
All About AuthZ

Over the past 10 years we've seen the rise of SaaS companies that sell products for dev and infra teams. Payments, communications, authentication, and observability (to name a few) have all been revolutionized by companies like Stripe, Twilio, Auth0 and Datadog.

In a world where users are starting to care more about their privacy, expect collaboration capabilities from their software, and where adhering to compliance standards is table stakes, Authorization is starting to become one of those concerns to be addressed.

In this talk we'll go over what Authorization is, some of its core concepts, the context that is making it a rising topic, and review some of the alternatives (both buy and build) to solve Authorization.

Damian Schenkelman

August 06, 2021

Transcript

  1. All about AuthZ @dschenkelman

  2. Building a SaaS in 2021…

  3. Security

  4. Privacy

  5. Compliance

  6. Table Stakes https://medium.com/pm-insights/how-to-pick-winning-product-features-7b03abcf7d12

  7. Collaboration

  8. Sharing

  9. Partnerships

  10. Differentiator https://medium.com/pm-insights/how-to-pick-winning-product-features-7b03abcf7d12

  11. Authorization

  12. NOT Authentication

  13. Authorization

  14–18. In the beginning… RBAC (one slide built up over five steps; the same handler and query throughout)

    DELETE /customers/{id}

    const user = await db.users.get(cookie.userId);
    if (user.role === "admin") {
      // delete customer
      // return 204
    } else {
      // return 403
    }

    select role from users where userId = {uid};

  19–24. I want to use attributes from subject and object… ABAC (one slide built up over six steps)

    DELETE /customers/{id}

    const user = await db.users.get(cookie.userId);
    const customer = await db.customers.get(req.path.id);
    if (user.department === "IT" && !customer.subscribed) {
      // delete customer
      // return 204
    } else {
      // return 403
    }

    select department from users where id = {uid};
    select subscribed from customers where id = {cid};

  25–27. I want to know who did what… (one slide built up over three steps: the decision is logged on the way in and on both branches)

    DELETE /customers/{id}

    // log: cookie.userId requesting authz to delete customer
    const user = await db.users.get(cookie.userId);
    const customer = await db.customers.get(req.path.id);
    if (user.department === "IT" && customer.unsubscribed) {
      // log: cookie.userId authorized to delete customer
      // delete customer
      // return 204
    } else {
      // log: cookie.userId unauthorized to delete customer
      // return 403
    }

    select department from users where id = {uid};
    select unsubscribed from customers where id = {cid};

  28. I want it to be reliable and fast… (the same handler as the previous slide)

    DELETE /customers/{id}

    // log: cookie.userId requesting authz to delete customer
    const user = await db.users.get(cookie.userId);
    const customer = await db.customers.get(req.path.id);
    if (user.department === "IT" && customer.unsubscribed) {
      // log: cookie.userId authorized to delete customer
      // delete customer
      // return 204
    } else {
      // log: cookie.userId unauthorized to delete customer
      // return 403
    }

    select department from users where id = {uid};
    select unsubscribed from customers where id = {cid};

  29. Access Review? Who can access what?

  30. Approval? Change Management

  31. Auditing? What happened?

  32. Reliability?

  33. Latency?

  34. Developer SaaS

  35. Approach #1: Policies

  36. Policy

  37. XACML http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

  38. Rego https://www.openpolicyagent.org/docs/latest/policy-language/

  39. Polar https://docs.osohq.com/reference/polar/polar-syntax.html

  40. Architecture: Abstract. Components: PAP (Manage Policies, Distribute Policies), Policy Repository, PEP, PDP, PIP (the original DB). Request flow:
    1. can user delete customer?
    2. can user delete customer?
    3. evaluate policy
    4. get user and customer data
    5. user is authorized
    6. delete customer

  41. Architecture: Concrete. Same components (PAP with Manage Policies / Distribute Policies, Policy Repository, PEP, PDP, PIP as the original DB); flow:
    1. can user delete customer?
    2. can user delete customer?
    4. get user and customer data
    5. user is authorized
    6. delete customer

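The PAP / PEP / PDP / PIP split from the two architecture slides above, as an added JavaScript example that is not from the talk and not from any of the policy engines it names (XACML, OPA, Oso). The policy repository, the two in-memory tables standing in for the users and customers stores, and every id, rule name and function name are constructed for the example. The point it makes is the one on the slides: the request handler (PEP) holds no authorization logic, the PDP fetches attributes from the PIPs and evaluates policy that is data rather than code, and every decision, allow or deny, is recorded for auditing.

```javascript
// Added example (not from the talk or any policy engine it names): the
// PAP / PEP / PDP / PIP split from the architecture slides, in plain Node.js.
// All tables, ids and rule names are constructed for the example.

// PAP + Policy Repository: policies are data that can be managed, reviewed and
// distributed separately from the service code. Each rule names an action and
// resource type and the condition over subject/resource attributes it needs.
const policyRepository = [
  {
    id: "it-can-delete-unsubscribed-customers",
    action: "delete",
    resourceType: "customer",
    condition: (subject, resource) =>
      subject.department === "IT" && resource.subscribed === false,
  },
  {
    id: "admins-can-delete-customers",
    action: "delete",
    resourceType: "customer",
    condition: (subject) => subject.role === "admin",
  },
];

// PIPs: where attributes live. In-memory maps stand in for the users and
// customers stores ("the original DB" on the slide).
const usersTable = new Map([
  ["u1", { id: "u1", role: "support", department: "IT" }],
  ["u2", { id: "u2", role: "support", department: "Sales" }],
  ["u3", { id: "u3", role: "admin", department: "Sales" }],
]);
const customersTable = new Map([
  ["c1", { id: "c1", subscribed: false }],
  ["c2", { id: "c2", subscribed: true }],
]);
const pips = {
  user: (id) => usersTable.get(id) || null,
  customer: (id) => customersTable.get(id) || null,
};

// PDP: fetches the attributes it needs from the PIPs, evaluates the matching
// rules and returns a decision plus an audit record. Deny by default: a
// missing subject or resource, or no matching rule, is a deny.
function decide(request, policies, infoPoints) {
  const audit = { ...request, decision: "deny", matched: null, reason: null };
  const subject = infoPoints.user(request.subjectId);
  const resource = infoPoints.customer(request.resourceId);
  if (!subject || !resource) {
    audit.reason = "missing subject or resource attributes";
    return audit;
  }
  for (const rule of policies) {
    if (rule.action !== request.action || rule.resourceType !== request.resourceType) continue;
    if (rule.condition(subject, resource)) {
      audit.decision = "allow";
      audit.matched = rule.id;
      return audit;
    }
  }
  audit.reason = "no rule allowed the request";
  return audit;
}

// PEP: the request handler. It holds no authorization logic of its own; it
// asks the PDP, records the outcome and maps the decision to a status code.
const auditLog = [];
function handleDeleteCustomer(subjectId, customerId) {
  const request = { subjectId, action: "delete", resourceType: "customer", resourceId: customerId };
  const outcome = decide(request, policyRepository, pips);
  auditLog.push(outcome); // who asked for what, what was decided, and why
  if (outcome.decision !== "allow") return { status: 403 };
  customersTable.delete(customerId); // the business operation itself
  return { status: 204 };
}

console.log(handleDeleteCustomer("u2", "c1")); // { status: 403 }: Sales, not admin
console.log(handleDeleteCustomer("u1", "c1")); // { status: 204 }: IT deleting an unsubscribed customer
```

Changing who may delete a customer now means changing a rule in `policyRepository`, not the handler, and the access-review and audit questions from later slides can be answered from the same data: the rules say who can do what, and `auditLog` says who did what and under which rule.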
  42. Alternatives

  43. Advantages
    • Auditing is implemented outside of business logic
    • Authorization change management is simpler than having it in code
    • Easier to understand what authorization logic applies

  44. Disadvantages • Requires operating more components

  45. Architecture: Services. Components: PEP, PDP, PIP (users service), PIP (customer service). Request flow:
    1. can user delete customer?
    2. can user delete customer?
    4.1. get user data
    4.2. get customer data
    5. user is authorized

  46. Architecture: Services + Multi-region. Two regions (us-west-2, us-east-1), each with its own PEP, PDP and two PIPs; same flow:
    1. can user delete customer?
    2. can user delete customer?
    4.1. get user
    4.2. get customer
    5. user is authorized

  47. Architecture: Services + Multi-region + Failure. Diagram only: the same two-region layout (PEP, PDP, PIP, PIP in each of us-west-2 and us-east-1) with a failure shown.

  48. Disadvantages
    • Requires operating more components
    • Does not handle storage of authz data
    • 👉 latency + reliability + scale

  49. Approach #2: "Zanzibar"

  50. Zanzibar Not this one…

  51. Google Zanzibar https://research.google/pubs/pub48190/

  52. ReBAC

  53. Multi-region

  54. Sweet spot: between Policies (AuthZ needs) and DBaaS (handles data) sits Zanzibar "as a Service"

  55. Alternatives: "Sandcastle" (disclaimer: I work on "Sandcastle")

  56. DEMO

  57. Architecture: Sandcastle in "PDP Mode". Components: Customer Service, nginx, Sandcastle (as the PDP). Flow:
    1. can user delete customer?
    2. check(user, delete, customer)
    3. user is authorized
    4. delete customer

  58. Enforcement

  59. Architecture: Services + Multi-region + Sandcastle. Two regions (us-west-2, us-east-1), each with a Users Service, a Customers Service, nginx and a Sandcastle instance; the services in each region call check(user, delete, customer).

  60. Advantages
    • Auditing is part of "aaS"
    • Authorization change management is simpler than having it in code
    • Easier to understand what authorization logic applies
    • Multi-region and operated by someone else

  61. Disadvantages
    • Many things are a relationship, but not everything (e.g. time of day)

  62. Approach #3: Combined

  63. Architecture: Sandcastle in "PIP Mode". Components: PAP (Manage Policies, Distribute Policies), Policy Repository, PEP, PDP, Sandcastle (as the PIP). Flow:
    1. can user delete customer?
    2. can user delete customer?
    3. evaluate policy
    4. check(user, delete, customer)
    5. user is authorized
    6. delete customer

  64. Architecture: Services + Multi-region + Sandcastle + Policies. Two regions (us-west-2, us-east-1), each with PEP, PDP, Users Service, Customers Service and Sandcastle.

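A minimal Zanzibar-style relationship store, as an added JavaScript example that is not from the talk, the Zanzibar paper or Sandcastle. It serves two passages: the ReBAC slides (check(user, relation, object) over relationship tuples, plus the "who can access what?" question from the access-review slide, answered here by expanding a relation to the users who hold it) and the combined approach of slide 63, where a policy uses the relationship check as one input and a non-relationship attribute, the hour of the request, as another. The schema, the tuples and every name are constructed for the example; the userset syntax "object#relation" follows the Zanzibar paper's notation but the implementation is this example's own.

```javascript
// Added example (not from the talk, Zanzibar or Sandcastle): a tiny
// relationship-based access control store. A tuple is (object, relation, subject);
// the subject is either a user id or a userset written "object#relation".
// Schema and data below are constructed for this example.

// Computed usersets: holding the relation on the right implies the one on the left.
const schema = {
  customer: {
    owner: [],
    editor: ["owner"],   // every owner is also an editor
    viewer: ["editor"],  // every editor is also a viewer
    deleter: ["owner"],  // only owners may delete
  },
  team: { member: [] },
};

const USERSET = /^(.+)#(.+)$/; // e.g. "team:support#member"

class RelationStore {
  constructor() { this.tuples = new Set(); }

  write(object, relation, subject) {
    this.tuples.add(`${object}#${relation}@${subject}`);
  }

  directSubjects(object, relation) {
    const prefix = `${object}#${relation}@`;
    return [...this.tuples]
      .filter((t) => t.startsWith(prefix))
      .map((t) => t.slice(prefix.length));
  }

  impliedBy(object, relation) {
    const type = object.split(":")[0];
    return (schema[type] && schema[type][relation]) || [];
  }

  // check(user, relation, object): true if the user holds the relation on the
  // object directly, through a userset (e.g. team membership) or through an
  // implied relation. `seen` stops infinite recursion on cyclic tuples.
  check(user, relation, object, seen = new Set()) {
    const key = `${object}#${relation}`;
    if (seen.has(key)) return false;
    seen.add(key);
    for (const subject of this.directSubjects(object, relation)) {
      if (subject === user) return true;
      const m = USERSET.exec(subject);
      if (m && this.check(user, m[2], m[1], seen)) return true;
    }
    return this.impliedBy(object, relation).some((r) => this.check(user, r, object, seen));
  }

  // Access review ("who can access what?"): expand (object, relation) to the
  // set of concrete users who hold it, following the same two kinds of edges.
  expand(object, relation, seen = new Set()) {
    const users = new Set();
    const key = `${object}#${relation}`;
    if (seen.has(key)) return users;
    seen.add(key);
    for (const subject of this.directSubjects(object, relation)) {
      const m = USERSET.exec(subject);
      if (m) this.expand(m[1], m[2], seen).forEach((u) => users.add(u));
      else users.add(subject);
    }
    for (const r of this.impliedBy(object, relation)) {
      this.expand(object, r, seen).forEach((u) => users.add(u));
    }
    return users;
  }
}

// Approach #3, combined: the relationship check is one input (the store acting
// as a PIP) and a non-relationship attribute, the hour of the request, is another.
function canDeleteCustomer(store, user, customerId, context) {
  const related = store.check(user, "deleter", `customer:${customerId}`);
  const inBusinessHours = context.hour >= 9 && context.hour < 17;
  return related && inBusinessHours;
}

// Constructed tuples.
const store = new RelationStore();
store.write("customer:c1", "owner", "user:alice");
store.write("customer:c1", "editor", "team:support#member");
store.write("team:support", "member", "user:bob");
store.write("customer:c2", "viewer", "user:carol");

console.log(store.check("user:bob", "viewer", "customer:c1"));          // true: team member -> editor -> viewer
console.log([...store.expand("customer:c1", "viewer")]);                 // [ 'user:bob', 'user:alice' ]
console.log(canDeleteCustomer(store, "user:alice", "c1", { hour: 10 })); // true
```

Everything the store answers comes from tuples and the schema, which is what makes it a good fit for a managed, multi-region service; the time-of-day condition is exactly the kind of input that is not a relationship, so in the combined approach it lives in the policy and the store is consulted as one information point among others.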
  65. Sandcastle + OPA

  66. Final Thoughts

  67. @auth0lab Resources
    • Sandcastle playground: https://learn.sandcastle.cloud/
    • Auth0 Lab discord: https://t.co/ybHn8hEOBl?amp=1
    • Authorization in Software: Subject Matter Expert Chats: https://www.youtube.com/playlist?list=PLZuCrkqyqw9wY0bCosGYDMI9enFpg_tk-
    • @auth0lab: https://twitter.com/auth0lab

  68. Resources
    • OPA: https://www.openpolicyagent.org/
    • Styra: https://www.styra.com/
    • OSOHQ: https://docs.osohq.com/
    • XACML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
    • NIST ABAC: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
    • RBAC: https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1992/10/13/role-based-access-controls/documents/ferraiolo-kuhn-92.pdf

  69. Resources
    • Facebook TAO: https://www.usenix.org/system/files/conference/atc13/atc13-bronson.pdf
    • Google Zanzibar: https://research.google/pubs/pub48190/
    • Himeji (Zanzibar @ Airbnb): https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574
    • AuthZ (Zanzibar @ Carta): https://medium.com/building-carta/authz-cartas-highly-scalable-permissions-system-782a7f2c840f
    • Authzed: https://authzed.com/
    • Ory Keto: https://www.ory.sh/keto/docs/

  70. Questions?

  71. Thanks! @dschenkelman @auth0lab