A Scalable Client Authentication & Authorization Service for Container-Based Environments

Binu Ramakrishnan and Aditya Mahendrakar, Yahoo

Abstract: 

Container technologies are revolutionizing the way we develop, build and deploy applications in large-scale production environments. At Yahoo we use containers in our CI build farms and production environments, which are on-demand and dynamic in nature. Applications running in containers often need to connect to various internal and external services that require authentication and authorization. Authenticating a client application to a server is a challenge in such dynamic environments because we cannot rely on traditional IP- or hostname-based checks. IP-based authentication no longer works because (1) a container's IP is dynamic and often repurposed and (2) containers often share IPs. Alternatives include TLS client certificates and other key-based authentication schemes. TLS client certificates provide authentication but not authorization on their own, and they are not easy to configure and operate at scale: think of a build pipeline spawning hundreds of containers that live for only a few minutes.

In this session, we present a novel form of role-based identity that provides both authentication and authorization to clients in a fully automated, easy-to-configure, scalable fashion. The system comprises (a) APIs for node and application provisioners to manage and publish public keys, (b) a service that groups the public key fingerprints of nodes and applications into a service role that represents a capability, and (c) an attestation service from which nodes obtain, on demand, a signed certificate asserting the requesting node's role membership. The service provider maps the role to service-specific capabilities, and each request is validated against the auth certificate the client presents when calling the server. The system is designed from the ground up based on our experience with an existing IP-based authorization system, keeping practicality, flexibility and security in mind. The implementation makes use of modern security and crypto practices such as ECDSA and JWT with service delegation capabilities, and works seamlessly with Docker and Chef.
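The flow the abstract describes, written out as an added example; this is not the authors' code or Yahoo's system. A node's public-key fingerprint is enrolled in a role, the attestation service checks proof of key possession and role membership before issuing a short-lived ES256 JWT, and the service provider verifies the token against the attestor's public key and maps the asserted role onto its own capabilities. Every concrete choice here is an assumption, since the abstract fixes none of them: the function names (Fingerprint, Attest, Authorize, Scenario), the fingerprint construction (SHA-256 over the PKIX/DER public key), the nonce-based proof of possession, the claim layout, the "ci-builder" role and "artifact:*" capabilities, and the keys and nonce generated at run time as constructed sample input. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint names a node by its public key, base64url(SHA-256(PKIX DER)); roles are sets of these.
func Fingerprint(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // only fails for unsupported key types
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Attest is the attestation service: it demands proof of key possession (an ASN.1 ECDSA signature
// over the nonce it issued) and membership of the fingerprint in role, then issues an ES256 JWT.
func Attest(key *ecdsa.PrivateKey, roles map[string]map[string]bool, pub *ecdsa.PublicKey,
	role string, nonce, nonceSig []byte, now time.Time, ttl time.Duration) (string, error) {
	fp := Fingerprint(pub)
	if h := sha256.Sum256(nonce); !ecdsa.VerifyASN1(pub, h[:], nonceSig) || !roles[role][fp] {
		return "", fmt.Errorf("node %s: bad proof of possession or not enrolled in %q", fp[:8], role)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(map[string]interface{}{"sub": fp, "role": role, "exp": now.Add(ttl).Unix()})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	d := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, d[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is R||S, 32 bytes each (RFC 7518 section 3.4)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Authorize is the service provider side: trust only the attestor's public key, pin the
// algorithm, verify before reading claims, enforce expiry, then map the role to capabilities.
func Authorize(attestorPub *ecdsa.PublicKey, caps map[string][]string, token, capability string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token")
	}
	hb, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg string }
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return fmt.Errorf("bad encoding or alg is not ES256") // the token never chooses how it is verified
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(attestorPub, d[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("invalid attestor signature")
	}
	var c struct{ Role string; Exp int64 } // encoding/json matches "role" and "exp" case-insensitively
	if json.Unmarshal(pb, &c) != nil || now.Unix() >= c.Exp {
		return fmt.Errorf("token unreadable or expired")
	}
	for _, allowed := range caps[c.Role] {
		if allowed == capability {
			return nil
		}
	}
	return fmt.Errorf("role %q is not granted %q", c.Role, capability)
}

// Scenario runs the flow with constructed keys and returns five outcomes, of which only the first should be nil.
func Scenario() (granted, denied, forged, expired, unenrolled error) {
	attKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors only if the CSPRNG fails
	node, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	roles := map[string]map[string]bool{"ci-builder": {Fingerprint(&node.PublicKey): true}} // via the provisioner API
	caps := map[string][]string{"ci-builder": {"artifact:read", "artifact:write"}}
	now := time.Unix(1700000000, 0)
	request := func(k *ecdsa.PrivateKey) (string, error) {
		nonce := make([]byte, 32) // in a real exchange the attestor issues this per request
		rand.Read(nonce)
		h := sha256.Sum256(nonce)
		sig, _ := ecdsa.SignASN1(rand.Reader, k, h[:])
		return Attest(attKey, roles, &k.PublicKey, "ci-builder", nonce, sig, now, 5*time.Minute)
	}
	tok, _ := request(node) // a failure here surfaces below as a malformed token
	granted = Authorize(&attKey.PublicKey, caps, tok, "artifact:write", now)
	denied = Authorize(&attKey.PublicKey, caps, tok, "artifact:delete", now)
	forged = Authorize(&attKey.PublicKey, caps, strings.Replace(tok, ".ey", ".fy", 1), "artifact:read", now) // one flipped payload byte
	expired = Authorize(&attKey.PublicKey, caps, tok, "artifact:read", now.Add(10*time.Minute))
	_, unenrolled = request(attKey) // any key outside the registry, here the attestor's own, is refused
	return
}

func main() { fmt.Println(Scenario()) }
```

`go run` prints the five outcomes; only the enrolled node presenting a fresh, untampered token for a capability its role carries gets `<nil>`. Two design points carry over from the abstract: the service provider trusts exactly one key (the attestor's) and never the node's IP or hostname, and the role-to-capability mapping lives with the service provider, so the attestor asserts membership without knowing what each service lets that role do. The verifier also pins `alg` to ES256 and checks the signature before it unmarshals any claim, so a forged payload is rejected as a bad signature rather than reaching the authorization logic.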

Aditya Mahendrakar is a senior security engineer in the Paranoid Labs team at Yahoo. He has worked on a number of projects including a key management system, static code analysis framework, and input validation libraries. He received his Master's degree at Carnegie Mellon.

Binu Ramakrishnan is a senior security engineer at Yahoo with extensive experience in Internet-scale systems development, anti-abuse and application security. In this role, Binu manages security engagements with Yahoo Mail and works with product engineers and leaders to define and implement security strategy and programs within Yahoo Mail. Prior to this role, Binu worked as a lead engineer on the Security and Platforms Engineering team, where he built a hosted key management service and managed various shared components that are used across Yahoo.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@conference {208653,
author = {Binu Ramakrishnan and Aditya Mahendrakar},
title = {A Scalable Client Authentication \& Authorization Service for {Container-Based} Environments},
year = {2015},
address = {Washington, D.C.},
publisher = {USENIX Association},
month = nov,
}
View the slides

© USENIX
