Flava IAM: Bridging Security and Usability with Athenz

'MBWB*".#SJEHJOH4FDVSJUZBOE6TBCJMJUZ XJUI"UIFO[ -*/&1-64 +BFXPO)FP

#BDLHSPVOE 8IBU*".4IPVME#F #VJMEJOH'MBWB*".XJUI"UIFO[ ,FZ*NQSPWFNFOUT $IBMMFOHFT-FTTPOT
4VNNBSZ/FYU4UFQT $POUFOUT

#BDLHSPVOE

8IBUJT*".JO$MPVE ⎯ 4ZTUFNUIBUTFDVSFMZNBOBHFTVTFSBOESFTPVSDFBDDFTTQFSNJTTJPOTJOBDMPVE FOWJSPONFOU • 4ZTUFNUIBUEFGJOFTBOENBOBHFTlXIP DBOEPXIBUzJOUIFDMPVE • 'PSFYBNQMF +BFXPO)FPDBOVQMPBEGJMFTUPUIFSFQPTJUPSZ
⎯ 5PEBZTTUPSZJTBCPVUEFWFMPQJOHUIJT*". *".*EFOUJUZBOEBDDFTTNBOBHFNFOU

/FX$MPVE1MBUGPSN ⎯ 5IFNFSHFSPG:BIPP+"1"/BOE-*/&JOUFHSBUFEJOUFSOBMJOGSBTUSVDUVSFT ⎯ *OUFSOBM$MPVE1MBUGPSNXBTBMTPJODMVEFEJOUIJTJOUFHSBUJPOVOEFSUIFOBNF'MBWB ⎯ (PBM$PNCJOFUIFTUSFOHUITPGFYJTUJOHDMPVE*".TPMVUJPOTGSPNCPUI /FX$MPVE1MBUGPSN'MBWB

8IBU*".4IPVME#F

• #BMBODFE#SPLFS • 균형 잡힌 중개자 • όϥϯεͷऔΕͨϒϩʔΧʔ *".4IPVME#F

8IZ*"..BUUFSTJOUIF$MPVE 6TFS 1SPWJEFS 3FRVFTU1FSNJTTJPO "TTJHO1FSNJTTJPO 6TJOHQSPEVDU JOUIFDMPVE %FMJWFSJOHQSPEVDU JOUIFDMPVE

8IZ*"..BUUFSTJOUIF$MPVE .BOBHFNVMUJQMF TFSWJDFT QFSNJTTJPOT #VJMETFQBSBUF "VUI/;

8IZ*"..BUUFSTJOUIF$MPVE *". *".JTVOJGJFEDPOUSPMQPJOUGPSBDDFTT

*".BTB#BMBODFE#SPLFS "VUPOPNZ *ODPOTJTUFODZ %FDFOUSBMJ[FE $POUSPM 6OJGPSNJUZ $FOUSBMJ[FE3JTL *".TIPVMECFBCSPLFSCBMBODJOHTFDVSJUZBOEVTBCJMJUZ -PXJOWPMWFNFOU )JHIJOWPMWFNFOU

-FBSOJOHGSPNUIF1BTU ⎯ #VJMUEJSFDUMZPO"UIFO[ XJUINJOJNBMBCTUSBDUJPO ⎯ ✅ 1SPWJEFSTIBEIJHIBVUPOPNZ 4FDVSF ⎯ 🤔
1MBZFEBMJNJUFESPMFJODMPVEVTFSFYQFSJFODF)JHISFTQPOTJCJMJUZPOQSPWJEFST 4FDVSFCZ%FTJHO CVU-FTT*OUFHSBUFE :BIPP+"1"/$MPVE

⎯ 3PMFCBTFEBDDFTTNBOBHFEWJB0QFO4UBDL,FZTUPOF ⎯ ✅ 4JNQMFBOEDPOTJTUFOU69UISPVHIDFOUSBMJ[FEDPOUSPM ⎯ 🤔 %JGGJDVMUUPTVQQPSUQSPEVDUTQFDJGJDQFSNJTTJPOT $FOUSBMJ[FECVU*OGMFYJCMF -*/&$MPVE
-FBSOJOHGSPNUIF1BTU

0VS"QQSPBDI 5PCFDPNF#BMBODFE#SPLFS -*/& $MPVE :BIPP +"1"/ $MPVE 'MBWB *". "VUPOPNZ
4FDVSJUZ $POTJTUFODZ 4JNQMJDJUZ "UIFO[ 6* 4FDVSJUZ 1SFTFSWJOH69

#VJMEJOH'MBWB*".XJUI"UIFO[

8IBUJT"UIFO[ ⎯ 'JOFHSBJOFE3PMF1PMJDZ.PEFM ⎯ .VMUJUFOBODZTVQQPSU ⎯ .VMUJQMF"VUI.FUIPET Y 0"VUI ⎯
.PEVMBS TDBMBCMFBSDIJUFDUVSF ⎯ 1SPWFOTUBCJMJUZ CBTJTPG:BIPP+"1"/$MPVE*". "UIFO[0QFOTPVSDF3#"$"VUI/"VUI; 1MBUGPSN

3PMF#BTFE"DDFTT$POUSPM 4FSWFS "ENJO %BUBCBTF"ENJO • $SFBUF4FSWFS • -JTU4FSWFS • 6QEBUF4FSWFS
• %FMFUF4FSWFS • $SFBUF%# • -JTU%# • 6QEBUF%# • %FMFUF%# 4FSWJDF "DDPVOU 6TFS 1SJODJQBM 3PMF 1PMJDZ

%BUBNPEFM

%BUBNPEFM %PNBJO "MPHJDBMHSPVQJOHPG SFTPVSDFTBOEQPMJDJFT

%BUBNPEFM 3PMF "DPMMFDUJPOPGQSJODJQBMT XIPBSFHSBOUFETQFDJGJD QFSNJTTJPOT

%BUBNPEFM 1PMJDZ "TFUPGSVMFTUIBUEFGJOF XIBUBDUJPOTSPMFTDBO QFSGPSNPOXIJDI SFTPVSDFT

%BUBNPEFM 1SJODJQBMT &OUJUZUIBUDBOCF BTTJHOFEUPSPMFTBOE HSBOUFEBDDFTTSJHIUT

6TFS4DFOBSJP 6TFS "UIFO[ 1SPWJEFS%PNBJO "DDFTTUP 3FTPVSDF 6TFS 1SPWJEFS 4JEFDBS 5PLFO4ZTUFN
1SPWJEFS4FSWJDF (SBOUQFSNJTTJPO 3PMF 1PMJDZ 1SPWJEFS 1SPDFTT 1SPWJEFS

(FU5PLFO 1SPWJEFS4FSWJDF (SBOUQFSNJTTJPO 3PMF 1PMJDZ 1SPWJEFS 1SPDFTT 1SPWJEFS

(FU5PLFO 3FRVFTUXJUI5PLFO 1SPWJEFS4FSWJDF (SBOUQFSNJTTJPO 3PMF 1PMJDZ 1SPWJEFS 1SPDFTT 1SPWJEFS

(FU5PLFO 3FUSJFWF1PMJDZ 3FRVFTUXJUI5PLFO 1SPWJEFS4FSWJDF (SBOUQFSNJTTJPO 3PMF 1PMJDZ 1SPWJEFS 1SPDFTT 7BMJEBUF5PLFO 7FSJGZ1PMJDZ 1SPWJEFS

(FU5PLFO 3FUSJFWF1PMJDZ 3FRVFTUXJUI5PLFO 1SPWJEFS4FSWJDF (SBOUQFSNJTTJPO 3PMF 1PMJDZ 1SPWJEFS 1SPDFTT 'PSXBSEJOH 3FRVFTU 7BMJEBUF5PLFO 7FSJGZ1PMJDZ 1SPWJEFS

5FOBODZ ⎯ *UMFUTQSPWJEFSTHJWFVTFSTQFSNJTTJPOUPNBOBHFXIPHFUTBDDFTT XJUIPVU NBOBHJOHFWFSZNFNCFSTUIFNTFMWFT 6TFS %PNBJO 1SPWJEFS %PNBJO 5SVTU
6TFS" 4FSWJDF# 5SVTU6TFS%PNBJO 6TFS" 4FSWJDF# "DDFTTUP 3FTPVSDF 6TF1SPWJEFS %PNBJO3PMF 3PMF 1PMJDZ %FMFHBUFE3PMF

6TFS4DFOBSJP 5FOBODZ 6TFS 6TFS DBOTQFDJGZXIJDI1SJODJQBMT BSFHSBOUFEQFSNJTTJPOT 1SPWJEFSTGPDVTPOXIBU3PMF1PMJDZ DPNCJOBUJPOTUPDSFBUF 1SPWJEFS%PNBJO 6TF1SPWJEFS
%PNBJO3PMF "DDFTTUP 3FTPVSDF 6TFS%PNBJO 5SVTU6TFS %PNBJO 6TFS" 4FSWJDF# 1SPWJEFS %FDFOUSBMJ[FE QFSNJTTJPONBOBHFNFOUXJUITFBNMFTTNVMUJUFOBOUEFMFHBUJPO

"SDIJUFDUVSF "UIFO[ "1*4FSWFS 6*6TFS $BDIF 1SPKFDU .FUBEBUB 1SPWJEFS $BUBMPH 'MBWB*".
⎯ 'MBWB*".JT -BZFSUPNBLF"UIFO[ FBTJFSGPSVTFSTBOEQSPWJEFSTUPVTF ⎯ 1FSNJTTJPOTUPJOEJWJEVBM"UIFO[ %PNBJOTBSFTUJMMIFMECZUIF6TFSBOE1SPWJEFS

3FMBUJPOTCFUXFFO'MBWB*".BOE"UIFO[ "UIFO[ 'MBWB*".

3FMBUJPOTCFUXFFO'MBWB*".BOE"UIFO[ 1SPKFDU "UIFO[ 'MBWB*". 6TFS%PNBJO 1SPWJEFS%PNBJO %BUBCBTF 1SPWJEFS%PNBJO 4FSWFS 5IFSFRVJSFE%PNBJOJT
DSFBUFEXIFOUIF1SPKFDU JTDSFBUFE

3FMBUJPOTCFUXFFO'MBWB*".BOE"UIFO[ 1SPKFDU "UIFO[ 'MBWB*". 6TFS%PNBJO 1SPWJEFS%PNBJO %BUBCBTF 1SPWJEFS%PNBJO 4FSWFS -JTU4FSWFS
4FSWFS 3FBEPOMZ $36% %BUBCBTF %#"ENJO "DDFTT %BUBCBTF %#"DDFTT $SFBUF3PMFTCBTFE PO1SFEFGJOFE 5FNQMBUFT $36% 4FSWFS 4FSWFS "ENJO 5SVTU

3FMBUJPOTCFUXFFO'MBWB*".BOE"UIFO[ 1SPKFDU 6TFS 4FSWJDF "DDPVOU 3PMF(SPVQ "UIFO[ 'MBWB*". 6TFS%PNBJO 1SPWJEFS%PNBJO
%BUBCBTF $36% 4FSWFS 4FSWFS "ENJO %#"ENJO 6TFS 1SPWJEFS%PNBJO 4FSWFS -JTU4FSWFS 4FSWFS 3FBEPOMZ $36% %BUBCBTF %#"ENJO 3FBE %BUBCBTF %#"DDFTT 4FSWFS 3FBEPOMZ 4FSWJDF 4FSWFS"ENJO %#"ENJO 6TFST 4FSWJDFT .PEJGZUIF3PMF1PMJDZJO 6TFS%PNBJOUIBU DPSSFTQPOETUP'MBWB*".

3FMBUJPOTCFUXFFO'MBWB*".BOE"UIFO[ 1SPKFDU 6TFS" 4FSWJDF "DDPVOU 3PMF(SPVQ "UIFO[ 'MBWB*". 6TFS%PNBJO 1SPWJEFS%PNBJO
%BUBCBTF $36% 4FSWFS 4FSWFS "ENJO %#"ENJO 6TFS" 1SPWJEFS%PNBJO 4FSWFS -JTU4FSWFS 4FSWFS 3FBEPOMZ $36% %BUBCBTF %#"ENJO 6TFS" 3FBE %BUBCBTF %#"DDFTT 4FSWFS 3FBEPOMZ 4FSWJDF 4FSWFS"ENJO %#"ENJO 6TFST 4FSWJDFT .PEJGZUIF3PMF1PMJDZJO 6TFS%PNBJOUIBU DPSSFTQPOETUP'MBWB*".

,FZ*NQSPWFNFOUT

6TFS69*NQSPWFNFOUT ⎯ 🔍 $MFBSFS7JFXTCZ6TFSBOE3PMF ⎯ 🧩 'MFYJCMF8BZTUP.BOBHF3PMFT ⎯ 🕒 #VJMUJO1FSNJTTJPO3FWJFXT
$MFBSFSBOE.PSF"DUJPOBCMFGPS6TFST

6* 1SPKFDU

6* 6TFS

6* 3PMFHSPVQ

6* 3PMF

6* 2VBSUFSMZ3FWJFX

1SPWJEFS69*NQSPWFNFOUT 6TFS "UIFO[ 1SPWJEFS"1* 1SPWJEFS"1* 1SPWJEFS"1* ⎯ $VTUPN"1*TXFSFOFFEFEGPSQFSNJTTJPOT ⎯ &BDIQSPWJEFSNBOBHFEJUTPXO"UIFO[
EPNBJO ⎯ )JHIPQFSBUJPOBMCVSEFO #FGPSF

1SPWJEFS69*NQSPWFNFOUT 6TFS "UIFO[ 'MBWB*". 1SPWJEFS $BUBMPH ⎯ %PNBJOSPMFTDSFBUFEWJB"UIFO[ UFNQMBUF ⎯
'MBWB*".IBTMJNJUFEQFSNJTTJPOTPO%PNBJO 4UJMM4FDVSF ⎯ /PDVTUPN"1*PSEJSFDU"UIFO[ IBOEMJOHCZ1SPWJEFS • -PXFSFGGPSU)JHIFSDPOTJTUFODZ "GUFS 5FNQMBUFT

"UIFO[ 5FNQMBUF template: metadata: - template-name: flava-provider-function-v1 roles: - name:
function_admin trust: _userDomain_ - name: function_readonly trust: _userDomain_ policies: - name: function_admin assertions: - grant * to function_admin on function.* - name: function_readonly assertions: - grant GET to function_readonly on function.api.*

function_admin trust: _userDomain_ - name: function_readonly trust: _userDomain_ policies: - name: function_admin assertions: - grant * to function_admin on function.* - name: function_readonly assertions: - grant GET to function_readonly on function.api.* %FGJOF3PMFT UIBUUSVTUT 6TFSEPNBJO

function_admin trust: _userDomain_ - name: function_readonly trust: _userDomain_ policies: - name: function_admin assertions: - grant * to function_admin on function.* - name: function_readonly assertions: - grant GET to function_readonly on function.api.* %FGJOF1PMJDJFT

1SPWJEFS$BUBMPH flava-faas: register: type: template template: name: flava-provider-function-v1 admins: -
flava-iam.dev.flava-faas.faas-api authority: type: athenz athenz: includeRoles: - name: function_admin description: ”All permissions provided for all function resources." - name: function_readonly description: "Read permissions provided for all function resources." 3FHJTUFSUFNQMBUFT BOEVTFSSPMFT UPDBUBMPH

$IBMMFOHFT-FTTPOT

1SJODJQBMWT3PMF"VUIFOUJDBUJPO "VUIFOUJDBUJPO1SJODJQBMWT3PMF ⎯ 1SJODJQBM"VUIFOUJDBUJPO 8IBUDBOUIJT1SJODJQBMEP • "MXBZTSFGMFDUTDVSSFOUQFSNJTTJPOT • 3FRVJSFTDFOUSBMRVFSZ QPUFOUJBMCPUUMFOFDL
⎯ 3PMF"VUIFOUJDBUJPO8IBUDBOUIJT3PMFEP • 4VJUTEJTUSJCVUFE IJHITDBMFVTFDBTFT *GUIF3PMFT1PMJDZSBSFMZDIBOHFT • -FTTQSFDJTFBVEJUJOH

"VUIFOUJDBUJPO1SJODJQBMWT3PMF ⎯ 'MBWB1SPWJEFSTDBOVTFCPUIXBZ ⎯ 1SJODJQBM"VUIWJB'MBWBDVTUPN1SPYZGPSMPXUSBGGJD BVEJUIFBWZTDFOBSJPT $36% QSPEVDUNBOBHFNFOU ⎯
3PMF"VUIWJB"UIFO[ "VUIPSJ[BUJPO1SPYZGPSIJHIUSBGGJD SFTPVSDFBDDFTTDBTFT 0VS"QQSPBDIJO'MBWB*".

*OUFHSBUFXJUI,FZTUPOF ⎯ 0QFO4UBDLQSPEVDUTIBWFIBEUPDPOUJOVFUPVTF,FZTUPOF ⎯ )BWJOHUXPCBDLFOETXBTBDIBMMFOHF 1SPCMFN "UIFO[ 'MBWB*". ,FZTUPOF 6QEBUF#PUI
🤔

*OUFHSBUFXJUI,FZTUPOF ⎯ "VUIFOUJDBUJPO$POWFSU"UIFO[ UPLFOUP,FZTUPOFUPLFOWJB,FZTUPOF GFEFSBUJPONBQQJOH ⎯ "VUIPSJ[BUJPO6QEBUFUP"UIFO[ JO'MBWB*".BOETZODISPOJ[F 1SJODJQBMTJO "UIFO[
SPMFTXJUISPMFTJO,FZTUPOFJO0QFO4UBDL ⎯ $BODPOUJOVFUPVTF"UIFO[ BTBTJOHMFTPVSDFPGUSVUI 5IBOLTUP*BB45FBN 4PMVUJPO 3FTVMU "UIFO[ 'MBWB*". ,FZTUPOF 6QEBUF 4ZOD

4VNNBSZ/FYU4UFQT

4VNNBSZ ⎯ *".TIPVMECBMBODF4FDVSJUZBOE6TBCJMJUZ • #FJOHUPPQBTTJWFMFBETUPQPPSVTBCJMJUZ • #FJOHUPPBHHSFTTJWFDPNQSPNJTFTTFDVSJUZ ⎯ 'MBWB*".JTWBMVFBEEFEMBZFSUP"UIFO[ FOIBODJOHUIF69XIJMFLFFQJOHVTFST
BOEQSPWJEFSTTFDVSF • *OIFSJUFEUIFWBMVFTPG-*/&$MPVEBOE:BIPP+"1"/$MPVE *".BTB#BMBODFE #SPLFS

/FYUTUFQT ⎯ 1SPEVDUBENJOTXJUI'JOF(SBJOFE*".QFSNJTTJPO • $VSSFOU*".NPEFMJTFJUIFSGVMMQFSNJTTJPOBTTJHONFOUPSSFBEPOMZ • .BLF1SPEVDUBENJOTDBOEJSFDUMZBTTJHOQFSNJTTJPOTGPSUIFJSPXOSFTPVSDFT ⎯ *".BTB4FSWJDF •
&NQPXFSJOH$MPVE6TFSTBT1SPWJEFST • 4FMG4FSWJDF"VUIPSJ[BUJPOJOUFHSBUFEXJUI'MBWBQSPEVDUT /FYUTUFQT

5IBOL:PV

Flava IAM: Bridging Security and Usability with...

Flava IAM: Bridging Security and Usability with Athenz

More Decks by LINEヤフーTech (LY Corporation Tech)

Other Decks in Technology

Featured

Transcript