Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unlocking the mysteries of distributed microservice authorization

Published byJulianna Kelly Modified over 6 years ago

Similar presentations

Presentation on theme: "Unlocking the mysteries of distributed microservice authorization"— Presentation transcript:

1 Unlocking the mysteries of distributed microservice authorization
Wil Schobeiri CTO MediaMath Kasey Klipsch Principal Engineer MediaMath

2 Wil Who is MediaMath? MediaMath is the leading independent programmatic company for marketers. Went from 30 to 200 engineers in the last 5 years. In the same time, grew from 1 to 6 engineering offices globally. Currently handle 5 million rps across all of our systems. There are 100s of millions of entities in our configuration system.

3 Wil What this talk is How we are rearchitecting our authorization system for microservices. Start from our typical monolith Show several options we considered by rejected Show the solution we are currently deploying Discuss things we are worried about with our solution Reminder: Authorization is determining if a user has access to a entity

4 What this talk is not Wil A security presentation
A discussion about authentication generally or oauth specifically A security presentation A generic rules engine talk A big reveal of a product Reminder: if access is *not* based on the user its not authorization.

5 Where did we start?

6 Our Authorization Model (briefly)
Wil Our Authorization Model (briefly) 1 2 5 99 200 89 2 3 10 11 101 1001 99 2 3 87 89

7 Wil Where we started

8 Where we (actually) started
Wil Where we (actually) started

9 Enter the microservices
Wil Enter the microservices Completely separate authorization: No interaction with existing entities. Different set of rules. Authorization was proxied: Monolith enforced rules. Forwarded enough information for the microservice to proceed.

10 Enter more different microservices
Kasey -> Wil Enter more different microservices Batch/Analytics: Batch driven (thousands of entities to authorize) Internal to the response (e.g. authorizing lines in a report) Naturally cross cutting Event based microservices: RESTful interactions with an entity bus. Standardized system for communicating entity data. Encourages cross cutting microservices.

11 Kasey Design Patterns

12 Each microservice controls its own authorization
Kasey Each microservice controls its own authorization Authorization rules can be arbitrarily complex. Team most familiar with the entity able to make all the decisions about it. Straightforward mapping of monolith behavior onto microservices.

13 Each microservice controls its own authorization
Kasey Each microservice controls its own authorization Requires rigorous standardization. Requires all teams to think about and develop authorization systems. Boilerplate authorization functionality like audit/compliance is spread everywhere. Does not answer the cross cutting concerns problem.

14 Authorization middleware for all user interactions.
Kasey Authorization middleware for all user interactions. Pros: Authorization team handles authorization complexity and boilerplate. No standardization difficulty. Aligns with other edge elements like load balancing. Cons: Must scale to highest scale system. Reintroduces many of the negatives of the monolith. Still doesn’t solve for non-request reply semantics.

15 What do would we ideally want?
Kasey/Wil What do would we ideally want? Management of what a user’s rules are should occur in one place. Resolution of the rules should be distributable. Creation of authorization rules about entities should be controllable by the owners of the entities. Services other than the owners of the entities, must be able to display the entities. An authorization system must not assume all use cases are request/reply single entity contexts. Rule resolution must not require talking to the owners of entity data.

16 Kasey Our Solution

17 The system we want Kasey Rules are stored as data.
Distributed by our existing event entity system. Rules can be updated via a system that the authorization team controls. Microservices with scalability concerns or that are not request/reply can cache locally via events. Others can use a restful API into the data.

18 First step: Determine a data model
Kasey First step: Determine a data model 99 2 3 87 89 EVERY ENTITY HAS A: Path: Denormalized encoding of the full branch to the entity. Required Roles: Roles needed to perform one of the CRUD operations. EVERY USER HAS A LIST OF: Path walk: Description of the part of the hierarchy being applied to. Role: The role being given. 89 2

19 It worked! The case of the massive security hole
Wil It worked! The case of the massive security hole The model check exercise found: holes in our data model (expected) edge cases where the monolith was doing odd things (not surprising) a massive security hole (headdesk) Top level entity allowed update/delete for any user attached to it, regardless of role/scope A frequent pattern was to add read only users at the top level to leverage the inheritance rules Result was *lots* of users with highly elevated abilities. Oops. Finding this validated the exercise independent of any other results.

20 Second step: Publish rules in a distributed data store
Kasey Second step: Publish rules in a distributed data store USERS Monolith entities already exist in our entity event system (including users). Daemon that translates monolith user data to new user model. Daemon that translates monolith entity data to new entity model. Published to existing entity event system as new entities. ENTITIES

21 Third step: Build client libraries and REST API
Kasey Third step: Build client libraries and REST API Reference client library that takes user model & entity model. Answers does this user have this access to this entity? Can be embedded in microservices that need local resolution. Also wrapped with a REST API for clients who don’t.

22 Fourth step: Add support for microservice based entities
Kasey Fourth step: Add support for microservice based entities Administration API: Add new required role types to entities. Assign paths and roles to users.

23 How does this system score on our principles?
Wil How does this system score on our principles? Management of what a user’s rules are should occur in one place. The authorization teams publisher acts as the gatekeeper for this. Resolution of the rules should be distributable. Any system can subscribe to the authorization feeds. Creation of authorization rules about entities should be controllable by the owners of the entities. External systems can change the rules via an authorization team endpoint. Services other than the owners of the entities must be able to display the entities. By marrying the authorization streams, client library and the entity streams any service can show data correctly.

24 How does this system score on our principles?
Wil How does this system score on our principles? An authorization system must not assume all use cases are request/reply single entity contexts. System works as well for event driven and batch supplied systems as request/reply ones. Rule resolution must not require talking to the owners of entity data. All of the data is available by our existing Kafka data system.

25 What are we worried about?
Kasey What are we worried about? Globally distributed data is a hard problem. Can the data model hold up into the future: In the face of arbitrarily complex rules or new use cases? Are we going to see cyclical entity relationships? Adoption difficulty

26 Kasey Key Takeaways Authorizations are now resolvable by all microservices! Modeling things as data instead of code makes them more distributable – across both systems and people. Changes to the data are self serve One team owns the data model

27 Thanks and questions? ANY QUESTIONS? Kasey
There is a whole team at MediaMath doing the hard work of getting this system in place and making sure it meets our needs. They deserve the credit for this system. ANY QUESTIONS?

28 Wil Thank you! PS: We’re hiring. Come talk to us!

Download ppt "Unlocking the mysteries of distributed microservice authorization"

Similar presentations

SG-A Ad Hoc - ENUM Jordyn A. Buchanan Register.com February 12, 2001.

SG-A Ad Hoc - ENUM Jordyn A. Buchanan Register.com February 12, 2001.
Delegates & Events Observer and Strategy Patterns Game Design Experience Professor Jim Whitehead January 30, 2009 Creative Commons Attribution 3.0 creativecommons.org/licenses/by/3.0.

Delegates & Events Observer and Strategy Patterns Game Design Experience Professor Jim Whitehead January 30, 2009 Creative Commons Attribution 3.0 creativecommons.org/licenses/by/3.0.
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
Cloud Computing for the Enterprise November 18th, 2011. This work is licensed under a Creative Commons.

Cloud Computing for the Enterprise November 18th, This work is licensed under a Creative Commons.
Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.

Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.
Aspect Oriented Programming (AOP) in.NET Brent Krueger 12/20/13.

Aspect Oriented Programming (AOP) in.NET Brent Krueger 12/20/13.
Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy

Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy
1 Vigil : Enforcing Security in Ubiquitous Environments Authors : Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, Tim Finin Presented by : Amit Choudhri.

1 Vigil : Enforcing Security in Ubiquitous Environments Authors : Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, Tim Finin Presented by : Amit Choudhri.
WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.

WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.
Messaging. Message Type Patterns Command Invoke a procedure in another application SOAP request is an example Document Message Single unit of information,

Messaging. Message Type Patterns Command Invoke a procedure in another application SOAP request is an example Document Message Single unit of information,
CS223: Software Engineering

CS223: Software Engineering
1 Distributed Systems Architectures Distributed object architectures Reference: ©Ian Sommerville 2000 Software Engineering, 6th edition.

1 Distributed Systems Architectures Distributed object architectures Reference: ©Ian Sommerville 2000 Software Engineering, 6th edition.
CS223: Software Engineering

CS223: Software Engineering
100% Exam Passing Guarantee & Money Back Assurance

100% Exam Passing Guarantee & Money Back Assurance
Microservices & API Gateways Marco Palladino.

Microservices & API Gateways Marco Palladino.
Essentials of UrbanCode Deploy v6.1 QQ147

Essentials of UrbanCode Deploy v6.1 QQ147
Where are we ? Setup Sprites Input Collision Drawing Sprites

Where are we ? Setup Sprites Input Collision Drawing Sprites
Leveraging the Business Intelligence Features in SharePoint 2010

Leveraging the Business Intelligence Features in SharePoint 2010
CSE Retargeting to AE, IPE, and NoDN Hosted Resources

CSE Retargeting to AE, IPE, and NoDN Hosted Resources
CSE Retargeting to AE, IPE, and NoDN Hosted Resources

CSE Retargeting to AE, IPE, and NoDN Hosted Resources

Similar presentations

Ads by Google