Build Systems that Drive Business
June 11–12, 2018: Training
June 12–14, 2018: Tutorials & Conference
San Jose, CA

The distributed authorization system: A Netflix case study

Manish Mehta (Netflix), Torin Sandall (Open Policy Agent Project)
1:15pm–1:55pm Thursday, June 14, 2018
Distributed Systems
Location: LL21 A/B Level: Intermediate
Secondary topics: Resilient, Performant & Secure Distributed Systems
Average rating: ****.
(4.33, 6 ratings)

Who is this presentation for?

  • Engineers working with distributed systems

Prerequisite knowledge

  • Experience building (or seeking to build) security platforms

What you'll learn

  • Learn how Netflix solves authorization across the stack in cloud-native environments


Since 2008, Netflix has been on the cutting edge of cloud-based microservice deployments and is now recognized as an industry leader in building and operating cloud-native systems at scale. Like many organizations, Netflix has unique security requirements for many of its workloads. This variety requires a holistic approach to authorization to address “who can do what” across a range of resources, enforcement points, and execution environments.

Manish Mehta and Torin Sandall explain how Netflix is solving authorization across the stack in cloud-native environments. You’ll learn how Netflix enforces authorization decisions at scale across various kinds of resources (e.g., HTTP APIs, gRPC methods, and SSH), enforcement points (e.g., microservices, proxies, and host-level daemons), and execution environments (e.g., VMs and containers) without introducing unreasonable latency. They then lead a deep dive into the architecture of Netflix’s distributed authorization system and demonstrate how authorization decisions can be offloaded to an open source, general purpose policy engine (Open Policy Agent).

Photo of Manish Mehta

Manish Mehta


Manish Mehta is a senior security software engineer at Netflix, where he designs and develops solutions around secure bootstrapping, authentication (service and user), and authorization for cloud-native infrastructure. He focuses on cybersecurity, particularly security solutions anchored in cryptography, and has authored several research and conference publications in the field. Manish holds both an MS and a PhD in computer science from the University of Missouri – Kansas City.

Photo of Torin Sandall

Torin Sandall

Open Policy Agent Project

Torin Sandall is the cofounder and technical lead of the recent open source Open Policy Agent project. He spent 10 years as a software engineer working on large-scale distributed systems projects. Previously, Torin was a senior software engineer at Cyan (acquired by Ciena), where he designed and developed core components of its SDN/NFV platform. He’s a frequent speaker on policy-related topics in Kubernetes at KubeCon, ContainerDaysPDX, Kubernetes meetups, and more.