Access control in message-driven systems - Marc Klefter - NDC Porto 2023
Author: NDC Conferences
Uploaded: 2024-01-16
Views: 2319
Description:
This talk was recorded at NDC Porto in Porto, Portugal. #ndcporto #ndcconferences #architecture #cloud #softwaredeveloper
Protecting resources in a message-driven application poses difficult challenges: its asynchronous nature, where an incoming user request entails backend processing at a later point in time; multiple message types (commands, events and queries) with different semantics; and the triggering of complex, potentially long-running workflows.
Whereas a synchronous (request/response) invocation involves immediate authorization of known parties, e.g. one microservice directly calling another, the complexity of enforcing permissions in a decoupled, dynamic system (where the producer of a message has no knowledge of who consumes it, or when) has typically confined access control to the application boundary, commonly in API gateways. This leaves internal services and assets vulnerable to threats from any unauthorized subject, violating key principles of a zero trust environment.
This session focuses on securing access in a message-driven architecture using a token-based approach with Open Policy Agent (OPA), allowing for verification of each message and the claims of users and services at critical points throughout the asynchronous communication flow. The characteristics of disparate message types (e.g. a command routed to a single target handler vs. an event that reaches one or more subscribers, may be stored long-term, replayed and possibly cross application boundaries) and their implications for how, where and when to perform access control will be detailed with concrete examples. The session also discusses performance and scalability aspects, as well as how to implement and deploy permission policies.
As we move towards building message-driven systems that operate in constantly-changing conditions, implementing novel access control measures that support zero trust and emerging interaction patterns becomes essential; this talk will help you achieve that.