fusillade 0.0.1

Fusillade (Federated User Identity Login & Access Decision Engine) is a service and library for managing user authentication and authorization in federated services. Fusillade is built to be simple and to leverage well-known auth protocols and standards toegther with existing global, scalable and supported IaaS APIs.

• The AuthN functionality in Fusillade consists of a login endpoint that delegates user authentication to any configured OpenID Connect compatible identity providers.

• The AuthZ part of Fusillade is an ABAC system leveraging the familiar syntax and reliable infrastructure of AWS IAM.

Together, these two subsystems provide an easy API for your application to answer the following questions:

• How do I instruct the user to log in?

• Who is the user performing this API request?

• Is this user authorized to perform action A on resource R?

• How do I delegate to the user an appropriately restricted ability to access cloud (IaaS) resources directly through IaaS (GCE, AWS) APIs?

To do this, your application should define an access control model consisting of the following:

• A list of trusted OIDC-compatible identity providers

• A naming schema for actions (for example, GetWidget, CreateFolder, DeleteAppointment, UpdateDocument)

• A naming schema for resources in the following format: arn:org-name:service-name:*:*:path/to/resource

• A default policy assigned to new users, for example: json { "Statement": [ { "Effect": "Allow", "Action": [ "dss:*", ], "Resource": "arn:hca:dss:*:*:subscriptions/FIXME/*" } ] }