landscape, spiffe, opa, vault


alexis richardson
 

All,

Question about the landscape.


- do we want to put OPA in the top layer, either inside, or next to App Def?
- what about identity - spiffe and spire?
- do we think key management should move to top layer?

a



Nick Chase
 

I think OPA belongs in the top layer but I don't think it fits in any of the existing subcategories.  In fact I feel that way about all three.

---- Nick


On Wednesday, November 15, 2017, Alexis Richardson via cncf-toc <cncf-toc@...> wrote:
All,

Question about the landscape.


- do we want to put OPA in the top layer, either inside, or next to App Def?
- what about identity - spiffe and spire?
- do we think key management should move to top layer?

a



alexis richardson
 

That was where I was going...

Do others agree?


On Wed, Nov 15, 2017 at 2:58 PM, Nick Chase <nchase@...> wrote:
I think OPA belongs in the top layer but I don't think it fits in any of the existing subcategories.  In fact I feel that way about all three.

---- Nick






Guru Chahal
 

Similar functions have often been classified as "AAA" in traditional systems (Authentication, Authorization, Accounting). I agree that no box really captures these well today - the closest are likely 'coordination and service discovery' or perhaps 'service management'. I'd imagine 'service management' is the likely best current home... Istio is listed there as well today (most adjacent to these projects today).

-Guru


On Wed, Nov 15, 2017 at 6:59 AM, Alexis Richardson via cncf-toc <cncf-toc@...> wrote:
That was where I was going...

Do others agree?


_______________________________________________
cncf-toc mailing list
cncf-toc@...
https://lists.cncf.io/mailman/listinfo/cncf-toc



Tim Hinrichs
 

+1 to the Authentication (SPIFFE, spire), Authorization (OPA), Audit (?).  Classically these are part of Security, but there's no box for that.  

AAA is typically cross-cutting.  OPA, for example, has integrations with Kube (orchestration), Istio (app), Terraform (provisioning), AWS (cloud).

Tim


On Wed, Nov 15, 2017 at 7:33 AM Guru Chahal via cncf-toc <cncf-toc@...> wrote:
Similar functions have often been classified as "AAA" in traditional systems (Authentication, Authorization, Accounting). I agree that no box really captures these well today - the closest are likely 'coordination and service discovery' or perhaps 'service management'. I'd imagine 'service management' is the likely best current home... Istio is listed there as well today (most adjacent to these projects today).

-Guru




Sunil James
 

+1 to this framing, particularly to its cross-cutting nature. While I agree 'security' is a natural starting bucket, the value propositions these (and other) projects address go beyond this (over time).

Visually, perhaps the TOC should consider an "AAA" box (or something more elegantly worded) to the right (or left) of 'Service Management'?


---
SJ | sunil@... | Scytale & SPIFFE



On Wed, Nov 15, 2017 at 8:13 AM, Tim Hinrichs via cncf-toc <cncf-toc@...> wrote:
+1 to the Authentication (SPIFFE, spire), Authorization (OPA), Audit (?).  Classically these are part of Security, but there's no box for that.  

AAA is typically cross-cutting.  OPA, for example, has integrations with Kube (orchestration), Istio (app), Terraform (provisioning), AWS (cloud).

Tim





alexis richardson
 

would you suggest moving key management to AAA?

On Wed, Nov 15, 2017 at 6:09 PM, Sunil James via cncf-toc <cncf-toc@...> wrote:
+1 to this framing, particularly to its cross-cutting nature. While I agree 'security' is a natural starting bucket, the value propositions these (and other) projects address go beyond this (over time).

Visually, perhaps the TOC should consider an "AAA" box (or something more elegantly worded) to the right (or left) of 'Service Management'?


---
SJ | sunil@... | Scytale & SPIFFE






Sunil James
 

Tough one, but I'd say "yes."

FWIW, we should probably read through RFC 2989 (specifically the agreed-upon terminology) for historical context.

---
SJ | sunil@... | Scytale & SPIFFE



On Wed, Nov 15, 2017 at 11:32 AM, Alexis Richardson <alexis@...> wrote:
would you suggest moving key management to AAA?





alexis richardson
 



On Wed, Nov 15, 2017 at 7:52 PM, Sunil James <sunil@...> wrote:
Tough one, but I'd say "yes."

I am ok with that.  Wonder what others think?


 

FWIW, we should probably read through RFC 2989 (specifically the agreed-upon terminology) for historical context.

Is that an offer? ;-)

a
 






Sunil James
 

I've been reading it this morning. I think SPIFFE/SPIRE, OPA, and Vault fit nicely within that framing. Frankly, I think proxies fit within the AAA category, too.

Maybe we're even talking about "AAA" being a new horizontal layer below "Orchestration & Management," which would include the following four (4) categories:

1) Authentication
2) Authorization
3) Key Management
4) Proxies

That said, I'm happy to defer to more thoughtful evaluations :)


---
SJ | sunil@... | Scytale & SPIFFE



On Wed, Nov 15, 2017 at 11:55 AM, Alexis Richardson <alexis@...> wrote:


On Wed, Nov 15, 2017 at 7:52 PM, Sunil James <sunil@...> wrote:
Tough one, but I'd say "yes."

I am ok with that.  Wonder what others think?


 

FWIW, we should probably read through RFC 2989 (specifically the agreed-upon terminology) for historical context.

Is that an offer? ;-)

a
 







alexis richardson
 

anyone else want to chip in?

On Wed, Nov 15, 2017 at 8:11 PM, Sunil James <sunil@...> wrote:
I've been reading it this morning. I think SPIFFE/SPIRE, OPA, and Vault fit nicely within that framing. Frankly, I think proxies fit within the AAA category, too.

Maybe we're even talking about "AAA" being a new horizontal layer below "Orchestration & Management," which would include the following four (4) categories:

1) Authentication
2) Authorization
3) Key Management
4) Proxies

That said, I'm happy to defer to more thoughtful evaluations :)


---
SJ | sunil@... | Scytale & SPIFFE


