With no built-in solutions for managing user accounts, Kubernetes has to rely on external systems for this. Can we use one UAA solution for both Cloud Foundry and Kubernetes authentication while building a hybrid deployment?
6. @altoros@altoros
What is Authentication and Authorization
• Authentication (AuthN) - determining the identity of a user, server, or client.
• Authorization (AuthZ) - determining whether that user, server, or client has permission to do something.
7. AuthN and AuthZ consumers in Kubernetes
• Operators (using kubectl command-line tool)
• Internal communication:
  • Pods
  • Control Plane (apiserver, controller, scheduler etc.)
14. OpenID Connect AuthN Plugin
• Delegate authentication of users to a trusted IdP.
• Extension for OAuth 2.0.
• “OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.”
18. What is UAA
• User Account and Authorization server
• OAuth2 server
• SAML, LDAP and OpenID Connect integration
• Supports APIs for user account management
• APIs defined by the specs for OAuth2 and OpenID Connect
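19. How Does it Work with Kubernetes?
Participants: User, kubectl, Identity Provider, API Server
• User → Identity Provider: Login to IdP
• Identity Provider → User: IdP provides access_token and id_token
• User → kubectl: Call kubectl using provided id_token
• kubectl → API Server: Send token in Authorization header to the API server
• API Server: Validate JWT signature
• API Server: Check id_token expiration date
• API Server: User authorized?
• API Server → kubectl: Send response to kubectl
• kubectl → User: Send result to the user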
24. RBAC and ABAC comparison
| RBAC | ABAC |
| --- | --- |
| Authorization policy changes can be made using kubectl command-line tool. | Requires SSH and file system access on Kubernetes Master to make changes in authorization policy file. |
| Changes are applied on the fly. | Operator must restart API server to pick up new policy. |
| Authorization is managed by Kubernetes API. | Authorization is managed by user-configured local file. |
26. Configure OpenID Connect in Kubernetes
Just configure additional flags on the API server:
• --oidc-issuer-url=URL
• --oidc-client-id=ID
• --oidc-username-claim=email
• --oidc-ca-file=/k8s-ca.em
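The checks from the "How Does it Work with Kubernetes?" flow, driven by the values behind the `--oidc-*` flags, as an added Go example (not code from the slides, Kubernetes or UAA). `OIDCConfig`, `Authenticate`, the demo IdP helpers, the issuer URL, the client ID and the e-mail address are assumptions made for illustration; the example also checks that the token's issuer and audience match the configured issuer URL and client ID.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// OIDCConfig holds the values given to the API server flags on the slide.
type OIDCConfig struct {
	IssuerURL     string // --oidc-issuer-url
	ClientID      string // --oidc-client-id
	UsernameClaim string // --oidc-username-claim
}

var (
	ErrMalformed = errors.New("malformed id_token")
	ErrSignature = errors.New("signature check failed")
	ErrExpired   = errors.New("id_token expired")
	ErrClaims    = errors.New("issuer or audience mismatch")
	ErrNoUser    = errors.New("username claim missing")
	b64          = base64.RawURLEncoding
)

// Authenticate returns the configured username claim of a valid id_token.
// It always verifies RS256 with the IdP key; the "alg" header is never consulted.
func Authenticate(token string, key *rsa.PublicKey, cfg OIDCConfig, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", ErrMalformed
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return "", ErrSignature
	}
	// Claims are parsed only after the signature has verified.
	payload, err := b64.DecodeString(parts[1])
	var claims map[string]interface{}
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return "", ErrMalformed
	}
	exp, ok := claims["exp"].(float64)
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return "", ErrExpired
	}
	if iss, _ := claims["iss"].(string); iss != cfg.IssuerURL || !audienceHas(claims["aud"], cfg.ClientID) {
		return "", ErrClaims
	}
	if user, ok := claims[cfg.UsernameClaim].(string); ok && user != "" {
		return user, nil
	}
	return "", ErrNoUser
}

// audienceHas accepts both JSON forms of "aud": one string or an array.
func audienceHas(aud interface{}, id string) bool {
	if s, ok := aud.(string); ok {
		return s == id
	}
	list, _ := aud.([]interface{})
	for _, a := range list {
		if s, ok := a.(string); ok && s == id {
			return true
		}
	}
	return false
}

// NewDemoKey and SignDemoToken play the IdP for this example only.
func NewDemoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func SignDemoToken(key *rsa.PrivateKey, claims map[string]interface{}) string {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	key, now := NewDemoKey(), time.Now()
	cfg := OIDCConfig{"https://uaa.example.test/oauth/token", "kubernetes", "email"} // constructed values
	token := SignDemoToken(key, map[string]interface{}{"iss": cfg.IssuerURL, "aud": cfg.ClientID,
		"email": "dev@example.test", "exp": now.Add(time.Hour).Unix()})
	fmt.Println(Authenticate(token, &key.PublicKey, cfg, now))
}
```

Passing authentication only yields a username; whether that user may perform the request is still decided by the authorization step (RBAC or ABAC).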
28. Lessons Learned
• Use one solution for Cloud Foundry and Kubernetes
• OpenID Connect includes discovery
• Easy to configure
• Minimize password security risks