docs(day1): Added auth talk

2025-07-21 15:07:12 +02:00 · 2025-07-21 15:07:12 +02:00 · 46f0fca196
commit 46f0fca196
parent d0a270d84e
2 changed files with 85 additions and 1 deletions
--- a/content/day1/08_auth.md
+++ b/content/day1/08_auth.md
@ -0,0 +1,83 @@
+---
+title: How Google Built a Consistent, Global, Authorization System with Zansibar and you can too
+weight: 8
+tags:
+ - auth
+ - security
+---
+
+<!-- {{% button href="https://youtu.be/rkteV6Mzjfs" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}} -->
+<!-- {{% button href="https://docs.google.com/presentation/d/1nEK0CVC_yQgIDqwsdh-PRihB6dc9RyT-" style="tip" icon="person-chalkboard" %}}Slides{{% /button %}} -->
+
+Challenge: You send an mail via gmail that has a google drive attachment -> Those are two seperate apps but a central auth check needs to take place to provide access to the recipient.
+
+## Access controll types
+
+- ACL (access control list): Pretty basic
+- RBAC: The defacto standard for a long time
+- ABAC (Attribute based access controll): Check attributes (user-id, ip address, ...) on access time to make a decision
+- ReBAC (Relationship based access controll)
+
+## ReBAC
+
+### Baseline
+
+```mermaid
+graph LR
+document-->|Is part of|folder-->|was created by|user
+```
+
+### Relation Tuple
+
+- `document:123#owner@user:3` -> User 3 is owhner of document 123
+- `groud:engineering#membner@group:security` -> Group security is a member of the group engineering
+
+### Graph representation (DAG)
+
+```mermaid
+graph LR
+somedocument-->reader
+somedocument-->writer
+reader-.->|is also available via|writer
+reader-->UserA
+reader-->UserB
+writer-->UserC
+writer-->UserD
+```
+
+And check if there is a unidirectional way from somedocument to UserA over writer -> No = No access
+
+## Zansibar
+
+- Globaly distributed
+- ReBAC based
+- Zentral API
+
+### Hotspots
+
+- Problem: Some checks need to happen often
+- Solution: Distributed caching
+- Cache validity: Time stamp optimization by rounding to a second or 50ms
+- Improvement: Internal use of grpc
+- Lock table: If the same query get's executed multiple times at once, calculate query once and return cached response to all waiting queries
+- Improve cache population: Don't kill sub-checks instantly but delayed
+
+### Zookies
+
+- Specify a specific point in time (e.g. to bypass cache with "give me the latest")
+- Allows control over the latency vs real-time trade-off
+- Solves the new enemy problem: You loose access at the same time it get's changed -> may result in phantom access to the new version if cached data get's used
+
+### Implementations
+
+> Some of the popular oppen source implementations, just for later
+
+- SpiceDB
+- ORY
+- Permify
+
+### Pro
+
+- Low latency with high throughput
+- Global consistency
+- Composable and hierarchical permission models
--- a/content/day1/_index.md
+++ b/content/day1/_index.md
@ -11,3 +11,4 @@ The first day started with the usual organizational topics (schedule, sponsors a
 - For everyone: [IT-Grundschutz trifft Kubernetes: Praxisnahe Umsetzung sicherheitsrelevanter Anforderungen](./03_grundschutz)(it was presented in an engaging way)
 - If you're interested in metal³: [Bringing Cloud-Native Agility to Bare-Metal Kubernetes with Cluster API and Metal³](./05_baremetal)
 - DevEx: [What going cloud native taught us about developer experience](./07_devex) (and honestly worth the speaker's accent and city skylines metaphor)
+- If you're interested in different access control patterns: [How Google Built a Consistent, Global, Authorization System with Zansibar and you can too](./08_auth)