Authorization at Netflix

Manish Mehta: Security Engineer at Netflix, specializes in secure bootstrapping, PKI, secrets management, authentication, and authorization.
Torinn Sandal: Tech lead of the Open Policy Agent (OPA) project, contributing to Kubernetes and Istio.

Key Concepts

Authentication (AuthN): Verifying the identity of the requester. Example: A bank verifying who is requesting a $1,000 transfer.
Authorization (AuthZ): Verifying if the authenticated identity has permission to perform a requested action.

These two processes do not need to be tied together within one system to maintain flexibility.

High-Level View: Simplified architecture with customers, backend, cloud providers (like AWS), and CDN.
Focus: The backend controls applications such as API gateways, personalization, account management, etc.

Applications within the control plane (e.g., REST, gRPC services) must effectively communicate with each other.
Important considerations include:
- Network Reachability vs. Authorization: Network reachability does not equal authorization. Need more granular control over REST endpoints.
- Diverse Protocols: Varying protocols (REST, gRPC, custom protocols) require flexible solutions.

Need a unified approach to define and enforce rules based on combinations of:
- I: Identity
- O: Operation
- R: Resource
Avoid multiple solutions causing a lack of visibility and control.

Company Culture Alignment: Must enable freedom and responsibility (self-service) for engineers and teams.
Resource Type Support: Must accommodate various resource types, including non-API resources (e.g., SSH).
Diverse Identities: Support user roles including employees, contractors, and software services.
Protocol Independence: Ability to cater to multiple underlying protocols (e.g., HTTP, gRPC).
Flexibility of Rules: Capable of adapting to new use cases and formats.
Performance (Latency): Decisions must be made in sub-millisecond time frame, preferably without network round trips.
Capture of Intent: Ensure users don’t mistakenly write policies that diverge from their intent.

Components:
- Policy Portal: UI where engineers write policies, manage versions, and override rules when necessary.
- Aggregator: Gathers data from various sources (e.g., ownership databases) to inform policies.
- Distributor: Distributes policies to agents, ensuring information is kept fresh in memory without introducing latency.
Authorization Agents: Located next to applications for fast decision-making (hot path) and asynchronously updating from distributors (slow path).

REST API with endpoints get salary and update salary:
- Policies for reading salaries based on employee-manager relationships and job roles.

General-purpose policy engine: Implementation in Go, lightweight, designed for runtime integration without dependencies.
Rego Language: Declarative language for writing policies, focusing on data and logic.
Performance Metrics: Latency remains stable even as data sets grow.

Policy composition allows reusing logic across different rules, aiding maintainability.
Resource agnostic, meaning it's not specific to any single domain or technology.
Community and Ecosystem: OPA offers pre-built integrations for platforms like Kubernetes and has strong community support.

Developed a UI to simplify policy creation, ensuring engineers don't write overly complex rules, thus capturing their intent effectively.
Built-in Unit Testing: Tests run against policies before deployment, preserving original intentions and preventing errors after updates occur.

Authorization is a critical security challenge, with cloud environments changing the dynamics.
Aim for a cohesive solution rather than multiple fragmented systems to ensure visibility and control.
Community Engagement: Look into open-source projects like OPA, and consider collaborating with others facing similar challenges.