README
¶
Athenz
Athenz is an open source platform for X.509 certificate based service authentication and fine-grained access control in dynamic infrastructures. It supports provisioning and configuration (centralized authorization) use cases as well as serving/runtime (decentralized authorization) use cases. Athenz authorization system utilizes x.509 certificates and industry standard mutual TLS bound oauth2 access tokens. The name “Athenz” is derived from “AuthNZ” (N for authentication and Z for authorization).
Table of Contents
Background
Athenz is an open source platform for X.509 certificate based service authentication and fine-grained role based access control in dynamic infrastructures. It provides support for the following three major functional areas.
Service Authentication
Athenz provides secure identity in the form of short lived X.509 certificate for every workload or service deployed in private (e.g. Openstack, K8S, Screwdriver) or public cloud (e.g. AWS EC2, ECS, Fargate, Lambda). Using these X.509 certificates clients and services establish secure connections and through mutual TLS authentication verify each other's identity. The service identity certificates are valid for 30 days only, and the service identity agents (SIA) part of those frameworks automatically refresh them daily. The term service within Athenz is more generic than a traditional service. A service identity could represent a command, job, daemon, workflow, as well as both an application client, and an application service.
Since Athenz service authentication is based on X.509 certificates, it is important that you have a good understanding of what X.509 certificates are and how they're used to establish secure connections in Internet protocols such as TLS.
Role-Based Authorization (RBAC)
Once the client is authenticated with its x.509 certificate, the service can then check if the given client is authorized to carry out the requested action. Athenz provides fine-grained role-based access control (RBAC) support for a centralized management system with support for control-plane access control decisions and a decentralized enforcement mechanism suitable for data-plane access control decisions. It also provides a delegated management model that supports multi-tenant and self-service concepts.
AWS Temporary Credentials Support
When working with AWS, Athenz provides support to access AWS services from on-prem services with using AWS temporary credentials rather than static credentials. Athenz ZTS server can be used to request AWS temporary credentials for configured AWS IAM roles.
Install
- Development Environment
- Local/Development/Production Environment Setup
- AWS Production Environment Setup
Usage
- Architecture
- Features
- Developer Guide
- Customizing Athenz
- User Guide
Contribute
Please refer to the contributing file for information about how to get involved. We welcome issues, questions, and pull requests.
You can also contact us for any user and development discussions through our groups:
- Athenz-Dev for development discussions
- Athenz-Users for users questions
The sourcespy dashboard provides a high level overview of the repository including module dependencies, module hierarchy, external libraries, web services, and other components of the system.
License
Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
Directories
¶
| Path | Synopsis |
|---|---|
|
clients
|
|
|
go/msd
Package msd contains a client library to talk to Athenz MSD.
|
Package msd contains a client library to talk to Athenz MSD. |
|
go/zms
Package zms contains a client library to talk to Athenz ZMS.
|
Package zms contains a client library to talk to Athenz ZMS. |
|
go/zms/examples/get-access
Get-access is a demo program to query if the current principal has "Access" to a specified resource, in a given domain.
|
Get-access is a demo program to query if the current principal has "Access" to a specified resource, in a given domain. |
|
go/zts
Package zts contains a client library to talk to Athenz ZTS.
|
Package zts contains a client library to talk to Athenz ZTS. |
|
go/zts/examples/get-role-token
Get-role-token is a demo program to use the service cert present locally on the box to talk to ZTS and fetch a role token.
|
Get-role-token is a demo program to use the service cert present locally on the box to talk to ZTS and fetch a role token. |
|
libs
|
|
|
go/zmscli
Package zmscli is ZMS Client application library to manage an Athenz domain in ZMS Server.
|
Package zmscli is ZMS Client application library to manage an Athenz domain in ZMS Server. |
|
go/zmssvctoken
Package zmssvctoken generates/validates Athenz NTokens given private/public keys.
|
Package zmssvctoken generates/validates Athenz NTokens given private/public keys. |
|
go/ztsroletoken
Package ztsroletoken generates roletokens.
|
Package ztsroletoken generates roletokens. |
|
provider
|
|
|
rdl
|
|
|
utils
|
|
|
athenz-conf
Athenz-conf is a program to generate an athenz.conf file based on service details stored in ZMS Server.
|
Athenz-conf is a program to generate an athenz.conf file based on service details stored in ZMS Server. |
|
msd-agent
Package msd-agent contains a client library to update Athenz MSD with host services identity.
|
Package msd-agent contains a client library to update Athenz MSD with host services identity. |
|
msd-agent/client
Package mock_client is a generated GoMock package.
|
Package mock_client is a generated GoMock package. |
|
zms-cli
Zms-cli is a program to manage your Athenz domain in ZMS Server.
|
Zms-cli is a program to manage your Athenz domain in ZMS Server. |
|
zms-svctoken
Zms-svctoken is a program to generate service tokens based on given private key and service details
|
Zms-svctoken is a program to generate service tokens based on given private key and service details |
|
zpe-updater
Package zpu is a utility library to update ZPE Policy.
|
Package zpu is a utility library to update ZPE Policy. |
|
zpe-updater/cmd/tools
Tools is a program that runs zpu.PolicyUpdater.
|
Tools is a program that runs zpu.PolicyUpdater. |
|
zpe-updater/devel
Package devel provides utility functions for testing (StartMockServer and CreateFile).
|
Package devel provides utility functions for testing (StartMockServer and CreateFile). |
|
zpe-updater/test_data
Package test_data contains test data for zpe-updater as .go files.
|
Package test_data contains test data for zpe-updater as .go files. |
|
zpe-updater/util
Package util provides utility types and functions for zpe-updater.
|
Package util provides utility types and functions for zpe-updater. |
|
zts-accesstoken
ZTS OAuth2 Access Token Client application in Go to request an access token from ZTS Server for the given identity to access a role in a provider domain:
|
ZTS OAuth2 Access Token Client application in Go to request an access token from ZTS Server for the given identity to access a role in a provider domain: |
|
zts-idtoken
ZTS OIDC ID Token Client application in Go to request an id token from ZTS Server for the given identity
|
ZTS OIDC ID Token Client application in Go to request an id token from ZTS Server for the given identity |
|
zts-rolecert
Zts-rolecert is a program to use Athenz Service Identity certificate to request a X509 Certificate for the requested role from ZTS Server.
|
Zts-rolecert is a program to use Athenz Service Identity certificate to request a X509 Certificate for the requested role from ZTS Server. |
|
zts-roletoken
Zts-roletoken is a program to request a role token from ZTS Server for the given identity to access a role in a provider domain.
|
Zts-roletoken is a program to request a role token from ZTS Server for the given identity to access a role in a provider domain. |
|
zts-svccert
Zts-svccert is a program to generate service token, generate a CSR and request a X509 Certificate for that service token from ZTS Server.
|
Zts-svccert is a program to generate service token, generate a CSR and request a X509 Certificate for that service token from ZTS Server. |