docs(day1): Added auth talk

This commit is contained in:
Nicolai Ort 2025-07-21 15:07:12 +02:00
parent d0a270d84e
commit 46f0fca196
2 changed files with 85 additions and 1 deletions

content/day1/08_auth.md Normal file
View File

@ -0,0 +1,83 @@
---
title: How Google Built a Consistent, Global, Authorization System with Zansibar and you can too
weight: 8
tags:
- auth
- security
---
<!-- {{% button href="https://youtu.be/rkteV6Mzjfs" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}} -->
<!-- {{% button href="https://docs.google.com/presentation/d/1nEK0CVC_yQgIDqwsdh-PRihB6dc9RyT-" style="tip" icon="person-chalkboard" %}}Slides{{% /button %}} -->
Challenge: You send an mail via gmail that has a google drive attachment -> Those are two seperate apps but a central auth check needs to take place to provide access to the recipient.
## Access controll types
- ACL (access control list): Pretty basic
- RBAC: The defacto standard for a long time
- ABAC (Attribute based access controll): Check attributes (user-id, ip address, ...) on access time to make a decision
- ReBAC (Relationship based access controll)
## ReBAC
### Baseline
```mermaid
graph LR
document-->|Is part of|folder-->|was created by|user
```
### Relation Tuple
- `document:123#owner@user:3` -> User 3 is owhner of document 123
- `groud:engineering#membner@group:security` -> Group security is a member of the group engineering
### Graph representation (DAG)
```mermaid
graph LR
somedocument-->reader
somedocument-->writer
reader-.->|is also available via|writer
reader-->UserA
reader-->UserB
writer-->UserC
writer-->UserD
```
And check if there is a unidirectional way from somedocument to UserA over writer -> No = No access
## Zansibar
- Globaly distributed
- ReBAC based
- Zentral API
### Hotspots
- Problem: Some checks need to happen often
- Solution: Distributed caching
- Cache validity: Time stamp optimization by rounding to a second or 50ms
- Improvement: Internal use of grpc
- Lock table: If the same query get's executed multiple times at once, calculate query once and return cached response to all waiting queries
- Improve cache population: Don't kill sub-checks instantly but delayed
### Zookies
- Specify a specific point in time (e.g. to bypass cache with "give me the latest")
- Allows control over the latency vs real-time trade-off
- Solves the new enemy problem: You loose access at the same time it get's changed -> may result in phantom access to the new version if cached data get's used
### Implementations
> Some of the popular oppen source implementations, just for later
- SpiceDB
- ORY
- Permify
### Pro
- Low latency with high throughput
- Global consistency
- Composable and hierarchical permission models
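Review bot: The system's name is misspelled as "Zansibar" in the front-matter title (`title: How Google Built a Consistent, Global, Authorization System with Zansibar and you can too`) and again in the `## Zansibar` heading; the Google paper is "Zanzibar: Google's Consistent, Global Authorization System" (Pang et al., USENIX ATC 2019), so both should read "Zanzibar" and the talk title should be checked against the conference program. The second relation tuple, `groud:engineering#membner@group:security`, has typos in `groud` and `membner`, and it also makes the whole group object the subject of the relation; in Zanzibar notation group-to-group membership is written with a userset as the subject, `group:engineering#member@group:security#member`, which is what lets a check recurse into the members of the security group. The first tuple has `owhner` for `owner`. The reachability sentence under the DAG ("check if there is a unidirectional way from somedocument to UserA over writer -> No = No access") reads backwards against the diagram: the dotted edge is drawn from reader to writer, while the sentence implies that writer grants reader, so either the edge direction or the sentence should be flipped, and it should say which permission is being checked for UserA. Spelling elsewhere in the section: "controll" -> "control", "seperate" -> "separate", "Globaly" -> "Globally", "Zentral" -> "Central", "oppen" -> "open", "loose" -> "lose", "get's" -> "gets". The YouTube and slides buttons are commented out; if the links are meant to go live later, a TODO comment would make that explicit.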

View File

@ -10,4 +10,5 @@ The first day started with the usual organizational topics (schedule, sponsors a
- For everyone: [IT-Grundschutz trifft Kubernetes: Praxisnahe Umsetzung sicherheitsrelevanter Anforderungen](./03_grundschutz)(it was presented in an engaging way)
- If you're interested in metal³: [Bringing Cloud-Native Agility to Bare-Metal Kubernetes with Cluster API and Metal³](./05_baremetal)
- DevEx: [What going cloud native taught us about developer experience](./07_devex) (and honestly worth the speaker's accent and city skylines metaphor)
- DevEx: [What going cloud native taught us about developer experience](./07_devex) (and honestly worth the speaker's accent and city skylines metaphor)
- If you're interested in different access control patterns: [How Google Built a Consistent, Global, Authorization System with Zansibar and you can too](./08_auth)
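Review bot: The new list entry carries the same misspelling, "Zansibar", as the linked page; the system is Google's Zanzibar, so the link text should be corrected together with the title in `08_auth.md`. The two context lines directly above the addition are an exact duplicate of the DevEx entry (`- DevEx: [What going cloud native taught us about developer experience](./07_devex) ...` appears twice); that duplication predates this commit, but since the commit already edits this list, dropping one copy here is a cheap fix.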