
YahooArchive / spartan

Licence: other
A Scalable Client Authentication & Authorization System for Container-based Environments

Programming Languages

javascript
184084 projects - #8 most used programming language
HTML
75241 projects

Projects that are alternatives of or similar to spartan

gotrue
A JWT based API for managing users and issuing JWT tokens
Stars: ✭ 325 (+1811.76%)
Mutual labels:  authorization, client-auth
Athenz
Open source platform for X.509 certificate based service authentication and fine grained access control in dynamic infrastructures. Athenz supports provisioning and configuration (centralized authorization) use cases as well as serving/runtime (decentralized authorization) use cases.
Stars: ✭ 570 (+3252.94%)
Mutual labels:  tls, authorization
brookframework
Microframework which helps to develop web Pascal applications.
Stars: ✭ 161 (+847.06%)
Mutual labels:  tls
authorization-proxy
No description or website provided.
Stars: ✭ 31 (+82.35%)
Mutual labels:  authorization
macaroons
An Erlang Macaroons library compatible with libmacaroons
Stars: ✭ 27 (+58.82%)
Mutual labels:  authorization
azure-functions-auth
Authentication and Authorization for Azure Functions (with OAuth 2.0 and JWT)
Stars: ✭ 20 (+17.65%)
Mutual labels:  authorization
cert-manager
Automatically provision and manage TLS certificates in Kubernetes
Stars: ✭ 8,781 (+51552.94%)
Mutual labels:  tls
angular-authentication
An Angular application that demonstrates best practices for user authentication & authorization flows.
Stars: ✭ 122 (+617.65%)
Mutual labels:  authorization
mbedtls-esp8266
Updated and Upgraded mbedTLS library for the ESP8266 (probably ESP32 too)
Stars: ✭ 13 (-23.53%)
Mutual labels:  tls
concerto
A command line tool and a library to generate TLS certificates for development purposes.
Stars: ✭ 34 (+100%)
Mutual labels:  tls
node-js-jwt-auth
Node.js Demo for Token Based Authentication (JWT) with MySQL database
Stars: ✭ 161 (+847.06%)
Mutual labels:  authorization
dictator
Dictates what your users see. Plug-based authorization.
Stars: ✭ 77 (+352.94%)
Mutual labels:  authorization
actix-web-grants
Authorization extension for actix-web to validate user permissions
Stars: ✭ 85 (+400%)
Mutual labels:  authorization
open-psd2
An open source framework for using banking API's built for PSD2 regulation.
Stars: ✭ 20 (+17.65%)
Mutual labels:  authorization
redis-tls-dockerfile
Redis + TLS Docker image
Stars: ✭ 23 (+35.29%)
Mutual labels:  tls
restify-jwt-community
Restify middleware that validates a JsonWebToken
Stars: ✭ 24 (+41.18%)
Mutual labels:  authorization
spring-boot-security-postgresql
Spring Boot, Spring Security, PostgreSQL: JWT Authentication & Authorization example
Stars: ✭ 65 (+282.35%)
Mutual labels:  authorization
praetorian
A minimalist Crystal authorization system inspired by https://github.com/varvet/pundit.
Stars: ✭ 54 (+217.65%)
Mutual labels:  authorization
django-sitegate
Reusable application for Django to ease sign up & sign in processes
Stars: ✭ 32 (+88.24%)
Mutual labels:  authorization
Casbin4D
An authorization library that supports access control models like ACL, RBAC, ABAC in Delphi
Stars: ✭ 25 (+47.06%)
Mutual labels:  authorization

Spartan

A Scalable Client Authentication & Authorization System for Container-based Environments

Please note: This repo contains known security vulnerabilities. Use at your own risk!

[Alpha release, not production ready]

USENIX UCMS 2015 Presentation slides: here

An X509 based architecture called SpartanX is described here


Background

Container technologies are revolutionizing the way we develop, build and deploy applications in large scale production environments. Applications running in containers often need to connect to various internal/external services that require authentication and authorization. Authenticating a client application to a server is a challenge in such dynamic environments because we cannot rely on traditional IP or hostname based checks. IP based authentication no longer works because (1) container IPs are dynamic and often repurposed, and (2) containers often share IPs. Alternate options include the use of TLS client certs and other key based authentication schemes. TLS client certificates provide authentication, but not authorization, on their own, and they are not easy to configure and operate at scale - think about a CI/CD pipeline spawning hundreds of containers that live only for a few minutes!

What is spartan

Spartan is a role based identity system that provides both authentication and authorization to clients in an automated, easy to configure, scalable fashion. The system comprises

  • Command line tools and APIs for node and application provisioners to manage and publish public key fingerprints
  • Provisioner service that groups the public key fingerprints of nodes/applications into roles, where each role represents a capability
  • Attestation service from which nodes & applications get signed tokens on demand that assert the requesting node's role membership.

Your server application (service provider) maps the role to service specific capabilities, and requests are validated against the auth tokens the client attaches while making requests to the server. The system is designed from the ground up based on our experience with an existing IP based authorization system, keeping practicality, flexibility and security in mind. The implementation makes use of modern security and crypto practices such as ECDSA and JWT.

Is spartan a replacement for TLS in my application?

Spartan is complementary to TLS. Spartan's primary goal is to enable client authentication and authorization capabilities. However, it can provide mutual authentication as well. TLS is recommended for server authentication and transport security. TLS for client authentication is possible but is hard to operationalize at scale, especially in dynamic environments. Authorization capabilities in TLS certificates are also limited, if not impossible. Spartan is a lightweight form of PKI that provides identity, authentication and authorization capabilities. Transport security is also possible with ECDHE key exchange.

[Update] An X509 based architecture called SpartanX is described here

Is this something for me?

Spartan would be useful if you have experienced any of the following problems:

  • You want to enable fine-grained access control for your application
  • You have an HTTPS service, but want to enable client authentication and authorization capabilities
  • You are using client IP whitelists for access control, but find them less effective in shared IP environments like containers, NATs etc.
  • You want an alternative to the manual client IP whitelisting technique

Features

  • No key management hassles. Private keys are not distributed, passed around or reused
  • Based on open standards - JSON Web Tokens, OpenID Connect, ECDSA etc.
  • Easy to deploy and use
  • Easy to integrate with corp identity systems
  • Applications can authenticate over a non-secure network (HTTP)
  • Extend to fit your requirements. For example, you may write reverse and forward proxy Spartan plugins
  • Protection against replay attacks and scoped capabilities

Getting Started

Please refer to the Getting Started Guide

Language Bindings

The following are the Spartan API language bindings. APIs are available to:

  1. Get tokens from attestation service (typically needed on your client application)
  2. Validate tokens received in the request (typically needed on your server which accepts requests)

Acknowledgements

Yahoo Paranoids team
