Migrating from Role-Based to Attribute-Based Access Control

Grab has always regarded security as one of our top priorities; this is especially important for data platform teams. We need to control access to data and resources in order to protect our consumers and ensure compliance with various, continuously evolving security standards.


Additionally, we want to keep the process convenient, simple, and easily scalable for teams. However, as Grab continues to grow, we have more services and resources to manage and it becomes increasingly difficult to keep the process frictionless. That’s why we decided to move from Role-Based Access Control (RBAC) to Attribute-Based Access Control (ABAC) for our Kafka Control Plane (KCP).


In this article, you will learn how Grab’s streaming data platform team (Coban) eliminated the manual management of hundreds of roles and their permissions across resources, and reduced the operational overhead of requesting or approving permissions to zero, by moving from RBAC to ABAC.


Introduction


Kafka is widely used across Grab teams as a streaming platform. Kafka resource (e.g. topic) management is decentralised: teams can create, update, or delete resources according to their needs. As the data platform team, we implemented a KCP to ensure that these operations are only performed by authorised parties, especially on multi-tenant Kafka clusters.
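To make the difference between the two models concrete, here is an added example (not Grab's or Coban's code, and not the KCP's actual policy) that models the same Kafka topic operations under an RBAC check and an ABAC check. The teams, topics, role names and the single ABAC rule "a team may manage only the topics it owns" are assumptions constructed for illustration; the point it shows is that under RBAC a newly created topic is unreachable until someone adds a role and grant for it, whereas under ABAC the owner_team attribute recorded at creation time is enough for the decision.

```python
# Added illustration (not Grab's code): RBAC vs ABAC decisions for Kafka
# topic operations on a multi-tenant cluster. All names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A user or service identity: its team attribute and (for RBAC) its roles."""
    name: str
    team: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Topic:
    """A Kafka topic with an owner_team attribute recorded when it was created."""
    name: str
    cluster: str
    owner_team: str


# Operations the control plane guards; anything else is denied by default.
MANAGED_ACTIONS = frozenset({"create", "update", "delete"})

# RBAC: each role carries an explicit list of (topic, action) grants.
# Constructed role table: only orders.events has a role defined for it.
RBAC_GRANTS = {
    "orders-topic-admin": {("orders.events", "update"), ("orders.events", "delete")},
}


def rbac_allowed(principal: Principal, topic: Topic, action: str) -> bool:
    """Allow only if one of the principal's roles grants this exact pair."""
    if action not in MANAGED_ACTIONS:
        return False
    return any(
        (topic.name, action) in RBAC_GRANTS.get(role, set())
        for role in principal.roles
    )


def abac_allowed(principal: Principal, topic: Topic, action: str) -> bool:
    """Assumed ABAC rule: a team may manage only topics it owns.

    No per-topic role exists; the decision compares attributes of the
    requester (team) and the resource (owner_team).
    """
    if action not in MANAGED_ACTIONS:
        return False
    return principal.team == topic.owner_team


def decide(principal: Principal, topic: Topic, action: str) -> dict:
    """Evaluate both models side by side and return an audit-friendly record."""
    return {
        "principal": principal.name,
        "topic": topic.name,
        "action": action,
        "rbac": rbac_allowed(principal, topic, action),
        "abac": abac_allowed(principal, topic, action),
    }


# Constructed sample identities and topics.
ALICE = Principal("alice", "orders", frozenset({"orders-topic-admin"}))
BOB = Principal("bob", "payments")  # no roles: a team that just created its topic
ORDERS_TOPIC = Topic("orders.events", "shared-cluster-1", "orders")
PAYMENTS_TOPIC = Topic("payments.events", "shared-cluster-1", "payments")


def run_scenario() -> list:
    """Four requests that show where RBAC needs extra role work and ABAC does not."""
    return [
        decide(ALICE, ORDERS_TOPIC, "update"),    # both allow: role exists, owner matches
        decide(BOB, PAYMENTS_TOPIC, "delete"),    # RBAC denies (no role yet), ABAC allows
        decide(ALICE, PAYMENTS_TOPIC, "delete"),  # both deny: wrong team, no grant
        decide(BOB, PAYMENTS_TOPIC, "read"),      # both deny: unmanaged action
    ]


if __name__ == "__main__":
    for record in run_scenario():
        print(record)
```

Under the RBAC half of this model, giving the payments team control of its own topic means creating a role, attaching the (topic, action) grants and assigning it to the right principals, which is exactly the per-resource overhead the article describes; under the ABAC half, the ownership attribute set at creation time already answers the question, so no role request or approval is needed.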


For internal access management, Grab uses its own Identity and Access Management (IAM) service, based on RBAC, to support authentication and authorisation processes:


  • Authentication verifies the identity of a user or service, for example, if the p...
