Beyond RBAC: Avoid broken ACLs in control planes with declarative Relation-based Access Control

Presented at Disobey 2024, Feb. 16, 2024, 9 p.m. (60 minutes).

The number one risk in OWASP's latest API Security Risks list is "Broken Object Level Authorization", and the third is "Broken Object Property Level Authorization". Helping developers mitigate these risks through best practices and frameworks can therefore be highly beneficial for our community. This talk discusses some means that can be applied to build API servers (or, more generally, control planes) in a way that makes them less susceptible to these attacks:

  • uniformity of API server structure (probably well known to most security professionals, but good to cover), and
  • relation-based access control (ReBAC), a superset of both RBAC and ABAC, which allows for finer-grained and declarative access control.

This gives us a way to avoid "oops, I forgot to implement the authorization if-check for this API resource (or field)" and to escape the otherwise inevitable, unmaintainable pile of imperative if-checks in API servers, such as "if the authenticated user belongs to a group with the magic string 'employees', it should have access to all documents with prefix /company_public". A declarative authorization model and a graph-based structure for the authorization state can be audited, visualized and pentested more easily than custom code for each resource in the API. Finally, Lucas will demo this paradigm in action. All code is open source and fully reproducible for anyone. After this talk, the audience will have practical knowledge of how to formalize access control in an extensible, uniform and auditable way in their own projects.
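To make the two ideas in the abstract concrete, here is a small added example (not the speaker's code or the demo referenced above): a Zanzibar-style ReBAC evaluator in which the authorization model is a declarative schema, the authorization state is a graph of relation tuples, and every API verb passes through one uniform gate with deny-by-default. The schema, the object and user names, and the verb-to-relation mapping are all constructed for illustration; the "employees may read everything under company_public" rule from the abstract becomes a single relation tuple instead of an if-check.

```python
"""Minimal relation-based access control (ReBAC) check.

Constructed example modelled loosely on Google Zanzibar's relation tuples
and userset rewrite rules; the schema and data below are illustrative.
"""
from typing import Optional, Set, Tuple

# Declarative model: object_type -> relation -> rewrite rules.
#   ("this",)               direct tuples written on this relation
#   ("computed", rel)       anyone holding `rel` on the same object
#   ("tupleset", via, rel)  anyone holding `rel` on the object(s) linked by `via`
SCHEMA = {
    "group":    {"member": [("this",)]},
    "folder":   {"viewer": [("this",)]},
    "document": {
        "parent": [("this",)],
        "owner":  [("this",)],
        "editor": [("this",), ("computed", "owner")],
        "viewer": [("this",), ("computed", "editor"),
                   ("tupleset", "parent", "viewer")],
    },
}


class RelationStore:
    """Authorization state: a set of (object, relation, subject) edges.

    A subject is either a concrete user ("user:alice") or a userset
    ("group:employees#member"), which makes the state a graph.
    """

    def __init__(self) -> None:
        self.tuples: Set[Tuple[str, str, str]] = set()

    def write(self, obj: str, relation: str, subject: str) -> None:
        self.tuples.add((obj, relation, subject))

    def subjects(self, obj: str, relation: str) -> Set[str]:
        return {s for (o, r, s) in self.tuples if o == obj and r == relation}


def check(store: RelationStore, obj: str, relation: str, user: str,
          _seen: Optional[Set[Tuple[str, str]]] = None) -> bool:
    """Return True iff `user` holds `relation` on `obj` under SCHEMA + tuples."""
    seen = _seen if _seen is not None else set()
    if (obj, relation) in seen:          # guard against cycles in the graph
        return False
    seen.add((obj, relation))
    obj_type = obj.split(":", 1)[0]
    rules = SCHEMA.get(obj_type, {}).get(relation)
    if rules is None:                    # unknown type/relation -> deny
        return False
    for rule in rules:
        if rule[0] == "this":
            for subj in store.subjects(obj, relation):
                if subj == user:
                    return True
                if "#" in subj:          # expand userset, e.g. group:x#member
                    s_obj, s_rel = subj.split("#", 1)
                    if check(store, s_obj, s_rel, user, seen):
                        return True
        elif rule[0] == "computed":
            if check(store, obj, rule[1], user, seen):
                return True
        elif rule[0] == "tupleset":
            for linked in store.subjects(obj, rule[1]):
                if check(store, linked, rule[2], user, seen):
                    return True
    return False


# Uniform API gate: every resource and verb goes through this one function,
# so there is no per-handler if-check to forget. Unmapped verbs are denied.
VERB_TO_RELATION = {"GET": "viewer", "PUT": "editor", "DELETE": "owner"}


def authorize(store: RelationStore, user: str, verb: str, obj: str) -> bool:
    rel = VERB_TO_RELATION.get(verb)
    return rel is not None and check(store, obj, rel, user)


def demo_store() -> RelationStore:
    """Constructed state: the abstract's 'employees read company_public' rule."""
    s = RelationStore()
    s.write("group:employees", "member", "user:alice")
    s.write("folder:company_public", "viewer", "group:employees#member")
    s.write("document:company_public/handbook", "parent", "folder:company_public")
    s.write("document:company_public/handbook", "owner", "user:bob")
    s.write("document:hr/salaries", "owner", "user:carol")
    return s


if __name__ == "__main__":
    st = demo_store()
    print(authorize(st, "user:alice", "GET", "document:company_public/handbook"))  # True
    print(authorize(st, "user:alice", "GET", "document:hr/salaries"))              # False
```

Because the state is plain tuples and the model is plain data, both can be dumped, diffed and drawn as a graph for audit, and a reviewer can ask "who can reach viewer on this document?" without reading handler code.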

Presenters:

  • Lucas Käldström
    Lucas is a Kubernetes and cloud native expert who has been serving the CNCF community in lead positions for 8 years. He was awarded Top CNCF Ambassador 2017 with Sarah Novotny. Lucas was a co-lead for Kubernetes SIG Cluster Lifecycle, co-created kubeadm, ported Kubernetes to ARM and is one of the top 50 most active contributors to Kubernetes. Lucas runs cloud native meetups in Helsinki, Tampere and Turku, co-created Cloud Native Nordics and has spoken at 8 KubeCons. Recently, Lucas wrote his BSc thesis on cloud native principles, and is working on realizing a vision of using Kubernetes API Machinery as a secure, generic control plane framework.
