Script updating gh-pages from d7e7acc. [ci skip]
ID Bot committed Mar 29, 2024
1 parent 3f1825e commit a2ea7ca
Showing 2 changed files with 101 additions and 55 deletions.
110 changes: 71 additions & 39 deletions jsalowey-sa-diag/draft-salowey-wimse-arch.html
Expand Up @@ -1156,7 +1156,7 @@ <h2 id="name-copyright-notice">
<p id="section-toc.1-1.3.2.2.1"><a href="#section-3.2" class="auto internal xref">3.2</a>.  <a href="#name-workload-identity-use-cases" class="internal xref">Workload Identity Use Cases</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2.2.1">
<p id="section-toc.1-1.3.2.2.2.1.1"><a href="#section-3.2.1" class="auto internal xref">3.2.1</a>.  <a href="#name-basic-service-authenticatio" class="internal xref">Basic Service Authentication</a></p>
<p id="section-toc.1-1.3.2.2.2.1.1"><a href="#section-3.2.1" class="auto internal xref">3.2.1</a>.  <a href="#name-basic-service-authenticatio" class="internal xref">Basic Service Authentication and Authorization</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2.2.2">
<p id="section-toc.1-1.3.2.2.2.2.1"><a href="#section-3.2.2" class="auto internal xref">3.2.2</a>.  <a href="#name-security-context-establishm" class="internal xref">Security Context Establishment and Propagation</a></p>
Expand Down Expand Up @@ -1394,12 +1394,12 @@ <h4 id="name-identity-credentials">
<h3 id="name-workload-identity-use-cases">
<a href="#section-3.2" class="section-number selfRef">3.2. </a><a href="#name-workload-identity-use-cases" class="section-name selfRef">Workload Identity Use Cases</a>
</h3>
<div id="basic-service-authentication">
<div id="basic-service-authentication-and-authorization">
<section id="section-3.2.1">
<h4 id="name-basic-service-authenticatio">
<a href="#section-3.2.1" class="section-number selfRef">3.2.1. </a><a href="#name-basic-service-authenticatio" class="section-name selfRef">Basic Service Authentication</a>
<a href="#section-3.2.1" class="section-number selfRef">3.2.1. </a><a href="#name-basic-service-authenticatio" class="section-name selfRef">Basic Service Authentication and Authorization</a>
</h4>
<p id="section-3.2.1-1">One of the most basic use cases for workload identity is authentication of one workload to another, such as in the case where one service is making a request to another service within a larger application. Even in this simple case the identity of a workload is often composed of many attributes such as:<a href="#section-3.2.1-1" class="pilcrow"></a></p>
<p id="section-3.2.1-1">One of the most basic use cases for workload identity is authentication of one workload to another, such as in the case where one service is making a request to another service as part of a larger, more complex application. Following authentication, the request to the service offered by the workload it needs to be authorized. Even in this simple case the identity of a workload is often composed of many attributes such as:<a href="#section-3.2.1-1" class="pilcrow"></a></p>
<ul class="normal">
<li class="normal" id="section-3.2.1-2.1">
<p id="section-3.2.1-2.1.1">Trigger Information<a href="#section-3.2.1-2.1.1" class="pilcrow"></a></p>
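Review bot: the sentence added to `<p id="section-3.2.1-1">` has a stray pronoun: "the request to the service offered by the workload it needs to be authorized" should read "the request to the service offered by the workload needs to be authorized". Beyond the grammar, the retitled section now promises authorization but the body only asserts that it happens; since the list that follows (starting with "Trigger Information") describes what a workload's identity is composed of, one sentence saying which of those attributes the receiving workload is expected to evaluate when authorizing the request, or a pointer to Section 3.2.2 (Security Context Establishment and Propagation) for where that context comes from, would make the new title earn its keep. The `div` id rename to `basic-service-authentication-and-authorization` while the heading keeps the generated anchor `name-basic-service-authenticatio` is fine, as the TOC entry links to the latter.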
Expand Down Expand Up @@ -1453,43 +1453,75 @@ <h4 id="name-basic-service-authenticatio">
<p id="section-3.2.1-6.3.1">TLS authentication of the server and HTTP request signing using a secret key.<a href="#section-3.2.1-6.3.1" class="pilcrow"></a></p>
</li>
</ul>
<div id="section-3.2.1-7">
<div class="alignLeft art-svg artwork" id="section-3.2.1-7.1">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="352" width="456" viewBox="0 0 456 352" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,32 L 8,96" fill="none" stroke="black"></path>
<path d="M 8,144 L 8,320" fill="none" stroke="black"></path>
<path d="M 32,192 L 32,272" fill="none" stroke="black"></path>
<path d="M 72,80 L 72,208" fill="none" stroke="black"></path>
<path d="M 152,32 L 152,96" fill="none" stroke="black"></path>
<path d="M 160,192 L 160,272" fill="none" stroke="black"></path>
<path d="M 280,192 L 280,272" fill="none" stroke="black"></path>
<path d="M 416,192 L 416,272" fill="none" stroke="black"></path>
<path d="M 448,144 L 448,320" fill="none" stroke="black"></path>
<path d="M 8,32 L 152,32" fill="none" stroke="black"></path>
<path d="M 8,96 L 152,96" fill="none" stroke="black"></path>
<path d="M 8,144 L 272,144" fill="none" stroke="black"></path>
<path d="M 392,144 L 448,144" fill="none" stroke="black"></path>
<path d="M 32,192 L 160,192" fill="none" stroke="black"></path>
<path d="M 280,192 L 416,192" fill="none" stroke="black"></path>
<path d="M 152,240 L 288,240" fill="none" stroke="black"></path>
<path d="M 32,272 L 160,272" fill="none" stroke="black"></path>
<path d="M 280,272 L 416,272" fill="none" stroke="black"></path>
<path d="M 8,320 L 448,320" fill="none" stroke="black"></path>
<polygon class="arrowhead" points="296,240 284,234.4 284,245.6" fill="black" transform="rotate(0,288,240)"></polygon>
<polygon class="arrowhead" points="160,240 148,234.4 148,245.6" fill="black" transform="rotate(180,152,240)"></polygon>
<polygon class="arrowhead" points="80,208 68,202.4 68,213.6" fill="black" transform="rotate(90,72,208)"></polygon>
<polygon class="arrowhead" points="80,80 68,74.4 68,85.6" fill="black" transform="rotate(270,72,80)"></polygon>
<g class="text">
<text x="84" y="52">Workload</text>
<text x="84" y="68">(external)</text>
<text x="296" y="148">Trust</text>
<text x="356" y="148">Boundary</text>
<text x="76" y="228">Workload</text>
<text x="324" y="228">Workload</text>
</g>
</svg><a href="#section-3.2.1-7.1" class="pilcrow"></a>
<p id="section-3.2.1-7"><a href="#arch-chain" class="auto internal xref">Figure 2</a> illustrates the communication between different workloads. Two aspects are important
to highlight: First, there is a need to consider the interaction with workloads that are external
to the trust domain (sometimes called cross-domain). Second, the interaction does
not only occur between workloads that directly interact with each other but instead may also
take place across intermediate workloads (in an end-to-end style).<a href="#section-3.2.1-7" class="pilcrow"></a></p>
<span id="name-workload-to-workload-commun"></span><div id="arch-chain">
<figure id="figure-2">
<div id="section-3.2.1-8.1">
<div class="alignLeft art-svg artwork" id="section-3.2.1-8.1.1">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="384" width="520" viewBox="0 0 520 384" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,32 L 8,96" fill="none" stroke="black"></path>
<path d="M 8,144 L 8,352" fill="none" stroke="black"></path>
<path d="M 32,192 L 32,304" fill="none" stroke="black"></path>
<path d="M 72,80 L 72,208" fill="none" stroke="black"></path>
<path d="M 128,192 L 128,304" fill="none" stroke="black"></path>
<path d="M 152,32 L 152,96" fill="none" stroke="black"></path>
<path d="M 216,192 L 216,304" fill="none" stroke="black"></path>
<path d="M 312,192 L 312,304" fill="none" stroke="black"></path>
<path d="M 400,192 L 400,304" fill="none" stroke="black"></path>
<path d="M 496,192 L 496,304" fill="none" stroke="black"></path>
<path d="M 512,144 L 512,352" fill="none" stroke="black"></path>
<path d="M 8,32 L 152,32" fill="none" stroke="black"></path>
<path d="M 8,96 L 152,96" fill="none" stroke="black"></path>
<path d="M 8,144 L 272,144" fill="none" stroke="black"></path>
<path d="M 392,144 L 512,144" fill="none" stroke="black"></path>
<path d="M 32,192 L 128,192" fill="none" stroke="black"></path>
<path d="M 216,192 L 312,192" fill="none" stroke="black"></path>
<path d="M 400,192 L 496,192" fill="none" stroke="black"></path>
<path d="M 120,240 L 224,240" fill="none" stroke="black"></path>
<path d="M 304,240 L 408,240" fill="none" stroke="black"></path>
<path d="M 80,288 L 440,288" fill="none" stroke="black"></path>
<path d="M 32,304 L 128,304" fill="none" stroke="black"></path>
<path d="M 216,304 L 312,304" fill="none" stroke="black"></path>
<path d="M 400,304 L 496,304" fill="none" stroke="black"></path>
<path d="M 8,352 L 512,352" fill="none" stroke="black"></path>
<polygon class="arrowhead" points="448,288 436,282.4 436,293.6" fill="black" transform="rotate(0,440,288)"></polygon>
<polygon class="arrowhead" points="416,240 404,234.4 404,245.6" fill="black" transform="rotate(0,408,240)"></polygon>
<polygon class="arrowhead" points="312,240 300,234.4 300,245.6" fill="black" transform="rotate(180,304,240)"></polygon>
<polygon class="arrowhead" points="232,240 220,234.4 220,245.6" fill="black" transform="rotate(0,224,240)"></polygon>
<polygon class="arrowhead" points="128,240 116,234.4 116,245.6" fill="black" transform="rotate(180,120,240)"></polygon>
<polygon class="arrowhead" points="88,288 76,282.4 76,293.6" fill="black" transform="rotate(180,80,288)"></polygon>
<polygon class="arrowhead" points="80,208 68,202.4 68,213.6" fill="black" transform="rotate(90,72,208)"></polygon>
<polygon class="arrowhead" points="80,80 68,74.4 68,85.6" fill="black" transform="rotate(270,72,80)"></polygon>
<g class="text">
<text x="84" y="52">Workload</text>
<text x="84" y="68">(external)</text>
<text x="296" y="148">Trust</text>
<text x="356" y="148">Boundary</text>
<text x="168" y="196">Hop-by-</text>
<text x="352" y="196">Hop-by-</text>
<text x="152" y="212">Hop</text>
<text x="336" y="212">Hop</text>
<text x="76" y="228">Workload</text>
<text x="172" y="228">Security</text>
<text x="260" y="228">Workload</text>
<text x="356" y="228">Security</text>
<text x="444" y="228">Workload</text>
<text x="72" y="292">O</text>
<text x="448" y="292">O</text>
<text x="168" y="308">E2E</text>
<text x="352" y="308">E2E</text>
</g>
</svg><a href="#section-3.2.1-8.1.1" class="pilcrow"></a>
</div>
</div>
<figcaption><a href="#figure-2" class="selfRef">Figure 2</a>:
<a href="#name-workload-to-workload-commun" class="selfRef">Workload-to-Workload Communication.</a>
</figcaption></figure>
</div>
</section>
</div>
<div id="security-context-establishment-and-propagation">
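Review bot: the new paragraph (`<p id="section-3.2.1-7">`) introduces two ideas, cross-domain interaction and interaction across intermediate workloads, but the labels in the redrawn Figure 2 are never explained: "Hop-by-Hop Security" sits between each adjacent pair of workloads and "E2E" runs between the "O" endpoints of the outer workloads, and nothing says what the end-to-end line carries or how it differs from the hop. The three transport options listed just above (mutual TLS; server TLS plus bearer token; server TLS plus HTTP request signing) map naturally onto these two layers, so state that TLS is the hop-by-hop protection and that the token or signed request is what must survive the intermediate workload end to end; without that, a reader can take the diagram to mean the middle workload simply terminates both legs. Likewise the external workload's arrow crossing the "Trust Boundary" into the left-most workload is the cross-domain case the text names, but neither text nor figure says that a credential from another trust domain is being accepted there; a clause to that effect would close the gap. Markup is well-formed: `id="arch-chain"` matches the new `href="#arch-chain"` xref and the figcaption anchor `name-workload-to-workload-commun` has its `<span>`.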
46 changes: 30 additions & 16 deletions jsalowey-sa-diag/draft-salowey-wimse-arch.txt
Expand Up @@ -78,7 +78,7 @@ Table of Contents
3.1.1. Bootstrapping Workload Identity
3.1.2. Identity Credentials
3.2. Workload Identity Use Cases
3.2.1. Basic Service Authentication
3.2.1. Basic Service Authentication and Authorization
3.2.2. Security Context Establishment and Propagation
3.2.3. Delegation and Impersonation
3.2.4. Asynchronous and Batch Requests
Expand Down Expand Up @@ -274,12 +274,14 @@ Table of Contents

3.2. Workload Identity Use Cases

3.2.1. Basic Service Authentication
3.2.1. Basic Service Authentication and Authorization

One of the most basic use cases for workload identity is
authentication of one workload to another, such as in the case where
one service is making a request to another service within a larger
application. Even in this simple case the identity of a workload is
one service is making a request to another service as part of a
larger, more complex application. Following authentication, the
request to the service offered by the workload it needs to be
authorized. Even in this simple case the identity of a workload is
often composed of many attributes such as:

* Trigger Information
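Review bot: the same stray pronoun appears in this rendering: "the request to the service offered by the workload it needs to be authorized" should drop "it". Both the .txt and the .html are produced by the script named in the commit message, so the fix belongs in the draft source rather than in either generated file, otherwise the two outputs will drift apart on the next regeneration.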
Expand Down Expand Up @@ -321,25 +323,37 @@ Table of Contents
* TLS authentication of the server and HTTP request signing using a
secret key.

Figure 2 illustrates the communication between different workloads.
Two aspects are important to highlight: First, there is a need to
consider the interaction with workloads that are external to the
trust domain (sometimes called cross-domain). Second, the
interaction does not only occur between workloads that directly
interact with each other but instead may also take place across
intermediate workloads (in an end-to-end style).

+-----------------+
| Workload |
| (external) |
| ^ |
+-------+---------+
|
|
+-------+-------------------------Trust Boundary-------+
| | |
| | |
| +----+----------+ +----------------+ |
| | v | | | |
| | Workload | | Workload | |
| | <+--------------+> | |
| | | | | |
| +---------------+ +----------------+ |
| |
| |
+------------------------------------------------------+
+-------+-------------------------Trust Boundary---------------+
| | |
| | |
| +----+------+ Hop-by- +-----------+ Hop-by- +-----------+ |
| | v | Hop | | Hop | | |
| | Workload | Security | Workload | Security | Workload | |
| | <+----------+> <+----------+> | |
| | | | | | | |
| | | | | | | |
| | O<-----+----------+-----------+----------+---->O | |
| +-----------+ E2E +-----------+ E2E +-----------+ |
| |
| |
+--------------------------------------------------------------+

Figure 2: Workload-to-Workload Communication.

3.2.2. Security Context Establishment and Propagation


0 comments on commit a2ea7ca