A Scalable Client Authentication & Authorization Service for Container-Based Environments
Binu Ramakrishnan and Aditya Mahendrakar, Yahoo
Container technologies are revolutionizing the way we develop, build and deploy applications in large-scale production environments. At Yahoo we use containers in our CI build farms and production environments, which are on-demand and dynamic in nature. Applications running in containers often need to connect to various internal and external services that require authentication and authorization. Authenticating a client application to a server is a challenge in such dynamic environments because we cannot rely on traditional IP- or hostname-based checks. IP-based authentication no longer works because (1) a container's IP is dynamic and often repurposed, and (2) containers often share IPs. Alternative options include TLS client certificates and other key-based authentication schemes. TLS client certificates provide authentication but not authorization on their own, and they are not easy to configure and operate at scale: think of a build pipeline spawning hundreds of containers that live for only a few minutes!
In this session, we present a novel form of role-based identity that provides both authentication and authorization to clients in a fully automated, easy-to-configure, scalable fashion. The system comprises (a) APIs for node and application provisioners to manage and publish public keys, (b) a service that groups the public-key fingerprints of nodes/applications into a service role that represents a capability, and (c) an attestation service from which nodes obtain, on demand, a signed certificate asserting the requesting node's role membership. The service provider maps the role to service-specific capabilities, and requests are validated against the auth certificate the client presents when calling the server. The system is designed from the ground up based on our experience with an existing IP-based authorization system, keeping practicality, flexibility and security in mind. The implementation makes use of modern security and crypto practices such as ECDSA and JWT with service delegation capabilities, and works seamlessly with Docker and Chef.
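The three-party flow sketched above (provisioned public keys, fingerprint sets as roles, an attestation service that issues a signed role certificate, and a relying service that maps the role to capabilities) can be exercised end to end in a few hundred lines. The Go program below is an added illustration written for this page; it is not the authors' implementation and does not reproduce Yahoo's APIs, key formats or the service-delegation feature. It assumes a SHA-256 fingerprint over the DER (PKIX) encoding of the node's public key, a proof of possession in which the node signs role||nonce with its private key, a hand-rolled ES256 JWT (P-256 ECDSA, raw r||s signature) as the role certificate, and constructed role and capability names ("ci-builder", "artifact:write"); all of those are assumptions, not details from the talk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// The verifier accepts exactly this JOSE header, so a token never gets to pick its own algorithm.
var header = b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`))

// NewKey makes a P-256 key pair; a node or application provisioner would publish the public half.
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// Fingerprint is SHA-256 over the DER (PKIX) encoding of a public key (assumed format); a role is a set of these.
func Fingerprint(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha256.Sum256(der)
	return b64.EncodeToString(sum[:])
}

// ProveRole is the node side: sign role||nonce with the node's private key to prove possession (assumed scheme).
func ProveRole(node *ecdsa.PrivateKey, role string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(role+"|"), nonce...))
	sig, _ := ecdsa.SignASN1(rand.Reader, node, h[:])
	return sig
}

// Claims of the role certificate: the fingerprint it was issued to, the role, and a short expiry.
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}

// Attestor is the attestation service: its signing key plus role -> set of member fingerprints.
type Attestor struct{ Key *ecdsa.PrivateKey; Roles map[string]map[string]bool }

// Issue checks membership and proof of possession, then returns an ES256-signed JWT.
func (a *Attestor) Issue(pub *ecdsa.PublicKey, role string, nonce, proof []byte, now time.Time, ttl time.Duration) (string, error) {
	fp := Fingerprint(pub)
	if !a.Roles[role][fp] {
		return "", fmt.Errorf("fingerprint is not a member of role %q", role)
	}
	h := sha256.Sum256(append([]byte(role+"|"), nonce...))
	if !ecdsa.VerifyASN1(pub, h[:], proof) {
		return "", fmt.Errorf("proof of possession failed")
	}
	body, _ := json.Marshal(Claims{Sub: fp, Role: role, Exp: now.Add(ttl).Unix()})
	input := header + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, a.Key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // a JWS ES256 signature is raw r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// Service is the relying party: it trusts the attestor's public key and maps role -> capabilities.
type Service struct{ AttestorPub *ecdsa.PublicKey; Caps map[string]map[string]bool }

// Authorize verifies the certificate, then checks that its role grants the capability.
func (s *Service) Authorize(token, capability string, now time.Time) error {
	parts := strings.Split(token, ".")
	sig, err := b64.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || parts[0] != header || err != nil || len(sig) != 64 {
		return fmt.Errorf("malformed token, unexpected header, or bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(s.AttestorPub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("signature does not verify against the attestor key")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return fmt.Errorf("malformed claims")
	}
	if now.Unix() >= c.Exp || !s.Caps[c.Role][capability] {
		return fmt.Errorf("certificate expired, or role %q does not grant %q", c.Role, capability)
	}
	return nil
}

func main() {
	attKey, nodeKey, nonce := NewKey(), NewKey(), []byte("constructed-nonce") // sample nonce; use a random one in practice
	att := &Attestor{Key: attKey, Roles: map[string]map[string]bool{"ci-builder": {Fingerprint(&nodeKey.PublicKey): true}}}
	svc := &Service{AttestorPub: &attKey.PublicKey, Caps: map[string]map[string]bool{"ci-builder": {"artifact:write": true}}}
	tok, err := att.Issue(&nodeKey.PublicKey, "ci-builder", nonce, ProveRole(nodeKey, "ci-builder", nonce), time.Now(), 5*time.Minute)
	fmt.Println(tok, err, svc.Authorize(tok, "artifact:write", time.Now()), svc.Authorize(tok, "deploy:prod", time.Now()))
}
```

Two design points carry over to any real deployment of this pattern. The relying service compares the JOSE header against a fixed expected value and verifies only with the attestor's pinned public key, which closes the classic "alg" confusion problems that come from letting the token choose its own algorithm. And the certificate carries a short expiry rather than a revocation list, which suits containers that live for minutes: a node that has been removed from a role simply cannot renew.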
Aditya Mahendrakar is a senior security engineer in the Paranoid Labs team at Yahoo. He has worked on a number of projects including a key management system, static code analysis framework, and input validation libraries. He received his Master's degree at Carnegie Mellon.
Binu Ramakrishnan is a senior security engineer at Yahoo with extensive experience in Internet-scale systems development, anti-abuse and application security. In this role, Binu manages security engagements with Yahoo Mail and works with product engineers and leaders to help define and implement security strategy and programs within Yahoo Mail. Prior to this role, Binu worked as a lead engineer with the Security and Platforms engineering team, built a hosted key management service, and managed various shared components that are used across Yahoo.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Binu Ramakrishnan and Aditya Mahendrakar},
title = {A Scalable Client Authentication \& Authorization Service for {Container-Based} Environments},
year = {2015},
address = {Washington, D.C.},
publisher = {USENIX Association},
month = nov
}