| field | value | date |
|---|---|---|
| author | mo khan <mo@mokhan.ca> | 2025-07-08 08:22:53 -0600 |
| committer | mo khan <mo@mokhan.ca> | 2025-07-08 08:22:53 -0600 |
| commit | dd14ea6db69c8d58fd5d4ec727c93d96203bf63e | |
| tree | 7ac1cdc089722eef6a561bf7eccf6e37c8b50f9a (`/share`) | |
| parent | 58489718a7bd33918a523804f372d845135afa10 | |
docs: add screenshot from warsaw accord diagram
Diffstat (limited to 'share')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | share/man/README.md | 66 |
| -rw-r--r-- | share/man/screenshot.png | bin, 0 -> 64470 bytes |

2 files changed, 41 insertions, 25 deletions
diff --git a/share/man/README.md b/share/man/README.md index f9dbc4cf..d5c1adf4 100644 --- a/share/man/README.md +++ b/share/man/README.md @@ -34,6 +34,7 @@ This is different from Rails where authorization typically happens inside the ap ``` ### Challenges + - Every app reimplements auth logic - Hard to enforce consistent policies - Difficult to audit authorization decisions @@ -43,10 +44,13 @@ This is different from Rails where authorization typically happens inside the ap ## Slide 3: Our Solution - Authorization at the Edge + + ``` +--------------+ | User-Agent | +------+-------+ + | | HTTP Request v +=========================================+ @@ -170,7 +174,7 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd | Docker Container | | | | +---------+ +--------------+ +----------+ | -| | Envoy |--->| Go Authzd | | Sparkled | | +| | Envoy |--->| Go Authzd | | Sparkled | | | | (local) | | (sidecar) | | (App) | | | +---------+ +------+-------+ +----------+ | | | | @@ -212,6 +216,7 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd ``` ### Benefits: + 1. **Local authzd** - Fast, no network latency, basic policies 2. **Remote authzd** - Centralized policy management, complex rules 3. **Future**: In-process library reduces gRPC overhead @@ -220,11 +225,13 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd ## Slide 7: Envoy Configuration Deep Dive -### ⚠️ **Architecture Evolution Note** +### **Architecture Evolution Note** + The OAuth2 and JWT filters shown below may be removed in future versions: + - **Option 1**: Move to Rust authzd's Envoy configuration - **Option 2**: Implement as code inside Rust authzd -- **Goal**: Replace JWT with URT (Unified Request Token) via ext_authz +- **Goal**: Replace JWT with URT (Unified Request Token) via `ext_authz` ### Current Filter Chain (order matters!) 
@@ -237,6 +244,7 @@ http_filters: ``` Each filter processes the request and can: + - Allow it to continue to the next filter - Return an immediate response (redirect, error, etc.) - Modify headers before passing along @@ -245,10 +253,12 @@ Each filter processes the request and can: ## Slide 8: OAuth2 Filter - Authentication (Current) -### ⚠️ **Future Architecture** +### **Future Architecture** + This OIDC authentication may move to Rust authzd for centralized token management. ### Configuration + ```yaml - name: envoy.filters.http.oauth2 config: @@ -267,6 +277,7 @@ This OIDC authentication may move to Rust authzd for centralized token managemen ``` ### What it does: + 1. Intercepts unauthenticated requests 2. Manages OAuth2 flow with GitLab 3. Stores tokens in encrypted cookies @@ -276,13 +287,16 @@ This OIDC authentication may move to Rust authzd for centralized token managemen ## Slide 9: JWT Filter - Token Validation (Current) -### ⚠️ **Future Architecture** +### **Future Architecture** + JWT validation may move to authzd, which will: + 1. Validate JWT from identity provider 2. **Replace JWT with URT (Unified Request Token)** -3. Inject URT as header via ext_authz response +3. Inject URT as header via `ext_authz` response ### Configuration + ```yaml - name: envoy.filters.http.jwt_authn providers: @@ -299,6 +313,7 @@ JWT validation may move to authzd, which will: ``` ### Current headers passed to app: + ``` x-jwt-claim-sub: 123456 x-jwt-claim-username: john.doe @@ -307,12 +322,12 @@ x-jwt-payload: <base64 encoded JWT> --- -## Slide 10: Ext_Authz Filter - Authorization +## Slide 10: `ext_Authz` Filter - Authorization ### The gRPC Call ``` -+------------+ CheckRequest +------------+ ++------------+ CheckRequest +------------+ | Envoy | ---------------------> | Authzd | | | | | | | <--------------------- | | @@ -320,6 +335,7 @@ x-jwt-payload: <base64 encoded JWT> ``` ### CheckRequest includes: + ```protobuf message CheckRequest { AttributeContext attributes = 1; 
@@ -332,6 +348,7 @@ message AttributeContext { ``` ### CheckResponse: + ```protobuf message CheckResponse { Status status = 1; // OK or Permission Denied @@ -340,9 +357,11 @@ message CheckResponse { ``` ### **Key Feature: URT Injection** + Authzd can inject **URT (Unified Request Token)** headers: + ``` -x-urt-token: <downscoped_token> +x-urt: <downscoped_token> x-user-id: 123456 ``` @@ -350,18 +369,11 @@ x-user-id: 123456 ## Slide 11: Authzd Implementation -### 🚧 **Current Cedar Policies (Placeholder)** +### **Current Cedar Policies (Placeholder)** **Note**: These are hard-coded placeholder policies to test the local <-> remote authzd interaction. Real policies are being developed next. ```cedar -// Allow requests with valid bearer token -permit(principal, action == Action::"check", resource) -when { - context has bearer_token && - context.bearer_token == "valid-token" -}; - // Allow static assets permit(principal, action, resource) when { @@ -423,24 +435,28 @@ when { ## Slide 13: Demo Scenarios ### Scenario 1: Unauthenticated Access + ```bash curl http://localhost:10000/dashboard # → 302 Redirect to GitLab login ``` ### Scenario 2: Static Asset (No Auth Required) + ```bash curl http://localhost:10000/style.css # → 200 OK (bypasses auth) ``` ### Scenario 3: Authenticated Access + ```bash curl -H "Cookie: id_token=..." http://localhost:10000/dashboard # → 200 OK (if authorized) ``` ### Scenario 4: Invalid Token + ```bash curl -H "Cookie: id_token=expired" http://localhost:10000/dashboard # → 401 Unauthorized @@ -451,13 +467,9 @@ curl -H "Cookie: id_token=expired" http://localhost:10000/dashboard ## Slide 14: Key Takeaways 1. **Authorization at the edge** is more secure and performant - 2. **Envoy handles the complex parts** - OAuth flows, token validation - 3. **Cedar policies** are easier to audit than code - 4. **Separation of concerns** - Apps do business logic, not auth - 5. **Gradual migration** is possible - no big bang required --- 
@@ -465,15 +477,19 @@ curl -H "Cookie: id_token=expired" http://localhost:10000/dashboard ## Appendix A: Resources ### Documentation -- Envoy ext_authz: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter + +- Envoy `ext_authz:` https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter - Cedar Language: https://www.cedarpolicy.com/ - Warsaw Accord Design Doc: See pages 3-5 ### Code Repositories + - Sparkled: `/sparkled` - Demo application - Authzd: `/authzd` - Authorization daemon ### Key Files -- `/sparkled/etc/envoy/envoy.yaml` - Envoy configuration -- `/authzd/etc/authzd/policy0.cedar` - Authorization policies -- `/sparkled/share/man/ENVOY.md` - Detailed Envoy documentation + +- [`/authzd/etc/authzd/*.cedar`](https://gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/-/tree/63c5263087c9e282ced0e549b78c7ebd4353b273/etc/authzd) - Authorization policies +- [`/sparkled/etc/envoy/envoy.yaml`](https://gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/-/blob/main/etc/envoy/envoy.yaml) - Sparkle Envoy configuration +- [`/sparkled/etc/envoy/envoy.yaml`](https://gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/-/blob/63c5263087c9e282ced0e549b78c7ebd4353b273/etc/envoy/envoy.yaml) - Authzd Envoy configuration +- [`/sparkled/share/man/ENVOY.md`](https://gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/-/blob/a3b0accde30a92434053bab1d25d8028e24ed866/share/man/ENVOY.md) - Detailed Envoy documentation diff --git a/share/man/screenshot.png b/share/man/screenshot.png Binary files differnew file mode 100644 index 00000000..5d15a20e --- /dev/null +++ b/share/man/screenshot.png |
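Review bot: the new Slide 10 heading (hunk `@@ -307,12 +322,12 @@`) spells the filter `ext_Authz`, while every other occurrence this patch touches (the Slide 7 goal bullet, the Slide 9 list item, the Appendix link) uses `ext_authz`, which is also the spelling in Envoy's own filter name. Suggest `## Slide 10: \`ext_authz\` Filter - Authorization` so the heading matches the filter name and text searches find both.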
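Review bot: the URT example header is renamed from `x-urt-token` to `x-urt` in the CheckResponse section (hunk `@@ -340,9 +357,11 @@`), but nothing in this patch shows which name authzd actually emits. Downstream apps will key on this exact header to pick up the downscoped token, so please confirm it matches the header the authzd code injects, and that `ENVOY.md` (linked from the Appendix) uses the same name, otherwise the two docs will disagree on the one header that carries the authorization result.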
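Review bot: dropping the `context.bearer_token == "valid-token"` permit from the placeholder policy listing (hunk `@@ -350,18 +369,11 @@`) is the right call for the docs, but the **Note** that survives in the same hunk still says these are hard-coded placeholders for testing the local <-> remote interaction. Worth adding one sentence stating whether the string-literal bearer-token rule was also removed from the real policy files (the Appendix now links `/authzd/etc/authzd/*.cedar` at a pinned commit), so a reader does not assume a fixed token value still grants access in the running authzd.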
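Review bot: in the Appendix Key Files list (hunk `@@ -465,15 +477,19 @@`), two entries carry the same label `/sparkled/etc/envoy/envoy.yaml` while the second one links into the authzd repository (`.../authzd/-/blob/63c5263087c9e282ced0e549b78c7ebd4353b273/etc/envoy/envoy.yaml`); its label should read `/authzd/etc/envoy/envoy.yaml` to match its own description "Authzd Envoy configuration". Two smaller points in the same hunk: the colon has slipped inside the code span in `` `ext_authz:` `` (should be `` `ext_authz`: ``), and the sparkled `envoy.yaml` link points at `main` while the other three links are pinned to commit SHAs, so that one entry will drift from what the slides describe; pinning it keeps the appendix consistent.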
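Review bot: `share/man/screenshot.png` is added as a new binary file and the commit message says it is the Warsaw Accord diagram, but none of the `share/man/README.md` hunks reference it, so the image is orphaned in the repository. Either add an image reference in the README (the Appendix entry "Warsaw Accord Design Doc: See pages 3-5" is the natural place for `![Warsaw Accord diagram](screenshot.png)`) or leave the file out of this commit.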
