-
Notifications
You must be signed in to change notification settings - Fork 0
/
explore.html
306 lines (304 loc) · 14.9 KB
/
explore.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Athenz IO Docs</title>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.2.1/css/bootstrap.min.css"
integrity="sha384-GJzZqFGwb1QTTN6wy59ffF1BuGJpLSa9DkKMp0DgiMDm4iYMj70gZWKYbI706tWS" crossorigin="anonymous">
<link rel="stylesheet" href="css/style.css">
</head>
<body>
<div class="container-fluid fixed-top ">
<nav class="navbar navbar-dark navbar-expand-lg justify-content-between">
<a class="navbar-brand logo visible" href="index.html">
<img src="assets/logo.png" alt="Athenz Logo" style="width: 30px; height: 30px;">
Athenz
</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbars"
aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbars">
<ul class="navbar-nav ml-auto">
<li class="nav-item">
<a class="nav-link active" href="explore.html">Explore</a>
</li>
<li class="nav-item">
<a class="nav-link" href="https://yahoo.github.io/athenz/site/">Documentation</a>
</li>
<li class="nav-item">
<a class="nav-link" href="https://athenz-rbac.tumblr.com/">Blog</a>
</li>
<li class="nav-item">
<a class="nav-link"
href="https://join.slack.com/t/athenz/shared_invite/enQtNDk2MzczMjAxNDExLWVjNDMyZGQ4NmM0ZDYwNGUwY2QxNGEyMGJkMDZhOTljOTY3OTNjNmQyMmM0Y2Y4MDRhMzU0YzE4MzlkNmRmOWQ">Slack</a>
</li>
<li class="nav-item">
<a class="nav-link" href="https://github.com/yahoo/athenz">Github</a>
</li>
<li class="nav-item">
<a class="nav-link" href="contact.html">Contact</a>
</li>
</ul>
</div>
</nav>
</div>
<div class="container-fluid header">
<div class="container pt-5 pb-1">
<div class="row">
<div class="col-md-auto col-lg-8 col-xl-6">
<div class="heading mt-5 mb-4">
<h2>Explore Athenz</h2>
</div>
</div>
<div class="col-md-auto col-lg-4 col-xl-6"></div>
</div>
</div>
</div>
<div class="container">
<div class="about pl-sm-0">
<div class="row">
<div class="col-md">
<h4 class="heading">About</h4>
<p class="details">Athenz is an open source platform for X.509 certificate based service authentication
and fine grained access control in dynamic infrastructures. It provides a generalized model for authorized
service providers to launch other services identified by their X.509 certificates in an authorized way through
a callback-based verification model. Athenz also supports role-based authorization (RBAC) for provisioning and
configuration (centralized authorization) use cases as well as serving/runtime (decentralized authorization)
use cases to handle on-box enforcement.
</p>
</div>
</div>
</div>
</div>
<div class="container-fluid grey-background">
<div class="container service-auth-container">
<div class="row grey-background">
<div class="col-lg-5 col-12 col-sm-12">
<div class="service-auth">
<h4 class="heading">Service Authentication</h4>
<p class="details">
Athenz provides secure identity in the form of short-lived
<a href="https://en.wikipedia.org/wiki/X.509">X.509 certificates</a>
for every workload or service deployed in private (e.g. OpenStack, Kubernetes, Screwdriver) or public
cloud (e.g. AWS EC2, ECS, Fargate, Lambda). Using these X.509 certificates, clients and services
establish secure connections and through mutual TLS authentication verify each other's identity.
The service identity certificates are only valid for 30 days and the service identity agents
(SIA)
part of those frameworks automatically refresh them daily. The term service within Athenz is
more
generic than a traditional service. A service identity could represent a command, job, daemon,
workflow,
as well as both an application client and application service.
</p>
</div>
</div>
<div class="col-lg-7 col-12 col-sm-12">
<div class="service-auth-img"></div>
</div>
</div>
</div>
</div>
<div class="container">
<div class="rbac">
<div class="row">
<div class="col-md">
<h4 class="heading">Role-Based Authorization (RBAC)</h4>
<p class="details">
Once the client is authenticated with its X.509 certificate, the service can then check if
the given client is authorized to carry out the requested action. Athenz provides fine-grained
role-based access control (RBAC) support for a centralized management system with support for
control-plane access control decisions and a decentralized enforcement mechanism suitable for
data-plane access control decisions. It also provides a delegated management model that supports
multi-tenant and self-service concepts.
<a href="https://yahoo.github.io/athenz/site/auth_flow/">Learn More</a>
</p>
</div>
</div>
</div>
<div class="row">
<div class="col-lg">
<div class="architecture">
<h5 class="heading">Centralized Access Control</h5>
<p class="details">
A traditional centralized mechanism works as expected for
services that are not dealing with the decentralized authorization:
the server with resources can simply ask the ZMS directly about access,
passing the service identity and resource/action information to get a simple boolean answer.
It is suitable for provisioning and configuration use cases where latency for authorization
checks is not important.
<a href="https://yahoo.github.io/athenz/site/auth_flow/#centralized-access-control-control-plane">Learn
More</a>
</p>
</div>
<div class="thumbnail">
<div class="row centralized-explore"></div>
</div>
</div>
<div class="col-lg">
<div class="architecture">
<h5 class="heading">Decentralized Access Control</h5>
<p class="details">
A more interesting scenario introduces the local policy engine (ZPE),
and a few supporting changes. Rather than directly asking for an access
check with a principal identity, the identity is instead used to get a ZToken,
and that is presented to the target service until it expires. This mechanism
allows a service to make a completely local access check against ZPE, given
a ZToken and locally cached policies.
<a href="https://yahoo.github.io/athenz/site/auth_flow/#decentralized-access-control-data-plane">Learn
More</a>
</p>
</div>
<div class="thumbnail">
<div class="row decentralized-explore"></div>
</div>
</div>
</div>
</div>
<div class="container-fluid grey-background">
<div class="container">
<div class="row grey-background aws-temp-container">
<div class="col-lg-5 col-12">
<div class="aws-temp mt-lg-0">
<h4 class="heading">AWS Temporary Credentials Support</h4>
<p class="details">
When working with AWS, Athenz provides support to access AWS services from on-prem
services by using AWS temporary credentials rather than static credentials. Athenz
ZTS server can be used to request AWS temporary credentials for configured AWS IAM roles.
</p>
</div>
</div>
<div class="col-lg-7 col-12">
<div class="aws-temp-img ml-lg-0"></div>
</div>
</div>
</div>
</div>
<div class="container data-model-container">
<h4 class="box-title heading">Data Model</h4>
<div class="row">
<div class="col-12 col-lg-5">
<div class="d-flex">
<div>
<img src="assets/domain.png" alt="">
<hr>
</div>
<div class="desc">
<h4 class="heading">Domain</h4>
<p class="details">Domains are namespaces, strictly partitioned, providing a context for authoritative statements to
be
made about the entities it contains.</p>
</div>
</div>
<div class="d-flex">
<div>
<img src="assets/policies.png" alt="">
<hr>
</div>
<div class="desc">
<h4 class="heading">Policies</h4>
<p class="details">To implement access control, we have policies in our domain that govern the use of our resources.
A
policy is set of assertions (rules) about granting or denying an operation/action on a
resource.</p>
</div>
</div>
<div class="d-flex">
<div>
<img src="assets/roles.png" alt="">
<hr>
</div>
<div class="desc">
<h4 class="heading">Roles</h4>
<p class="details">A role can be thought of as a group and anyone in the group can assume the role that takes a
particular action. Every policy assertion describes what can be done by a role.</p>
</div>
</div>
<div class="d-flex">
<div><img src="assets/principle.png" alt=""></div>
<div class="desc">
<h4 class="heading">Principle</h4>
<p class="details">The actors in Athenz that can assume a role are called principals. These principals are
authenticated and can be users or services. Athenz currently provides service identity and
authentication support.</p>
</div>
</div>
</div>
<div class="col-12 col-lg-7 data-model">
<img src="assets/data-model.png"/>
</div>
</div>
</div>
<div class="container-fluid grey-background">
<div class="container">
<div class="row">
<div class="col-md">
<div class="getting-started">
<h4 class="heading">Getting Started</h4>
<p class="details">Explore the Athenz documentation and easily create a test development
environment with
<a href="https://yahoo.github.io/athenz/site/setup_zms_prod/">ZMS (Athenz Management
Service)</a>,
<a href="https://yahoo.github.io/athenz/site/setup_zts_prod/">ZTS (Athenz Token Service)</a>,
and
<a href="https://yahoo.github.io/athenz/site/setup_ui_prod/">UI</a>
services. For reference implementation, visit the
<a href="https://yahoo.github.io/athenz/site/example_java_centralized_access/">Java
Client/Servlet</a> or
<a href="https://yahoo.github.io/athenz/site/example_go_centralized_access/">Go
Client/Server</a>
example documentation.</p>
<p>
<a href="https://yahoo.github.io/athenz/site/"
class="btn btn-outline-primary btn-documentation">Documentation</a>
</p>
</div>
</div>
</div>
</div>
</div>
<div class="container">
<div class="row footer">
<div class="col-md col-12 col-sm-12">
<div class="row footer-lists pl-sm-0">
<div class="col-md col-xs col-sm">
<h6>COMMUNITY</h6>
<ul class="list-unstyled">
<li><a href="https://athenz-rbac.tumblr.com">Blog</a></li>
<li>
<a href="https://join.slack.com/t/athenz/shared_invite/enQtNDk2MzczMjAxNDExLWVjNDMyZGQ4NmM0ZDYwNGUwY2QxNGEyMGJkMDZhOTljOTY3OTNjNmQyMmM0Y2Y4MDRhMzU0YzE4MzlkNmRmOWQ">Slack</a>
</li>
<li><a href="contact.html">Contact Us</a></li>
</ul>
</div>
<div class="col-md col-xs col-sm">
<h6>CONTRIBUTE</h6>
<ul class="list-unstyled">
<li><a href="https://github.com/yahoo/athenz">GitHub</a></li>
<li><a href="https://github.com/yahoo/athenz/issues">Suggest</a></li>
</ul>
</div>
<div class="col-md col-xs col-sm">
<h6>RESOURCES</h6>
<ul class="list-unstyled">
<li><a href="">Getting Started</a></li>
<li><a href="https://yahoo.github.io/athenz/site/">Documentation</a></li>
</ul>
</div>
</div>
</div>
<div class="col-md"></div>
</div>
</div>
</main>
<script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"
integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo"
crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.6/umd/popper.min.js"
integrity="sha384-wHAiFfRlMFy6i5SRaxvfOCifBUQy1xHdJ/yoi7FRNXMRBu5WHdZYu1hA6ZOblgut"
crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.2.1/js/bootstrap.min.js"
integrity="sha384-B0UglyR+jN6CkvvICOB2joaf5I4l3gm9GU6Hc1og6Ls7i6U/mkkaduKaBhlAXv9k"
crossorigin="anonymous"></script>
</body>
</html>