WEBVTT

00:00.000 --> 00:11.880
Welcome to the Identity and Access Management Devroom.

00:11.880 --> 00:18.280
Our next presenter is Daniel Tröder, and he will be talking about Nubus.

00:18.280 --> 00:19.280
Welcome.

00:19.280 --> 00:20.280
Thank you.

00:20.280 --> 00:27.520
Welcome, I'm Daniel Tröder, I'm Software Architect at Univention.

00:27.520 --> 00:33.840
This is my first time at FOSDEM, and I'm enjoying it quite a lot, maybe too much.

00:33.840 --> 00:39.320
So when I practiced this yesterday, I noticed that I need way too long, and this is a dev

00:39.320 --> 00:40.320
room.

00:40.320 --> 00:47.560
So I guess you all want to see also some under-the-hood stuff, and so I'm going to try to skip

00:47.560 --> 00:55.160
over the corporate stuff, just: we are a small company in Germany, with developers

00:55.160 --> 01:03.960
from Spain, the States, and Germany, and the IAM it produces is all open source.

01:03.960 --> 01:12.400
It's all AGPL, it keeps you free, and while it also works in small and medium businesses,

01:12.400 --> 01:18.560
mostly our target group is the public sector and the educational sector, educational

01:18.560 --> 01:25.360
sectors are very interesting for IAMs, because you have these domains in schools, and then

01:25.360 --> 01:31.480
you have the school authorities, which is like a domain of domains, so like a forest or something,

01:31.480 --> 01:39.120
and then you have the states, the ministries, that are domains, or they are like collections

01:39.120 --> 01:45.400
of school authorities, so you have like lots of levels, and at every level you have different

01:45.400 --> 01:57.840
authorization, but common authentication, so it's a very interesting context for IAMs, and

01:57.840 --> 02:05.440
our vision is digital sovereignty, and we think the IAM is like the foundation for that,

02:05.440 --> 02:10.120
if you don't control your identities, then you're missing the foundation for your

02:10.120 --> 02:19.920
environment, because you cannot control what's going on, and so our founder is part of the

02:19.920 --> 02:28.720
Open Source Business Alliance, and its European partner APELL, so you find Nubus as an IAM

02:28.720 --> 02:33.920
at the core of other products, I mean, who needs an IAM, nobody ever wants to do anything

02:33.920 --> 02:40.680
with them, they're interested in the applications, right? And in most environments, you

02:40.680 --> 02:49.680
have already an IAM, like an Active Directory, Okta, and Entra, however they are all called,

02:49.680 --> 02:54.080
and so an IAM needs to integrate with that, and also, of course, needs to integrate the

02:54.080 --> 03:02.160
applications, which are the actual value for the end users, and this is an example of how

03:02.240 --> 03:07.680
Nubus is, for example, deployed in openDesk, that's the office and collaboration

03:07.680 --> 03:18.720
suite of the German government, that it's issuing to its officers, and there it integrates

03:18.720 --> 03:24.600
lots of applications with the upstream identity management systems, which already exist,

03:24.680 --> 03:34.680
of course, and you find Nubus in two variants, one, where it was originally developed

03:34.680 --> 03:41.320
for, is the UCS-based distribution, actually it's a Debian-based distribution, it really

03:41.320 --> 03:53.320
is Debian under the hood, plus lots of custom packages, and just four years ago we started

03:53.320 --> 03:59.320
ripping out all the core parts of Nubus and putting them into containers and splitting them up

03:59.320 --> 04:07.880
into more containers, and so on, until it is, well, cloud-native, or whatever you would call it, so you

04:07.880 --> 04:14.520
install it from a DVD, or an ISO image, whatever, in your virtual machine, or on bare metal,

04:15.240 --> 04:23.240
and you get like a ready solution, that scales well until, I don't know, 100,000 users, maybe on a

04:23.240 --> 04:30.440
few servers, right, 20 servers or something, and the other one you install via Helm, with one command

04:30.440 --> 04:36.920
into Kubernetes, and then it's meant to scale upwards, or actually you can also, you don't

04:36.920 --> 04:48.440
have to, it runs on my notebook, so it needs more or less the same memory, yeah, like I said,

04:48.440 --> 04:57.480
we're targeting medium-sized organizations, so 100,000 to a million users, and it works with more or

04:57.480 --> 05:07.720
less too. Nubus is split up into functional components: you get the identity provider, which is

05:07.720 --> 05:14.120
Keycloak, the portal, which tells each user what applications they have access to,

05:15.000 --> 05:21.080
self-service, so you don't bother the help desk, and so on. Directory Manager is the API to access

05:21.080 --> 05:29.960
the data in the LDAP, which is called identity store here, and an authorization service that

05:29.960 --> 05:40.840
is new, it's a REST API where you can add rules and conditions and combine those to create

05:40.920 --> 05:50.280
roles and permission sets, which you can then use to authorize access to attributes or objects,

05:50.280 --> 05:55.720
or actions, depends on the application, so the application needs to use that, and in the back end of

05:55.720 --> 06:03.720
that works Open Policy Agent, a great software, and the rules are generated from that API into the

06:03.720 --> 06:13.800
policy agent, and then there's a provisioning service, which generates events for changes in the back end,

06:13.800 --> 06:23.000
from the LDAP, so that you can hear wherever it was that, so that object changes can be provisioned,

06:23.560 --> 06:31.640
well, kind of provision users and groups from changes in the LDAP. Okay, so this is basically what

06:31.720 --> 06:39.480
Nubus offers: ways to get identities into the identity store, encode them, validate them, store them,

06:39.480 --> 06:49.800
and all of that, and then to issue events to your third party applications, and that's all

06:49.800 --> 06:56.920
an IAM usually does, plus our single sign-on obviously, and okay, so this is like the data flow

06:56.920 --> 07:02.120
that you usually have, you don't have only interactive setting of users, obviously you have

07:02.120 --> 07:09.480
upstream systems or import processes where data gets into your IAM, and you have authentication

07:09.480 --> 07:19.080
and authorization, then everything, and then somehow that data gets sent out, filtered, obviously you

07:19.160 --> 07:24.680
don't need to send the birthday to get in to provision the main account, for example,

07:24.680 --> 07:31.480
and so on to the applications, and so if you're a developer, for example, and you want to

07:31.480 --> 07:38.840
your software to be accessible, you know, usable by users that have been created in

07:38.840 --> 07:45.560
Okta or Microsoft Entra or Active Directory or whatever, then you usually don't want to connect to

07:45.640 --> 07:54.040
all of those IAMs yourself, and what you can use here is that you connect to the

07:54.040 --> 08:00.360
OpenID Connect, well, that you authorize using OpenID Connect with Keycloak, and that you connect

08:00.360 --> 08:09.320
to the event API that tells you when there is a change in the LDAP directory, and so you work

08:09.400 --> 08:18.520
only with REST APIs, so I think very comfortable for developers, and of course, so every environment,

08:18.520 --> 08:23.960
every customer, every user is different, and so you need to customize stuff, and you need to integrate

08:23.960 --> 08:31.720
it into the environment where things should be run, and there you have of course customization,

08:31.720 --> 08:39.000
which means CSS, and buttons, and icons, and stuff, right, for the front end, and then you have

08:39.000 --> 08:45.880
the data model, which is, well, you can create custom objects, and you have users and groups and

08:45.880 --> 08:53.720
computers, and DNS, but if you need bananas, well, you can create a banana object, and then you

08:53.720 --> 09:03.320
also want to add attributes like user is enabled for Nextcloud, or, I don't know, color of

09:04.360 --> 09:11.560
hair or whatever, and so on, so you want to change the data model, so this must be

09:12.200 --> 09:20.920
like extensible, and then, of course, also the encoding of all the data and so on, right,

09:21.240 --> 09:27.560
and then you want to issue all of it, you want to integrate the applications that are the actual

09:27.560 --> 09:42.040
value for the end user, and that is done through interfaces, and so as I said, portal, and it's

09:42.040 --> 09:49.240
well, it's all the front end stuff, so you can add content there, CSS and so on, then you can

09:49.240 --> 10:00.280
add properties, and encoding, and business logic, and, okay, so I'm going to shortcut this, time's running.

10:01.160 --> 10:07.800
Maybe interesting is we're working on a SCIM server for the input and a SCIM client for the output

10:07.800 --> 10:16.520
to move from like our own data model, which is custom, and not everybody knows that,

10:17.480 --> 10:25.800
to a standardized data model, and extensions are installed using like a package, where you can put

10:25.800 --> 10:33.640
all of that inside, and then add that package to your Kubernetes cluster, or the virtual machine,

10:33.640 --> 10:38.760
it's a bit different, but basically the same thing, and there we had a problem, because the whole

10:38.840 --> 10:50.120
thing should be BSI compliant, where BSI is the German federal cyber security policy-making institution,

10:50.120 --> 10:57.240
and they say, for example, that root filesystems in containers must be read-only, and

10:58.360 --> 11:03.400
container images must be cryptographically signed, and so with these two things, how do we add

11:03.480 --> 11:12.600
code to our model, how do we change the look and feel? And that was a bit of a problem at first,

11:12.600 --> 11:19.560
and then we found out how we can do that, and actually, it's quite simple: you create a container

11:19.560 --> 11:25.880
of your extensions, and that container you can sign, right, and it's, well, not changeable,

11:26.440 --> 11:32.120
and at runtime, or at deployment time, at runtime, you can't change stuff, but at deployment time,

11:32.440 --> 11:39.720
that container is mounted as an init container, or whatever, the image for that, right, and

11:41.880 --> 11:49.480
the init containers are executed one after another, so the first init container stores the original

11:49.480 --> 11:54.600
content of the directory where you want to add extensions, and then the extensions are added one after

11:54.600 --> 12:03.800
another to that, and that is mounted as a volume onto the actual program, and then you have

12:05.160 --> 12:10.760
immutable artifacts that are cryptographically signed, but still you have the possibility to add

12:10.760 --> 12:18.440
stuff to your application, and to the data model and so on, and I will show you that later,

12:18.440 --> 12:26.920
if I have enough time. The structure, is it cut off? No, it's okay, it's very simple, and all that you need

12:26.920 --> 12:35.000
in your container is such a file system structure, where you have the plugin types that are supported

12:36.280 --> 12:43.800
by Nubus, so LDAP schema, LDAP ACLs, UDM, that was the data model, and the

12:43.800 --> 12:51.080
handlers for that, for users, groups and stuff, and Management Console is the UI for management,

12:52.200 --> 12:59.240
and directory content, of course, you may want to add some example users or a directory structure

12:59.240 --> 13:05.960
in the LDAP, so you need a way to add objects, and that also by using the general file,

13:05.960 --> 13:14.200
and we use this method ourselves, for our own code, the portal for example is optional, or actually

13:14.200 --> 13:22.120
all, almost all, components of Nubus are optional to install, and so they must use the same mechanism

13:22.120 --> 13:30.920
to add the data, and the images and stuff that they need, dynamically, but not dynamically,

13:30.920 --> 13:56.920
but at start time. Okay, demo time, no, no, wait, yes, okay, as I said before, I started a small

13:57.720 --> 14:03.400
Kubernetes cluster on my laptop using kind, very nice software, but it works also with other

14:03.400 --> 14:10.840
Kubernetes single node distributions, and so there will be a pod running, which pod is a few containers,

14:12.120 --> 14:19.320
and if we now look for example at the UDM REST API, so that's the API to provision objects

14:19.320 --> 14:47.640
in the LDAP, let's see, is it readable for you? Yes, yeah, so somehow this screen is not

14:47.640 --> 15:01.320
full screen for me, okay, let's just kill this pod, and it will immediately spawn a new one,

15:04.840 --> 15:10.840
and now we see that multiple containers were created, there's one called compatibility and

15:10.840 --> 15:17.320
UCR commit, ignore that, there's load internal plugins, load portal extensions, and then the

15:17.320 --> 15:27.880
actual container, UDM REST API, and these, if we now look at them, they do copy operations,

15:28.680 --> 15:37.800
trivial cp, 1-to-1, so from the source to something called /target, icons here and so on,

15:38.440 --> 15:45.000
and then there's load portal extensions, which is to add the extensions that we need for the portal,

15:46.200 --> 15:51.240
and here you can see it skips the plugin types that are not supported because there's nothing

15:51.240 --> 15:57.640
at the target, so it cannot copy anything, and then it copies the stuff where it has found plugins,

15:58.600 --> 16:08.680
so that's UDM handlers and the set icons and syntax, which is encoders, and modules,

16:10.120 --> 16:24.600
and that's really the whole magic, where is that, yeah, so if you look at the

16:25.400 --> 16:40.120
portal extension container, you can actually look into the plugin directory and see

16:40.120 --> 16:47.480
there's really that what I showed in the presentation, just those files, and the embarrassingly

16:47.480 --> 17:00.360
simple loader is this crazy code, that is just copying, and that's legal, and that's

17:00.360 --> 17:06.360
secure, because the source and the target are signed, and there is nothing in between

17:06.360 --> 17:16.680
that does that, so all code is signed and not changed at runtime, so plugins are

17:16.760 --> 17:24.680
simple to create, but what's the other side? The other side is integration, and that's done using

17:24.680 --> 17:43.720
the event API, wrong, wrong, what the, oh yeah, okay here, so that's the provisioning API,

17:43.720 --> 17:50.680
the one that issues events, well actually that offers to download events, so yes, you can subscribe

17:50.680 --> 17:58.440
as a consumer, and then you get a name, you also subscribe to it, and when you subscribe,

17:58.440 --> 18:05.160
you say for what objects you want to subscribe, like users, groups, DNS entries, whatever,

18:05.160 --> 18:12.200
and then updates about those objects will be streamed to a queue, and everyone

18:12.200 --> 18:16.280
can join in their own queue, so all consumers can work in parallel and asynchronously,

18:16.280 --> 18:35.480
and so I'll demo this, so we import the HTTP client, and this is hanging, the port forward is already running,

18:35.480 --> 18:40.920
so it's there, and here we've got a list of subscriptions, so that means consumers,

18:41.560 --> 18:47.080
and we have the portal consumer, because it creates a kind of cache for the portal about users,

18:47.080 --> 18:53.080
their groups, and what applications they can see, and then there's the self-service consumer that

18:53.960 --> 19:01.160
sends emails for newly registered users, but okay, we need our own test user, right,

19:01.160 --> 19:07.720
so we call it test, it is interested in users and groups, and it has a cool password,

19:07.720 --> 19:20.200
so a shared secret, and created, and there you see our consumer is now there, and okay let's

19:20.200 --> 19:30.120
look at "get me the next message", and then it's, we do long polling, we could have done a

19:30.120 --> 19:40.200
how's it called, WebSocket, you know, interactive HTTP APIs, so anyway we do long polling,

19:40.200 --> 19:46.520
if there's nothing, then you get nothing, see, you get an empty JSON response, but if there is

19:46.520 --> 19:51.320
something, you get an immediate return with the new object, there's no change, because we haven't done

19:51.320 --> 20:11.560
anything in the directory, so I'm going to change a user, let me test one, not found, how is it possible?

20:21.560 --> 20:29.480
I don't know, what's wrong here, I was one's to her, so a user has been changed, and if I

20:29.480 --> 20:40.200
now look for messages, I immediately get a change, so the administrator had the

20:40.200 --> 20:55.400
old first name admin, and the new first name is admin test one, so we did change an

20:55.400 --> 21:06.120
object in the directory and got an event for that, and if I look for changes again, I will get

21:06.120 --> 21:15.000
the same change, because we have first to acknowledge this change, so that's, if your application

21:15.000 --> 21:20.600
crashes, and then gets up again, it can just ask again if there are any changes, and if there

21:20.600 --> 21:27.480
were none, then you will still get the same message, so you can do the same, if you crashed,

21:27.480 --> 21:32.760
you can just ask again, you will get the same message, and finish your task, and only when you

21:32.840 --> 21:46.200
finish your task, you set the state, you acknowledge the thing, and so that was message number one,

21:47.880 --> 21:53.320
and then you have acknowledged the change and you can move on to the next event,

21:54.040 --> 22:08.520
okay, time's running out, yeah, funny, it works, okay, so time is short, you can contact me via email

22:08.520 --> 22:15.560
or there are documents online for architects, operators and developers, and we have a

22:16.600 --> 22:22.760
forum, where you can also contact us, and you will find me here if you have questions. Do we have

22:22.760 --> 22:33.560
two, a few minutes? So we have almost seven minutes, actually, we have one question

22:33.560 --> 22:43.800
through Matrix, so I will read it for you, on this slide about the setup with Kubernetes,

22:43.800 --> 22:52.680
there was a line, BSI compliant for the higher security levels, yes, so the question

22:52.680 --> 23:02.520
is, do you know about any uses in VS and MIT compliant environments? I guess this is something

23:03.240 --> 23:13.160
German, government-compliance specific, can you repeat the other words? Yes, and FD compliant,

23:13.880 --> 23:21.720
I'm sorry, I don't know what that is, okay, maybe you can show in Matrix and collaborate with

23:21.720 --> 23:33.480
okay, I will look there, thank you. Any questions? Okay, thank you very much, thank you.

