Slide 1

Beyond RBAC: Avoid broken ACLs in control planes with declarative Relation-based Access Control
Lucas Käldström, Jan 16, 2024, Helsinki

Slide 2

$ whoami
- Kubernetes Contributor, former maintainer => co-led kubeadm/cluster lifecycle work, ported Kubernetes to ARM
- CNCF Ambassador, meetup organizer
- 9-time KubeCon speaker
- Senior Software Engineer at [employer logo], formerly Weaveworks
- 1st-year MSc student at [university logo]

Slides 3-4

“All I want is a secure system where it's easy to do anything I want. Is that so much to ask?” – xkcd
Source: xkcd

Slides 5-7

Security landscape is rapidly changing … it is becoming more dynamic … and fragmented
(Photos by Maksym Kaharlytskyi and M Alazia on Unsplash)

Slide 8

OWASP API #1: Broken Object-level Authorization
“APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user.” – OWASP

Slide 9

OWASP API #3: Broken Property-level Authorization
“This category combines API3:2019 Excessive Data Exposure and API6:2019 - Mass Assignment, focusing on the root cause: the lack of or improper authorization validation at the object property level. This leads to information exposure or manipulation by unauthorized parties.” – OWASP

Slide 10

Challenges with Access Control

Slides 11-13

Challenge #1: Uniform enforcement
- Separation of concerns: Clearly separate all computation of policy decisions (Policy Decision Point, PDP) from enforcement (Policy Enforcement Point, PEP), even if “just” behind an interface.
- Policy Uniformity: Use a non-Turing-complete* policy language like Open Policy Agent or Cedar for uniform enforcement and policy description across services in the organization.
- Uniform Attributes: Every request to the PDP consists of {principal, action, resource, (attributes)}**
[Diagram: User, Policy Enforcement (PEP), Policy Decision (PDP) and Resource Access (RAP), with the request flow between them numbered 1-4]
*Or something that at least tries to be scoped down
**Sometimes you want to send the full payload as well, for ABAC

Slides 14-17

Challenge #2: Ensuring correctness
- Testing: Unit tests, static analysis, fuzzing, differential testing
- Policy Equality: A lot of bugs arise when you change/upgrade/refactor something and miss an edge case. Strive for a canonical representation of your ACL logic, so you can check for equality.
- Shadow rollout: Run both the new and the old policy in production, enforce the old one, and warn if the new one yields different results.
- Preventing Privilege Escalation: How can users be allowed to manage a subdivision of the authorization state without escalating their own, or someone else’s, privileges?

Slides 18-19

Challenge #3: Consistency and Availability (CAP)
A spectrum between “offline-only” and “online-only” modes.
- Offline-only: Rely only on attribute and role info in the credential (JWT or cert), with static policy based on that. => Hard (if not impossible) to revoke access before expiration.
- Online-only: Credentials carry only an ID; permissions are always looked up from a central database. The authorization system becomes a “single point of failure”. => Is it acceptable to cache and return potentially stale results?

Slides 20-23

Challenge #3: Consistency and Availability (CAP)
- Authorization state size: How much data can you process in working memory or put in a credential? High dimensionality => a database is needed.
- Change Propagation Delay: What is the upper bound for change propagation delays? One millisecond? One second? One minute? One hour? One day? One year?
- Causal Ordering: Google coined the “New Enemy Problem” in a paper of theirs, defined as “when we fail to respect the ordering between ACL updates or when we apply old ACLs to new content.”
- Time Complexity: How does the latency scale? O(n)? O(n²)? O(n³)?
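As an added illustration of the New Enemy Problem named above (not code from the talk or from Zanzibar), this constructed Python example gives every ACL write a monotonically increasing revision, stores the revision a document was saved under next to its content, and shows that a replica answering from an older snapshot applies the old ACL to the new content while the revision-aware check does not. The document, user names and text are made up.

```python
"""Snapshot-consistent permission checks against the "New Enemy Problem".
Constructed example modelled on Zanzibar's revision tokens; not Zanzibar's own code."""
from dataclasses import dataclass, field


@dataclass
class AclStore:
    """Append-only log of ACL writes. Each write gets a monotonically increasing
    revision, so replaying the log never reorders two updates."""
    log: list = field(default_factory=list)  # (revision, doc, user, allowed)
    head: int = 0

    def write(self, doc: str, user: str, allowed: bool) -> int:
        self.head += 1
        self.log.append((self.head, doc, user, allowed))
        return self.head  # token to store next to any content written after this change

    def allowed_at(self, doc: str, user: str, revision: int) -> bool:
        """Replay the ACL log up to `revision` (latest write wins)."""
        state = False
        for rev, d, u, ok in self.log:
            if rev <= revision and d == doc and u == user:
                state = ok
        return state


@dataclass
class ContentStore:
    """Each saved version records the ACL revision its author had observed when saving."""
    versions: dict = field(default_factory=dict)  # doc -> (text, acl_revision)

    def save(self, doc: str, text: str, acl_revision: int) -> None:
        self.versions[doc] = (text, acl_revision)


def check_naive(acl: AclStore, doc: str, user: str, snapshot: int) -> bool:
    """A replica answering from whatever ACL snapshot it happens to hold."""
    return acl.allowed_at(doc, user, snapshot)


def check_consistent(acl: AclStore, content: ContentStore, doc: str, user: str, snapshot: int) -> bool:
    """Never evaluate an ACL snapshot older than the revision the content was saved under:
    a stale replica must first advance at least to that revision before answering."""
    _, min_revision = content.versions[doc]
    effective = max(snapshot, min_revision)
    return acl.allowed_at(doc, user, effective)


def new_enemy_scenario():
    """Alice revokes Bob, then adds sensitive text. A replica still at the old ACL
    revision would let Bob read the new text (the "old ACLs to new content" case)."""
    acl, content = AclStore(), ContentStore()
    acl.write("doc:plan", "user:bob", True)           # revision 1: Bob can read
    content.save("doc:plan", "draft agenda", 1)
    token = acl.write("doc:plan", "user:bob", False)  # revision 2: Bob revoked
    content.save("doc:plan", "draft agenda + salary numbers", token)
    stale_replica = 1                                 # has not yet seen revision 2
    return (check_naive(acl, "doc:plan", "user:bob", stale_replica),
            check_consistent(acl, content, "doc:plan", "user:bob", stale_replica))


if __name__ == "__main__":
    naive, consistent = new_enemy_scenario()
    print(f"stale replica allows Bob: {naive}; revision-aware check allows Bob: {consistent}")
```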

Slides 24-26

Challenge #4: Observability
- Explainability: The system’s ability to provide the “reasons” for an access decision in both human- and machine-friendly form
- Lookupability: List all the resources a user can access with a permission, or all the users with a given permission to a resource
- Audit Logging: The system’s ability to log access control decisions to an append-only audit log

Slides 27-29

Relation-based Access Control (ReBAC)
- The Next Generation Access Control (NGAC) 2018 standard, developed by NIST, proposes a graph-based access control implementation that is a superset of the RBAC, ABAC, MLS, SoD, etc. paradigms.
- The Google Zanzibar paper (2019) describes how Google handles all its authorization concerns for Drive, YouTube, Gmail, etc. using one single graph with relations between users and resources.
=> The core idea is to “compile” the access control problem down to: “is there a relation of type get in the graph between user:lucas and document:todolist?”

Slides 30-32

Relation-based Access Control
1. App developer specifies an authorization model (schema)
   a. “Users can read or write folders, folders contain documents”
2. Write or import relationship data
   a. “User Lucas can read folder ‘customers’”
   b. “Folder ‘customers’ has documents ‘secret’ and ‘fooinc’”
3. Query the graph
   a. “Can user Lucas read document ‘secret’?” => true
   b. “Can user Lucas write document ‘secret’?” => false
   c. “What documents can user Lucas read?” => [“document:secret”, “document:fooinc”]
[Diagram: schema user –read/write→ folder –contains→ document; data user:lucas –read→ folder:customers –contains→ document:secret and document:fooinc]

Slide 33

ReBAC users or evaluators in the wild
[Logo grid grouped as Homegrown Zanzibar, Homegrown NGAC, OSS Zanzibar and Evaluating Zanzibar; named systems include Zanzibar, Himeji and AuthZ, each with a source link]

Slides 34-41

Implementing RBAC with ReBAC (Zanzibar schema)
[Diagram, built up over the slides: object types user, team (relation member), role (relation assignee), folder (relations viewer, editor, admin and parent) and document (relations viewer, editor, admin); folder contains document]

Slides 42-47

Implementing RBAC with ReBAC (Zanzibar data)
[Diagram, built up over the slides: user:bob, user:alice, team:employees (member), role:admins and role:public-edit (assignee), folder:acmeco and folder:public (viewer, editor, admin, parent), doc:salaryinfo and doc:templates (viewer, editor, admin), linked to their folders by contains edges]

Slides 48-52

Query: What documents does bob have access to?
[Same data graph as slides 42-47, stepped through over five slides]

Slides 53-58

Query: What documents does alice have access to?
[Same data graph as slides 42-47, stepped through over six slides]

Slides 59-61

Emulating ABAC with ReBAC (Zanzibar)
[Diagram: the workloads workload:prod-backend-eu, workload:prod-backend-us and workload:dev-backend-eu each derive read and write as the AND of read/write on their region attribute (attr-region:eu, attr-region:us; panel “Region definitions”) and on their environment attribute (attr-env:prod, attr-env:dev; panel “Environment definitions”); user:lucas is connected to the attribute objects by read/write relations]

Slides 62-66

Query: Which workloads can Lucas access?
[Same graph as slides 59-61, stepped through over five slides]
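The three ReBAC walkthroughs in this deck (folders and documents on slides 30-32, RBAC on slides 34-58 and the ABAC emulation on slides 59-66) all reduce to one evaluator over a schema of userset rewrites plus relation tuples. As an added example that is not SpiceDB, OpenFGA or Zanzibar code, this constructed Python toy implements check and the reverse lookup over a schema and data set modelled on the diagrams; the concrete edges, the reverse walk for the deck's “folder contains document” direction, and Lucas's attribute grants are assumptions, since the slides show only the node labels.

```python
"""Toy Zanzibar-style relation graph: a schema of userset rewrites plus relation tuples,
with check() and a reverse list_objects() lookup. Constructed example; not SpiceDB/OpenFGA code."""

# Rewrite rule per (object type, relation); a relation without a rule is direct tuples only.
#   ("this",)          direct tuples (obj, rel, subject); subject may be a set like team:x#member
#   ("computed", r)    same object, relation r            (every editor is also a viewer)
#   ("ttu", via, r)    obj --via--> X, then X#r           (Zanzibar tuple-to-userset, e.g. parent folder)
#   ("rttu", via, r)   X --via--> obj, then X#r           (reverse walk for "folder contains document")
#   ("union", ...) / ("intersection", ...)                (intersection is what makes ABAC emulation work)
SCHEMA = {
    # RBAC-with-ReBAC (slides 34-41): admin > editor > viewer, inherited from parent folders
    ("folder", "admin"):  ("union", ("this",), ("ttu", "parent", "admin")),
    ("folder", "editor"): ("union", ("this",), ("computed", "admin"), ("ttu", "parent", "editor")),
    ("folder", "viewer"): ("union", ("this",), ("computed", "editor"), ("ttu", "parent", "viewer")),
    ("doc", "admin"):     ("union", ("this",), ("rttu", "contains", "admin")),
    ("doc", "editor"):    ("union", ("this",), ("computed", "admin"), ("rttu", "contains", "editor")),
    ("doc", "viewer"):    ("union", ("this",), ("computed", "editor"), ("rttu", "contains", "viewer")),
    # ABAC emulation (slides 59-66): access to a workload = access on its region AND its environment
    ("workload", "read"):  ("intersection", ("ttu", "region", "read"), ("ttu", "env", "read")),
    ("workload", "write"): ("intersection", ("ttu", "region", "write"), ("ttu", "env", "write")),
}

# Constructed relation data, loosely modelled on the deck's diagrams (slides 42-47 and 59-61).
TUPLES = {
    ("team:employees", "member", "user:bob"),
    ("role:admins", "assignee", "user:alice"),
    ("role:public-edit", "assignee", "team:employees#member"),
    ("folder:acmeco", "admin", "role:admins#assignee"),
    ("folder:public", "editor", "role:public-edit#assignee"),
    ("folder:public", "parent", "folder:acmeco"),
    ("folder:acmeco", "contains", "doc:salaryinfo"),
    ("folder:public", "contains", "doc:templates"),
    ("workload:prod-backend-eu", "region", "attr-region:eu"),
    ("workload:prod-backend-eu", "env", "attr-env:prod"),
    ("workload:prod-backend-us", "region", "attr-region:us"),
    ("workload:prod-backend-us", "env", "attr-env:prod"),
    ("workload:dev-backend-eu", "region", "attr-region:eu"),
    ("workload:dev-backend-eu", "env", "attr-env:dev"),
    ("attr-region:eu", "read", "user:lucas"),  # assumed: Lucas may read EU ...
    ("attr-env:prod", "read", "user:lucas"),   # ... and prod, so only prod-backend-eu matches
}


def check(obj, rel, user, tuples=TUPLES, depth=0):
    """Is `user` a member of the userset obj#rel? Depth-limited so a cyclic graph cannot recurse forever."""
    if depth > 16:
        raise RecursionError(f"relation graph too deep while evaluating {obj}#{rel}")
    rule = SCHEMA.get((obj.split(":", 1)[0], rel), ("this",))
    return _eval(rule, obj, rel, user, tuples, depth)


def _eval(rule, obj, rel, user, tuples, depth):
    kind = rule[0]
    if kind == "this":
        for o, r, s in tuples:
            if o == obj and r == rel:
                if s == user:
                    return True
                if "#" in s:  # subject set: recurse into e.g. team:employees#member
                    so, sr = s.split("#", 1)
                    if check(so, sr, user, tuples, depth + 1):
                        return True
        return False
    if kind == "computed":
        return check(obj, rule[1], user, tuples, depth + 1)
    if kind == "ttu":
        return any(check(s, rule[2], user, tuples, depth + 1)
                   for o, r, s in tuples if o == obj and r == rule[1])
    if kind == "rttu":
        return any(check(o, rule[2], user, tuples, depth + 1)
                   for o, r, s in tuples if s == obj and r == rule[1])
    if kind == "union":
        return any(_eval(e, obj, rel, user, tuples, depth) for e in rule[1:])
    if kind == "intersection":
        return all(_eval(e, obj, rel, user, tuples, depth) for e in rule[1:])
    raise ValueError(f"unknown rewrite {kind!r}")


def list_objects(obj_type, rel, user, tuples=TUPLES):
    """Reverse lookup (slide 25): every object of obj_type on which `user` has `rel`.
    Brute force over every known object id; real implementations keep an index for this."""
    ids = {x for o, _, s in tuples for x in (o, s.split("#", 1)[0]) if x.startswith(obj_type + ":")}
    return sorted(x for x in ids if check(x, rel, user, tuples))


if __name__ == "__main__":
    print("bob views:", list_objects("doc", "viewer", "user:bob"))
    print("alice views:", list_objects("doc", "viewer", "user:alice"))
    print("lucas reads:", list_objects("workload", "read", "user:lucas"))
```

Bob reaches doc:templates only through team:employees#member → role:public-edit#assignee → folder:public#editor, while Alice reaches both documents because folder:public inherits folder:acmeco's admins via parent.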

Slides 67-68

The “lingua franca” of authorization?
Challenge: How do I map everything an employee has access to consistently throughout 10s of SaaS services and 10s of internal platforms and tools, to see what they can do?
😱 There is no de-facto “standard” for comparing, merging or joining various authorization policies.
🔥 Can ReBAC do this? Maybe!

Slides 69-72

The “lingua franca” of authorization?
Relation-based access control (ReBAC) provides an intriguing way of “emulating” or “supporting” a multitude of access control paradigms, e.g. RBAC, ABAC, Multi-level security (MLS), Separation of Duty, and so on.
A highly optimized index: The “compilation” to a graph
- makes lookups extremely fast
- provides for a consistent data format
- allows for auditing of graph schema and data

Slides 73-75

Authorization Graph is “Extremely Fast”?
Load test of the Zanzibar OSS implementation SpiceDB (similar for OpenFGA**):
- Graph structure: Social-media-like (Pareto distribution)
- Graph size: 100,000,000,000 edges (100G)
- Read load: 1,000,000 permission checks/second (1M)
- Write load: 1,000 writes/second (1%)
- Permission check latency*: ~3ms p50, ~6ms p95 (!)
- Permission write latency: ~16ms p50, ~50ms p95
*Check results here can be cached for at most 10 seconds in this setup
**Even without caching, OpenFGA records check latency of ~12ms p50 & ~20ms p95

Slide 76

ReBAC Datastores vs Policy Engines

                      ReBAC Datastore                 Policy Engine
State                 Stateful                        Mostly stateless
Response              Allow/Deny                      Any
Typing                Strong                          Strong or Dynamic
Topology              Centralized Server              Any (Client, Server, Embed)
Policy Updates        Via API                         Out of band
Lookup resources      Yes                             No
Consistency           Strong*                         Eventual
Best for              Hierarchical roles or attrs     ABAC
Preprocessing needed  Yes                             No

*If you make your app support it, and back the store with a consistent database

Slides 77-83

Putting it all together
[Architecture diagram, built up over the slides: the User calls the API Server, whose request path runs Authenticator, Flow Control, Authorizer, Admission and Storage, with an Audit Log. The Authorizer issues Check calls to a ReBAC Server backed by a ReBAC Database, and the List Filter issues ListResources calls to it; Admission consults a Policy Engine and contains Privilege Escalation Prevention; Authorization State Update sends WriteRelations to the ReBAC Server; a Syncer reads data from SaaS/Partners and also sends WriteRelations.]

Slides 84-86

Kubernetes as the generic control plane!
- Kubernetes provides everything needed for a generic control plane ✅ Extensible, uniform REST API, authn/z, audit, controllers, etc.
- OPA, Cedar and CEL are good implementations of policy engines
- SpiceDB and OpenFGA are good OSS ReBAC implementations
🙌 You don’t have to make it all yourself! Instead, let’s put the ready-made components together.
🚀 Join us Upbounders in the OSS community to explore this area!

Slide 87

Thank you!
[email protected] / [email protected]
GitHub: @luxas
Twitter: @kubernetesonarm
LinkedIn: @luxas
CNCF/Kubernetes/Crossplane Slack: @luxas

Slide 88

Other sources (not a fully exhaustive list)
- Everything is a graph – Matt Rickard
- OpenID Shared Signals Working Group
- OpenID AuthZen Working Group
- It’s time for Authorization Standards – AuthZEN – CNCF Blog – Omri Gazitt
- API Improvement Proposals, on (Control/Data) Planes and Authorization – Google
- The Authorization in Software Podcast – Damian Schenkelman
- The Cedar Language and Policy Based Authorization – Emina Torlak
- All things Rego, OPA and Styra – Tim Hinrichs
- NGAC sample implementation (not production ready!) – NIST
- Fine-Grained Policies RBAC with NGAC – José Carlos Chávez
- Using Policy as Code for Enterprise wide Authorization - Demo – Ignasi Barerra
- NGAC demo for Service Mesh – Tetrate
- ABAC on SpiceDB: Enabling Netflix’s Complex Identity Types – Chris Wolfe, Joey Schorr, and Victor Roldan Betancort
- Pitfalls of JWT Authorization – Jimmy Zelinskie
- Policy-Based Access Control (PBAC) vs Google Zanzibar: When You Should Use One or the Other – Evan Cordell
- Enforcing Causal Ordering in Distributed Systems: The Importance of Permissions Checking – Jake Moshenko
- Higher-level OpenFGA Client – Canonical