the ingress gatewayCentralise legacy auth at the ingress gateway
Centralise legacy auth at the ingress gateway
Andrew Kirkpatrick
 

Similar to GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization (20)

2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita Galkin"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita Galkin
 
IdM and AC
IdM and ACIdM and AC
IdM and AC
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
 
使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務
 
Drive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteerDrive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteer
 
FIWARE ID Management
FIWARE ID ManagementFIWARE ID Management
FIWARE ID Management
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs AuthorizationRoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs Authorization
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
Build resource server & client for OCF Cloud (2018.8.30)
Build resource server & client for OCF Cloud (2018.8.30)Build resource server & client for OCF Cloud (2018.8.30)
Build resource server & client for OCF Cloud (2018.8.30)
 
Web Standards Support in WebKit
Web Standards Support in WebKitWeb Standards Support in WebKit
Web Standards Support in WebKit
 
Deep Dive: Building external auth plugins for Gloo Enterprise
Deep Dive: Building external auth plugins for Gloo EnterpriseDeep Dive: Building external auth plugins for Gloo Enterprise
Deep Dive: Building external auth plugins for Gloo Enterprise
 
Centralise legacy auth at the ingress gateway, SREday
Centralise legacy auth at the ingress gateway, SREdayCentralise legacy auth at the ingress gateway, SREday
Centralise legacy auth at the ingress gateway, SREday
 
Centralise legacy auth at the ingress gateway
Centralise legacy auth at the ingress gatewayCentralise legacy auth at the ingress gateway
Centralise legacy auth at the ingress gateway
 

More from KAI CHU CHUNG

Devfest 2023 - Service Weaver Introduction - Taipei.pdf
Devfest 2023 - Service Weaver Introduction - Taipei.pdfDevfest 2023 - Service Weaver Introduction - Taipei.pdf
Devfest 2023 - Service Weaver Introduction - Taipei.pdf
KAI CHU CHUNG
 
DevFest 2022 - Skaffold 2 Deep Dive Taipei.pdf
DevFest 2022 - Skaffold 2 Deep Dive Taipei.pdfDevFest 2022 - Skaffold 2 Deep Dive Taipei.pdf
DevFest 2022 - Skaffold 2 Deep Dive Taipei.pdf
KAI CHU CHUNG
 
DevFest 2022 - Cloud Workstation Introduction TaiChung
DevFest 2022 - Cloud Workstation Introduction TaiChungDevFest 2022 - Cloud Workstation Introduction TaiChung
DevFest 2022 - Cloud Workstation Introduction TaiChung
KAI CHU CHUNG
 
Devfest 2021' - Artifact Registry Introduction (Taipei)
Devfest 2021' - Artifact Registry Introduction (Taipei)Devfest 2021' - Artifact Registry Introduction (Taipei)
Devfest 2021' - Artifact Registry Introduction (Taipei)
KAI CHU CHUNG
 
Velero search & practice 20210609
Velero search & practice 20210609Velero search & practice 20210609
Velero search & practice 20210609
KAI CHU CHUNG
 
Google App Engine: Basic
Google App Engine: BasicGoogle App Engine: Basic
Google App Engine: Basic
KAI CHU CHUNG
 
GDG Cloud Taipei meetup #50 - Build go kit microservices at kubernetes with ...
GDG Cloud Taipei meetup #50 - Build go kit microservices at kubernetes with ...GDG Cloud Taipei meetup #50 - Build go kit microservices at kubernetes with ...
GDG Cloud Taipei meetup #50 - Build go kit microservices at kubernetes with ...
KAI CHU CHUNG
 
Global GDG Leaders Summit, Google I/O 2018 經驗分享
Global GDG Leaders Summit, Google I/O 2018 經驗分享Global GDG Leaders Summit, Google I/O 2018 經驗分享
Global GDG Leaders Summit, Google I/O 2018 經驗分享
KAI CHU CHUNG
 
Google apps script introduction
Google apps script introductionGoogle apps script introduction
Google apps script introduction
KAI CHU CHUNG
 
Screenshot as a service
Screenshot as a serviceScreenshot as a service
Screenshot as a service
KAI CHU CHUNG
 
Nas 也可以揀土豆
Nas 也可以揀土豆Nas 也可以揀土豆
Nas 也可以揀土豆
KAI CHU CHUNG
 
60分鐘完送百萬edm,背後雲端ci/cd實戰大公開
60分鐘完送百萬edm,背後雲端ci/cd實戰大公開60分鐘完送百萬edm,背後雲端ci/cd實戰大公開
60分鐘完送百萬edm,背後雲端ci/cd實戰大公開
KAI CHU CHUNG
 
Django oscar introduction
Django oscar introductionDjango oscar introduction
Django oscar introduction
KAI CHU CHUNG
 
Continuous Integration & Continuous Delivery with GCP
Continuous Integration & Continuous Delivery with GCPContinuous Integration & Continuous Delivery with GCP
Continuous Integration & Continuous Delivery with GCP
KAI CHU CHUNG
 
Google apps script introduction
Google apps script introductionGoogle apps script introduction
Google apps script introduction
KAI CHU CHUNG
 
Gae managed vm introduction
Gae managed vm introductionGae managed vm introduction
Gae managed vm introduction
KAI CHU CHUNG
 
Google app engine (gae) 演進史
Google app engine (gae) 演進史Google app engine (gae) 演進史
Google app engine (gae) 演進史
KAI CHU CHUNG
 
痞客趴趴走 Waldo
痞客趴趴走 Waldo痞客趴趴走 Waldo
痞客趴趴走 Waldo
KAI CHU CHUNG
 
Waldo-gcp
Waldo-gcpWaldo-gcp
Waldo-gcp
KAI CHU CHUNG
 
Introduction to chrome extension development
Introduction to chrome extension developmentIntroduction to chrome extension development
Introduction to chrome extension development
KAI CHU CHUNG
 

More from KAI CHU CHUNG (20)

Devfest 2023 - Service Weaver Introduction - Taipei.pdf
Devfest 2023 - Service Weaver Introduction - Taipei.pdfDevfest 2023 - Service Weaver Introduction - Taipei.pdf
Devfest 2023 - Service Weaver Introduction - Taipei.pdf
 
DevFest 2022 - Skaffold 2 Deep Dive Taipei.pdf
DevFest 2022 - Skaffold 2 Deep Dive Taipei.pdfDevFest 2022 - Skaffold 2 Deep Dive Taipei.pdf
DevFest 2022 - Skaffold 2 Deep Dive Taipei.pdf
 
DevFest 2022 - Cloud Workstation Introduction TaiChung
DevFest 2022 - Cloud Workstation Introduction TaiChungDevFest 2022 - Cloud Workstation Introduction TaiChung
DevFest 2022 - Cloud Workstation Introduction TaiChung
 
Devfest 2021' - Artifact Registry Introduction (Taipei)
Devfest 2021' - Artifact Registry Introduction (Taipei)Devfest 2021' - Artifact Registry Introduction (Taipei)
Devfest 2021' - Artifact Registry Introduction (Taipei)
 
Velero search & practice 20210609
Velero search & practice 20210609Velero search & practice 20210609
Velero search & practice 20210609
 
Google App Engine: Basic
Google App Engine: BasicGoogle App Engine: Basic
Google App Engine: Basic
 
GDG Cloud Taipei meetup #50 - Build go kit microservices at kubernetes with ...
GDG Cloud Taipei meetup #50 - Build go kit microservices at kubernetes with ...GDG Cloud Taipei meetup #50 - Build go kit microservices at kubernetes with ...
GDG Cloud Taipei meetup #50 - Build go kit microservices at kubernetes with ...
 
Global GDG Leaders Summit, Google I/O 2018 經驗分享
Global GDG Leaders Summit, Google I/O 2018 經驗分享Global GDG Leaders Summit, Google I/O 2018 經驗分享
Global GDG Leaders Summit, Google I/O 2018 經驗分享
 
Google apps script introduction
Google apps script introductionGoogle apps script introduction
Google apps script introduction
 
Screenshot as a service
Screenshot as a serviceScreenshot as a service
Screenshot as a service
 
Nas 也可以揀土豆
Nas 也可以揀土豆Nas 也可以揀土豆
Nas 也可以揀土豆
 
60分鐘完送百萬edm,背後雲端ci/cd實戰大公開
60分鐘完送百萬edm,背後雲端ci/cd實戰大公開60分鐘完送百萬edm,背後雲端ci/cd實戰大公開
60分鐘完送百萬edm,背後雲端ci/cd實戰大公開
 
Django oscar introduction
Django oscar introductionDjango oscar introduction
Django oscar introduction
 
Continuous Integration & Continuous Delivery with GCP
Continuous Integration & Continuous Delivery with GCPContinuous Integration & Continuous Delivery with GCP
Continuous Integration & Continuous Delivery with GCP
 
Google apps script introduction
Google apps script introductionGoogle apps script introduction
Google apps script introduction
 
Gae managed vm introduction
Gae managed vm introductionGae managed vm introduction
Gae managed vm introduction
 
Google app engine (gae) 演進史
Google app engine (gae) 演進史Google app engine (gae) 演進史
Google app engine (gae) 演進史
 
痞客趴趴走 Waldo
痞客趴趴走 Waldo痞客趴趴走 Waldo
痞客趴趴走 Waldo
 
Waldo-gcp
Waldo-gcpWaldo-gcp
Waldo-gcp
 
Introduction to chrome extension development
Introduction to chrome extension developmentIntroduction to chrome extension development
Introduction to chrome extension development
 

Recently uploaded

PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 

Recently uploaded (20)

PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 

GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization

  • 1. KAI CHU CHUNG Cloud GDE GDG Cloud Taipei co-organizers @CageChung https://kaichu.io Istio Security: API Authorization GDG Cloud Taipei: Meetup #52
  • 2. KAI CHU CHUNG Cloud GDE GDG Cloud Taipei co-organizers QNAP @CageChung https://kaichu.io
  • 3. Agenda ● Microservice API authentication and authorization ● Istio security - API Authorization ● External Authorization ● OPA (open policy agent) ● Demo
  • 5. GoPherCon 2020 TW: 如何透過 Go-kit 快速 搭建微服務架構應用程 式實戰 https://kaichu.io/posts/gokit-engineering- operation/ - Go-kit - Layout - Test - Toolchain
  • 6. Go-kit microservice Golang UK Conference 2015 - Peter Bourgon - Go Kit A Toolkit for Microservices - https://youtu.be/aL6sd4d4hxk?t=1022 auth
  • 7. // Basic httptransport.NewServer( AuthMiddleware(cfg.auth.user, cfg.auth.password, "Example Realm")(makeUppercaseEndpoint()), decodeMappingsRequest, httptransport.EncodeJSONResponse, httptransport.ServerBefore(httptransport.PopulateRequestContext), ) // JWT var ep endpoint.Endpoint { kf := func(token *stdjwt.Token) (interface{}, error) { return []byte("SigningString"), nil } ep = MakeExampleEndpoint(service) ep = jwt.NewParser(kf, stdjwt.SigningMethodHS256, jwt.StandardClaimsFactory)(exampleEndpoint) Auth middleware - Basic Auth - JWT - Casbin/OPA
  • 8. // Basic httptransport.NewServer( AuthMiddleware(cfg.auth.user, cfg.auth.password, "Example Realm")(makeUppercaseEndpoint()), decodeMappingsRequest, httptransport.EncodeJSONResponse, httptransport.ServerBefore(httptransport.PopulateRequestContext), ) // JWT var ep endpoint.Endpoint { kf := func(token *stdjwt.Token) (interface{}, error) { return []byte("SigningString"), nil } ep = MakeExampleEndpoint(service) ep = jwt.NewParser(kf, stdjwt.SigningMethodHS256, jwt.StandardClaimsFactory)(exampleEndpoint) Auth middleware - Basic Auth - JWT - Casbin/OPA
  • 9. Microservice solve organizational problems ~ Microservice cause technical problems
  • 10. Go-kit microservice + Istio Golang UK Conference 2015 - Peter Bourgon - Go Kit A Toolkit for Microservices - https://youtu.be/aL6sd4d4hxk?t=1022 auth +
  • 11. Automatically secure your services through managed authentication, authorization, and encryption of communication between services. Istio security - API Authorization
  • 12. Istio ● 1.8.0 (released 11/19) ● 1.7 (released 8/21) ● 1.6 (released 5/21) ● 1.5 (released 3/5) ● RequestAuthentication: 1.5 and above ● Mixer: default since Istio 1.3 and istio-telemetry is disabled by default in Istio 1.5. ● holdApplicationUntilProxyStarts: 1.7 and above Istio - https://istio.io/latest/
  • 13. Istio / Istio in 2020 - Following the Trade Winds - https://istio.io/latest/blog/2020/tradewinds-2020/ Istio Architecture
  • 14. Istio Security Architecture Istio / Security - https://istio.io/latest/docs/concepts/security/
  • 15. Authentication Authorization Istio / Security - https://istio.io/latest/docs/concepts/security/ Istio Security
  • 16. ● Without Authorization header ● Authorization header with valid token ● Authorization header invalid token Istio - JWT {Header}.{Payload}.{Signature} apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: require-jwt namespace: istio-system spec: selector: matchLabels: app: istio-ingressgateway jwtRules: - issuer: testing@secure.istio.io jwks: | {"keys":[{"kty":"RSA","kid":"GkNj4pf4WEojKjS1B8nvVceMoqlC8RqOwF5EhbHQ0Rk"... outputPayloadToHeader: X-Jwt-Playload
  • 17. ● Without Authorization header, 200 ● Authorization header with valid token, 200 ● Authorization header invalid token, 401 Istio - JWT {Header}.{Payload}.{Signature} apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: require-jwt namespace: istio-system spec: selector: matchLabels: app: istio-ingressgateway jwtRules: - issuer: testing@secure.istio.io jwks: | {"keys":[{"kty":"RSA","kid":"GkNj4pf4WEojKjS1B8nvVceMoqlC8RqOwF5EhbHQ0Rk"... outputPayloadToHeader: X-Jwt-Playload
  • 18. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: require-jwt namespace: istio-system spec: selector: matchLabels: app: istio-ingressgateway rules: - from: - source: requestPrincipals: ["*"] when: - key: request.auth.claims[iss] Istio - AuthorizationPolicy from.source requestPrincipals iss/sub from.source notRequestPrincipals iss/sub when.key request.auth.principal iss/sub when.key request.auth.audiences aud when.key request.auth.presenter azp when.key request.auth.claims[key] JWT All fields { "exp": 1904300334, "iat": 1604300334, "iss": "testing@secure.istio.io", "jti": "KaZRJOc68hCalhMMjr5ieA", "nbf": 1604300334, "roles": [ "owner" ], "sub": "owner@example.com", "userId": "eBenfKuCzAiAC_bfqETwY" }
  • 19. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: require-jwt namespace: istio-system spec: selector: matchLabels: app: istio-ingressgateway rules: - from: - source: requestPrincipals: ["*"] when: - key: request.auth.claims[iss] Istio - AuthorizationPolicy from.source requestPrincipals iss/sub from.source notRequestPrincipals iss/sub when.key request.auth.principal iss/sub when.key request.auth.audiences aud when.key request.auth.presenter azp when.key request.auth.claims[key] JWT All fields { "exp": 1904300334, "iat": 1604300334, "iss": "testing@secure.istio.io", "jti": "KaZRJOc68hCalhMMjr5ieA", "nbf": 1604300334, "roles": [ "owner" ], "sub": "owner@example.com", "userId": "eBenfKuCzAiAC_bfqETwY" }
  • 21. filter calls an authorization service to check if the incoming request is authorized or not External Authorization
  • 22. Envoy External Authorization cage1016/gokit-istio-security: demo how to implement Authentication by custom Authorization mixer adapter or envoy external authorization and Open Policy Agent
  • 23. apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: extauth-tictac spec: workloadSelector: labels: app: tictac configPatches: - applyTo: HTTP_FILTER match: context: SIDECAR_INBOUND listener: filterChain: filter: name: envoy.http_connection_manager subFilter: name: envoy.router patch: operation: INSERT_BEFORE value: name: envoy.ext_authz typed_config: '@type': type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz grpc_service: envoy_grpc: cluster_name: grpc-ext-auth-cluster - applyTo: CLUSTER match: context: SIDECAR_INBOUND patch: operation: ADD value: name: grpc-ext-auth-cluster type: STRICT_DNS connect_timeout: 0.25s http2_protocol_options: {} load_assignment: cluster_name: grpc-als-cluster endpoints: - lb_endpoints: - endpoint: address: socket_address: address: extauthz.default.svc.cluster.local port_value: 50051 Envoy filter - type.googleapis.com/ envoy.config.filter.http .ext_authz.v2.ExtAuthz - extauthz.default.svc. cluster.local:50051
  • 24. type AuthorizationServer interface { // Performs authorization check based on the attributes associated with the // incoming request, and returns status `OK` or not `OK`. Check(context.Context, *CheckRequest) (*CheckResponse, error) } func (as *AuthorizationServer) Check(ctx context.Context, req *auth.CheckRequest) (*auth.CheckResponse, error) { h := req.GetAttributes().GetRequest().GetHttp() ... s := as.Verify(ctx, h.GetHeaders()["x-envoy-original-path"], h.Method, h.GetHeaders()["x-jwt-playload"]) return &auth.CheckResponse{ Status: s, }, nil } envoy.config.filter.http.ext_authz.v2.ExtAuthz AuthorizationServer is the server API for Authorization service. If the request is deemed unauthorized at the HTTP filter the request will be denied with 403 (Forbidden) response.
  • 25. type AuthorizationServer interface { // Performs authorization check based on the attributes associated with the // incoming request, and returns status `OK` or not `OK`. Check(context.Context, *CheckRequest) (*CheckResponse, error) } func (as *AuthorizationServer) Check(ctx context.Context, req *auth.CheckRequest) (*auth.CheckResponse, error) { h := req.GetAttributes().GetRequest().GetHttp() ... s := as.Verify(ctx, h.GetHeaders()["x-envoy-original-path"], h.Method, h.GetHeaders()["x-jwt-playload"]) return &auth.CheckResponse{ Status: s, }, nil } envoy.config.filter.http.ext_authz.v2.ExtAuthz AuthorizationServer is the server API for Authorization service. - env: - name: QS_AUTHZ_URL value: "authz:8000"
  • 26. Request RequestAuthentication Request process AuthorizationPolicy istio-system istio-system401 403 Pod Envoy Service Pod ext-Authz 50051 Envoy 403
  • 28. The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. Open Policy Agent
  • 29. OPA (open policy agent) Declarative Policy, Context-aware, Expressive, Fast, Portable ● Cloud Native Computing Foundation incubating project ● Support ○ Kubernetes ■ Gatekeeper ○ Envoy ■ OPA Envoy plugin ○ Terraform ○ Kafka ○ SQL ○ Linux Open Policy Agent - https://www.openpolicyagent.org/
  • 30. OPA cont. Gatekeeper OPA Envoy plugin open-policy-agent/gatekeeper: Gatekeeper - Policy Controller for Kubernetes - https://github.com/open-policy-agent/gatekeeper open-policy-agent/opa-envoy-plugin: A plugin to enforce OPA policies with Envoy - https://github.com/open-policy-agent/opa-envoy-plugin
  • 31. Rego The Rego Playground - https://play.openpolicyagent.org/p/BYmNuNRZTs
  • 32. gokit microservice demo - authz https://github.com/cage1016/ms-demo- authz authorization RBAC implementation by OPA (open policy agent)
  • 33. { "rolePermissions": { "editor": ... "owner": [ { "method": "POST", "path": "/api/([^/]+)/add/sum" }, { "method": "POST", "path": "/api/([^/]+)/tictac/tic" }, { "method": "GET", "path": "/api/([^/]+)/tictac/tac" }, { "method": "GET", "path": "/api/([^/]+)/authz/roles" }, { "method": "GET", "path": "/api/([^/]+)/authz/roles/[a-zA-Z0-9_-~]{21}" } ] OPA JSON Data - Generate from 6 RBAC DB tables - DB policy change notifier update
  • 34. Request RequestAuthentication Request process AuthorizationPolicy istio-system istio-system401 403 Pod Envoy Service Pod ext-Authz 50051 Envoy 403 Authz Envoy Service DB
  • 36. Go-kit Istio Security https://github.com/cage1016/gokit-istio- security demo how to implement Authentication and custom Authorization with - Mixer - Envoy external and Open Policy Agent
  • 37. KAI CHU CHUNG GDE Cloud GDG Cloud Taipei co-organizers @CageChung https://kaichu.io Q & A