Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

•

1 like•562 views

Athenz (www.athenz.io) is an open source platform for X.509 certificate-based service authentication and fine-grained access control in dynamic infrastructures that provides options to run multi-environments with a single access control model.

Technology

Athenz with Istio:
Single Access Control Model in
Cloud Infrastructures

Agenda
• What is Athenz?
• Service Authentication
• Authorization
• Multi-cloud in Yahoo Japan
• How do we integrate with Istio?
• Why Istio?
• Benefit of using Athenz with Istio

About
• Tatsuya Yano
• Platform Developer, Yahoo Japan Corporation
• Contributor to Athenz
• Open Source Summit Japan (https://sched.co/FDjp)

Athenz: Open Source System
Created by Yahoo Inc.
• Service Authentication
• Provide secure identity in the form short lived x.509
certificate to every workload / service in modern
environments
• Authorization
• Provides fine-grained Role Based Access Control
(RBAC)

Authentication
• User Authentication
• AD / LDAP / Kerberos / etc
• Service Authentication
• Instances within a service with a unique identity to
enable secure communication
• IP / Networks ACLs / iptable
• Headless/Automation users
• Shared secrets
• Mutual TLS with x.509 certificates

Certificate Based Authentication
• Every instance / service in your cloud has its own identity
• Stronger security by Mutual TLS Authentication
• Zero-trust security
• Short Lived Certificates

Copper Argos
• Generalized model for authorized service providers to launch other
service identities in an authorized way through a callback-based
verification model.
Providers
OpenStack Kubernetes Screwdriver
Amazon EC2 AWS ECS AWS Lambda

Authorization -
Centralized Access Control

Authorization -
Decentralized Access Control

Advantages of Athenz
• To provide service identity X.509 certificates for services
running in common providers like Kubernetes,
OpenStack or AWS that can be used for mutual TLS
authentication.
• To have precise and frequently configurable access
controls with single source of truth.

Why use Istio?
• Automatic load balancing.
• Fine-grained control of traffic behavior.
• A pluggable policy layer and configuration API.
• Automatic metrics, logs, and traces for all traffic.
• Secure service-to-service communication.
Referred from: https://istio.io/docs/concepts/what-is-istio/

Benefits of using Athenz with Istio
• Istio is in CNCF landscape.
• Service mesh strongly supports microservices architecture.
+
• Athenz enables single access control model in multi cloud.

Example integration:
Athenz Istio Mixer adapter
Referred from: https://istio.io/blog/2017/adapter-model/

Example integration:
Athenz Istio Mixer adapter

Other use-case:
Simplified mTLS authN/Z using Istio/Athenz

Simplified mTLS authN/Z using Istio/Athenz
Athenz Istio
Auth
Controller
Kubernetes API
Fetch
role/policy
information
from Athenz
Setup a watch on
namespaces
Create/update/delete
Istio CRs -
ServiceRole and
ServiceRolebinding
based on fetched
Athenz data
Athenz Istio Auth Controller translates
Athenz defined roles/policies into Istio
CRs - ServiceRole and
ServiceRolebinding
Watch
ServiceRole and
ServiceRoleBinding
https://github.com/yahoo/k8s-athenz-istio-auth

Future plans
•Currently
• On Premises and AWS Provisioning
•Planned
• Provide Athenz servers with Docker images
• Helm charts
• Productionize Athenz x509 certificate provisioning
• Productionize the authorization flow using Istio Envoy

Resources
• Website : http://www.athenz.io
• Github: https://github.com/yahoo/athenz
• Slack Channel: https://athenz.slack.com/
• Discussion Group:
• Google Group: Athenz-Users
• Questions or Comments:
• Tatsuya Yano: tatyano@yahoo-corp.jp

Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

What's hot

24 Hours Of Exchange Server 2007 ( Part 15 Of 24)

Harold Wong

Azure Service Bus

BizTalk360

Azure Service Bus Overview

BizTalk360

Deployment options for Kentico CMS on Windows Azure

Thomas Robbins

Erwin Staal from 4DotNet will share experience on “Network security with Azure PaaS services“. He will share some of the things he learned while implementing network security at his current client. We will start with a short introduction to the basics of networking in Azure. He will present to you some best practices and tell you about some of the limitations you need to know before getting started. We will talk about how you for example can lock-down your API or SQL-server. To do that we will use relatively new Azure offerings like Service endpoints, Private endpoints, and VPN connections. Erwin is a .NET Software Engineer and DevOps Consultant at 4DotNet. He’s helping clients with ASP.NET Core, Docker and Kubernetes and as a DevOps Consultant he helps companies with the implementation of DevOps and Continuous Delivery.

Network security with Azure PaaS services by Erwin Staal from 4DotNet at Azur...

DevClub_lv

Meetup CNCF Torino - Amazon EKS March 29th 2019

Massimo Ferre'

Security is a hot topic, especially with new laws concerning how to deal with personally identifiable information (PII) and the journey to the cloud many organisations are making. When implemented correctly, security measures can protect your company from people trying to spy on you or manipulate your systems. Security can be implemented at different layers. In this presentation I'll zoom in on webservices and which choices there are to make on the application layer and transport layer. This spans area's like authentication, keys/keystores, OWSM policy choices, WebLogic SSL configuration and cipher suite choices. Security measures are even more relevant in cloud integration scenario's since services might not just be accessible from your internal network. After this presentation, architects and developers will have a good idea on how to quickly get started with taking security measures.

Webservice security considerations and measures

Maarten Smeets

Windows Azure

Nour Khouja

Docker + App Container = ocp

Apcera

In this session, Glenn and Toon will provide some basic insights into the recent B2B messaging protocol AS4. The core concepts will be explained of how AS4 establishes a reliable and secure message exchange between trading partners. As AS4 is not out-of-the-box supported by Microsoft, this session aims to demonstrate that Microsoft products can be extended in order to be interoperable with AS4. Expect a nice mix of theoretical concepts and practical demos.

An Intro to AS4, the Successor of AS2

BizTalk360

Cloud Bursting with A10 Lightning ADS

Akshay Mathur

Microsoft DirectAccess is a VPN like remote access technology that is a core component of the Windows Server 2012 R2 Remote Access role. DirectAccess is a unique solution that is designed to replace traditional VPN access. It provides secure, seamless, transparent and always-on remote access to corporate networks for clients running Windows 7 Enterprise, Windows 7 Ultimate, Windows 8.1 Enterprise, and now, Windows 10. Windows 10 support is welcome as over half of the 110 million managed Microsoft clients in Enterprise deployments have adopted the latest release. Eager as they are to get the new features Windows 10 offers, such as the new improved Start menu, the modern Edge web browser, Cortana – the intelligent personal assistant, Windows Hello authentication, and many other improvements. DirectAccess provides these advantages over most traditional VPN solutions: - Active Directory Domain joined client computers connect automatically rather than connections being user initiated - Connections seamlessly work through all firewalls - Supports selected server access when connected - Can use IPSEC authentication to corporate servers - Supports end to end encryption of the connection - Provides transparent failover to another corporate network access point or site if required - Supports offline domain join for clients that have never been on the corporate network -Allows central IT staff to manage the remote computers over the DirectAccess connection The integration with standard corporate Domains and the ability to manage clients remotely is very compelling especially for maintaining a client population that is remote and mobile with users who seldom connect directly to a corporate network. Windows 10 and DirectAccess work really well in concert to provide a true remote access solution for Windows based clients. One that users will not have to struggle with, and one that IT and security staff can be confident about using.

Microsoft DirectAccess Remote Access (VPN) with Windows 10 and Server 2012

Kemp

Azure IAAS architecture with High Availability for beginners and developers -...

Malleswar Reddy

Jan de Vries from 4DotNet will share experience on “Using Azure Managed Identities for your App Services“. He will show you what needs to be set up in your application and AAD to get you started. When everything is set up correctly you can manage the access to all of your API’s via Azure Active Directory and even restrict access to specific endpoints if you want. You’ll leave this session knowing how to set up your services by using the built-in capabilities of Azure and make your complete environment more secure and easy to manage. Jan is a Cloud Solution Architect at 4DotNet (Netherlands). His main focus is on developing highly performant and scalable solutions using the awesome services provided by the Microsoft Azure platform. Because of his expertise, he has been able to help out multiple customers to bring their on-premise solution to the cloud and guide them towards a better software development ecosystem.

Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...

DevClub_lv

Azure Microservices in Practice - Radu Vunvulea ITCamp Community Timisoara 07...

Radu Vunvulea

Manage and operate multiple Azure Stack Hub stamp instances with ease and efficiency! From a single portal, operators and administrators can perform many of their scenarios without needing to jump between various stamp portals. This ability to perform the scenarios such as the following from a single pane of glass experience saves lot of time and effort in managing Azure Stack Hub stamp instances: - Aggregated health and monitoring - Patch and update management - Marketplace management - VM Images & VHD management - Infrastructure and Capacity management - Diagnostics - Resource Utilization and Billing - Tenant management - Aggregated Email reports for stakeholders and administrators

Manage and Operate Azure Stack Hub Stamps at Scale

Ravi C Kolandaiswamy

Techniques for scaling application with security and visibility in cloud

Akshay Mathur

Windows Server 2008

Luis Quiroz

Azure virtual network

Lalit Rawat

MicroService Architecture

Md. Hasan Basri (Angel)

What's hot (20)

24 Hours Of Exchange Server 2007 ( Part 15 Of 24)

Azure Service Bus

Azure Service Bus Overview

Deployment options for Kentico CMS on Windows Azure

Network security with Azure PaaS services by Erwin Staal from 4DotNet at Azur...

Meetup CNCF Torino - Amazon EKS March 29th 2019

Webservice security considerations and measures

Windows Azure

Docker + App Container = ocp

An Intro to AS4, the Successor of AS2

Cloud Bursting with A10 Lightning ADS

Microsoft DirectAccess Remote Access (VPN) with Windows 10 and Server 2012

Azure IAAS architecture with High Availability for beginners and developers -...

Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...

Azure Microservices in Practice - Radu Vunvulea ITCamp Community Timisoara 07...

Manage and Operate Azure Stack Hub Stamps at Scale

Techniques for scaling application with security and visibility in cloud

Windows Server 2008

Azure virtual network

MicroService Architecture

Similar to Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

Intelligent serverless-streaming-pipeline-using-kinesis-fargate-cfn

Yogesh Sharma

Docker Dublin: Just What is a Service Mesh, and if I get one will it make eve...

Elton Stoneman

AWS Community Day Bay Area 2020- Intelligent Scalable and Serverless Real-tim...

Yogesh Sharma

The world of integration is changing very quickly and we have the opportunity to use a lot of different technologies. There are many ways to solve the same problem and new technologies being introduced all of the time. Azure is now full of very interesting features and the real challenge is understanding how to use and combine all of these together in an effective way to create a good solution. In this session Nino will talk about his experiences and thoughts from the last year around areas such as BizTalk, Hybrid Integration, Microservices, Event Hubs, Stream Analytics and more.

An Azure of Things, a developer’s perspective

BizTalk360

20160304 blockchain in fsi client ready raymond

Meng-Ru (Raymond) Tsai

I heard many people saying that they need not worry about security of their application (or it is automatically PCI compliant) just because the application is hosted in AWS EC2. This was presented in AWS meetup to make it clear to audience that security is shared responsibility. While AWS takes care of security at L1 & L2 and provide tools for L3 & L4, we need to take care of security at L7 (Application layer)

Shared Security Responsibility Model of AWS

Akshay Mathur

Deep Dive Into Elasticsearch: Establish A Powerful Log Analysis System With E...

Tyler Nguyen

Apache Knox Gateway is a proxy for interacting with Apache Hadoop clusters in a secure way providing authentication, service level authorization, and many other extensions to secure any HTTP interactions in your cluster. One main feature of Apache Knox Gateway is the ability to extend the reach of your REST APIs to the internet while still securing your cluster and working with Kerberos. Recent contributions to the Apache Knox community have added support for Single Sign On (SSO) based on Pac4j 1.8.9 which is a very powerful security engine which provides SSO support through SAML2, OAuth, OpenID, and CAS. In addition, through recent community contributions Apache Ambari, and Apache Ranger can now also provide SSO authentication through Knox. This paper will discuss the architecture of Knox SSO, it will explain how enterprise user could benefit by this feature and will present enterprise use cases for Knox SSO, and integration with open source Shibboleth, ADFS Windows server Idp support, and Okta cloud Idp.

Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users

DataWorks Summit

Whether you are a traditional enterprise exploring migrating workloads to the cloud or are already “all-in” on AWS, performing common tasks of inventory collection, OS patch management, and image creation at scale is increasingly complicated in hybrid infrastructure environments. Amazon EC2 Systems Manager allows you to perform automated configuration and ongoing management of your hybrid environment systems at scale. This session provides an overview of key EC2 Systems Manager capabilities that help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations. We will also discuss common use cases for EC2 Systems Manager and give you a demonstration of a hybrid-cloud management scenario.

ENT401 Deep Dive with Amazon EC2 Systems Manager

Amazon Web Services

Amazon EKS 그리고 Service Mesh Kubernetes는 컨테이너 서비스를 도입하는 기업들에게 가장 있기있는 Orchestration 플랫폼입니다. 이 세션에서는 아마존에서 6월 정식 출시한 managed Kubenetes서비스인 EKS를 소개해드리며, 오픈소스 버전과의 차이점 및 장점 등에 대해 설명하고, 진보한 마이크로 서비스인 Service Mesh를 구현하는 Linkerd 소개 및 데모를 진행하고자 합니다.

Amazon EKS 그리고 Service Mesh (김세호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018

Amazon Web Services Korea

Apache Stratos (Incubating) is the Platform as a Service (PaaS) project from ...

WSO2

Understanding the WSO2 Platform and Technology

WSO2

Four Scenarios for Using an Integration Service Environment (ISE)

Daniel Toomey

AWS IoT vs Azure IoT

ahmed badr

사물 인터넷을 위한 AWS FreeRTOS 소개 - 트랙1, Community Day 2018 re:Invent 특집

AWSKRUG - AWS한국사용자모임

Global Azure Bootcamp: Azure service fabric

Luis Valencia

Service fabric and azure service fabric mesh

Mikkel Mørk Hegnhøj

사물 인터넷을 위한 AWS FreeRTOS 소개

Harry Oh

Cozystack: Free PaaS platform and framework for building clouds

Andrei Kvapil

AWS Finland User Group Meetup 2017-05-23

Rolf Koski

Similar to Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan (20)

Intelligent serverless-streaming-pipeline-using-kinesis-fargate-cfn

Docker Dublin: Just What is a Service Mesh, and if I get one will it make eve...

AWS Community Day Bay Area 2020- Intelligent Scalable and Serverless Real-tim...

An Azure of Things, a developer’s perspective

20160304 blockchain in fsi client ready raymond

Shared Security Responsibility Model of AWS

Deep Dive Into Elasticsearch: Establish A Powerful Log Analysis System With E...

Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users

ENT401 Deep Dive with Amazon EC2 Systems Manager

Amazon EKS 그리고 Service Mesh (김세호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018

Apache Stratos (Incubating) is the Platform as a Service (PaaS) project from ...

Understanding the WSO2 Platform and Technology

Four Scenarios for Using an Integration Service Environment (ISE)

AWS IoT vs Azure IoT

사물 인터넷을 위한 AWS FreeRTOS 소개 - 트랙1, Community Day 2018 re:Invent 특집

Global Azure Bootcamp: Azure service fabric

Service fabric and azure service fabric mesh

사물 인터넷을 위한 AWS FreeRTOS 소개

Cozystack: Free PaaS platform and framework for building clouds

AWS Finland User Group Meetup 2017-05-23

More from Yahoo Developer Network

Developing Mobile Apps for Performance - Swapnil Patel, Verizon Media

Yahoo Developer Network

Athenz & SPIFFE, Tatsuya Yano, Yahoo Japan

Yahoo Developer Network

CICD at Oath using Screwdriver

Yahoo Developer Network

Offline and stream processing of big data sets can be done with tools such as Hadoop, Spark, and Storm, but what if you need to process big data at the time a user is making a request? Vespa (http://www.vespa.ai) allows you to search, organize and evaluate machine-learned models from e.g TensorFlow over large, evolving data sets with latencies in the tens of milliseconds. Vespa is behind the recommendation, ad targeting, and search at Yahoo where it handles billions of daily queries over billions of documents.

Big Data Serving with Vespa - Jon Bratseth, Distinguished Architect, Oath

Yahoo Developer Network

How @TwitterHadoop Chose Google Cloud, Joep Rottinghuis, Lohit VijayaRenu

Yahoo Developer Network

The Future of Hadoop in an AI World, Milind Bhandarkar, CEO, Ampool

Yahoo Developer Network

Apache YARN Federation and Tez at Microsoft, Anupam Upadhyay, Adrian Nicoara,...

Yahoo Developer Network

Containerized Services on Apache Hadoop YARN: Past, Present, and Future, Shan...

Yahoo Developer Network

HDFS Scalability and Security, Daryn Sharp, Senior Engineer, Oath

Yahoo Developer Network

Hadoop {Submarine} Project: Running deep learning workloads on YARN, Wangda T...

Yahoo Developer Network

Moving the Oath Grid to Docker, Eric Badger, Oath

Yahoo Developer Network

Architecting Petabyte Scale AI Applications

Yahoo Developer Network

Offline and stream processing of big data sets can be done with tools such as Hadoop, Spark, and Storm, but what if you need to process big data at the time a user is making a request? This presentation introduces Vespa (http://vespa.ai) – the open source big data serving engine. Vespa allows you to search, organize, and evaluate machine-learned models from e.g TensorFlow over large, evolving data sets with latencies in the tens of milliseconds. Vespa is behind the recommendation, ad targeting, and search at Yahoo where it handles billions of daily queries over billions of documents and was recently open sourced at http://vespa.ai.

Introduction to Vespa – The Open Source Big Data Serving Engine, Jon Bratseth...

Yahoo Developer Network

In recent times, YARN Capacity Scheduler has improved a lot in terms of some critical features and refactoring. Here is a quick look into some of the recent changes in scheduler: Global Scheduling Support General placement support Better preemption model to handle resource anomalies across and within queue. Absolute resources’ configuration support Priority support between Queues and Applications In this talk, we will deep dive into each of these new features to give a better picture of their usage and performance comparison. We will also provide some more brief overview about the ongoing efforts and how they can help to solve some of the core issues we face today. Speakers: Sunil Govind (Hortonworks), Jian He (Hortonworks)

Jun 2017 HUG: YARN Scheduling – A Step Beyond

Yahoo Developer Network

In recent years, Yahoo has brought the big data ecosystem and machine learning together to discover mathematical models for search ranking, online advertising, content recommendation, and mobile applications. We use distributed computing clusters with CPUs and GPUs to train these models from 100’s of petabytes of data. A collection of distributed algorithms have been developed to achieve 10-1000x the scale and speed of alternative solutions. Our algorithms construct regression/classification models and semantic vectors within hours, even for billions of training examples and parameters. We have made our distributed deep learning solutions, CaffeOnSpark and TensorFlowOnSpark, available as open source. In this talk, we highlight Yahoo use cases where big data and machine learning technologies are best exemplified. We explain algorithm/system challenges to scale ML algorithms for massive datasets. We provide a technical overview of CaffeOnSpark and TensorFlowOnSpark to jumpstart your journey of large-scale machine learning. Speakers: Andy Feng is a VP of Architecture at Yahoo, leading the architecture and design of big data and machine learning initiatives. He has architected large-scale systems for personalization, ad serving, NoSQL, and cloud infrastructure. Prior to Yahoo, he was a Chief Architect at Netscape/AOL, and Principal Scientist at Xerox. He received a Ph.D. degree in computer science from Osaka University, Japan.

Jun 2017 HUG: Large-Scale Machine Learning: Use Cases and Technologies

Yahoo Developer Network

Spark and SQL-on-Hadoop have made it easier than ever for enterprises to create or migrate apps to the big data stack. Thousands of apps are being generated every day in the form of ETL and modeling pipelines, business intelligence and data cubes, deep machine learning, graph analytics, and real-time data streaming. However, the task of reliably operationalizing these big data apps involves many painpoints. Developers may not have the experience in distributed systems to tune apps for efficiency and performance. Diagnosing failures or unpredictable performance of apps can be a laborious process that involves multiple people. Apps may get stuck or steal resources and cause mission-critical apps to miss SLAs. This talk with introduce the audience to these problems and their common causes. We will also demonstrate how to find and fix these problems quickly, as well as prevent such problems from happening in the first place. Speakers: Dr. Shivnath Babu is a Co-founder and CTO of Unravel and Associate Professor of Computer Science at Duke University. With more than a decade of experience researching the ease of use and manageability of data-intensive systems, he leads the Starfish project at Duke, which pioneered the automation of Hadoop application tuning, problem diagnosis, and resource management. Shivnath has more than 80 peer-reviewed publications to his credit and has received the U.S. National Science Foundation CAREER Award, the HP Labs Innovation Award, and three IBM Faculty Awards.

February 2017 HUG: Slow, Stuck, or Runaway Apps? Learn How to Quickly Fix Pro...

Yahoo Developer Network

Apache Apex (http://apex.apache.org/) is a stream processing platform that helps organizations to build processing pipelines with fault tolerance and strong processing guarantees. It was built to support low processing latency, high throughput, scalability, interoperability, high availability and security. The platform comes with Malhar library - an extensive collection of processing operators and a wide range of input and output connectors for out-of-the-box integration with an existing infrastructure. In the talk I am going to describe how connectors together with the distributed checkpointing (a mechanism used by the Apex to support fault tolerance and high availability) provide exactly-once end-to-end processing guarantees. Speakers: Vlad Rozov is Apache Apex PMC member and back-end engineer at DataTorrent where he focuses on the buffer server, Apex platform network layer, benchmarks and optimizing the core components for low latency and high throughput. Prior to DataTorrent Vlad worked on distributed BI platform at Huawei and on multi-dimensional database (OLAP) at Hyperion Solutions and Oracle.

February 2017 HUG: Exactly-once end-to-end processing with Apache Apex

Yahoo Developer Network

In the analysis of big data there are problematic queries that don’t scale because they require huge compute resources and time to generate exact results. Examples include count distinct, quantiles, most frequent items, joins, matrix computations, and graph analysis. If approximate results are acceptable, there is a class of sub-linear, stochastic streaming algorithms, called "sketches", that can produce results orders-of magnitude faster and with mathematically proven error bounds. For interactive queries there may not be other viable alternatives, and in the case of extracting results for these problem queries in real-time, sketches are the only known solution. For any analysis system that requires these problematic queries from big data, sketches are a required toolkit that should be tightly integrated into the system's analysis capabilities. This technology has helped Yahoo successfully reduce data processing times from days to hours, or minutes to seconds on a number of its internal platforms. This talk covers the current state of our Open Source DataSketches.github.io library, which includes adaptations and example code for Pig, Hive, Spark and Druid and gives architectural examples of use and a case study. Speakers: Jon Malkin is a scientist at Yahoo working to extend the DataSketches library. His previous roles have involved large scale data processing for sponsored search, display advertising, user counting, ad targeting, and cross-device user identity modeling. Alexander Saydakov is a senior software engineer at Yahoo working on the open source Data Sketches project. In his previous roles he has been involved in building large-scale back-end data processing systems and frameworks for data analytics and experimentation based on Torque, Hadoop, Pig, Hive and Druid. Alexander’s education background is in the field of applied mathematics.

February 2017 HUG: Data Sketches: A required toolkit for Big Data Analytics

Yahoo Developer Network

Yahoo recently open-sourced Pulsar, a highly scalable, low latency pub-sub messaging system running on commodity hardware. It provides simple pub-sub messaging semantics over topics, guaranteed at-least-once delivery of messages, automatic cursor management for subscribers, and cross-datacenter replication. Pulsar is used across various Yahoo applications for large scale data pipelines. Learn more about Pulsar architecture and use-cases in this talk. Speakers: Matteo Merli from Pulsar team at Yahoo

October 2016 HUG: Pulsar, a highly scalable, low latency pub-sub messaging s...

Yahoo Developer Network

Splice Machine is an open-source database that combines the benefits of modern lambda architectures with the full expressiveness of ANSI-SQL. Like lambda architectures, it employs separate compute engines for different workloads - some call this an HTAP database (Hybrid Transactional and Analytical Platform). This talk describes the architecture and implementation of Splice Machine V2.0. The system is powered by a sharded key-value store for fast short reads and writes, and short range scans (Apache HBase) and an in-memory, cluster data flow engine for analytics (Apache Spark). It differs from most other clustered SQL systems such as Impala, SparkSQL, and Hive because it combines analytical processing with a distributed Multi-Value Concurrency Method that provides fine-grained concurrency which is required to power real-time applications. This talk will highlight the Splice Machine storage representation, transaction engine, cost-based optimizer, and present the detailed execution of operational queries on HBase, and the detailed execution of analytical queries on Spark. We will compare and contrast how Splice Machine executes queries with other HTAP systems such as Apache Phoenix and Apache Trafodian. We will end with some roadmap items under development involving new row-based and column-based storage encodings. Speakers: Monte Zweben, is a technology industry veteran. Monte’s early career was spent with the NASA Ames Research Center as the Deputy Chief of the Artificial Intelligence Branch, where he won the prestigious Space Act Award for his work on the Space Shuttle program. He then founded and was the Chairman and CEO of Red Pepper Software, a leading supply chain optimization company, which merged in 1996 with PeopleSoft, where he was VP and General Manager, Manufacturing Business Unit. In 1998, he was the founder and CEO of Blue Martini Software – the leader in e-commerce and multi-channel systems for retailers. Blue Martini went public on NASDAQ in one of the most successful IPOs of 2000, and is now part of JDA. Following Blue Martini, he was the chairman of SeeSaw Networks, a digital, place-based media company. Monte is also the co-author of Intelligent Scheduling and has published articles in the Harvard Business Review and various computer science journals and conference proceedings. He currently serves on the Board of Directors of Rocket Fuel Inc. as well as the Dean’s Advisory Board for Carnegie-Mellon’s School of Computer Science.

October 2016 HUG: Architecture of an Open Source RDBMS powered by HBase and ...

Yahoo Developer Network

More from Yahoo Developer Network (20)

Developing Mobile Apps for Performance - Swapnil Patel, Verizon Media

Athenz & SPIFFE, Tatsuya Yano, Yahoo Japan

CICD at Oath using Screwdriver

Big Data Serving with Vespa - Jon Bratseth, Distinguished Architect, Oath

How @TwitterHadoop Chose Google Cloud, Joep Rottinghuis, Lohit VijayaRenu

The Future of Hadoop in an AI World, Milind Bhandarkar, CEO, Ampool

Apache YARN Federation and Tez at Microsoft, Anupam Upadhyay, Adrian Nicoara,...

Containerized Services on Apache Hadoop YARN: Past, Present, and Future, Shan...

HDFS Scalability and Security, Daryn Sharp, Senior Engineer, Oath

Hadoop {Submarine} Project: Running deep learning workloads on YARN, Wangda T...

Moving the Oath Grid to Docker, Eric Badger, Oath

Architecting Petabyte Scale AI Applications

Introduction to Vespa – The Open Source Big Data Serving Engine, Jon Bratseth...

Jun 2017 HUG: YARN Scheduling – A Step Beyond

Jun 2017 HUG: Large-Scale Machine Learning: Use Cases and Technologies

February 2017 HUG: Slow, Stuck, or Runaway Apps? Learn How to Quickly Fix Pro...

February 2017 HUG: Exactly-once end-to-end processing with Apache Apex

February 2017 HUG: Data Sketches: A required toolkit for Big Data Analytics

October 2016 HUG: Pulsar, a highly scalable, low latency pub-sub messaging s...

October 2016 HUG: Architecture of an Open Source RDBMS powered by HBase and ...

Recently uploaded

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Real Time Object Detection Using Open CV

Khem

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

ICT role in 21st century education and its challenges

rafiqahmad00786416

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Navi Mumbai Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Navi Mumbai Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Navi Mumbai Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors

Corporate and higher education May webinar.pptx

Data Cloud, More than a CDP by Matt Robison

Powerful Google developer tools for immediate impact! (2023-24 C)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

A Year of the Servo Reboot: Where Are We Now?

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Automating Google Workspace (GWS) & more with Apps Script

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

MS Copilot expands with MS Graph connectors

Boost Fertility New Invention Ups Success Rates.pdf

Why Teams call analytics are critical to your entire business

Real Time Object Detection Using Open CV

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

A Beginners Guide to Building a RAG App Using Open Source Milvus

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

ICT role in 21st century education and its challenges

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

MINDCTI Revenue Release Quarter One 2024

Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

1. Athenz with Istio: Single Access Control Model in Cloud Infrastructures

2. Agenda • What is Athenz? • Service Authentication • Authorization • Multi-cloud in Yahoo Japan • How do we integrate with Istio? • Why Istio? • Benefit of using Athenz with Istio

3. About • Tatsuya Yano • Platform Developer, Yahoo Japan Corporation • Contributor to Athenz • Open Source Summit Japan (https://sched.co/FDjp)

4. Athenz: Open Source System Created by Yahoo Inc. • Service Authentication • Provide secure identity in the form short lived x.509 certificate to every workload / service in modern environments • Authorization • Provides fine-grained Role Based Access Control (RBAC)

5. Service Authentication

6. Authentication • User Authentication • AD / LDAP / Kerberos / etc • Service Authentication • Instances within a service with a unique identity to enable secure communication • IP / Networks ACLs / iptable • Headless/Automation users • Shared secrets • Mutual TLS with x.509 certificates

7. Certificate Based Authentication • Every instance / service in your cloud has its own identity • Stronger security by Mutual TLS Authentication • Zero-trust security • Short Lived Certificates

8. Copper Argos • Generalized model for authorized service providers to launch other service identities in an authorized way through a callback-based verification model. Providers OpenStack Kubernetes Screwdriver Amazon EC2 AWS ECS AWS Lambda

9. Bootstrapping Athenz Identity

10. Authorization

11. Athenz Data Model

12. Domain data example (YAML)

13. Authorization - Centralized Access Control

14. Authorization - Decentralized Access Control

15. Advantages of Athenz • To provide service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS that can be used for mutual TLS authentication. • To have precise and frequently configurable access controls with single source of truth.

16. Athenz in Yahoo Japan

17. How do we integrate with Istio?

18. Why use Istio? • Automatic load balancing. • Fine-grained control of traffic behavior. • A pluggable policy layer and configuration API. • Automatic metrics, logs, and traces for all traffic. • Secure service-to-service communication. Referred from: https://istio.io/docs/concepts/what-is-istio/

19. Benefits of using Athenz with Istio • Istio is in CNCF landscape. • Service mesh strongly supports microservices architecture. + • Athenz enables single access control model in multi cloud.

20. Basics of Istio Mixer

21. Example integration: Athenz Istio Mixer adapter Referred from: https://istio.io/blog/2017/adapter-model/

22. Example integration: Athenz Istio Mixer adapter

23. Other use-case: Simplified mTLS authN/Z using Istio/Athenz

24. Simplified mTLS authN/Z using Istio/Athenz Athenz Istio Auth Controller Kubernetes API Fetch role/policy information from Athenz Setup a watch on namespaces Create/update/delete Istio CRs - ServiceRole and ServiceRolebinding based on fetched Athenz data Athenz Istio Auth Controller translates Athenz defined roles/policies into Istio CRs - ServiceRole and ServiceRolebinding Watch ServiceRole and ServiceRoleBinding https://github.com/yahoo/k8s-athenz-istio-auth

25. Prototype Demo

26. Future plans •Currently • On Premises and AWS Provisioning •Planned • Provide Athenz servers with Docker images • Helm charts • Productionize Athenz x509 certificate provisioning • Productionize the authorization flow using Istio Envoy

27. Resources • Website : http://www.athenz.io • Github: https://github.com/yahoo/athenz • Slack Channel: https://athenz.slack.com/ • Discussion Group: • Google Group: Athenz-Users • Questions or Comments: • Tatsuya Yano: tatyano@yahoo-corp.jp

28. Join Ushttp://www.athenz.io

29. Thank you

30. Q & A

Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

Similar to Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan (20)

More from Yahoo Developer Network

More from Yahoo Developer Network (20)

Recently uploaded

Recently uploaded (20)

Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan