Authorization is on the rise. What if there was an API for it?

Transcript

Authorization is on the rise. What if there was an

API for it? @dschenkelman

Table Stakes https://medium.com/pm-insights/how-to-pick-winning-product- features-7b03abcf7d12

Differentiator https://medium.com/pm-insights/how-to-pick-winning-product- features-7b03abcf7d12

OWASP TOP 1 https://owasp.org/Top10/ Broken Access Control

In the beginning… RBAC DELETE /customers/{id} const user = await

db.users.get(cookie.userId); if (user.role === "admin")) { // delete customer // return 204 } else { // return 403 } select role from users where userId == {uid};

In the beginning… RBAC DELETE /customers/{id} const user = await

I want to use attributes from subject and object… ABAC

DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};

I want to use attributes from subject and object… ABAC

I want to know who did what… DELETE /customers/{id} //

log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};

I want to know who did what… DELETE /customers/{id} //

I want it to be reliable and fast… DELETE /customers/{id}

// log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};

Access Review? Who can access what?

Approval? Change Management

Auditing? What happened?

Reliability?

Latency?

Developer APIs

Approach #1: Policies

Mental Picture public enum Decision { Allow, Deny, … }

public Decision {policy_name} (subject, permission, object, context) { // rules… }

Example Architecture 3. get user and customer data 2. can

user delete customer? 1. can user delete customer? Manage Policies PAP Policy Decision Point Policy Information Point 6. delete customer 5. user is authorized Policy Repository Customer Service 4. evaluate policy

Advantages • Easier to understand what authorization logic applies •

Authorization change management is simpler than having it in code • Auditing is implemented outside of business logic

Disadvantages • Requires operating more components

Disadvantages • Requires operating more components • Does not handle

storage of authz data • 👉 latency + reliability + scale • 👉 collaboration scenarios •

Approach #2: "Zanzibar"

Zanzibar Not this one…

Google Zanzibar https://research.google/pubs/pub48190/

ReBAC

Multi-region

Sweet spot Policies (AuthZ needs) DBaaS (handles data) Zanzibar "as

a Service”

Internal Use

For others to use (disclaimer: I work on Project "Sandcastle")

Project "Sandcastle"

DEMO

Architecture Sandcastle in "PDP Mode" 2. check(user, delete, customer) 1.

can user delete customer? Customer Service PDP Sandcastle 4. delete customer 3. user is authorized nginx

Enforcement

Advantages • Auditing is part of "aaS" • Authorization change

management is simpler than having it in code • Easier to understand what authorization logic applies • Multi-region and operated by someone else

Disadvantages • Many things are a relationship, but not everything

(e.g. time of day)

Approach #3: Combined

Architecture Sandcastle in "PIP Mode" 4. check(user, delete, customer) 2.

can user delete customer? 1. can user delete customer? Manage Policies Distribute Policies PAP PDP PIP Sandcastle 6. delete customer 5. user is authorized Policy Repository 3. evaluate policy

Final Thoughts

Resources

Project “Sandcastle" Dev Community Preview Waitlist shorturl.at/hkouS

AuthZ APIs Resources • Google Zanzibar: https://research.google/pubs/pub48190/ • Zanzibar Academy:

https://zanzibar.academy • Himeji (Zanzibar @ Airbnb): https://medium.com/airbnb-engineering/himeji-a-scalable- centralized-system-for-authorization-at-airbnb-341664924574 • AuthZ (Zanzibar @ Carta): https://medium.com/building-carta/authz-cartas-highly- scalable-permissions-system-782a7f2c840f • Facebook TAO: https://www.usenix.org/system/ fi les/conference/atc13/atc13-bronson.pdf • Authzed: https://authzed.com/ • Ory Keto: https://www.ory.sh/keto/docs/

@auth0lab Resources • Sandcastle playground: https://learn.sandcastle.cloud/ • Auth0 Lab discord:

https://t.co/ybHn8hEOBl?amp=1 • Authorization in Software Podcast: https:// authorizationinsoftware.auth0.com/ • @auth0lab: https://twitter.com/auth0lab

Policy Resources • OPA: https://www.openpolicyagent.org/ • Styra: https://www.styra.com/ • OSOHQ:

https://docs.osohq.com/ • XACML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html • NIST ABAC: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf • RBAC: https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1992/10/13/ role-based-access-controls/documents/ferraiolo-kuhn-92.pdf

Authorization is on the rise. What if there was...

Authorization is on the rise. What if there was an API for it?

More Decks by Damian Schenkelman

Other Decks in Technology

Featured

Transcript