| author | mo khan <mo@mokhan.ca> | 2025-05-02 14:29:41 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-05-02 14:29:41 -0600 |
| commit | c583bcd1473205104a1e1af812ed4976d30c7baa (patch) | |
| tree | 933edf78a4ac8aea55256e42641e56bbb4c58834 /doc/share/authz/README.md | |
| parent | 91defaefca47e9cebbe92c6abf33c4423df9bc7d (diff) | |
refactor: remove anything unrelated to the authz daemon
Diffstat (limited to 'doc/share/authz/README.md')
| -rw-r--r-- | doc/share/authz/README.md | 69 |
1 files changed, 0 insertions, 69 deletions
diff --git a/doc/share/authz/README.md b/doc/share/authz/README.md deleted file mode 100644 index 5b7da3fb..00000000 --- a/doc/share/authz/README.md +++ /dev/null 
@@ -1,69 +0,0 @@ -# Authz - -## Access Control Models - -Access Controls provide a means of restricting access to objects based on the -identity of subjects and/or groups to which they belong. - -* Role-Based Access Control ([RBAC](./RBAC.md)) -* Relationship-Based Access Control ([ReBAC](./ReBAC.md)) -* Attribute-Based Access Control ([ABAC](./ABAC.md)) - -Authentication (Authn) is used to determine that users or systems are who they -claim to be and provide proof in the form of identity principals and attributes. - -Authorization (Authz) is used to decide what privileges an actor has within a -system. - -## Policy - -* [What is a policy?](./POLICY.md) -* Policy Language Evaluation - * Casbin - * Cedar - * [Dafny](https://dafny.org/) - * Rego - -Criteria for evaluating policy languages: - -* Must be able to model different types of access control models (RBAC, ReBAC, ABAC) -* Must be able to perform static analysis -* Must be actively supported -* Must have concise documentation -* Must provide ability to extend language using Ruby/Golang for describing complex policies. -* Must have a compatible license that permits the way that we can use it. - -Ideally, we must be able to model the following relationships: - -| type | required | -| ---- | -------- | -| `user-to-resource` | required | -| `resource-to-resource` | required | -| `user-to-user` | not required | - -Note: `user-to-user` relationships are not in the current access control model. 
- -## Architecture - -```plaintext - ------------------ ------- ------------- - | Users/Services |--->| PEP |--->| Resources | - ------------------ ------- ------------- - | A - V | - ------- ------------ ------- - | PDP |-->| Policies |<---| PAP | - ------- ------------ ------- - | A A - V | | - ------- ----------------- - | PIP | | Administrator | - ------- ----------------- - -PAP: Policy Administration Point -PDP: Policy Decision Point -PEP: Policy Enforcement Point -PIP: Policy Information Point -``` - -* [Kubernetes Policy Management](https://github.com/kubernetes/sig-security/blob/main/sig-security-docs/papers/policy/kubernetes-policy-management.pdf) |
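Review bot: The deleted file's "Architecture" section (the PEP/PDP/PAP/PIP diagram and the expansion of those acronyms) and the "Policy" section's evaluation criteria describe the authorization daemon itself rather than something unrelated to it, so removing them under a "remove anything unrelated to the authz daemon" commit looks inconsistent; either move that content into the daemon's own documentation in this same commit or state in the commit message where it now lives. The README also links to `./RBAC.md`, `./ReBAC.md`, `./ABAC.md` and `./POLICY.md`; the diffstat for this path shows only the README removed, so confirm that those sibling files are deleted alongside it or that nothing else still links to them, otherwise the docs tree is left with orphaned pages. Minor: the `Access Control Models` list and the relationship table (`user-to-resource` and `resource-to-resource` marked required, `user-to-user` not required) are the only place the supported relationship scope was written down, which is worth preserving somewhere for anyone reviewing what the daemon is meant to enforce.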
