.@dschenkelman's chat with @juanrossi, a Senior Platform Security Manager at @Mercadolibre. Join us to know more about their Authorization challenges and how they tackled them.

Join here twitter.com/i/spaces/1yNGa…
#Authorization and #Authentication are too critical to have everyone learning and implementing them from scratch. With more tens of thousands of employees, @Mercadolibre needed to create a solution that is easy to use and can be implemented in any language and tech stack
They also needed to solve for an important problem that touches on #AuthN and #AuthN: how to handle delegation of permissions, where a user can act on behalf of another user.
They have thousands of applications.

Having each service had to do it's own authorization raised some issues:
* requires maintaining every implementation to prevent vulnerabilities
* improvements & new features rely on modifying implementations by many teams
* visibility is hard
A centralized solution that is standardized within the company & shared by multiple systems alleviates many of these issues

* Create an token and send it to applications.
* Applications request decision from the policy agent.

Downsides: higher latency, single point of failure
> Downsides: higher latency, single point of failure

Bundling the AuthZ agent into sidecars improves latency and performance.
Side-note: This article from the @netflix tech blog might be interesting to people following along:

AuthZ question and logic "if user has this permission, allow otherwise deny" implemented in #Rego and evaluated on a framework based on #OPA

Rego allowed them writing #AuthZ decisions and use regex, loops, etc.. It is a complex language with a learning curve.
Benefit of #Rego and #OPA:
* Framework is pretty good on the optimization side where policies are indexes
* policies evaluated in microseconds
Because of it's complexity and steep learning curve, asking the whole company (thousands of employees) to learn #Rego was not practical

They needed to create abstractions that make it as simple as possible to implement #AuthZ
Q: How do you know if a team is using an #AuthZ anti-pattern
* Hard to police
* Educate. New system in place for only a few months, work is still underway to document and answer most questions
* Push people away from writing their own #Rego solution
* Consistent approach
They have policies stored on S3, sidecars pull the information every minute, and update in memory if changed.

Checks prevents people from deploying policies to production without approval.
While building their solutions, they focused on having a generic solution that can handle permissions and can answer any #Authorization question.

Resilience and low-latency were also important
Pragmatism is important.

They did not focus on having the most performant and scalable solution from day one.

* test hypothesis early
* build a system that performs correctly
* iterate from there
That was it!

Recording of the discussion will be up in the next few days

Thanks to @juanrossi from @MercadoLibre for joining us and sharing his insight & knowledge into #AuthZAtScale, the challenges he and his team are facing, and his thoughts on how they are approaching them
If you didn't manage to catch the chat yesterday, fear not! The recording is now up. You can find it here 👇

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with The Auth0 Lab

The Auth0 Lab Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Auth0Lab

3 Dec 20
1/ Let's continue exploring how the "Zanzibar" model allows us to solve #fgaatscale 👇

3️⃣ Correctness: no invalid permissions are granted

To provide "correct" answers, an ACL check needs to always read a "valid view" of the system.
2/ "Valid" means: the full state read from storage should have existed at a "logical point in time" and includes all committed records at that point.

The picture provides a counterexample, a request should not read two different values from a namespace at different reads. Image
3/ Similarly, new tuples should not "show up" in a request's query replies while it executes.

This applies to:
- in progress transactions
- records committed in the lifetime of the request

Summarizing: reads should be consistent at a "logical timestamp" within a request.
Read 10 tweets
2 Dec 20
1/ Back after last week's break 😴, ready to talk about why we picked the "Zanzibar model" for project #sandcastle: 👇
2/ We've shared the 5 things needed to solve #fgaatscale

Let's explore high-level how "Zanzibar" works and how it meets those needs

3/ 0️⃣ Introduction
Zanzibar is a "Relationship based access control" (ReBAC) authorization system, i.e.: a user has access to an object if it has a particular relation to it.

Zanzibar stores (object, relation, user) "tuples" with data about these relations.
Read 11 tweets
18 Nov 20
1/ We've analyzed the #fgaatscale problem:

We've shared our view on the market:

It's time to tell you what we are planning to build 🥁... 🧵
2/ Project #sandcastle will be a globally distributed, highly reliable service for large scale, fine grained authorization.

It's based on @Google's Zanzibar paper: research.google/pubs/pub48190/, that powers #fgaatscale for @googledrive @googlecloud @YouTube and @Google other products!
3/ You'd:
1. Sign up for a subscription
2. Configure who has access to what
3. Pick an SDK for your favorite language/tool
4. (optionally) Feed your authZ data from existing sources into #sandcastle

That's the ideal future. At this point you'd have AuthZ for your app 🤯
Read 8 tweets
11 Nov 20
1/ Having analyzed the @github and @googledrive #fgaatscale cases, we'll share our view on the authz market.

We'll go over what is currently being addressed and what the gaps are👇
As we've mentioned before, solving #fgaatscale requires:
1️⃣ Permission modelling flexibility
2️⃣ Auditing capabilities
3️⃣ Correctness: no invalid permissions are granted
4️⃣ Low Latency
5️⃣ High availability
3/ Solving #fgaatscale is becoming a need because:
☝️ Users expect collaboration features in most products they used, and that requires FGA
✌️ Increasing privacy and compliance regulations require companies in different verticals to restrict access as much as possible
Read 21 tweets
10 Nov 20
1/ Last week we did a deep dive of @github's authorization model and the problems they solve

In this thread we'll focus on another well known product: @googledrive a great example of a collaboration platform.

📊How is gdrive "authorization at scale"?
2/ Well, in 2018 they:
- hit 1B users
- 2 trillion files


🔐 Review their permission model
🔍Go over their "search" story and how authz fits in it
🎯Analyze examples of why "correctness" () is important
3/ Like github, @googledrive has B2C and B2B models. However, @googledrive's sharing model is the same for B2C and B2B. The difference is who you can share files with.
Read 21 tweets
5 Nov 20
1/ Last time explained why we are exploring fine grained authorization:

In this thread explore we'll the problems of authorization at scale using a real world, well known example
2/ This is a key part of product development, especially when building infrastructure. We want to understand what our customers will eventually build with our service.

Our analysis case is @github.
3/ @github is an interesting example as it’s a *collaboration* platform built on top of git.

We believe collaboration and authorization are two sides of the same coin
Read 19 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!