Modernizing authorization with OpenFGA (Presentation)

LizbethGarcia79338 109 views 20 slides Jun 17, 2024
Slide 1
Slide 1 of 20
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14
Slide 15
15
Slide 16
16
Slide 17
17
Slide 18
18
Slide 19
19
Slide 20
20

About This Presentation

Presentation shared on June 5, 2024 at the in person event of Kubernetes Puerto Rico

Size: 884.19 KB
Language: en
Added: Jun 17, 2024
Slides: 20 pages

Slide Content

Modernizing
authorization with
OpenFGA
Yamil Asusta @elbuo8

The process of verifying someone's identity.

E.g. "Is this person really Kate?"



The process of evaluating if a user can
perform a certain action on a resource.

E.g. "Can Kate reply to Jimmy's post?"

Authentication Authorization
?????? ??????

Example
You want to build a product like Google Drive that allows users to
create and share documents amongst each other.

Users can be in groups.

Documents can be in folders.

app.get("/documents/:id", async (res, req) => {
const document = await db.documents.findOne({ id: req.params.id });
res.send({ document });
});

app.get("/documents/:id", async (res, req) => {
if (!req.user.roles.includes("employee") && !req.user.roles.includes("manager")) {
throw new ForbiddenError();
}
const document = await db.documents.findOne({ id: req.params.id });
res.send({ document });
});
Add RBAC!
If the user has a role, grant access








But… what if there are many roles? What if new roles get added?

Add PBAC (RBAC + permissions)!
If the user has a permission, grant access







But… how do you grant (or revoke) permissions to view a single document?
app.get("/documents/:id", async (res, req) => {
if (!req.user.permissions.includes("documents:view")) {
throw new ForbiddenError();
}

const document = await db.documents.findOne({ id: req.params.id });
res.send({ document });
});

Role-Based Access Control (RBAC)


Downsides:
●Role explosion: delegating access to individual resources requires creating a
new role per resource. (and if you try to add the roles to the JWT? You can’t
have many!)
●Expressiveness: you can’t express more complex policies
○How do you handle hierarchies, e.g. if a user can view a parent folder, they
should be able to view all the documents inside child folders?
○How do you grant access to a single folder or a single document?

ABAC allows granting more granular permissions.







But… is this check fast?! What if you forget to check the folders the document is in?
// GET /documents/:id
const document = await db.documents.findOne({ id: req.params.id });
// Because we might have the document nested in many folders, any of which may have been shared with
the user
const folders = await db.folders.recursivelyFindAllFoldersInChain ({ id: document.folder_id });
// Because the document or folder may have been shared with a group the user is in
const groups = await db.groups.recursivelyFindAllGroupsInChain ({ ids: req.user.group_ids });

await authorize(req.user, "read", { folders, groups });
res.send({ document });
Use ABAC!

Downsides:
●Nesting gets complicated: attributes about the documents and the users need to
be gathered from the database, increasing database load and increasing
response latency

●Repeated implementation for each type of resources and each type of requests
(whether user can access a particular resource and what resources a particular
user can access)

Attribute-Based Access Control (ABAC)

Introducing… ReBAC!

It allows expressing authorization rules based on relations that users and objects in a
system have with each other.

Google Zanzibar

OpenFGA is based
on Zanzibar

There are other solutions out there, too: SpiceDB, Aserto,
Topaz, etc.

In order to make authorization decisions, OpenFGA
needs two types of data:

1.An authorization model
-Does not change often
-Usually updated when introducing new products
or features
2.The authorization data
-Changes very often
-Updated as relationships between objects
change

Step 1. Write the Authorization Model

●Direct Relationships
●Computed Relationships
●Hierarchical Relationships
●Rewrite Set Operations
○Union
○Intersection
○Exclusion

Step 2. Write the Tuples

Can user:jon view document:1?


user:jon document:1
viewer
folder:X
viewer
parent
Step 3. Check for access

Demo

Resources
Zanzibar Paper https://research.google/pubs/pub48190/
Zanzibar Academy https://zanzibar.academy
OpenFGA Documentation https://openfga.dev
OpenFGA Playground https://play.fga.dev

Thanks
Tags
Categories
General
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 109
  • Slides 20
  • Age 531 days
Related Slideshows
Pray For The Peace Of Jerusalem and You Will Prosper 22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
Don_t_Waste_Your_Life_God.....powerpoint 26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf 31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
Fertility awareness methods for women in the society 14
Fertility awareness methods for women in the society
Isaiah47
29 views
Chapter 5 Arithmetic Functions Computer Organisation and Architecture 35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
syakira bhasa inggris (1) (1).pptx....... 5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views
View More in This Category