# authzd - Authorization Daemon
## Overview
The system processes authorization requests from user agents and updates access control lists (ACLs) in response to identity changes.
It integrates with an identity provider (IdP) and uses message queues to stay in sync with membership data.
## Architecture
```plaintext
-------------
| user-agent |
-------------
|
V
----|:443|-------------------------------------------------------------
|
| ----------------------------------------
| | ______________________ |
+-->(:443)| envoy ->(:80)| /var/run/sparkled | |
| --|------------------- |
-----------------|----------------------
|
------------------+
|
| -------------------
| | IdP /IAM |---- publish membership change ---|
| ------------------- |
| |
| |---- sub membership change ------------------
+<-------| |
| V (update acls)
V -------------------------------------
| | ___________________ |
|-->(:443)| envoy ->(:80)| /var/run/authzd | |
| ------------------| |
-------------------------------------
|
|----> cron reconciliation process >---->------|
A |
|--- audit, validate list, notify, remediate --|
```
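The cron reconciliation step shown in the diagram (audit the live ACLs against IdP membership, list the drift, remediate it), as an added Rust example that is not authzd's own code. The tuple shape (SpiceDB-style resource#relation@subject), the mapping of each IdP group to a `member` relation, and the sample data are assumptions made for the example.

```rust
use std::collections::{BTreeSet, HashMap};

/// One access-control tuple, modelled after a SpiceDB relationship (resource#relation@subject).
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Acl {
    pub resource: String,
    pub relation: String,
    pub subject: String,
}

impl Acl {
    pub fn new(resource: &str, relation: &str, subject: &str) -> Self {
        Acl { resource: resource.into(), relation: relation.into(), subject: subject.into() }
    }
}

/// Drift found by the audit. `Extra` is the security-relevant case: access that no current
/// IdP membership justifies, i.e. a membership-change event that was never applied.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Drift {
    Extra(Acl),
    Missing(Acl),
}

/// Desired state derived from IdP membership (assumed mapping: group -> members becomes
/// resource=group, relation="member", subject=member).
pub fn desired_from_membership(membership: &HashMap<String, Vec<String>>) -> BTreeSet<Acl> {
    let tuples = membership.iter().flat_map(|(g, ms)| ms.iter().map(move |m| Acl::new(g, "member", m)));
    tuples.collect()
}

/// Audit + validate: revocations (Extra) are listed before grants (Missing) so that a
/// remediation loop which stops early still removes excess access first. Output is sorted.
pub fn reconcile(desired: &BTreeSet<Acl>, live: &BTreeSet<Acl>) -> Vec<Drift> {
    let mut fixes: Vec<Drift> = live.difference(desired).cloned().map(Drift::Extra).collect();
    fixes.extend(desired.difference(live).cloned().map(Drift::Missing));
    fixes
}

/// Remediate: apply the fixes to the live set. A second reconcile afterwards must report no
/// drift, which is the invariant the periodic cron run relies on.
pub fn remediate(live: &BTreeSet<Acl>, fixes: &[Drift]) -> BTreeSet<Acl> {
    let mut next = live.clone();
    for fix in fixes {
        match fix {
            Drift::Extra(acl) => { next.remove(acl); }
            Drift::Missing(acl) => { next.insert(acl.clone()); }
        }
    }
    next
}
```

The `Extra` list is also what the "notify" step would send out, since each entry is a subject holding access that the IdP no longer grants.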
## Getting Started
### Prerequisites
- [make](https://www.gnu.org/software/make/)
- [mise](https://mise.jdx.dev/)
- [spicedb](https://authzed.com/docs/spicedb/getting-started/installing-spicedb)
1. Install tools:
```sh
$ make setup
```
1. Start servers:
```sh
$ make run
```
## Environments
### Staging
- https://authzd.staging.runway.gitlab.net
- [Logs](https://console.cloud.google.com/logs/query;query=resource.labels.service_name%3D%22authzd%22?project=gitlab-runway-staging)
### Production
- https://authzd.runway.gitlab.net
- [Logs](https://console.cloud.google.com/logs/query;query=resource.labels.service_name%3D%22authzd%22?project=gitlab-runway-production)
## References
* [Sparkle + Authzd: Overview Presentation][6]
* [Envoy Proposal][7]
* [gRPC][3]
* [protocol buffers][4]
* [tokio][2]
* [tonic][1]
* [Envoy External Authorization][5]
[1]: https://github.com/hyperium/tonic
[2]: https://github.com/tokio-rs/tokio
[3]: https://grpc.io/docs/
[4]: https://protobuf.dev/programming-guides/proto3/
[5]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter
[6]: https://drive.google.com/file/d/1cYsHePX5p6uG3WY6Fp8X7yXJtoWt5wCZ
[7]: https://gitlab.com/gitlab-org/architecture/auth-architecture/design-doc/-/blob/main/doc/share/envoy.md