Athenz is a role-based authorization (RBAC) system for provisioning and configuration (centralized authorization) use cases as well as serving/runtime (decentralized authorization) use cases.
Latest commit e941984 (Feb 16, 2019) by jeffreytolar and havetisyan: Update Go dependencies (#631). Also switch to using lumberjack's preferred import path on gopkg.in.
Athenz

Athenz is a set of services and libraries supporting service authentication and role-based authorization (RBAC) for provisioning and configuration (centralized authorization) use cases as well as serving/runtime (decentralized authorization) use cases. The Athenz authorization system uses X.509 certificates and two types of tokens: Principal Tokens (N-Tokens) and RoleTokens (Z-Tokens). The use of X.509 certificates is strongly recommended over tokens. The name "Athenz" is derived from "AuthNZ" (N for authentication and Z for authorization).

Background

Athenz is an open source platform for X.509 certificate-based service authentication and fine-grained role-based access control in dynamic infrastructures. It provides support for the following three major functional areas.

Service Authentication

Athenz provides a secure identity in the form of a short-lived X.509 certificate for every workload or service deployed in a private cloud (e.g. Openstack, K8S, Screwdriver) or a public cloud (e.g. AWS EC2, ECS, Fargate, Lambda). Using these X.509 certificates, clients and services establish secure connections and verify each other's identity through mutual TLS authentication. The service identity certificates are valid for 30 days only, and the service identity agents (SIA) that are part of those frameworks automatically refresh them daily. The term service within Athenz is more generic than a traditional service. A service identity could represent a command, job, daemon, workflow, as well as both an application client and an application service.

Since Athenz service authentication is based on X.509 certificates, it is important that you have a good understanding of what X.509 certificates are and how they're used to establish secure connections in Internet protocols such as TLS.
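
The 30-day validity and daily refresh described above give operators a simple health signal: a certificate that is still valid but was issued several days ago means the refresh agent has stopped working. The following is an added example, not code from the Athenz project. The function names, the `missedOK` tolerance, the status strings and the `example.service` common name are hypothetical, and it assumes a refreshed certificate carries a `NotBefore` close to its issue time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const maxLifetime, refreshPeriod = 30 * 24 * time.Hour, 24 * time.Hour // README: 30-day certs, daily refresh

// CheckIdentityCert classifies c at time now; missedOK (hypothetical) is the number of missed daily refreshes tolerated.
func CheckIdentityCert(c *x509.Certificate, now time.Time, missedOK int) string {
	switch {
	case now.Before(c.NotBefore) || now.After(c.NotAfter):
		return "outside-validity"
	case c.NotAfter.Sub(c.NotBefore) > maxLifetime:
		return "too-long-lived"
	case now.Sub(c.NotBefore) > time.Duration(missedOK)*refreshPeriod:
		return "stale" // still valid, but the refresh agent has stopped renewing it
	}
	return "ok"
}

// NewSampleCert builds a constructed, self-signed certificate for this demo only.
func NewSampleCert(cn string, notBefore time.Time, life time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(life)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, err := NewSampleCert("example.service", time.Now().Add(-3*refreshPeriod), maxLifetime)
	if err != nil {
		panic(err)
	}
	fmt.Println(c.Subject.CommonName, CheckIdentityCert(c, time.Now(), 2))
}
```

Alerting on "stale" leaves most of the 30-day window to repair the agent before mutual TLS connections begin to fail on expiry.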

Role-Based Authorization (RBAC)

Once the client is authenticated with its X.509 certificate, the service can then check if the given client is authorized to carry out the requested action. Athenz provides fine-grained role-based access control (RBAC) support for a centralized management system with support for control-plane access control decisions and a decentralized enforcement mechanism suitable for data-plane access control decisions. It also provides a delegated management model that supports multi-tenant and self-service concepts.

AWS Temporary Credentials Support

When working with AWS, Athenz provides support for accessing AWS services from on-prem services by using AWS temporary credentials rather than static credentials. The Athenz ZTS server can be used to request AWS temporary credentials for configured AWS IAM roles.

Install

Usage

Contribute

Please refer to the contributing file for information about how to get involved. We welcome issues, questions, and pull requests.

You can also contact us for any user and development discussions through our groups:

License

Copyright 2016 Yahoo Inc.

Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0