Engineering, Backend, Data / ML

Attribute-Based Access Control at Uber

13 July 2023 / Global
Figure 1: Basic policy model – a permission is made of a resource matcher and actions associated with actor matchers.

Figure 2: Sample policies – the first one allows service ‘bar’ to invoke ‘method1’ of service ‘foo’; the second one allows employees in group ‘querybuilder-development’ to read and write query reports.

Figure 3: System architecture – policy authors manage policies at the Charter service; the policies are distributed to the hosts where the service is running; the service calls authorization APIs from the authfx library to evaluate the policies for an authorization decision.

Figure 4: The basic policy model with an optional “condition” field for each permission. This condition is a boolean expression that can be based on a variety of attributes.

Figure 5: Updated system architecture – the authorization engine leverages an expression engine to evaluate the condition expression, which calls the attribute store for attribute values.

Figure 6: Attribute store interfaces.

Figure 7: Policy file extended with a condition field.

Figure 8: A policy that allows an Uber employee to manage a Kafka topic if he/she has the “Develop” role on the topic from ‘uOwn’.
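To make the policy model in the captions concrete, the following is an added example, not code from Uber's authfx, Charter or Attribute Store. It encodes the three sample policies (Figures 2 and 8) as permissions with a resource matcher, actions, actor matchers and an optional condition (Figure 4), and evaluates them default-deny against an in-memory attribute store (Figure 6). All type names, the matcher syntax ("service:X", "group:G", trailing "*"), the attribute keys ("groups", "role:Develop") and the employees alice and bob are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// AttributeStore is what conditions query; memStore is a constructed in-memory stand-in.
type AttributeStore interface {
	Get(kind, id, attr string) (string, bool)
}

type memStore map[string]map[string]string
func (m memStore) Get(kind, id, attr string) (string, bool) {
	v, ok := m[kind+":"+id][attr]
	return v, ok
}

type Request struct{ ActorKind, ActorID, Resource, Action string }
type Condition func(r Request, s AttributeStore) bool // optional boolean expression
// Permission = resource matcher + actions + actor matchers (+ condition), as in Figure 4.
type Permission struct {
	ResourceMatcher string    // exact, or a prefix ending in "*"
	Actions         []string  // e.g. "invoke", "read", "write", "manage"
	ActorMatchers   []string  // "service:bar", "group:querybuilder-development"
	Condition       Condition // nil means unconditional
}

func inList(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

func matchResource(pattern, resource string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(resource, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == resource
}

// "service:X" matches a service by name; "group:G" an employee whose "groups" attribute (from the store) contains G.
func matchActor(m string, r Request, s AttributeStore) bool {
	kind, val, _ := strings.Cut(m, ":")
	switch kind {
	case "service":
		return r.ActorKind == "service" && r.ActorID == val
	case "group":
		groups, ok := s.Get("employee", r.ActorID, "groups")
		return r.ActorKind == "employee" && ok && inList(strings.Split(groups, ","), val)
	}
	return false
}

// Authorize is default-deny: allow only if a permission matches resource, action and actor and its condition holds.
func Authorize(policy []Permission, r Request, s AttributeStore) bool {
	for _, p := range policy {
		if !matchResource(p.ResourceMatcher, r.Resource) || !inList(p.Actions, r.Action) {
			continue
		}
		actorOK := false
		for _, am := range p.ActorMatchers {
			actorOK = actorOK || matchActor(am, r, s)
		}
		if actorOK && (p.Condition == nil || p.Condition(r, s)) {
			return true
		}
	}
	return false
}

// Figure 8 style condition: the actor must hold the named role on the target resource per the store's ownership data.
func hasRoleOnResource(role string) Condition {
	return func(r Request, s AttributeStore) bool {
		kind, id, _ := strings.Cut(r.Resource, ":")
		owners, ok := s.Get(kind, id, "role:"+role)
		return ok && inList(strings.Split(owners, ","), r.ActorID)
	}
}

// The three caption policies, plus constructed attribute data.
var SamplePolicy = []Permission{
	{ResourceMatcher: "service:foo/method1", Actions: []string{"invoke"}, ActorMatchers: []string{"service:bar"}},
	{ResourceMatcher: "query-report:*", Actions: []string{"read", "write"}, ActorMatchers: []string{"group:querybuilder-development"}},
	{ResourceMatcher: "kafka-topic:*", Actions: []string{"manage"}, ActorMatchers: []string{"group:employees"}, Condition: hasRoleOnResource("Develop")},
}

var SampleStore = memStore{
	"employee:alice":     {"groups": "employees,querybuilder-development"},
	"employee:bob":       {"groups": "employees"},
	"kafka-topic:orders": {"role:Develop": "bob"},
}

func main() {
	r := Request{"employee", "bob", "kafka-topic:orders", "manage"}
	fmt.Println(r, "->", Authorize(SamplePolicy, r, SampleStore))
}
```

Two design points worth noting: the evaluator never returns true unless a permission matches on all three of resource, action and actor, so a missing attribute (an unknown employee, a topic with no ownership record) falls through to deny rather than erroring open; and the condition only consults the store through the narrow `Get` interface, which is what lets the expression engine stay independent of where attributes actually come from.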
Alan Cao

Alan is a Staff Software Engineer on the Core Security Engineering team at Uber. He works on the unified authorization platform for Uber’s services and infrastructure.

Posted by Alan Cao