<!DOCTYPE html>
<html lang="en" style="height: 100%">
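<head>
<!-- charset comes first so the parser fixes the encoding inside the first 1024 bytes, before any script text -->
<meta charset="UTF-8">
<meta content="width=device-width, initial-scale=1.0, shrink-to-fit=no" name="viewport">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Athenz IO - Explore</title>
<!-- Global site tag (gtag.js) - Google Analytics.
     gtag.js is served unversioned and changes in place, so Subresource Integrity cannot be
     applied to it. The inline configuration snippet below would need a CSP nonce or hash if a
     strict Content-Security-Policy is ever deployed for this site. -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-93621L5G27"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-93621L5G27');
</script>
<meta property="og:title" content="Open source platform for X.509 certificate based service authentication and fine grained access control in dynamic infrastructures">
<meta property="og:description" content="Open source platform for X.509 certificate based service authentication and fine grained access control in dynamic infrastructures">
<meta property="og:type" content="website">
<meta property="og:url" content="https://athenz.io/">
<meta property="og:site_name" content="Athenz">
<meta itemprop="name" content="Open source platform for X.509 certificate based service authentication and fine grained access control in dynamic infrastructures">
<meta itemprop="description" content="Open source platform for X.509 certificate based service authentication and fine grained access control in dynamic infrastructures">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="Open source platform for X.509 certificate based service authentication and fine grained access control in dynamic infrastructures">
<meta name="twitter:description" content="Open source platform for X.509 certificate based service authentication and fine grained access control in dynamic infrastructures">
<meta name="twitter:image" content="https://athenz.io/images/icons/athenz-twitter-icon.jpg">
<meta name="twitter:image:alt" content="Athenz">
<!-- Open Graph consumers expect an absolute URL here; the twitter:image above already uses one -->
<meta property="og:image" content="https://athenz.io/images/icons/athenz-icon.png">
<link rel="icon" href="images/icons/favicon.ico">
<!-- These CDN stylesheets are version-pinned, so they should carry integrity="sha384-…"
     crossorigin="anonymous" (hash generated from the pinned files) so that a compromised or
     hijacked CDN cannot serve altered CSS. The hashes are not written here because they must be
     computed from the actual bytes of those files. -->
<link href="https://cdn.jsdelivr.net/gh/denali-design/[email protected]/css/denali.css" rel="stylesheet">
<link href="https://cdn.jsdelivr.net/gh/denali-design/[email protected]/dist/denali-icon-font.css" rel="stylesheet">
<link href="css/site.css" rel="stylesheet">
<link href="https://fonts.googleapis.com/css2?family=Rubik:wght@300;400;500;700;900&amp;display=swap" rel="stylesheet">
</head>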
<body class="denali-default-theme">
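<div class="nav rubik-regular">
<div class="nav-left">
<!-- NOTE(review): this inline onclick is the only header control not bound from the page script
     (navToggle is bound with addEventListener); it keeps the page incompatible with a CSP that
     forbids inline event handlers. -->
<a onclick="toggleTabsLeft()" tabindex="0" id="toggleTab" class="nav-icon hide-small-desktop-up-custom">
<i class="d-icon d-menu-hamburger"></i>
</a>
<a href="/">
<img class="nav-brand" src="images/icons/athenz-icon.png" alt="Athenz logo">
</a>
<div class="float-right hide-small-desktop-up-custom">
<a class="nav-icon" id="navToggle"><i class="d-icon d-more-vertical"></i></a>
</div>
</div>
<div class="nav-responsive" id="navMenuContent">
<div class="nav-center">
<a class="nav-item" href="explore.html#model">Explore</a>
<a class="nav-item" href="casestudies.html#hybrid">Case Studies</a>
<!-- Every link opened in a new tab carries rel="noopener noreferrer": the opened page gets no
     window.opener handle back to this one (reverse tabnabbing) and no Referer header. -->
<a class="nav-item" href="https://athenz.github.io/athenz/" target="_blank" rel="noopener noreferrer">Documentation <i class="d-icon d-external is-sub is-extrasmall" aria-hidden="true"></i></a>
<a class="nav-item" href="comparison.html#general">Comparison</a>
</div>
<div class="nav-right">
<a href="https://join.slack.com/t/athenz/shared_invite/zt-6c13sdfn-Lilbb~v2FYOkM7hZLGqF6A" target="_blank" rel="noopener noreferrer" class="nav-icon">
<i class="d-icon d-slack" aria-hidden="true"></i>
<span class="icon-name">Slack</span>
</a>
<a href="https://github.com/AthenZ/athenz" target="_blank" rel="noopener noreferrer" class="nav-icon">
<i class="d-icon d-github" aria-hidden="true"></i>
<span class="icon-name">Github</span>
</a>
<a href="contact.html" class="nav-icon">
<i class="d-icon d-help-circle" aria-hidden="true"></i>
<span class="icon-name">Contact</span>
</a>
</div>
</div>
</div>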
<div class="flex h-minus-nav" >
<div id="toggleTabsLeft" class="tabs is-primary is-vertical tablet-down-hide-left-custom">
<ul>
<li><a onclick="toggleTabActive('model')" class="is-active tablinks model" href="#model">Data Model</a></li>
<li><a onclick="toggleTabActive('authn')" class="tablinks authn" href="#authn">Service Authentication</a></li>
<li><a onclick="toggleTabActive('authz')" class="tablinks authz" href="#authz">Role Based Authorization</a></li>
<li><a onclick="toggleTabActive('zerotrust')" class="tablinks zerotrust" href="#zerotrust">Zero Trust Principles</a></li>
</ul>
</div>
<div id="container" class="overflow-y-auto flex-auto case-studies-container">
<div class="maincontent">
<!-- Model -->
<div id="model" class="tabcontent" >
<div class="container-full p-t-30">
<p class="rubik-bold f-s-28">Data Model</p>
<div>
<img class="" src="images/athenz-data-model.png" alt="" style="max-height: 450px;"/>
</div>
<div class="case-study-content">
<p class="p-t-30 rubik-bold f-s-20">Domain</p>
<p class="rubik-regular">Domains are namespaces, strictly partitioned, providing a context for authoritative statements to be made about the entities it contains.</p>
<p class="p-t-30 rubik-bold f-s-20">Policies</p>
<p class="rubik-regular">To implement access control, we have policies in our domain that govern the use of our resources. A policy is a set of assertions (rules) about granting or denying an operation/action on a resource.</p>
<p class="p-t-30 rubik-bold f-s-20">Resources</p>
<p class="rubik-regular">Resources aren't explicitly modeled in Athenz, they are referred to by name. A resource is something that is "owned" and controlled in a specific domain by the provider service.
Each service using Athenz for authorization is responsible for defining their own resources and referencing them in their policy rules (assertions).</p>
<p class="p-t-30 rubik-bold f-s-20">Actions</p>
<p class="rubik-regular">Similar to resources, actions are also controlled by the service owners. Athenz does not own nor enforce the actions on resources.
They are only referenced in policies and used by Athenz to carry out authorization checks and return the appropriate response to the caller.</p>
<p class="p-t-30 rubik-bold f-s-20">Roles</p>
<p class="rubik-regular">A role can be thought of as a group: any principal that is a member of the role can assume it and perform the actions its policies allow. Every policy assertion describes what a role is granted (or denied) permission to do.</p>
<p class="p-t-30 rubik-bold f-s-20">Principal</p>
<p class="rubik-regular p-b-30">The actors in Athenz that can assume a role are called principals. These principals are authenticated and can be users or services. Athenz currently provides service identity and authentication support.</p>
<p class="p-t-30 rubik-bold f-s-20">Groups</p>
<p class="rubik-regular p-b-30">To simplify principal management, the users and services can be included in Groups. Then, the Group can be added as a member to any role within Athenz thus granting the members of that group access to the configured resources.</p>
</div>
</div>
</div>
<!-- Authn -->
<div id="authn" class="tabcontent" >
<div class="container-full p-t-30">
<p class="rubik-bold f-s-28">Service Authentication</p>
<div>
<img class="" src="images/[email protected]" alt="" style="max-height: 450px;"/>
</div>
<div class="case-study-content">
<p class="rubik-regular">Athenz provides secure identity in the form of short-lived X.509 certificates for every workload or service deployed in private (e.g. OpenStack, Kubernetes)
or public cloud (e.g. AWS EC2, ECS, Fargate, Lambda). Using these X.509 certificates, clients and services establish secure connections and verify each other's identity through mutual TLS authentication.
The service identity certificates are valid for only 30 days, and the Service Identity Agents (SIA) that are part of those frameworks automatically refresh them daily, which bounds how long a compromised key remains usable.
The term service within Athenz is more generic than a traditional service. A service identity could represent a command, job, daemon, workflow, as well as both an application client and application service.</p>
</div>
</div>
</div>
<!-- AuthZ -->
<div id="authz" class="tabcontent" >
<div class="container-full p-t-30">
<p class="rubik-bold f-s-28">Role-Based Authorization (RBAC)</p>
<div>
<img class="" src="images/[email protected]" alt="" style="max-height: 450px;"/>
</div>
<div class="case-study-content">
<p class="rubik-regular">Once the client is authenticated with its X.509 certificate, the service can then check whether that client is authorized to carry out the requested action.
Athenz provides fine-grained role-based access control (RBAC) through a centralized management system, suitable
for control-plane access control decisions, and a decentralized enforcement mechanism suitable for data-plane access control decisions.
It also provides a delegated management model that supports multi-tenant and self-service concepts. <a href="https://athenz.github.io/athenz/auth_flow/" target="_blank" rel="noopener noreferrer">Learn More</a></p>
<p class="p-t-30 rubik-bold f-s-20">Centralized Access Control</p>
<p class="rubik-regular">The traditional centralized mechanism works as expected for services that do not need decentralized authorization: the server that owns the resources
simply asks the Athenz Management Service directly for an access decision, passing the caller's service identity and the resource/action information, and receives a simple boolean answer.
It is suitable for provisioning and configuration use cases where the latency of an authorization check is not critical.
<a href="https://athenz.github.io/athenz/auth_flow/#centralized-access-control-control-plane" target="_blank" rel="noopener noreferrer">Learn More</a></p>
<p class="p-t-30 rubik-bold f-s-20">Decentralized Access Control</p>
<p class="rubik-regular">A more interesting scenario introduces the local policy engine (ZPE) and a few supporting changes. Rather than directly asking for an access check with a principal identity,
the identity is instead used to obtain an access token, which is presented to the target service until it expires. This mechanism allows a service to make a completely local access check against ZPE,
given the access token and locally cached policies. Because both the token and the cached policies remain valid until they expire or are refreshed, their lifetimes bound how quickly a revoked grant stops being honored. <a href="https://athenz.github.io/athenz/auth_flow/#decentralized-access-control-data-plane" target="_blank" rel="noopener noreferrer">Learn More</a></p>
</div>
</div>
</div>
<!-- Zero Trust -->
<div id="zerotrust" class="tabcontent" >
<div class="container-full p-t-30">
<p class="rubik-bold f-s-28">Zero Trust Principles</p>
<div class="case-study-content">
<p class="rubik-regular">Zero Trust is a security model to defend against modern day adversaries.
In a nutshell, the Zero Trust model stipulates that in order to establish or maintain a certain level of security,
any and all trust amongst participating entities has to be explicit and limited, not implicit, inherited, broad or persistent.
That is, by default a system or service will not trust any user or client. While this does not sound particularly revolutionary,
it does overturn a few decades of common practice of perimeter security ("hard shell, soft internals"), whereby a privileged position inside a network,
such as being on a VPN, implicitly grants access to various services.
Instead, in a Zero Trust network, the underlying assumption is that enterprise users, devices, applications, and data are at constant risk of compromise from both external and internal threats.
As part of a typical attack life cycle, after an initial compromise, attackers will attempt to move laterally within the target infrastructure.
As a result, the surrounding environment of even "internal" services must be assumed to be hostile and untrusted.
Zero Trust treats the surrounding environment as inherently untrusted, thereby mandating the application of a few core principles:</p>
<p class="p-t-30 rubik-bold f-s-20">Traffic Encryption</p>
<p class="rubik-regular">All network traffic between services, clients, and components must be encrypted in transit, as all networks are considered hostile.</p>
<p class="p-t-30 rubik-bold f-s-20">AuthN and AuthZ</p>
<p class="rubik-regular">Always authenticate and always verify authorization all the way up to an appropriate Root Of Trust.</p>
<p class="p-t-30 rubik-bold f-s-20">Dynamic trust</p>
<p class="rubik-regular">Any given entity is trusted only for a limited duration, and only when it is expected (e.g., authenticated and authorized). Trust may also be context-dependent.</p>
<p class="p-t-30 rubik-bold f-s-20">Least Privilege</p>
<p class="rubik-regular"> Entities—whether people, organizations, hardware, or software—are granted only the least privilege required to accomplish their current tasks. Any particular grant of privilege ends when the task for which it was granted ends. New tasks require new grants of privilege.</p>
</div>
</div>
</div>
</div>
<!--footer-->
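<footer class="container-full custom-footer">
<div class="container">
<div class="row p-t-70">
<div class="xs-col-4-12 col-2-12 p-b-30">
<ul>
<li class="rubik-bold f-s-16">Community</li>
<!-- Links that open a new tab carry rel="noopener noreferrer" so the opened page gets no
     window.opener handle back to this one and no Referer header. -->
<li class="rubik-regular"><a href="https://join.slack.com/t/athenz/shared_invite/zt-6c13sdfn-Lilbb~v2FYOkM7hZLGqF6A" target="_blank" rel="noopener noreferrer">Slack</a></li>
<li class="rubik-regular"><a href="contact.html">Contact Us</a></li>
</ul>
</div>
<div class="xs-col-4-12 col-2-12 p-b-30">
<ul>
<li class="rubik-bold f-s-16">Contribute</li>
<li class="rubik-regular"><a href="https://github.com/AthenZ/athenz" target="_blank" rel="noopener noreferrer">Github</a></li>
<li class="rubik-regular"><a href="https://github.com/AthenZ/athenz/issues" target="_blank" rel="noopener noreferrer">Suggest</a></li>
</ul>
</div>
<div class="xs-col-4-12 col-2-12 p-b-30">
<ul>
<li class="rubik-bold f-s-16">Resources</li>
<li class="rubik-regular"><a href="https://athenz.github.io/athenz/" target="_blank" rel="noopener noreferrer">Documentation</a></li>
</ul>
</div>
</div>
<div class="nav-center">
Copyright © 2022 The Athenz Authors<br>
Copyright © 2022 The Linux Foundation ®. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks.
For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage" target="_blank" rel="noopener noreferrer">Trademark Usage page</a>
</div>
</div>
</footer>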
</div>
</div>
</body>
<script type="text/javascript">
// Collapse or expand the vertical tab list on narrow (tablet-down) layouts by
// flipping the class that site.css uses to slide it in and out.
function toggleTabsLeft() {
  var sidebar = document.getElementById("toggleTabsLeft");
  sidebar.classList.toggle("tablet-down-toggle-tabs-left-custom");
}
// The responsive "more" icon in the nav header opens and closes the menu. toggleMenu is a
// function declaration further down this script, so it is hoisted and already defined here.
document.getElementById('navToggle').addEventListener("click", toggleMenu);
// Open or close the responsive navigation menu (the nav-responsive block) by
// flipping its "is-active" class.
function toggleMenu() {
  var menu = document.getElementById('navMenuContent');
  menu.classList.toggle("is-active");
}
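// Show the tab panel whose id is `tabName`, mark the matching sidebar link as active, and
// collapse the sidebar if it had been opened on a narrow layout.
//
// `tabName` is taken from the URL fragment (see the hashchange handler below), so it is
// attacker-controlled. Previously any id was accepted: a hash such as "#navMenuContent" forced
// display:block on an arbitrary element by id and then threw a TypeError when no element
// carried that class. Only real tab panels (elements with class "tabcontent") are acted on;
// any other name is ignored and the page is left untouched.
function toggleTabActive(tabName) {
  var panel = document.getElementById(tabName);
  if (!panel || !panel.classList.contains("tabcontent")) {
    return;
  }
  var panels = document.getElementsByClassName("tabcontent");
  for (var i = 0; i < panels.length; i++) {
    panels[i].style.display = "none";
  }
  panel.style.display = "block";
  // Each sidebar link carries its tab's name as a class (see the tablinks markup).
  // classList is an exact token match, unlike the former className.replace, which also
  // clipped any longer class name that merely contained "is-active".
  var links = document.getElementsByClassName("tablinks");
  for (var j = 0; j < links.length; j++) {
    if (links[j].classList.contains(tabName)) {
      links[j].classList.add("is-active");
    } else {
      links[j].classList.remove("is-active");
    }
  }
  // On tablet-down layouts the sidebar slides out over the content; close it after a pick.
  var sidebar = document.getElementById("toggleTabsLeft");
  if (sidebar && sidebar.classList.contains("tablet-down-toggle-tabs-left-custom")) {
    sidebar.classList.remove("tablet-down-toggle-tabs-left-custom");
  }
}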
// Once the DOM is ready, select the tab named by the URL fragment, and keep doing so on
// every later hash change (the sidebar links are plain "#id" anchors, so clicking one
// also lands here).
document.addEventListener("DOMContentLoaded", function () {
  var syncTabToHash = function () {
    var fragment = window.location.hash;
    if (!fragment) {
      return;
    }
    toggleTabActive(fragment.split('#')[1]);
  };
  window.addEventListener('hashchange', syncTabToHash, false);
  syncTabToHash();
});
</script>
</html>