All About AuthZ

Over the past 10 years we've seen the rise of SaaS companies that sell products to dev and infra teams. Payments, communications, authentication and observability (to name a few) have all been revolutionized by companies like Stripe, Twilio, Auth0 and Datadog.

In a world where users care more about their privacy and expect collaboration features from their software, and where meeting compliance standards is table stakes, authorization is becoming one more concern that has to be addressed.

In this talk we'll go over what authorization is, some of its core concepts, the context that is making it a rising topic, and some of the alternatives (both buy and build) for solving it.

Damian Schenkelman

August 06, 2021

Transcript

  1. All about AuthZ
    @dschenkelman

  2. Building a SaaS in 2021…

  3. Security

  4. Privacy

  5. Compliance

  6. Table Stakes
    https://medium.com/pm-insights/how-to-pick-winning-product-features-7b03abcf7d12

  7. Collaboration

  8. Sharing

  9. Partnerships

  10. Differentiator
    https://medium.com/pm-insights/how-to-pick-winning-product-features-7b03abcf7d12

  11. Authorization

  12. NOT Authentication

  13. Authorization

  14. In the beginning…
    RBAC
    DELETE /customers/{id}

    // cookie.userId must come from an authenticated session (that is authentication, not authorization)
    const user = await db.users.get(cookie.userId);
    if (user.role === "admin") {
      // delete customer
      // return 204
    } else {
      // return 403
    }

    select role from users where userId = {uid};

  19. I want to use attributes from subject and object…
    ABAC
    DELETE /customers/{id}

    const user = await db.users.get(cookie.userId);
    const customer = await db.customers.get(req.path.id);
    // subject attribute (department) and object attribute (subscribed) decide together
    if (user.department === "IT" && !customer.subscribed) {
      // delete customer
      // return 204
    } else {
      // return 403
    }

    select department from users where id = {uid};
    select subscribed from customers where id = {cid};

  25. I want to know who did what…
    DELETE /customers/{id}

    // log: cookie.userId requesting authz to delete customer
    const user = await db.users.get(cookie.userId);
    const customer = await db.customers.get(req.path.id);
    if (user.department === "IT" && customer.unsubscribed) {
      // log: cookie.userId authorized to delete customer
      // delete customer
      // return 204
    } else {
      // log: cookie.userId unauthorized to delete customer
      // return 403
    }

    select department from users where id = {uid};
    select unsubscribed from customers where id = {cid};

  28. I want it to be reliable and fast…
    DELETE /customers/{id}
    (same handler and queries as slide 25)

  29. Access Review?
    Who can access what?

  30. Approval?
    Change Management

  31. Auditing?
    What happened?

  32. Reliability?

  33. Latency?

  34. Developer SaaS

  35. Approach #1: Policies

  36. Policy

  37. XACML
    http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

  38. Rego
    https://www.openpolicyagent.org/docs/latest/policy-language/

  39. Polar
    https://docs.osohq.com/reference/polar/polar-syntax.html

  40. Architecture
    Abstract
    PAP: Manage Policies → Policy Repository → Distribute Policies (to the PDP)
    1. can user delete customer? (caller → PEP)
    2. can user delete customer? (PEP → PDP)
    3. evaluate policy (PDP)
    4. get user and customer data (PDP → PIP, the original DB)
    5. user is authorized (PDP → PEP)
    6. delete customer (PEP)

  41. Architecture
    Concrete
    PAP: Manage Policies → Policy Repository → Distribute Policies (to the PDP)
    1. can user delete customer? (caller → PEP)
    2. can user delete customer? (PEP → PDP)
    4. get user and customer data (PDP → PIP, the original DB)
    5. user is authorized (PDP → PEP)
    6. delete customer (PEP)
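
    The PAP / PEP / PDP / PIP split from the two architecture slides, as an added example that is not code from the deck or from any of the products it names: the policy repository holds the RBAC and ABAC rules from the earlier slides as data, decide() plays the PDP (deny by default, and a decision log written there rather than in business logic), two lookup tables stand in for the PIPs, and the DELETE /customers/{id} handler shrinks to a PEP that only asks and enforces. The identifiers (USERS, CUSTOMERS, POLICY_REPOSITORY, decide, deleteCustomerHandler) and the sample data are constructed for illustration.

```javascript
// Added example, not from the deck: the PAP / PEP / PDP / PIP split of the
// architecture slide as plain functions. All names and data are assumptions.

// PIPs: constructed sample data standing in for the users and customers DBs.
const USERS = {
  "u-admin": { role: "admin", department: "Finance" },
  "u-it": { role: "member", department: "IT" },
  "u-sales": { role: "member", department: "Sales" },
};
const CUSTOMERS = {
  "c-1": { subscribed: false },
  "c-2": { subscribed: true },
};
const pips = {
  user: (id) => USERS[id] ?? null,
  customer: (id) => CUSTOMERS[id] ?? null,
};

// PAP output: the policy repository. Each rule names the (action, resource type)
// it applies to and a predicate over the attributes the PDP fetched.
// Rules are data, so changing who may delete is a policy change, not a deploy.
const POLICY_REPOSITORY = [
  {
    id: "rbac-admin-delete", action: "delete", resource: "customer",
    when: ({ user }) => user.role === "admin",
  },
  {
    id: "abac-it-unsubscribed", action: "delete", resource: "customer",
    when: ({ user, customer }) => user.department === "IT" && !customer.subscribed,
  },
];

// Decision log, written by the PDP so auditing lives outside business logic.
const DECISION_LOG = [];

// PDP: deny by default. A request is allowed iff some applicable rule is true.
// Missing subject or resource attributes are a deny, never an exception.
function decide(request) {
  const user = pips.user(request.subject);
  const customer = pips.customer(request.resourceId);
  let allow = false;
  let rule = null;
  if (user && customer) {
    for (const candidate of POLICY_REPOSITORY) {
      if (candidate.action !== request.action || candidate.resource !== request.resource) continue;
      if (candidate.when({ user, customer })) {
        allow = true;
        rule = candidate.id;
        break;
      }
    }
  }
  DECISION_LOG.push({
    ...request, allow, rule,
    reason: user && customer ? "policy" : "missing-attributes",
  });
  return { allow, rule };
}

// PEP: the DELETE /customers/{id} handler only asks and enforces.
// sessionUserId must come from an authenticated session, not a raw cookie value.
function deleteCustomerHandler(sessionUserId, customerId, deleted = []) {
  const { allow } = decide({
    subject: sessionUserId, action: "delete", resource: "customer", resourceId: customerId,
  });
  if (!allow) return 403;
  deleted.push(customerId); // stands in for the actual delete
  return 204;
}
```

    Two things the slides' inline version does not give you fall out of this shape: every decision (including denials for unknown users) lands in DECISION_LOG with the rule that matched, and a request for an action no rule covers is denied without any code path having to remember to say so.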

  42. Alternatives

  43. Advantages
    • Auditing is implemented outside of business logic

    • Authorization change management is simpler than having it in code

    • Easier to understand what authorization logic applies

  44. Disadvantages
    • Requires operating more components

  45. Architecture
    Services
    1. can user delete customer? (caller → PEP)
    2. can user delete customer? (PEP → PDP)
    4.1. get user data (PDP → PIP: users service)
    4.2. get customer data (PDP → PIP: customer service)
    5. user is authorized (PDP → PEP)

  46. Architecture
    Services + Multi-region
    us-west-2 and us-east-1 each run their own PEP, PDP and two PIPs
    1. can user delete customer? (caller → PEP)
    2. can user delete customer? (PEP → PDP)
    4.1. get user (PDP → PIP)
    4.2. get customer (PDP → PIP)
    5. user is authorized (PDP → PEP)

  47. Architecture
    Services + Multi-region + Failure
    us-west-2 and us-east-1, each with PEP, PDP and two PIPs (the same topology, with a failure in one region)

  48. Disadvantages
    • Requires operating more components

    • Does not handle storage of authz data

    • 👉 latency + reliability + scale

  49. Approach #2: "Zanzibar"

  50. Zanzibar
    Not this one…

  51. Google Zanzibar
    https://research.google/pubs/pub48190/

  52. ReBAC

  53. Multi-region

  54. Sweet spot
    Policies (AuthZ needs)
    DBaaS (handles data)
    Zanzibar "as a Service"

  55. Alternatives
    (disclaimer: I work on "Sandcastle")
    "Sandcastle"

  56. DEMO

  57. Architecture
    Sandcastle in "PDP Mode"
    1. can user delete customer? (nginx → Customer Service)
    2. check(user, delete, customer) (Customer Service → Sandcastle, acting as the PDP)
    3. user is authorized (Sandcastle → Customer Service)
    4. delete customer

  58. Enforcement

  59. Architecture
    Services + Multi-region + Sandcastle
    us-west-2 and us-east-1 each run nginx, a Users Service, a Customers Service and a Sandcastle instance
    check(user, delete, customer) is issued to Sandcastle in each region

  60. Advantages
    • Auditing is part of "aaS"

    • Authorization change management is simpler than having it in code

    • Easier to understand what authorization logic applies

    • Multi-region and operated by someone else

  61. Disadvantages
    • Many things are a relationship, but not everything (e.g. time of day)

  62. Approach #3: Combined

  63. Architecture
    Sandcastle in "PIP Mode"
    PAP: Manage Policies → Policy Repository → Distribute Policies (to the PDP)
    1. can user delete customer? (caller → PEP)
    2. can user delete customer? (PEP → PDP)
    3. evaluate policy (PDP)
    4. check(user, delete, customer) (PDP → PIP: Sandcastle)
    5. user is authorized (PDP → PEP)
    6. delete customer (PEP)

  64. Architecture
    Services + Multi-region + Sandcastle + Policies
    us-west-2 and us-east-1 each run PEP + PDP, a Users Service, a Customers Service and Sandcastle

  65. Sandcastle + OPA

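
    The relationship model behind the Zanzibar / ReBAC slides and the "PIP mode" of the combined approach, as one added example that is not code from the deck, from Sandcastle, from OPA or from Zanzibar itself: a tuple store with userset rewrites (the paper's this, computed_userset and tuple_to_userset) answers check(object, relation, user), and a policy function then combines that answer with a time-of-day condition, the kind of requirement slide 61 points out is not a relationship. The namespace config, the tuples, the business-hours rule and the function names (check, canDeleteCustomer) are assumptions constructed for illustration.

```javascript
// Added example, not from the deck, Sandcastle or Zanzibar: a Zanzibar-style
// relationship check with userset rewrites, then used as a PIP by a policy that
// also needs a non-relationship attribute. All names and data are assumptions.

// Namespace config: per object type, each relation and the rewrite rules that
// define it ("this" = direct tuples, "computed" = another relation on the same
// object, "ttu" = tuple-to-userset: follow a tuple to another object and check
// a relation there).
const NAMESPACES = {
  org: {
    admin: [{ type: "this" }],
    member: [{ type: "this" }, { type: "computed", relation: "admin" }],
  },
  group: { member: [{ type: "this" }] },
  customer: {
    org: [{ type: "this" }],
    // admins of the customer's org may delete it
    deleter: [{ type: "this" }, { type: "ttu", tupleset: "org", relation: "admin" }],
    // deleters and all org members may view it
    viewer: [
      { type: "this" },
      { type: "computed", relation: "deleter" },
      { type: "ttu", tupleset: "org", relation: "member" },
    ],
  },
};

// Constructed relation tuples object#relation@user. A user may itself be a
// userset "object#relation" (here: every member of group:support).
const TUPLES = [
  { object: "org:acme", relation: "admin", user: "user:alice" },
  { object: "org:acme", relation: "member", user: "user:bob" },
  { object: "group:support", relation: "member", user: "user:carol" },
  { object: "customer:42", relation: "org", user: "org:acme" },
  { object: "customer:42", relation: "viewer", user: "group:support#member" },
];

const MAX_DEPTH = 16; // bound on rewrite/userset recursion; fail closed beyond it

function tuplesFor(object, relation) {
  return TUPLES.filter((t) => t.object === object && t.relation === relation);
}

// check(object, relation, user): is user in the userset object#relation?
function check(object, relation, user, depth = 0) {
  if (depth > MAX_DEPTH) return false;
  const rules = NAMESPACES[object.split(":")[0]]?.[relation];
  if (!rules) return false; // unknown type or relation: deny
  for (const rule of rules) {
    if (rule.type === "this") {
      for (const t of tuplesFor(object, relation)) {
        if (t.user === user) return true;
        if (t.user.includes("#")) {
          const [obj, rel] = t.user.split("#");
          if (check(obj, rel, user, depth + 1)) return true;
        }
      }
    } else if (rule.type === "computed") {
      if (check(object, rule.relation, user, depth + 1)) return true;
    } else if (rule.type === "ttu") {
      for (const t of tuplesFor(object, rule.tupleset)) {
        if (check(t.user, rule.relation, user, depth + 1)) return true;
      }
    }
  }
  return false;
}

// Combined approach: the policy treats check() as a PIP and adds a condition
// that is not a relationship: deletes are allowed only between 09:00 and
// 18:00 UTC (an assumed business rule).
function canDeleteCustomer(user, customer, now) {
  const related = check(customer, "deleter", user);
  const hour = now.getUTCHours();
  const inWindow = hour >= 9 && hour < 18;
  return { allow: related && inWindow, related, inWindow };
}
```

    Note what the namespace config buys you: "alice can delete customer:42" is never stored; it is derived at check time from org:acme#admin@user:alice plus customer:42#org@org:acme, so revoking alice's org admin role revokes it everywhere without touching per-customer data. The depth bound is the practitioner's guard against cyclic usersets (a group that is a member of itself) turning a check into a hang.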
  66. Final Thoughts

  67. @auth0lab Resources
    • Sandcastle playground: https://learn.sandcastle.cloud/

    • Auth0 Lab discord: https://t.co/ybHn8hEOBl?amp=1

    • Authorization in Software: Subject Matter Expert Chats: https://www.youtube.com/playlist?list=PLZuCrkqyqw9wY0bCosGYDMI9enFpg_tk-

    • @auth0lab: https://twitter.com/auth0lab

  68. Resources
    • OPA: https://www.openpolicyagent.org/

    • Styra: https://www.styra.com/

    • OSOHQ: https://docs.osohq.com/

    • XACML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

    • NIST ABAC: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

    • RBAC: https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1992/10/13/role-based-access-controls/documents/ferraiolo-kuhn-92.pdf

  69. Resources
    • Facebook TAO: https://www.usenix.org/system/files/conference/atc13/atc13-bronson.pdf

    • Google Zanzibar: https://research.google/pubs/pub48190/

    • Himeji (Zanzibar @ Airbnb): https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574

    • AuthZ (Zanzibar @ Carta): https://medium.com/building-carta/authz-cartas-highly-scalable-permissions-system-782a7f2c840f

    • Authzed: https://authzed.com/

    • Ory Keto: https://www.ory.sh/keto/docs/

  70. Questions?

  71. Thanks!
    @dschenkelman

    @auth0lab
