All About AuthZ

Transcript

1. All about AuthZ @dschenkelman

2. Building a SaaS in 2021…

3. Security

4. Privacy

5. Compliance

6. Table Stakes https://medium.com/pm-insights/how-to-pick-winning-product- features-7b03abcf7d12

7. Collaboration

8. Sharing

9. Partnerships

10. Differentiator https://medium.com/pm-insights/how-to-pick-winning-product- features-7b03abcf7d12

11. Authorization

12. NOT Authentication

13. Authorization

14. In the beginning… RBAC DELETE /customers/{id} const user = await

    db.users.get(cookie.userId); if (user.role === "admin")) { // delete customer // return 204 } else { // return 403 } select role from users where userId == {uid};

15. In the beginning… RBAC DELETE /customers/{id} const user = await

    db.users.get(cookie.userId); if (user.role === "admin")) { // delete customer // return 204 } else { // return 403 } select role from users where userId == {uid};

16. In the beginning… RBAC DELETE /customers/{id} const user = await

    db.users.get(cookie.userId); if (user.role === "admin")) { // delete customer // return 204 } else { // return 403 } select role from users where userId == {uid};

17. In the beginning… RBAC DELETE /customers/{id} const user = await

    db.users.get(cookie.userId); if (user.role === "admin")) { // delete customer // return 204 } else { // return 403 } select role from users where userId == {uid};

18. In the beginning… RBAC DELETE /customers/{id} const user = await

    db.users.get(cookie.userId); if (user.role === "admin")) { // delete customer // return 204 } else { // return 403 } select role from users where userId == {uid};

19. I want to use attributes from subject and object… ABAC

    DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};

20. I want to use attributes from subject and object… ABAC

    DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};

21. I want to use attributes from subject and object… ABAC

    DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};

22. I want to use attributes from subject and object… ABAC

    DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};

23. I want to use attributes from subject and object… ABAC

    DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};

24. I want to use attributes from subject and object… ABAC

    DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};

25. I want to know who did what… DELETE /customers/{id} //

    log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};

26. I want to know who did what… DELETE /customers/{id} //

    log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};

27. I want to know who did what… DELETE /customers/{id} //

    log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};

28. I want it to be reliable and fast… DELETE /customers/{id}

    // log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};

29. Access Review? Who can access what?

30. Approval? Change Management

31. Auditing? What happened?

32. Reliability?

33. Latency?

34. Developer SaaS

35. Approach #1: Policies

36. Policy

37. XACML http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

38. Rego https://www.openpolicyagent.org/docs/latest/policy-language/

39. Polar https://docs.osohq.com/reference/polar/polar-syntax.html

40. Architecture Abstract 4. get user and customer data 2. can

    user delete customer? 1. can user delete customer? Manage Policies Distribute Policies PAP PEP PDP PIP (the original DB) 6. delete customer 5. user is authorized Policy Repository 3. evaluate policy

41. Architecture Concrete 4. get user and customer data 2. can

    user delete customer? 1. can user delete customer? Manage Policies Distribute Policies PAP PEP PDP PIP (the original DB) 6. delete customer 5. user is authorized Policy Repository

42. Alternatives

43. Advantages • Auditing is implemented outside of business logic •

    Authorization change management is simpler than having it in code • Easier to understand what authorization logic applies

44. Disadvantages • Requires operating more components

45. Architecture Services 4.1. get user data 2. can user delete

    customer? 1. can user delete customer? PEP PDP PIP (users service) 5. user is authorized PIP (customer service) 4.2. get customer data

46. us-west-2 us-east-1 Architecture Services + Multiregion PEP PDP PIP PIP

    4.1. get user 2. can user delete customer? 1. can user delete customer? PEP PDP PIP 5. user is authorized PIP 4.2 get customer

47. us-west-2 us-east-1 Architecture Services + Multi-region + Failure PEP PDP

    PIP PIP PEP PDP PIP PIP

48. Disadvantages • Requires operating more components • Does not handle

    storage of authz data • 👉 latency + reliability + scale

49. Approach #2: "Zanzibar"

50. Zanzibar Not this one…

51. Google Zanzibar https://research.google/pubs/pub48190/

52. ReBAC

53. Multi-region

54. Sweet spot Policies (AuthZ needs) DBaaS (handles data) Zanzibar "as

    a Service”

55. Alternatives (disclaimer: I work on “Sandcastle") "Sandcastle"

56. DEMO

57. Architecture Sandcastle in "PDP Mode" 2. check(user, delete, customer) 1.

    can user delete customer? Customer Service PDP Sandcastle 4. delete customer 3. user is authorized nginx

58. Enforcement

59. us-west-2 us-east-1 Architecture Services + Multi-region + Sandcastle Users Service

    Customers Service Sandcastle Sandcastle nginx Customers Service Users Service nginx check(user, delete, customer) check(user, delete, customer)

60. Advantages • Auditing is part of "aaS" • Authorization change

    management is simpler than having it in code • Easier to understand what authorization logic applies • Multi-region and operated by someone else

61. Disadvantages • Many things are a relationship, but not everything

    (e.g. time of day)

62. Approach #3: Combined

63. Architecture Sandcastle in "PIP Mode" 4. check(user, delete, customer) 2.

    can user delete customer? 1. can user delete customer? Manage Policies Distribute Policies PAP PEP PDP PIP Sandcastle 6. delete customer 5. user is authorized Policy Repository 3. evaluate policy

64. us-west-2 us-east-1 Architecture Services + Multi-region + Sandcastle + Policies

    PEP PDP Users Service Customers Service Sandcastle Sandcastle PEP PDP Customers Service Users Service

65. Sandcastle + OPA

66. Final Thoughts

67. @auth0lab Resources • Sandcastle playground: https://learn.sandcastle.cloud/ • Auth0 Lab discord:

    https://t.co/ybHn8hEOBl?amp=1 • Authorization in Software: Subject Matter Expert Chats: https:// www.youtube.com/playlist? list=PLZuCrkqyqw9wY0bCosGYDMI9enFpg_tk- • @auth0lab: https://twitter.com/auth0lab

68. Resources • OPA: https://www.openpolicyagent.org/ • Styra: https://www.styra.com/ • OSOHQ: https://docs.osohq.com/

    • XACML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html • NIST ABAC: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf • RBAC: https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1992/10/13/ role-based-access-controls/documents/ferraiolo-kuhn-92.pdf

69. Resources • Facebook TAO: https://www.usenix.org/system/ fi les/conference/atc13/atc13- bronson.pdf • Google

    Zanzibar: https://research.google/pubs/pub48190/ • Himeji (Zanzibar @ Airbnb): https://medium.com/airbnb-engineering/himeji-a- scalable-centralized-system-for-authorization-at-airbnb-341664924574 • AuthZ (Zanzibar @ Carta): https://medium.com/building-carta/authz-cartas-highly- scalable-permissions-system-782a7f2c840f • Authzed: https://authzed.com/ • Ory Keto: https://www.ory.sh/keto/docs/

70. Questions?

71. Thanks! @dschenkelman @auth0lab