Hello, my name is Lin Tao. I'm from HP. Today, I'm going to talk about how we use Istio and Open Policy Agent for authorization.

So first, I would like to talk about authorization. Authorization is to verify if an identity has the permission to do something. And there are many common approaches to do authorization, like role-based access control, which grants access by roles. It is coarse-grained. A typical example is Kubernetes RBAC. And there's also policy or attribute-based access control, which grants access by policies. It is more fine-grained. A typical example is AWS IAM policies. And we are using both of these approaches in our current project.

So a little background: our project is called a fish station platform, which is a customer shoe platform. We have many third-party partners developing their services on our platform using our platform API. And the services built by these partners are running in the same Kubernetes cluster as our platform services. So it's a challenge for the platform network security and access control. So we divide these services into layers. So we have layer one, which are our partner services. And we have layer two, which are platform services, and layer three for internal services. And on each layer, we apply different authorization to this game.

So in layer one, we are enforcing role-based access control in the infrastructure layer. That's where Istio Mixer comes in. So we have customized all the adapter on the Mixer. So all the requests to layer one services will be handled by our adapter. The adapter will authorize with our centralized authorization service. And here's how we configure the adapter. We have a rule that basically says that only the requests to the service with layer equals L1 will be handled by the adapter. And here's the adapter template. It defines all the attributes from Istio that will be used by the adapter. So the adapter knows who is trying to access our API.
And then the adapter can authorize with our authorization service using role-based authorization. So that's L1 authorization. So we are basically checking if the user is able to access our API. It's coarse-grained, but it's what we want in L1 services.

But in L2, we have services from different partners. And for resources from different partners, we want more fine-grained access control. So for instance, company A cannot access company B's resources. So that's where Open Policy Agent comes in. So we have a library called Authz Client, which all L2 services are integrated with. So this client will send the authorize request to Open Policy Agent. So a little background on Open Policy Agent. It's a general purpose authorization engine from CNCF. I think it's just graduated. And basically, your service will send a query to Open Policy Agent. And Open Policy Agent will make an authorization decision for you based on the policy and the data you configured.

So here's a typical example. So in our order service, we have Authz Client integrated. And let's say the user Alice is trying to request orders from company HP. Our Authz Client will extract attributes from the current request and pack them into a JSON payload. So these attributes include user attributes and API attributes and request attributes. And they will be sent to Open Policy Agent. And on the other side, Open Policy Agent is configured with our policy and data. So this policy defines that our user is only able to access orders from his own company. And the data here, we defined the relationship between the user and companies. So with these three pieces of information, Open Policy Agent is able to make an authorization decision and return the result to our service. So that's basically how we enforce the fine-grained access control in our L2 services.

And here's the overview. In L1, we enforce the role-based access control with the user manager. And in L2, with ABAC using Open Policy Agent.
And in L3, it's our internal services. We are applying some network policies to limit access to the L2 services.

So thank you. Because the time is limited, I can't dive into details. But if you are interested, please feel free to reach out to me. I will be happy to answer. Thank you.
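
The L2 rule described in the talk (a user may only read orders belonging to their own company), written as a Rego policy for Open Policy Agent. This is an added example, not code from the talk or the speaker's project; the package name, the input field names and the sample user-to-company data are assumptions.

```rego
package orders.authz

import rego.v1

# Constructed sample data: which companies each user belongs to.
# In a deployment this relationship would be loaded into OPA as data;
# it is inlined here (as an assumption) so the file is self-contained.
user_companies := {
    "alice": {"hp"},
    "bob": {"acme"}
}

# Fail closed: anything not explicitly allowed is denied, including
# requests with missing attributes or users absent from the data.
default allow := false

# Input shape (assumed): the client packs user, API and request
# attributes into one JSON document and sends it as the query input.
allow if {
    input.api.resource == "orders"
    input.request.method == "GET"
    input.request.company in user_companies[input.user.name]
}

# Tests, run with `opa test` on a release that supports `import rego.v1`.
test_own_company_allowed if {
    allow with input as {
        "user": {"name": "alice"},
        "api": {"resource": "orders"},
        "request": {"method": "GET", "company": "hp"}
    }
}

test_other_company_denied if {
    not allow with input as {
        "user": {"name": "alice"},
        "api": {"resource": "orders"},
        "request": {"method": "GET", "company": "acme"}
    }
}

test_unknown_user_denied if {
    not allow with input as {
        "user": {"name": "mallory"},
        "api": {"resource": "orders"},
        "request": {"method": "GET", "company": "hp"}
    }
}
```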