Athenz IO - Explore
Explore<br>Case Studies<br>Customer Stories<br>Documentation<br>Comparison
Slack
Github
Contact
General
Management
Service Identity Support
Authorization Support
Extensibility
Athenz vs. SPIRE Comparison
General
Athenz
SPIRE
License
Apache v2
Apache v2
Components
Management Server (Java)
Token Server (Java)
UI (Node.js)
Server (Go)
User Community
Small
Big
License
Both technologies are available under fully open source licenses.
Components
Athenz includes 3 major components: Management Server, Token Server and UI. The servers are written in Java<br>using Jetty 9.4.x. The servers provide a REST interface with clients libraries available in Java and Go. The Athenz UI is a<br>Node.Js 12.x application. The service identity agents and various utilities are all Go applications. The major component in Spire<br>is the server written in Go. The identity agents are also Go applications. Client libraries are available in Go, Java and C++ languages.
User Community
Spire has a big user community and is hosted by the Cloud Native Computing Foundation (CNCF) as an incubation-level<br>project. While Athenz powers most of workloads deployed within Yahoo with identity certificates, it is just starting to<br>focus on building its user community by joining CNCF and applying as a sandbox-level project.
Athenz vs. SPIRE Comparison
Management
Athenz
SPIRE
Delegated Management Support
Yes
No
Full Featured Self Serve UI
Yes
No
Tenancy Support
Yes
Multiple instances through federation
Delegated Management Support
In Spire setup a single instance is associated with a unique trust domain and administrator invokes commands against the server directly.
Athenz, on other hand, has the concept of User Authorities where you integrate with your existing User Authentication System such as Okta,<br>LDAP or even Unix users. The system administrator then creates a top level domain for each product in the same instance and assigns<br>administrator access for those domains to individual users or groups. For example, sports and mail products have their own completely<br>separate domains with their own administrators. If sports and mail administrators want to register their own services, the server<br>authenticates and authorizes those requests and allows them to complete those requests. Furthermore, each product domain can create<br>their own subdomains with further delegated management. For example, the sports domain administrator can create 3 separate sub-domains:<br>sports.prod, sports.stage, and sports.dev where sports.prod only allows their production engineers access while sports.stage and<br>sports.dev have developers access to those domains.
Full Featured Self Serve UI
Athenz provides a full features UI (a Node.js application) where domain administrators can login and create roles, groups, policies and<br>services for their domains. It also provides the capability to register services and authorize which providers can launch them<br>(e.g. sports may deploy their api service in Kubernetes), so it will authorize Kubernetes agent to launch any instance with api service,<br>while they might also deploy their backend service in AWS thus only authorize AWS agent to deploy instances with backend service.<br>The UI also provides easy access to review and confirm/reject any role member access operations to satisfy Governance, Risk and Compliance<br>requirements if required.
Tenancy Support
To support a single organization with different products and administrations, Spire requires multiple instances to be deployed and managed<br>and setup federation between those instances in order to provide interoperability between services of those products.<br>Athenz only provides a single deployment where each product is assigned its own top level/trust domain with their own set of administrators<br>(as described in the Delegated Management Support above). Having a single deployment allows a single team within the organization to manage<br>and secure that instance as opposed to managing and maintaining multiple independent instances.
Athenz vs. SPIRE Comparison
Service Identity Support
Athenz
SPIRE
Full SPIFFE Standard Implementation
Support for SPIFFE ID URIs<br>only in X.509 Certs
Yes
Issue both identity JWT Tokens<br>and X.509 certificates
X.509 Certificates
Yes
Kubernetes Support
Yes
Yes
AWS Support
EC2, ECS, EKS, Fargate, Lambda
EC2
Azure Support
Yes
Yes
GCP Support
No
Yes
SPIFFE Standard Implementation
The SPIFFE standard defines how services identity themselves using IDs implemented as Uniform Resource Identifiers (URIs),<br>how they're included in SPIFFE Verifiable Identity Document (SVIDs) such as X.509 Certificates and an API specification for issuing<br>and/or retrieving SVIDs known as the Workload API. The Spire is the reference implementation of SPIFFE specifications thus supports<br>the above listed items. Athenz supports issuing X.509 Certificates to registered services with SPIFEE IDs as URIs, however it does not<br>implement the Workload...