cncf/sandbox

[Sandbox] heimdall

Closed this issue · 13 comments

Application contact emails

dadrus@gmx.de

Project Summary

Cloud-native authentication & authorization proxy

Project Description

The project helps orchestrate available authentication and authorization systems to streamline the corresponding security requirements, providing secure defaults and simplifying the code base of the actual upstream services. It can be used to implement edge-level authentication / access control architectures as well as a sidecar of the service it should protect.

Org repo URL (provide if all repos under the org are in scope of the application)

https://github.com/dadrus/heimdall

Project repo URL in scope of application

https://github.com/dadrus/heimdall

Additional repos in scope of the application

None

Website URL

https://dadrus.github.io/heimdall

Roadmap

https://github.com/dadrus/heimdall/milestones

Roadmap context

The priority is given by the requests from the community as well as by the requirements I see in the projects I'm involved in.

Contributing Guide

https://github.com/dadrus/heimdall/blob/main/CONTRIBUTING.md

Code of Conduct (CoC)

https://github.com/dadrus/heimdall/blob/main/CODE_OF_CONDUCT.md

Adopters

There are multiple organizations in Germany, Canada, Sweden and some other countries which use heimdall in production. However, I don't have any related links yet.

https://github.com/dadrus/heimdall/blob/main/ADOPTERS.md

Contributing or Sponsoring Org

No response

Maintainers file

Actually, that's more or less only me.

https://github.com/dadrus/heimdall/blob/main/MAINTAINERS.md

IP Policy

  • If the project is accepted, I agree the project will follow the CNCF IP Policy

Trademark and accounts

  • If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF

Why CNCF?

In my opinion the project addresses a field which is not yet covered. I think it is very helpful, can significantly contribute to the security of services using it and make addressing at least the field of authentication and authorization a bit simpler. It is not reducing complexity in this regard, though, but making it better manageable. Contributing the project to CNCF could create a much stronger community around it, make it better and help many more projects solve the corresponding challenges. At least this is my hope.

Benefit to the Landscape

There are no comparable projects in the CNCF landscape.

Cloud Native 'Fit'

Heimdall not only implements a set of kube-native controllers and APIs for validation and management of the corresponding rules (CRs), it goes beyond k8s, as also described in the Cloud Native Integration section below. Therefore, I feel it fits the Cloud Native landscape pretty well.

Cloud Native 'Integration'

This project complements any authorization and authentication projects, e.g. OPA and OpenFGA, as well as any proxy supporting forward/external auth integration, and converts those into a manageable API gateway, e.g. Envoy Proxy, Contour, HAProxy and many more. But there are many more options. There are no dependencies on other projects.

You can find guided examples under https://dadrus.github.io/heimdall/v0.14.0-alpha/docs/getting_started/protect_an_app/ and https://dadrus.github.io/heimdall/v0.14.0-alpha/guides/authz/openfga/, as well as examples as code under https://github.com/dadrus/heimdall/tree/main/examples

Cloud Native Overlap

There are no overlaps.

Similar projects

N/A

Landscape

No

Business Product or Service to Project separation

There are many projects named heimdall out there, and even companies. Currently, the small community around the project and I are looking for another name, which would also reflect what the project does.

Project presentations

Not yet. I was working to update the available documentation first to make it more comprehensive. You can find the results by choosing the dev version from the drop-down menu.
Indeed, I recommend taking a look at that version, which is going to be released within the next few weeks: https://dadrus.github.io/heimdall/dev/, with
https://dadrus.github.io/heimdall/dev/docs/getting_started/discover_heimdall/ being the entry point to the actual documentation of the upcoming version. It is much better structured and will give a very good overview of what the project addresses as well as the related concepts.

In the meantime the new version is released. If you just follow the Website URL (https://dadrus.github.io/heimdall), you'll be redirected to the new documentation.

Project champions

No response

Additional information

There is Ory Oathkeeper and also Authorino from Red Hat (under the umbrella of the Kuadrant project), which are addressing similar challenges.

@dadrus you mention overlap with Kuadrant sub-projects - have you considered speaking with the Kuadrant maintainers about merging Heimdall with Kuadrant?

Already did that, without however receiving any real feedback.

Even though there is definitely an overlap with Authorino, heimdall goes much further, e.g. by not being limited to Kubernetes deployments only and by supporting defaults, which are possible with neither Authorino nor Oathkeeper. But the ideas are indeed very similar.

To be honest, I also contacted the people from Ory for the same purpose. Until now I have just got "you did an amazing work" (from both the Kuadrant maintainers and Ory).

@dadrus was kind enough to reach out a few weeks ago, and indeed learning more about Heimdall has been on my TODO list since then.

From the little I know so far, Heimdall did manage to solve a few use cases that were not under our radar for Authorino, and I'm sure the opposite is also true. The two projects can surely benefit from each other and grow together!

@dadrus, perhaps you'd like to join us for one of our community calls. It happens every Tuesday at 3pm UTC. We'd love to hear more about Heimdall if you're interested in running a 10-15 min presentation for us.

Hi @guicassolato. Sure. Will be glad to join and do the short presentation. 😀

That's awesome, @dadrus! Adding you to the agenda. Thank you so much!

> not being limited to kubernetes deployments only and by supporting defaults, which are neither possible with Authorino

Forgot to reply on this. Indeed, Authorino is for Kube only. If it runs outside of Kubernetes (not really a use case), it still expects to be connected to a cluster from which to read its configs.

As for defaults, there's actually support in Authorino, including fallback at multiple levels (based on hostname wildcards).

But I believe feature-wise the main difference with Heimdall is proxy mode, which Authorino does not offer.

Authorino integrates with several (if not all!) API gateways and L7 reverse proxies, just like Heimdall. It was designed for Envoy and gRPC, but has a second interface for more generic integrations. Also like Heimdall, Authorino can act as a Validating Webhook service, with auto-detection of AdmissionReview requests.

@dadrus I know this is short notice, but TAG Network are working on the Heimdall project review to support your Sandbox application. I don't think you have presented to TAG Network yet. We do not want to delay your application, as we do fully support it, but I was wondering if you had time to demo Heimdall at the TAG Network meeting at 9 PST on Thursday. I appreciate this is late notice and it does not affect your application, but we have an opening and would love to chat with you if you had the time. If not, we would love to have you present at a later date.

Hi @nicholasjackson. Thank you for reaching out to me. Indeed, I have never attended any of the TAG Network meetings yet, but would love to do a presentation.
Could you please share the meeting details with me?

Hey, apologies, but I can't directly link to the meeting on Thursday in the CNCF calendar. Our next meeting is
Thu Aug 8th 5:00pm - 5:55pm (BST). I appreciate this is short notice for this week; we meet every other Thursday, the next meeting being the 22nd.

https://zoom.us/my/cncftagnetwork?pwd=RmpmZ3NFN09JUzFSOUI5bUh5TXVFUT09

https://www.cncf.io/calendar/

I am @NicJ on the CNCF slack if you would prefer to ping me there.

TAG Contributor strategy has reviewed this project and found the following:

This review is for the TOC’s information only. Sandbox projects are not required to have full governance or contributor documentation.

I'd like to clarify/comment on the third bullet point from the previous comment.

This practice has actually been in place from the beginning of the project. However, for the most recent release, I updated the CI workflows responsible for dependency management and release automation. These updates now allow patch releases, incorporating updated dependencies and bug fixes, to be conducted concurrently with regular releases (you can see that from the two pending release PRs under https://github.com/dadrus/heimdall/pulls).

This approach benefits users by providing them with updates and fixes without having to wait for the next planned (milestone-tagged) release. Additionally, it eliminates the need to shorten the scope of planned releases or expedite their creation to address urgent bug fixes or security updates.

@dadrus
Thank you so much for your application to the CNCF. At this time the TOC will not be moving the application to a vote.

We would like to see this project with more maturity, at least one additional maintainer, and increased interest and activity by the ecosystem. We have the following recommendations that may benefit the project:

Hi CNCF TOC Team,

Thank you very much for taking the time to review my application. While I'm disappointed that the application won't be moving forward to a vote at this time, I understand the importance of ensuring that the project is mature, well-maintained, and actively supported by the community, and I really appreciate the feedback and recommendations you've provided.

I'll work on maturing the project and also connect with OpenSSF and TAG Security, and potentially even with the TAG App groups, as recommended.

Thanks again for your guidance. I'm committed to making the project stronger and more aligned with the community.

Cheers ;)