How Netflix Is Solving Authorization Across Their Cloud [I] - Manish Mehta & Torin Sandall, Netflix

  • Published 12 Dec 2024

COMMENTS • 24

  • @brainoverflow98
    @brainoverflow98 4 years ago +21

    And I'm here trying to solve the Authorization problem by myself as an undergraduate! This is a whole different story.

  • @jasondoubleoseven
    @jasondoubleoseven 4 years ago +5

    I've implemented microservice authorization using OPA and serverless in AWS. The custom authorizer is the location where I decode a JWT token and verify authorization.

  • @AymenBenMiled-r4q
    @AymenBenMiled-r4q 1 year ago +1

    We are always speaking about authorization for a single resource (GET Employees/123, UPDATE Employees/123); what about GET List Employees or a search operation... how will this pattern act?
    Thanks

  • @FINSuojeluskunta
    @FINSuojeluskunta 4 years ago +4

    The explanation of how it ties in with data is vague. Say I have a database with all of my pets and their owners in it. It doesn't make sense to do this via HTTP request because most authorization requires a database call if it's not something simple stored in the JWT, and the only way I see this working is if we send it a list of owners in the request. However, it seems nice for microservices without network round trips.

    • @khanhbq
      @khanhbq 4 months ago

      Then your pets and their owners data is fetched and then cached in memory inside the AuthZ agent. The data that OPA uses to make authorization decisions can be any business-related data.

  • @sksjdfl
    @sksjdfl 3 years ago +2

    I have a question: when the authorization of each user changes, for example the role of a user in a group expires or a new business policy changes the permissions, how do you resolve the change in OPA and update the permissions in the JWT payload or other shared memory of the authorization server? I assume the case of real-time, high-rate requests from clients.

    • @danielpops
      @danielpops 3 years ago

      The JWT payload should ideally not carry any authorization information.

    • @khanhbq
      @khanhbq 4 months ago

      15:09 There is a blue part called "Updater" that periodically updates the policies and data, but in the presentation they did not talk about how to manage inconsistency when caching policies and data inside the AuthZ agent. I guess we need an on-demand cache invalidation mechanism for consistency here.

  • @andrewstark917
    @andrewstark917 3 years ago +3

    So technically, if I want to bind a few billion users who can edit this post, I have to add them manually to the OPA rule dataset to bind it? So from the server we send the current user id and OPA checks if the passed id is among the manually bound billions of ids? It will take dozens of years to fill them in manually, or an insane amount of traffic to pass them on each request.

    • @khanhbq
      @khanhbq 4 months ago

      There must be some kind of business logic about it? Let's say that those few billion users are the members of a group that contains the post; then a custom function is_member_of_group(post_id) will do the job. It makes no sense if those few billion users are completely arbitrary.
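
The two replies above (in-memory data cached in the agent, and membership derived from a group rather than an enumerated user list) can be written as one OPA policy. This is an added illustration in Rego, not code from the talk; the `pets`, `posts` and `group_members` documents and the `input` shape are constructed assumptions, and `is_member_of_group` is a hypothetical helper named after the one suggested in the reply.

```rego
package authz

import rego.v1

# Constructed sample data (not from the talk). In the architecture the thread
# discusses, the agent's updater would load documents like these into `data`
# periodically, so evaluation is an in-memory lookup with no network round trip.
pets := {"p1": {"owner": "alice"}, "p2": {"owner": "bob"}}
posts := {"post-42": {"group": "g1"}}
group_members := {"g1": {"alice", "carol"}}

default allow := false

# A user may read a pet record they own.
allow if {
	input.action == "read"
	input.resource.type == "pet"
	pets[input.resource.id].owner == input.user
}

# A user may edit a post if they belong to the post's group. Membership is
# derived from the group document, so no per-post list of users is needed.
allow if {
	input.action == "edit"
	input.resource.type == "post"
	is_member_of_group(input.resource.id)
}

# Hypothetical helper: resolve the post's group, then test membership.
is_member_of_group(post_id) if {
	group := posts[post_id].group
	input.user in group_members[group]
}

# Example input (constructed):
# {"user": "carol", "action": "edit",
#  "resource": {"type": "post", "id": "post-42"}}
```

Evaluate locally with `opa eval -d policy.rego -i input.json 'data.authz.allow'`; swapping the user for one outside `g1` shows the decision flip without any policy change.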

  • @BradleyWeston92
    @BradleyWeston92 6 years ago +4

    Great talk! Just a few questions: what stops an application posing itself as a different app name? What verifies a user is a certain user and not another user, for example just a token that is validated before the request gets to the service?

    • @aditya234567
      @aditya234567 4 years ago +2

      All that comes in authentication.

    • @mukuz
      @mukuz 4 years ago +1

      Signed JWT.

  • @srikumarks
    @srikumarks 3 years ago

    Authorization applies to resource access as well as information access. Does OPA cover situations where role R is permitted to access resource X except for the F field that the service sends in its response? One answer would be to author the service to separate out such "sensitive" information as a resource... but that may not always be possible, especially retrospectively. For example, a customer support app may want to retrieve a customer's information but not have permission to read the bank account number. If the "customer info" service clubs all of that together... we'll want to restrict the response to a subset.

    • @sajidbadiuzzaman
      @sajidbadiuzzaman 3 years ago

      One solution is to separate services altogether; if you separate services for different roles, this could solve it.
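
Beyond splitting services, the field-level question above can also be answered by having OPA return the permitted projection of a record instead of a bare allow/deny. This is an added Rego example, not from the talk; the `visible_fields` table and the `input.record` / `input.role` shape are constructed assumptions.

```rego
package authz.customer

import rego.v1

# Constructed: which customer fields each role may see (assumption, not from the talk).
visible_fields := {
	"support": {"name", "email", "phone"},
	"finance": {"name", "email", "phone", "bank_account"},
}

# Fields the caller may receive for a customer record.
allowed_fields contains f if {
	input.resource.type == "customer"
	some f in visible_fields[input.role]
}

# The service passes the full record in `input.record` and returns only this
# projection, so a support role never sees bank_account.
filtered_record := {k: v |
	some k, v in input.record
	k in allowed_fields
}

# Example input (constructed):
# {"role": "support", "resource": {"type": "customer", "id": "c7"},
#  "record": {"name": "Ann", "email": "ann@example.com",
#             "phone": "555-0100", "bank_account": "REDACTED-SAMPLE"}}
```

Querying `data.authz.customer.filtered_record` lets the service apply the redaction without knowing the role-to-field mapping itself, so the rule can be changed retrospectively without touching the service.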

  • @ranajitjana4030
    @ranajitjana4030 3 years ago

    Is it open sourced yet? Nice stuff.

  • @satyachillale
    @satyachillale 3 years ago

    How do you scale when you have 100s of millions of users? Can the auth agent store so much data in memory?

    • @irasychan
      @irasychan 3 years ago

      Database sharding can be a great help with that.

    • @sksjdfl
      @sksjdfl 3 years ago

      @irasychan How can it update the authorization of a regular user?

    • @khanhbq
      @khanhbq 4 months ago

      You can be flexible with different kinds of authorization. Some policies can be cached and stale/inconsistent data is acceptable; some other important policies that can't afford any inconsistency can have a different caching mechanism.

  • @ChengZhao
    @ChengZhao 6 years ago +3

    Is this similar to what Istio does?

    • @natecoffing2591
      @natecoffing2591 6 years ago

      Perhaps when Istio is able to run across legacy apps and microservices.