
How we eased our security journey with OAuth (Goodbye Kerberos!) | Paul Makkar and Rahul Gulati, Saxo Bank






Saxo Bank is on a growth journey and Kafka is a critical component of that success. Securing our financial event streams is a top priority for us, and initially we started with an on-prem Kafka cluster secured with Kerberos, the de facto standard. However, as we modernize and scale, the demands of hybrid cloud, multiple domains, polyglot computing and Data Mesh require us to also modernize our approach to security. In this talk, we describe how we took the default (non-production-ready) Kafka OAuth implementation and productionized it to work with Kafka in Azure Cloud, including the Kafka stack and clients. By running both Kerberos and OAuth on-prem and in the cloud, we now plan to gracefully retire Kerberos from our estate.





  1. Page 1: How We Eased Our Security Journey With OAuth (Goodbye Kerberos)
  2. Page 2: Paul Makkar, Head of Data in Motion, Saxo Bank; Rahul Gulati, Senior Data Platform Engineer, Saxo Bank
  3. Page 3: Saxo Bank is a global, multi-asset facilitator. We unbundle the value chain through our open architecture: we source the best ideas, products, liquidity and services from the best providers (capital markets products, services and liquidity) and distribute capital market and asset management products and services through our platforms, tied together by the SaxoExperience. We run and develop one global, multi-asset, multi-tenanted tech stack and one set of global business processes. (Slide diagram: tech stack of trading platforms, FIX / Open API, CRM & CMS API, OMS / EMS, broker connectivity, hosting services, clearing and settlement, client account structures, margin & risk management, market data connectivity, custody, EOD files, FSSO & TENS and regulatory reporting; client segments of traders (SaxoTraderPRO and SaxoTraderGO for self-directed traders), investors (SaxoInvestor for self-directed and delegating investors) and wholesale (outsourced capital markets infrastructure and client-facing front ends); process areas of execution and trading, market data, custody and back office, reporting, business management, client management and integration.)
  4. Page 4: Saxo and Kafka. (Slide diagram: building a Data Mesh with Kafka self-service for domain teams, run by the Data In Motion group.) Security is key to our success, and so is education.
  5. Page 5: Authentication vs Authorization
  6. Page 6: Phase I
  7. Page 7: Cluster Components and Security (on-prem cluster)
     Component          To Broker              To Zookeeper
     Broker             SASL(Kerberos) + TLS   SASL(Kerberos)
     Kafka Connect      SASL(Kerberos) + TLS   NA
     Schema Registry    SASL(Kerberos) + TLS   NA
     Control Center     SASL(Kerberos) + TLS   NA
  8. Page 8: Challenges with Kerberos. Cross-realm authentication is hard. Authenticating from the cloud against the on-prem LDAP/AD is not possible. Kerberos failures are very difficult to debug.
  9. Page 9
 10. Page 10: OAuth with Kafka. It looked possible and looked promising, but a complete production-ready solution was not available out of the box.
 11. Page 11: OAuth with Kafka: why not production ready? The OAUTHBEARER implementation Kafka ships by default only deals with unsecured JWTs: it generates arbitrary, unsigned tokens and accepts them without checking any signature, so it is only suitable for dev/test environments. No external authorization server is involved in granting tokens or authenticating clients.
 12. Page 12: OAuth with Azure Active Directory (AAD)
 13. Page 13: Introduction. OAuth 2.0 is an authorization framework that enables an application to obtain limited access to an HTTP service, either on behalf of a resource owner or on its own behalf.
 14. Page 14: OAuth Terminology
 15. Page 15: OAuth Terminology. Grant type used here: Client Credentials. An Access Token is the token presented to access a resource. A Refresh Token is used to obtain a new access token once the current one expires; the client credentials grant does not normally issue one, the client simply requests a fresh token with its credentials. The Grant Type, or flow, specifies how those tokens are retrieved.
 16. Page 16: Phase II
 17. Page 17: Cluster Components and Security (Azure cluster)
     Component          To Broker            To Zookeeper
     Broker             SASL(OAuth) + TLS    SASL(Digest)
     Kafka Connect      SASL(OAuth) + TLS    NA
     Schema Registry    SASL(OAuth) + TLS    NA
     Control Center     SASL(OAuth) + TLS    NA
 18. Page 18: OAuth Authentication Flow in Kafka. The clients (brokers, Connect, Schema Registry, Control Center, producers and consumers) and Azure AD: (1) the client requests a token from Azure AD with its client id and client secret; (2) Azure AD returns an access token; (3) the client presents the OAuth access token to the Kafka broker; (4) the broker authenticates the client.
 19. Page 19: OAuth Detailed Implementation (Authentication). Client to Azure AD: request token. Client to broker: SASL authentication request carrying the access token. Broker: validate the access token against Azure AD's signing keys. Broker to client: SASL authentication response. Client to broker: produce/consume request, followed by the broker's response.
 20. Page 20: Authentication with OAuth (JWT Token Retrieval & Validation)
 21. Page 21: JWT (JSON Web Tokens): aaa.bbbbbbb.cccc, three dot-separated, base64url-encoded parts: Header, Payload, Signature.
 22. Page 22: Azure AD App Registration. Separate apps for brokers, producers, consumers, Connect, Schema Registry etc., per environment (Dev, Test & Prod). Authentication is based on the client id and client secret of each app.
 23. Page 23: Retrieving an Azure AD token. Token response (access token truncated on the slide):
     {"token_type":"Bearer","expires_in":"3599","ext_expires_in":"3599","expires_on":"1596455877","not_before":"1596451977","resource":"00000002-0000-0000-c000-000000000000","access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSIsImtpZCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSJ9.eyJhdW…
     (The slide also shows the access token appearing in the broker logs.)
 24. Page 24: Validating the JWT (brokers). Validate the token structure: a valid token has three parts, header, payload and signature. Validate the token signature: decode the token header, fetch the signing key it names, and verify that the token was signed by one of Azure AD's keys. Decoded, the header of the token above is {"typ":"JWT","alg":"RS256","x5t":"huN95IvQfehq34GzBDZ1GXGirnM","kid":"huN95IvQfehq34GzBDZ1GXGirnM"}; the kid selects the key to verify against.
 25. Page 25: Validating the JWT (brokers, continued). Validate token expiry and audience from the exp and aud claims of the decoded payload, so that an expired token, or one issued for a different resource, is rejected. (The slide shows the decoded payload and the corresponding broker logs.)
 26. Page 26: Phase I, Phase II... Phase III
 27. Page 27: Security Setup – Different Phases (diagram). Phase I: producers and consumers reach the Kafka cluster (Broker 1, Broker 2) over Kerberos & TLS; brokers reach the Zookeeper cluster (Zookeeper 1, Zookeeper 2) over Kerberos; Connect, Schema Registry and Control Center use Kerberos/TLS. Phase II/III: brokers authenticate clients with OAuth & TLS against Azure AD while still accepting Kerberos; Zookeeper uses Digest; Connect, Control Center and Schema Registry use OAuth/TLS.
 28. Page 28: Authorization
 29. Page 29: OAuth Detailed Implementation (Authorization). The broker's Authorizer loads the ACLs stored in Zookeeper and, for each request from an authenticated principal, answers Allow or Deny.
 30. Page 30: Kafka ACLs – Azure AD App Client IDs. ACLs are keyed on the Azure AD app's client id, which is the principal the broker sees after OAuth authentication, so producer/consumer ACLs are granted to that client id. Without topic ACLs a client authenticates successfully but its requests are denied (authorization issues).
 31. Page 31: Enabling OAuth on Kafka: Brokers; Clients (Producers/Consumers)
 32. Page 32: Broker Configuration: Supporting Multiple Listeners on Brokers
 33. Page 33: How Has The Journey Been So Far? Easy to authenticate producer/consumer apps running anywhere, on-prem or in the cloud. Cross-domain authentication became possible (in fact, it is no longer even relevant). Much easier to onboard new clients and authenticate AD apps. Debugging authentication issues became easier. We have started the journey to deprecate Kerberos.

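The side-by-side listener setup of slide 32, as an added configuration sketch rather than Saxo's actual properties: one Kerberos (GSSAPI) listener kept from Phase I and one OAUTHBEARER listener for Phase II/III on the same broker, plus the matching client settings. The listener names, ports, hostnames, keytab path, keystore paths and the two callback-handler class names are assumptions; the `listeners`, `listener.name.*` and `sasl.*` keys are standard Kafka properties. Passwords and client secrets are deliberately left out.

```properties
############ broker (server.properties) ############
# Two SASL_SSL listeners: the Phase I Kerberos listener stays, the OAuth listener is added.
listeners=KERB://0.0.0.0:9093,OAUTH://0.0.0.0:9094
advertised.listeners=KERB://broker1.example.internal:9093,OAUTH://broker1.example.internal:9094
listener.security.protocol.map=KERB:SASL_SSL,OAUTH:SASL_SSL
inter.broker.listener.name=OAUTH
sasl.enabled.mechanisms=GSSAPI,OAUTHBEARER

# Kerberos listener: unchanged from Phase I, so existing clients keep working during migration.
listener.name.kerb.sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
listener.name.kerb.gssapi.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
    useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka.keytab" \
    principal="kafka/broker1.example.internal@EXAMPLE.INTERNAL";

# OAuth listener: the unsecured default validator is replaced by a custom handler (class name
# assumed) that checks the Azure AD signature, exp and aud, as on slides 24 and 25.
listener.name.oauth.sasl.enabled.mechanisms=OAUTHBEARER
listener.name.oauth.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
listener.name.oauth.oauthbearer.sasl.server.callback.handler.class=com.example.kafka.oauth.AzureAdTokenValidatorCallbackHandler
# The broker is itself an Azure AD app (slide 22): this handler (class name assumed) fetches its
# client-credentials token for inter-broker traffic on the OAUTH listener.
listener.name.oauth.oauthbearer.sasl.login.callback.handler.class=com.example.kafka.oauth.AzureAdClientCredentialsLoginCallbackHandler

# Both listeners are SASL_SSL, so TLS is configured once for the broker.
ssl.keystore.location=/etc/kafka/ssl/broker1.keystore.jks
ssl.truststore.location=/etc/kafka/ssl/truststore.jks

############ producer / consumer (client.properties) ############
bootstrap.servers=broker1.example.internal:9094
security.protocol=SASL_SSL
sasl.mechanism=OAUTHBEARER
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
sasl.login.callback.handler.class=com.example.kafka.oauth.AzureAdClientCredentialsLoginCallbackHandler
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
```

With both listeners up, a client is moved off Kerberos simply by pointing it at port 9094 with the OAuth settings; nothing on the broker changes per client, and the Kerberos listener can be removed once no client uses it. Authorization is unaffected by the listener: the ACLs of slide 30 are granted to the principal the validator derives from the token, for example `kafka-acls --add --allow-principal User:<client-id> --producer --topic <topic>`, where `<client-id>` is the Azure AD app's client id.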