From 46f0fca196a01b62506902d6138898f06d6bc96d Mon Sep 17 00:00:00 2001 From: Nicolai Ort Date: Mon, 21 Jul 2025 15:07:12 +0200 Subject: [PATCH] docs(day1): Added auth talk --- content/day1/08_auth.md | 83 +++++++++++++++++++++++++++++++++++++++++ content/day1/_index.md | 3 +- 2 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 content/day1/08_auth.md diff --git a/content/day1/08_auth.md b/content/day1/08_auth.md new file mode 100644 index 0000000..d1f9e8f --- /dev/null +++ b/content/day1/08_auth.md 
@@ -0,0 +1,83 @@ +--- +title: How Google Built a Consistent, Global, Authorization System with Zansibar and you can too +weight: 8 +tags: + - auth + - security +--- + + + + +Challenge: You send an mail via gmail that has a google drive attachment -> Those are two seperate apps but a central auth check needs to take place to provide access to the recipient. + +## Access controll types + +- ACL (access control list): Pretty basic +- RBAC: The defacto standard for a long time +- ABAC (Attribute based access controll): Check attributes (user-id, ip address, ...) on access time to make a decision +- ReBAC (Relationship based access controll) + +## ReBAC + +### Baseline + +```mermaid +graph LR +document-->|Is part of|folder-->|was created by|user +``` + +### Relation Tuple + +- `document:123#owner@user:3` -> User 3 is owhner of document 123 +- `groud:engineering#membner@group:security` -> Group security is a member of the group engineering + +### Graph representation (DAG) + +```mermaid +graph LR +somedocument-->reader +somedocument-->writer +reader-.->|is also available via|writer +reader-->UserA +reader-->UserB +writer-->UserC +writer-->UserD +``` + +And check if there is a unidirectional way from somedocument to UserA over writer -> No = No access + +## Zansibar + +- Globaly distributed +- ReBAC based +- Zentral API + +### Hotspots + +- Problem: Some checks need to happen often +- Solution: Distributed caching +- Cache validity: Time stamp optimization by rounding to a second or 50ms +- Improvement: Internal use of grpc +- Lock table: If the same query get's executed multiple times at once, calculate query once and return cached response to all waiting queries +- Improve cache population: Don't kill sub-checks instantly but delayed + +### Zookies + +- Specify a specific point in time (e.g. 
to bypass cache with "give me the latest") +- Allows control over the latency vs real-time trade-off +- Solves the new enemy problem: You loose access at the same time it get's changed -> may result in phantom access to the new version if cached data get's used + +### Implementations + +> Some of the popular oppen source implementations, just for later + +- SpiceDB +- ORY +- Permify + +### Pro + +- Low latency with high throughput +- Global consistency +- Composable and hierarchical permission models \ No newline at end of file diff --git a/content/day1/_index.md b/content/day1/_index.md index 4d535f7..0a183a4 100644 --- a/content/day1/_index.md +++ b/content/day1/_index.md @@ -10,4 +10,5 @@ The first day started with the usual organizational topics (schedule, sponsors a - For everyone: [IT-Grundschutz trifft Kubernetes: Praxisnahe Umsetzung sicherheitsrelevanter Anforderungen](./03_grundschutz)(it was presented in an engaging way) - If you're interested in metal³: [Bringing Cloud-Native Agility to Bare-Metal Kubernetes with Cluster API and Metal³](./05_baremetal) -- DevEx: [What going cloud native taught us about developer experience](./07_devex) (and honestly worth the speaker's accent and city skylines metaphor) \ No newline at end of file +- DevEx: [What going cloud native taught us about developer experience](./07_devex) (and honestly worth the speaker's accent and city skylines metaphor) +- If you're interested in different access control patterns: [How Google Built a Consistent, Global, Authorization System with Zansibar and you can too](./08_auth)
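Review bot: The product name is misspelled as "Zansibar" in the front-matter title and in the `## Zansibar` heading of the new `content/day1/08_auth.md`; the Google system is "Zanzibar", and since the title is also what gets linked from the day index, please fix it in both places. The same hunk ships several typos that will be visible on the rendered page: "controll" (in `## Access controll types` and the ABAC/ReBAC bullets), "seperate", "owhner", "membner", "Globaly", "Zentral" (should be "Central"), "oppen", "loose" (should be "lose"), and "get's" (should be "gets", twice). In the relation-tuple example the object type `groud:engineering` should read `group:engineering`, otherwise it does not match the `@group:security` subject in the same tuple. In the DAG section, "check if there is a unidirectional way from somedocument to UserA over writer" would be clearer as "check whether there is a directed path from somedocument to UserA that goes through writer: there is none (UserA is only reachable via reader), so no write access". The Zookies bullet on the new enemy problem is hard to parse; suggest stating it as an ordering problem: the ACL change has to be observed before the content change it was meant to protect, otherwise a stale cached check can grant a just-removed user access to the new version, which is the "phantom access" the bullet refers to. Finally the new file is committed without a trailing newline (`\ No newline at end of file`); add one.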
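Review bot: In the `content/day1/_index.md` hunk the added link text repeats the "Zansibar" misspelling from the new page's title; it should read "Zanzibar" and stay identical to the corrected front-matter title in `08_auth.md` so the index entry and the page heading match. The rest of the hunk only re-emits the unchanged DevEx line to add the previously missing trailing newline, which is fine.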