Implementing Authorization - Torin Sandall, Styra

Whether you are building software for the enterprise, for mobile, or for internal microservices, security matters. Standards such as SAML, OIDC and SPIFFE help you solve identity and authentication, but authorization is out of scope for them. When you need to control "who can do what" in your application, you are on your own. To solve authorization you may be tempted to hard-code logic against SAML assertions, scopes or X.509 attribute certificates, but approaches like these produce systems that are hard to understand and hard to maintain. This talk shows how to use Open Policy Agent (used by companies such as Netflix and Chef) to build powerful authorization systems on top of industry-standard authentication protocols, and how decoupling makes authorization solutions easier to understand while enabling fine-grained control over applications.

1. Implementing Authorization @sometorin

2. Torin Sandall ● Engineer @ Styra ● Co-founder @ Open Policy Agent

3. "Undifferentiated Heavy Lifting" - Jeff Bezos (Amazon CEO, 2006)

4. Authorization is heavy lifting.

5. ...but every app needs authorization.

6. Rethink how you implement authorization.

7. Ship secure projects faster.

8. Authentication != Authorization
   ● Authentication: verify identity
   ● Authorization: verify permission

9. Authentication != Authorization
   ● Authentication: Am I talking to Bob?
   ● Authorization: Is Bob allowed to talk to me?

10. Authentication standards

   SAML (Enterprise):
       <saml:Assertion>
         <saml:Subject>
           <saml:NameID>abcdef</saml:NameID>
           <saml:SubjectConfirmation Method="urn:...:bearer">
             <saml:SubjectConfirmationData NotOnOrAfter=.../>
           </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions>...

   OpenID Connect (Consumer):
       {
         "iss": "https://example.com",
         "sub": "bob",
         "aud": "retail",
         "nbf": 123456789,
         "exp": 123456789,
         "amr": ["password", "otp"]
       }

   SPIFFE (Infrastructure):
       spiffe://acmecorp/a/b/c

11. Authentication verifies identity & produces attributes.

   credentials (Human or Machine) --> Authentication --> Verified Identity:
       {
         iss: acmecorp
         sub: bob
         aud: retail
         nbf: 123456789
         exp: 123456789
         amr: [ password, otp ]
       }

12. Attribute meaning is beyond the scope of the specification.

   From the SPIFFE ID specification, section 2.2 "Path":
   "The path component of a SPIFFE ID allows for the unique identification of a given workload. The meaning behind the path is left open ended and the responsibility of the administrator to define. Paths MAY be hierarchical - similar to filesystem paths. The specific meaning of paths is reserved as an exercise to the implementer and are outside the SVID specification. However some examples and conventions are expressed below."

   From OpenID Connect Core, section 2 "ID Token":
   "[...] The definition of particular values to be used in the amr Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. [...] ID Tokens MAY contain other Claims."

13. App must decide how identity attributes map to functionality, privileges, etc.
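The boundary slides 11 to 13 draw, as an added example that is not part of the talk: authentication validates the claims the standards define (iss, sub, aud, nbf, exp) and hands the resulting attributes onward, while the meaning of values such as amr is left for the application's authorization layer. Signature verification is assumed to have been done already by an OIDC library; the function name, the InvalidToken class and the sample claim set are constructed for this example.

```python
# Added example (not from the talk): turn a signature-verified ID-token claim set
# into the attribute set the application authorizes against. The claim checks
# below are the ones the authentication standard defines; the meaning of 'amr'
# is application-defined (see slide 12), so it is passed through untouched.
import time


class InvalidToken(Exception):
    """Raised when the standard claims do not hold for this audience and time."""


def verified_identity(claims, expected_aud, now=None):
    """Return identity attributes from an OIDC-style claim set, or raise.

    'now' is a Unix timestamp; it defaults to the current time and can be
    pinned for deterministic tests.
    """
    now = time.time() if now is None else now
    for required in ("iss", "sub", "aud", "exp"):
        if required not in claims:
            raise InvalidToken(f"missing claim: {required}")
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if expected_aud not in audiences:
        raise InvalidToken("token was not issued for this audience")
    if now >= claims["exp"]:
        raise InvalidToken("token expired")
    if now < claims.get("nbf", 0):
        raise InvalidToken("token not yet valid")
    # Everything below is what authentication produces; authorization decides
    # what these attributes are allowed to do.
    return {
        "issuer": claims["iss"],
        "subject": claims["sub"],
        "amr": list(claims.get("amr", [])),
    }


# Constructed sample claim set, shaped like the ID token on slide 10.
SAMPLE_CLAIMS = {
    "iss": "https://example.com",
    "sub": "bob",
    "aud": "retail",
    "nbf": 1000,
    "exp": 2000,
    "amr": ["password", "otp"],
}

if __name__ == "__main__":
    print(verified_identity(SAMPLE_CLAIMS, "retail", now=1500))
```

The returned dictionary is deliberately small: it contains who was verified and how, and nothing about what they may do. Mapping "amr contains otp" to "may view salaries" is the authorization decision the rest of the deck is about.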

14. What about OAuth?

   From RFC 6749, The OAuth 2.0 Authorization Framework, Abstract:
   "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf."

15. OAuth 2.0 enables delegation: "Power of Attorney" for web and mobile applications.

16. Application of access tokens is beyond the scope of the specification.

   From RFC 6749, Section 7:
   "The client accesses protected resources by presenting the access token to the resource server. The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource. The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification but generally involve an interaction or coordination between the resource server and the authorization server."

17. How does the app decide what to do with incoming requests, identity attributes, and access tokens?

18. Authorization: Problem Statement
   Can identity I do operation O on resource R?

19. Authorization: Problem Statement
   Can identity I do operation O on resource R?
   Example: I = alice, O = HTTP GET, R = /salaries/bob

20. Example Policy
   "Employees should be able to read their own salary and the salary of employees they manage."

21. Hard-coded authorization

       # app code
       @route("GET", "/salaries/{employee_id}")
       def get_salary(req):
           if not authorized(req):
               return error(403)
           return db.read_salary(req.emp_id)

       # authorization code
       def authorized(req):
           if req.user == req.emp_id:
               return True
           if req.user in managers_of(req.emp_id):
               return True
           return False

22. This code raises questions! (The handler shown is the same get_salary / authorized code as slide 21.)
   ● How do you enforce policies from security or legal departments?
   ● How do you delegate control to your end-users?
   ● How do you roll-out policy changes?
   ● How do you access the HR database or other sources of context?
   ● How do you render the UI based on the user's permissions?
   ● How do you audit and test your policies for correctness?
   ● How do you audit enforcement of the policies?
   ● What about 100+ other services written in Java, Go, and Ruby?

23. Authorization: Problem Statement
   Can identity I do operation O on resource R?
   Goal: solve for any combination of I, O, and R. Enforce in any language, framework, or environment.

24. Authorization: Common Approaches

   ACLs
   ● deny by default
   ● admin controlled
   ● user, action, resource

   RBAC
   ● deny by default
   ● group users
   ● grant groups permissions
   ● inheritance
   ● separation of duty (SOD)

   IAM
   ● allow and deny
   ● users, groups, resources
   ● negation & built-ins

   ABAC
   ● boolean logic
   ● context
   ● relationships

25. Authorization: Trade-offs
   (chart: ACLs, RBAC, IAM and ABAC plotted along two axes, "Ease of use" and "Flexibility")

26. ACLs, RBAC, and IAM are not enough.
   ● "Allow all HTTP requests from 10.1.2.0/24."
   ● "Restrict employees from accessing the service outside of work hours."
   ● "QA must sign-off on images deployed to the production namespace."
   ● "Restrict ELB changes to senior SREs that are on-call."
   ● "Analysts can read client data but PII must be redacted."
   ● "Give developers SSH access to machines listed in JIRA tickets assigned to them."
   ● "Prevent developers from running containers with privileged security contexts in the production namespace."
   ● "Workloads for euro-bank must be deployed on PCI-certified clusters in the EU."
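To make the comparison on slides 24 to 26 concrete, here is an added example (not from the talk) that checks the same requests under an ACL, an RBAC and an ABAC model. The user names, roles, permissions and the on-call set are constructed; the two ABAC rules are the "outside of work hours" and "senior SREs that are on-call" policies quoted on slide 26, which neither the ACL nor the role table can express because they depend on request context.

```python
# Added example (not from the talk): one request evaluated under three models.
# All names, roles and permissions are constructed sample data.
from datetime import datetime

# ACL: deny by default; an explicit (user, action, resource) tuple grants access.
ACL = {("alice", "read", "service"), ("bob", "read", "service")}


def acl_allow(user, action, resource):
    return (user, action, resource) in ACL


# RBAC: users are grouped into roles; roles are granted (action, resource) pairs.
ROLES = {"alice": {"employee"}, "bob": {"employee", "senior-sre"}}
ROLE_PERMS = {
    "employee": {("read", "service")},
    "senior-sre": {("change", "elb")},
}


def rbac_allow(user, action, resource):
    return any(
        (action, resource) in ROLE_PERMS.get(role, set())
        for role in ROLES.get(user, set())
    )


# ABAC: boolean logic over attributes of the user, the resource and the request
# context. 'ctx' carries the request time and the current on-call roster, which
# is exactly what the ACL and RBAC checks above have no way to consult.
def abac_allow(user, action, resource, ctx):
    if action == "read" and resource == "service":
        # "Restrict employees from accessing the service outside of work hours."
        in_work_hours = 9 <= ctx["time"].hour < 18
        return rbac_allow(user, action, resource) and in_work_hours
    if action == "change" and resource == "elb":
        # "Restrict ELB changes to senior SREs that are on-call."
        return "senior-sre" in ROLES.get(user, set()) and user in ctx["on_call"]
    return False   # deny by default


def compare(user, action, resource, ctx):
    """Return the three decisions side by side for one request."""
    return {
        "acl": acl_allow(user, action, resource),
        "rbac": rbac_allow(user, action, resource),
        "abac": abac_allow(user, action, resource, ctx),
    }


if __name__ == "__main__":
    late_night = {"time": datetime(2024, 1, 1, 22, 0), "on_call": set()}
    print(compare("alice", "read", "service", late_night))
```

Running the script shows ACL and RBAC allowing alice's late-night read while ABAC denies it: the first two models answer the question they were designed for, but the policy on slide 26 asks a question they cannot represent.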

27. Open Policy Agent (OPA) is a general-purpose policy engine.
   (diagram: the Service sends a Policy Query to OPA; OPA returns a Policy Decision that the Service enforces; OPA is loaded with Policy (rego) and Data (json))

28. Open Policy Agent (OPA)
   Decouple policy decisions from enforcement and codify decisions using a declarative language.
   (diagram: Service --Policy Query--> OPA --Policy Decision--> Enforcement; OPA holds Policy (rego) and Data (json))

29.Open Policy Agent (OPA) Enforcement Service ● Integrate as a library or sidecar Policy Policy Query Decision ○ No runtime dependencies ○ Policy and data kept in-memory OPA ● Supports multiple authorization models ○ ✔ ACLs ○ ✔ RBAC ○ ✔ IAM ○ ✔ ABAC Policy Data (rego) (json) @sometorin