Responsibilities of a Technical Manager

A technical manager and an architect are two completely different roles. Unfortunately, in many companies or teams the boss treats them as one role and has a single person fill both.

The architect's responsibility is clear: design the technical architecture of a system or project so that it meets several goals at once, such as "more", "faster", "better", "cheaper" and "stable"; how those goals are prioritized depends on what the specific project needs. Fundamentally, though, the architect only has to solve "the problems seen from the machine's point of view", that is, purely technical problems. As an aside, project scheduling, resources, progress and so on fall under the project manager's responsibilities and are not discussed here.

The technical manager's responsibilities are broader and more complex: the team's growth system, work assignment, KPIs, the choice of key directions, return on investment, stability of online services, speed of responding to requirements, and more all have to be considered. In summary, there are roughly three big areas:

  1. Team management: atmosphere and style, the capability tiers of senior, mid-level and junior members, the growth direction and growth speed of the members at each tier, hiring, performance reviews, and so on.
  2. Setting direction: choosing what the team works on and its key directions; what must be done well, what is secondary, what may be done and what must not be done. Technical managers often have no absolute decision-making power, but most of the time they can exert their influence.
  3. Building execution capability: once the atmosphere and style are set, the three big pieces, infrastructure, the production toolchain and the operations tooling, become the deciding factors.


Shared: Netflix Culture: Freedom & Responsibility

1. Netflix Culture: Freedom & Responsibility
2. We Seek Excellence. Our culture focuses on helping us achieve excellence.
3. Seven Aspects of our Culture:
  • Values are what we Value
  • High Performance
  • Freedom & Responsibility
  • Context, not Control
  • Highly Aligned, Loosely Coupled
  • Pay Top of Market
  • Promotions & Development
4. Many companies have nice sounding value statements displayed in the lobby, such as: Integrity, Communication, Respect, Excellence
5. Enron, whose leaders went to jail, and which went bankrupt from fraud, had these values displayed in their lobby: Integrity, Communication, Respect, Excellence (These values were not, however, what was really valued at Enron)
6. The actual company values, as opposed to the nice-sounding values, are shown by who gets rewarded, promoted, or let go
7. Actual company values are the behaviors and skills that are valued in fellow employees
8. At Netflix, we particularly value the following nine behaviors and skills in our colleagues... meaning we hire and promote people who demonstrate these nine
9. Judgment
  • You make wise decisions (people, technical, business, and creative) despite ambiguity
  • You identify root causes, and get beyond treating symptoms
  • You think strategically, and can articulate what you are, and are not, trying to do
  • You smartly separate what must be done well now, and what can be improved later
10. Communication
  • You listen well, instead of reacting fast, so you can better understand
  • You are concise and articulate in speech and writing
  • You treat people with respect independent of their status or disagreement with you
  • You maintain calm poise in stressful situations
11. Impact
  • You accomplish amazing amounts of important work
  • You demonstrate consistently strong performance so colleagues can rely upon you
  • You focus on great results rather than on process
  • You exhibit bias-to-action, and avoid analysis-paralysis
12. Curiosity
  • You learn rapidly and eagerly
  • You seek to understand our strategy, market, customers, and suppliers
  • You are broadly knowledgeable about business, technology and entertainment
  • You contribute effectively outside of your specialty
13. Innovation
  • You re-conceptualize issues to discover practical solutions to hard problems
  • You challenge prevailing assumptions when warranted, and suggest better approaches
  • You create new ideas that prove useful
  • You keep us nimble by minimizing complexity and finding time to simplify
14. Courage
  • You say what you think even if it is controversial
  • You make tough decisions without agonizing
  • You take smart risks
  • You question actions inconsistent with our values
15. Passion
  • You inspire others with your thirst for excellence
  • You care intensely about Netflix's success
  • You celebrate wins
  • You are tenacious
16. Honesty
  • You are known for candor and directness
  • You are non-political when you disagree with others
  • You only say things about fellow employees you will say to their face
  • You are quick to admit mistakes
17. Selflessness
  • You seek what is best for Netflix, rather than best for yourself or your group
  • You are ego-less when searching for the best ideas
  • You make time to help colleagues
  • You share information openly and proactively
18. Seven Aspects of our Culture (section divider, same list as slide 3)
19. Imagine if every person at Netflix is someone you respect and learn from...
20. Great Workplace is Stunning Colleagues. Great workplace is not espresso, lush benefits, sushi lunches, grand parties, or nice offices. We do some of these things, but only if they are efficient at attracting and retaining stunning colleagues
21. Like every company, we try to hire well
22. Unlike many companies, we practice: adequate performance gets a generous severance package
23. We're a team, not a family. We're like a pro sports team, not a kid's recreational team. Netflix leaders hire, develop and cut smartly, so we have stars in every position
24. The Keeper Test Managers Use: Which of my people, if they told me they were leaving, for a similar job at a peer company, would I fight hard to keep at Netflix?
25. The Keeper Test (continued): The other people should get a generous severance now, so we can open a slot to try to find a star for that role
26. Honesty Always: As a leader, no one in your group should be materially surprised of your views
27. Honesty Always: Candor is not just a leader's responsibility, and you should periodically ask your manager: "If I told you I were leaving, how hard would you work to change my mind?"
28. All of Us are Responsible for Ensuring We Live our Values: "You question actions inconsistent with our values" is part of the Courage value. Akin to the honor code pledge: "I will not lie, nor cheat, nor steal, nor tolerate those who do"
29. Pro Sports Team Metaphor is Good, but Imperfect: Athletic teams have a fixed number of positions, so team members are always competing with each other for one of the precious slots
30. Corporate Team: The more talent we have, the more we can accomplish, so our people assist each other all the time. Internal "cutthroat" or "sink or swim" behavior is rare and not tolerated
31. We Help Each Other To Be Great
32. Isn't Loyalty Good? What about Hard Workers? What about Brilliant Jerks?
33. Loyalty is Good
  • Loyalty is good as a stabilizer
  • People who have been stars for us, and hit a bad patch, get a near term pass because we think they are likely to become stars for us again
  • We want the same: if Netflix hits a temporary bad patch, we want people to stick with us
  • But unlimited loyalty to a shrinking firm, or to an ineffective employee, is not what we are about
34. Hard Work: Not Relevant
  • We don't measure people by how many hours they work or how much they are in the office
  • We do care about accomplishing great work
  • Sustained B-level performance, despite "A for effort", generates a generous severance package, with respect
  • Sustained A-level performance, despite minimal effort, is rewarded with more responsibility and great pay
35. Brilliant Jerks
  • Some companies tolerate them
  • For us, cost to effective teamwork is too high
  • Diverse styles are fine, as long as the person embodies the 9 values
36. Why are we so insistent on high performance? In procedural work, the best are 2x better than the average. In creative/inventive work, the best are 10x better than the average, so there is a huge premium on creating effective teams of the best
37. Why are we so insistent on high performance? Great Workplace is Stunning Colleagues
38. Our High Performance Culture Not Right for Everyone
  • Many people love our culture, and stay a long time: they thrive on excellence and candor and change; they would be disappointed if given a severance package, but with lots of mutual warmth and respect
  • Some people, however, value job security and stability over performance, and don't like our culture: they feel fearful at Netflix; they are sometimes bitter if let go, and feel that we are a political place to work
  • We're getting better at attracting only the former, and helping the latter realize we are not right for them
39. Seven Aspects of our Culture (section divider, same list as slide 3)
40. The Rare Responsible Person
  • Self motivating
  • Self aware
  • Self disciplined
  • Self improving
  • Acts like a leader
  • Doesn't wait to be told what to do
  • Picks up the trash lying on the floor
41. Responsible People Thrive on Freedom, and are Worthy of Freedom
42. Our model is to increase employee freedom as we grow, rather than limit it, to continue to attract and nourish innovative people, so we have a better chance of sustained success
43. Most Companies Curtail Freedom as they get Bigger (chart: employee freedom against company size)
44. Why Do Most Companies Curtail Freedom and Become Bureaucratic as they Grow?
45. Desire for Bigger Positive Impact Creates Growth (chart: growth)
46. Growth Increases Complexity (chart: complexity)
47. Growth Also Often Shrinks Talent Density (chart: complexity against % high performance employees)
48. Chaos Emerges: Chaos and errors spike here; the business has become too complex to run informally with this talent level (chart: complexity against % high performance employees)
49. Process Emerges to Stop the Chaos: No one loves process, but it feels good compared to the pain of chaos. "Time to grow up" becomes the professional management's mantra (chart: procedures)
50. Process-focus Drives More Talent Out (chart: % high performance employees)
51. Process Brings Seductively Strong Near-Term Outcome: A highly-successful process-driven company
  • With leading share in its market
  • Minimal thinking required
  • Few mistakes made, very efficient
  • Few curious innovator-mavericks remain
  • Very optimized processes for its existing market
  • Efficiency has trumped flexibility
52. Then the Market Shifts...
  • Market shifts due to new technology or competitors or business models
  • Company is unable to adapt quickly, because the employees are extremely good at following the existing processes, and process adherence is the value system
  • Company generally grinds painfully into irrelevance
53. Seems Like Three Bad Options
  1. Stay creative by staying small, but therefore have less impact
  2. Avoid rules as you grow, and suffer chaos
  3. Use process as you grow to drive efficient execution of the current model, but cripple creativity, flexibility, and the ability to thrive when your market eventually changes
54. A Fourth Option
  • Avoid chaos as you grow with ever more high performance people, not with rules
  • Then you can continue to mostly run informally with self-discipline, and avoid chaos
  • The "run informally" part is what enables and attracts creativity
55. The Key: Increase Talent Density faster than Complexity Grows
56. Increase Talent Density
  • Top of market compensation
  • Attract high-value people through freedom to make big impact
  • Be demanding about high performance culture
57. Minimize Complexity Growth
  • Few big products vs many small ones
  • Eliminate distracting complexity (barnacles)
  • Be wary of efficiency optimizations that increase complexity and rigidity
  • Note: sometimes long-term simplicity is achieved only through bursts of complexity to rework current systems
58. With the Right People, Instead of a Culture of Process Adherence, We have a Culture of Creativity and Self-Discipline, Freedom and Responsibility
59. Is Freedom Absolute? Are all rules & processes bad?
60. Freedom is not absolute. Like "free speech" there are some limited exceptions to "freedom at work"
61. Two Types of Necessary Rules
  1. Prevent irrevocable disaster: financials produced are wrong; hackers steal our customers' credit card info
  2. Moral, ethical, legal issues: dishonesty and harassment are intolerable
62. Mostly, though, Rapid Recovery is the Right Model
  • Just fix problems quickly; high performers make very few errors
  • We're in a creative-inventive market, not a safety-critical market like medicine or nuclear power
  • You may have heard preventing error is cheaper than fixing it: yes, in manufacturing or medicine, but not so in creative environments
63. "Good" versus "Bad" Process
  • "Good" process helps talented people get more done: letting others know when you are updating code; spending within budget each quarter so you don't have to coordinate every spending decision across departments; regularly scheduled strategy and context meetings
  • "Bad" process tries to prevent recoverable mistakes: getting pre-approvals for $5k spending; 3 people to sign off on banner ad creative; permission needed to hang a poster on a wall; multi-level approval process for projects; getting 10 people to interview each candidate
64. Rule Creep
  • "Bad" processes tend to creep in; preventing errors just sounds so good
  • We try to get rid of rules when we can, to reinforce the point
65. Example: Netflix Vacation Policy and Tracking. Until 2004 we had the standard model of N days per year
66. Meanwhile... We're all working online some nights and weekends, responding to emails at odd hours, spending some afternoons on personal time, and taking good vacations
67. An employee pointed out... We don't track hours worked per day or per week, so why are we tracking days of vacation per year?
68. We realized... We should focus on what people get done, not on how many days worked. Just as we don't have a 9am-5pm workday policy, we don't need a vacation policy
69. Netflix Vacation Policy and Tracking: "there is no policy or tracking"
70. Netflix Vacation Policy and Tracking: "there is no policy or tracking". There is also no clothing policy at Netflix, but no one comes to work naked. Lesson: you don't need policies for everything
71. No Vacation Policy Doesn't Mean No Vacation: Netflix leaders set good examples by taking big vacations, and coming back inspired to find big ideas
72. Another Example of Freedom and Responsibility...
73. Most companies have complex policies around what you can expense, how you travel, what gifts you can accept, etc. Plus they have whole departments to verify compliance with these policies
74. Netflix Policies for Expensing, Entertainment, Gifts & Travel: "Act in Netflix's Best Interest" (5 words long)
75. "Act in Netflix's Best Interest" Generally Means...
  1. Expense only what you would otherwise not spend, and is worthwhile for work
  2. Travel as you would if it were your own money
  3. Disclose non-trivial vendor gifts
  4. Take from Netflix only when it is inefficient to not take, and inconsequential ("taking" means, for example, printing personal documents at work or making personal calls on a work phone: inconsequential and inefficient to avoid)
76. Freedom and Responsibility
  • Many people say one can't do it at scale
  • But since going public in 2002, which is traditionally the end of freedom, we've substantially increased talent density and employee freedom
77. Summary of Freedom & Responsibility: As We Grow, Minimize Rules. Inhibit Chaos with Ever More High Performance People. Flexibility is More Important than Efficiency in the Long Term
78. Seven Aspects of our Culture (section divider, same list as slide 3)
79. "If you want to build a ship, don't drum up the people to gather wood, divide the work, and give orders. Instead, teach them to yearn for the vast and endless sea." (Antoine de Saint-Exupery, author of The Little Prince)
80. The best managers figure out how to get great outcomes by setting the appropriate context, rather than by trying to control their people
81. Context, not Control: Provide the insight and understanding to enable sound decisions
  • Context (embrace): strategy; metrics; assumptions; objectives; clearly-defined roles; knowledge of the stakes; transparency around decision-making
  • Control (avoid): top-down decision-making; management approval; committees; planning and process valued more than results
82. Good Context
  • Link to company/functional goals
  • Relative priority (how important / how time sensitive): critical (needs to happen now), or nice to have (when you can get to it)
  • Level of precision & refinement: no errors (credit card handling, etc.), or pretty good / can correct errors (website), or rough (experimental)
  • Key stakeholders
  • Key metrics / definition of success
83. Managers: When one of your talented people does something dumb, don't blame them. Instead, ask yourself what context you failed to set
84. Managers: When you are tempted to "control" your people, ask yourself what context you could set instead. Are you articulate and inspiring enough about goals and strategies?
85. Why Managing Through Context? High performance people will do better work if they understand the context
86. Investing in Context: This is why we do new employee college, frequent department meetings, and why we are so open internally about strategies and results
87. Exceptions to "Context, not Control"
  • Control can be important in an emergency: no time to take the long-term capacity-building view
  • Control can be important when someone is still learning their area: it takes time to pick up the necessary context
  • Control can be important when you have the wrong person in a role: temporarily, no doubt
88. Seven Aspects of our Culture (section divider, same list as slide 3)
89. Three Models of Corporate Teamwork
  1. Tightly Coupled Monolith
  2. Independent Silos
  3. Highly Aligned, Loosely Coupled
90. Tightly Coupled Monolith
  • Senior management reviews nearly all tactics, e.g., CEO reviews all job offers or advertising
  • Lots of cross-departmental buy-in meetings
  • Keeping other internal groups happy has equal precedence with pleasing customers
  • Mavericks get exhausted trying to innovate
  • Highly coordinated through centralization, but very slow, and slowness increases with size
91. Independent Silos
  • Each group executes on their objectives with little coordination; everyone does their own thing
  • Work that requires coordination suffers
  • Alienation and suspicion between departments
  • Only works well when areas are independent, e.g., aircraft engines and blenders for GE
92. #3 is the Netflix Choice: 1. Tightly Coupled Monolith; 2. Independent Silos; 3. Highly Aligned, Loosely Coupled
93. Highly Aligned, Loosely Coupled
  • Highly Aligned: strategy and goals are clear, specific, broadly understood; team interactions focused on strategy and goals, rather than tactics; requires large investment in management time to be transparent and articulate and perceptive
  • Loosely Coupled: minimal cross-functional meetings except to get aligned on goals and strategy; trust between groups on tactics without previewing/approving each one, so groups can move fast; leaders reaching out proactively for ad-hoc coordination and perspective as appropriate; occasional post-mortems on tactics necessary to increase alignment
94. Highly Aligned, Loosely Coupled teamwork effectiveness depends on high performance people and good context. Goal is to be Big and Fast and Flexible
95. Seven Aspects of our Culture (section divider, same list as slide 3)
96. Pay Top of Market is Core to High Performance Culture: One outstanding employee gets more done and costs less than two adequate employees. We endeavor to have only outstanding employees
97. Three Tests for Top of Market for a Person
  1. What could the person get elsewhere?
  2. What would we pay for a replacement?
  3. What would we pay to keep that person, if they had a bigger offer elsewhere?
98. Takes Great Judgment: Goal is to keep each employee at top of market for that person
  • Pay them more than anyone else likely would
  • Pay them as much as a replacement would cost
  • Pay them as much as we would pay to keep them if they had a higher offer from elsewhere
99. Titles Not Very Helpful
  • Lots of people have the title "Major League Pitcher" but they are not all equally effective
  • Similarly, all people with the title "Senior Marketing Manager" or "Director of Engineering" are not equally effective
  • So the art of compensation is answering the Three Tests for each employee
100. Annual Comp Review
  • At many firms, when employees are hired, market compensation applies; but at comp review time, it no longer applies!
  • At Netflix, market comp always applies: essentially, top of market comp is re-established each year for high performing employees; at the annual comp review, the manager has to answer the Three Tests for the personal market of each of their employees
101. No Fixed Budgets
  • There are no centrally administered "raise pools" each year
  • Instead, each manager aligns their people to top of market each year; the market will be different in different areas
102. Compensation Over Time
  • Some people will move up in comp very quickly because their value in the marketplace is moving up quickly, driven by increasing skills and/or great demand for their area
  • Some people will stay flat because their value in the marketplace has done that; depends in part on inflation and the economy; always top of market, though, for that person
103. Compensation Not Dependent on Netflix Success
  • Whether Netflix is prospering or floundering, we pay at the top of the market, i.e., sports teams with losing records still pay talent the market rate
  • Employees can choose how much they want to link their economic destiny to Netflix by deciding how many Netflix stock options they want to hold
104. Bad Comp Practices
  • Manager sets pay at the Nth percentile of title-linked compensation data: the "Major League Pitcher" problem
  • Manager cares about internal parity instead of external market value: fairness in comp is being true to the market
  • Manager gives everyone a 4% raise: very unlikely to reflect the market
105. When Top of Market Comp Done Right...
  • We will rarely counter with higher comp when someone is voluntarily leaving, because we have already moved comp to our max for that person
  • Employees will feel they are getting paid well relative to their other options in the market
106. Versus Traditional Model
  • Traditional model is that a good prior year earns a raise, independent of market; the problem is employees can get materially under- or over-paid relative to the market over time; when materially under-paid, employees switch firms to take advantage of market-based pay on hiring; when materially over-paid, employees are trapped in the current firm
  • Consistent market-based pay is the better model
107. Employee Success
  • It's pretty ingrained in our society that the size of one's raise is the indicator of how well one did the prior year, but for us the other factor is the outside market
  • Employee success is still a big factor in comp because it influences market value, in particular how much we would pay to keep the person
108. Good For Each Employee to Understand Their Market Value
  • It's a healthy idea, not a traitorous one, to understand what other firms would pay you, by interviewing and talking to peers at other companies
  • Talk with your manager about what you find in terms of comp
  • Stay mindful of company confidential information
109. Efficiency
  • Big salary is the most efficient form of comp: most motivating for any given expense level; no bonuses, no free stock options, no philanthropic match; instead, put all that expense into big salaries, and give people freedom to spend their salaries as they think best
  • Health benefits: employees get $10k per year; if they choose Netflix plans that cost less than $10k, they keep the difference; if they don't need benefits from us, they keep all $10k; CEO or receptionist, everyone gets $10k for benefits
110. Optional Options
  • Employees get top of market salary, and then can request to trade salary for stock options
  • Some people take all cash, some people request half their comp in options; both are OK
  • This is consistent with freedom and responsibility, and lets employees decide how much risk/reward is comfortable for them
111. Details on Stock Options
  • The options are fully vested and are 10-years-to-exercise options, independent of how long one stays at Netflix
  • These fully vested options are granted monthly at the then current stock price, so employees get price averaging on their exercise price
  • These options cost employees less than half of what such options would cost in the open market, and are from pre-tax salary, so are a great deal
  • Employees can change their option request annually
  • Options become valuable only if Netflix stock climbs
112. No Vesting or Deferred Comp
  • We don't want managers to "own" their people with vesting; all comp is fully vested
  • We want managers to be responsible for creating a great place to work, and paying at the top of market
  • Employees are free to leave us anytime, without penalty, but nearly everyone stays
  • Employees stay because they are passionate about their work, and well paid, not because of a deferred compensation system
113. No Ranking Against Other Employees
  • We avoid "top 30%" and "bottom 10%" rankings amongst employees
  • We don't want employees to feel competitive with each other
  • We want all of our employees to be "top 10%" relative to the pool of global candidates
  • We want employees to help each other, and they do
114. Seven Aspects of our Culture (section divider, same list as slide 3)
115. In some time periods, in some groups, there will be lots of opportunity and growth at Netflix. Some people, through both luck and talent, will have extraordinary career growth
116. Baseball Analogy: Minors to Majors
  • Very talented people usually get to move up, but that is only true for the very talented
  • Some luck in terms of what positions open up and what the competition is
  • Some people move to other teams to get the opportunity they want
  • Great teams keep their best talent
  • Some minor league players keep playing even though they don't move up because they love the game
117. Netflix Doesn't Have to Be for Life
  • In some times, in some groups, there may not be enough growth opportunity for everyone
  • In which case we should celebrate someone leaving Netflix for a bigger job that we didn't have available to offer them, if that is what the person prefers
118. Two Necessary Conditions for Promotion
  1. Job has to be big enough: we might have an incredible manager of something, but we don't need a director of it because the job isn't big enough; if the incredible manager left, we would replace them with a manager, not with a director
  2. Person has to be a superstar in the current role: could get the next level job here if applying from outside and we knew their talents well; could get the next level job at a peer firm that knew their talents well
119. Timing
  • If a manager would promote to prevent an employee from leaving, the manager should promote now instead of waiting
  • Both tests still have to be passed: 1. Job big enough; 2. Superstar in current role
120. Development
  • We develop people by giving them the opportunity to develop themselves, by surrounding them with stunning colleagues and giving them big challenges to work on
  • Mediocre colleagues or unchallenging work is what kills the progress of a person's skills
121. Career "Planning" Not for Us: Formalized development is rarely effective, and we don't try to do it, e.g., mentor assignment, rotation around a firm, multi-year career paths, etc.
122. We Support Self-Improvement
  • High performance people are generally self-improving through experience, observation, introspection, reading, and discussion
  • As long as they have stunning colleagues and big challenges to work on
  • We all try to help each other grow
  • We are very honest with each other
123. We want people to manage their own career growth, and not rely on a corporation for "planning" their careers
124. Your Economic Security is based on your Skills and Reputation. We try hard to consistently provide opportunity to grow both by surrounding you with great talent
125. Seven Aspects of our Culture (section divider, same list as slide 3)
126. We keep improving our culture as we grow. We try to get better at seeking excellence

Identity Authentication: Internal Authentication

The previous two posts both served as a lead-in to the topic of "internal authentication". What I actually want to discuss is what internal authentication should look like and how it should be done.

What is internal authentication? In short, it is the way identity is authenticated when other departments inside the company, or trusted external partners, use the platform.

Weibo built an open platform that exposes most of Weibo's functionality to third-party applications and websites. When a third-party application or website wants to use a Weibo function, that is, to operate on a user's Weibo data on his or her behalf, it must obtain that user's consent, namely authorization. Once Weibo receives an explicit authorization of the form "user A authorizes application B to operate on category C of A's Weibo data", it allows the application to perform the corresponding operations, such as posting or following. If the authorization leaks, it is revoked. "Leak" here covers two cases. First, the user granted authorization to the application carelessly, or the application did not clearly tell the user which permissions it obtained and what operations it would perform; the user may then suffer some consequences, such as posts or follows made in their name, but the damage is confined to that user, and once the user notices it, the damage can be undone and reported (very few applications secretly delete posts or remove follows, operations the user cannot undo on their own, because such behaviour brings the application no value at all and only does harm). Second, the application carelessly leaked the authorization the user gave it, and another application used it maliciously; in this case the platform generally just revokes every authorization granted to that application.

In the internal authentication scenario, however, features such as Weibo search and Weibo albums are internal applications from the platform's point of view, with the following characteristics:

  1. Authorization is not granted per user; by default every user is "authorized" to these applications.
  2. Authorization is not granted per function; by default most functions are "authorized" to these applications (a few high-privilege functions, such as private messages, have strictly controlled authorization).
  3. Under normal conditions, permission checks are pure overhead for these applications, since they are trusted sources. Normal permission verification therefore has to be as lightweight as possible.
  4. If they are abused or used maliciously, the consequences are severe, as you can imagine.
  5. Even when problems occur, "revoking authorization" for the whole application, or even restricting it temporarily, is unacceptable. Other remedies must be used, such as blocking the offending IP.

Before designing the scheme, let us first establish which problems our authentication scheme needs to solve:

  • Under normal conditions it must not affect the application's use of Weibo functions, and under abnormal conditions it must still not affect normal use.
  • Prevent Weibo functions from being used maliciously or abused, for example a developer on the application side adding a backdoor that follows users or deletes posts.
  • As far as possible, prevent Weibo functions from being misused by accident, for example from a test environment or because of a bug in the other side's code.
  • One more point: verification must not be expensive; ideally it should not depend on any external resource in most cases.

We also need to establish which problems are not our scheme's to solve:

  • A system failure or code bug on the application side causes authentication to fail and in turn disrupts the application's service. In this case we only need to provide a recovery procedure.
  • The application's production environment is compromised, its legitimate code is tampered with or a trojan is uploaded, and Weibo functions are used maliciously as a result. Internal authentication rests on one premise: there must be a basic level of trust, because only then can the complexity of the scheme be reduced to an acceptable level. Whichever form of trust is chosen, the other side's production environment is ultimately the carrier of that trust, because legitimate requests come from there. So if the other side's production environment is compromised, the other side bears full responsibility. Of course, the service provider should try to detect such situations and raise alerts, but that is a separate topic.
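One way the requirements just listed can be met, as an added illustration and not the author's own (unpublished) design: each internal app signs its requests with a shared secret, the platform verifies using only an in-process table (no external resource), high-privilege functions need an explicit grant, and repeated bad requests are handled by blocking the source IP rather than the whole app. The app ids, secrets, API paths and thresholds below are constructed sample values.

```python
"""Lightweight internal-service request authentication (added example).

Assumptions: every internal app holds a shared secret issued out of band and
signs each request with HMAC-SHA256 over (app id, timestamp, method, path,
sha256(body)).  Verification needs nothing beyond the secret table loaded in
the verifying process, so the normal path never touches an external resource.
"""
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample table: app id -> (secret, explicitly granted
# high-privilege functions).  Everything not restricted is granted by default.
APP_SECRETS = {
    "weibo-search": (b"search-secret-0001", set()),
    "weibo-album": (b"album-secret-0002", {"direct_message"}),
}
RESTRICTED_FUNCTIONS = {"direct_message"}   # need an explicit per-app grant
CLOCK_SKEW_SECONDS = 300                    # replay window for the timestamp
BLOCK_AFTER_FAILURES = 5                    # per-source-IP remedial block


def _string_to_sign(app_id, ts, method, path, body):
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([app_id, str(ts), method.upper(), path, body_digest]).encode()


def sign_request(app_id, secret, ts, method, path, body=b""):
    """Client side: value the app sends in its signature header."""
    return hmac.new(secret, _string_to_sign(app_id, ts, method, path, body),
                    hashlib.sha256).hexdigest()


class InternalAuth:
    def __init__(self, secrets=APP_SECRETS, now=time.time):
        self.secrets = secrets
        self.now = now
        self.failures = defaultdict(int)   # source ip -> consecutive failures
        self.blocked_ips = set()

    def verify(self, app_id, ts, method, path, body, signature, source_ip, function):
        """Return (allowed, reason).  Pure local computation, no I/O."""
        if source_ip in self.blocked_ips:
            return False, "ip_blocked"
        ok, reason = self._check(app_id, ts, method, path, body, signature, function)
        if ok:
            self.failures[source_ip] = 0
            return True, "ok"
        # An app is never revoked as a whole (characteristic 5 above); repeated
        # bad requests from one origin are blocked at the IP level instead.
        self.failures[source_ip] += 1
        if self.failures[source_ip] >= BLOCK_AFTER_FAILURES:
            self.blocked_ips.add(source_ip)
        return False, reason

    def _check(self, app_id, ts, method, path, body, signature, function):
        entry = self.secrets.get(app_id)
        if entry is None:
            return False, "unknown_app"
        secret, grants = entry
        if abs(self.now() - ts) > CLOCK_SKEW_SECONDS:
            return False, "stale_timestamp"
        expected = sign_request(app_id, secret, ts, method, path, body)
        if not hmac.compare_digest(expected, signature):
            return False, "bad_signature"
        if function in RESTRICTED_FUNCTIONS and function not in grants:
            return False, "function_not_granted"
        return True, "ok"


if __name__ == "__main__":
    auth = InternalAuth()
    now = int(time.time())
    body = b"status=hello"
    sig = sign_request("weibo-search", b"search-secret-0001", now,
                       "POST", "/2/statuses/update", body)
    print(auth.verify("weibo-search", now, "POST", "/2/statuses/update",
                      body, sig, "10.0.0.1", "post_status"))
```

A recovery procedure for the "app-side bug breaks authentication" case is simply a second secret per app that can be switched to without redeploying the platform; it is left out here to keep the block focused on the check itself.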

So how should we design such an authentication scheme?

(To be continued)

Notes on Identity Authentication: Third-Party Authentication

In an era when everyone is keen on building "platforms", especially "open platforms", third-party authentication has gradually become standard equipment.

The goal of OpenID is: recognize who you are without making you register. What was later adopted far more widely, however, was the "connect" feature of the big sites such as Google, Facebook, Weibo and QQ, which has lost OpenID's original design intent.

The goal of OAuth and OAuth2 is: a third-party site wants to operate on your data and asks whether you allow it.

Third-party authentication is increasingly accepted. Overall, however, it is still far more complex than user authentication, and convenience and security are hard to achieve together. The main design and implementation goals should include:

  • Security: confirming the third party's identity, confirming the user's identity, and confirming the user's authorization; a problem in any one of these steps can be a major problem.
  • Convenience: easy to implement in code, and self-service recovery from exceptions (service outages, network problems such as the GFW, etc.).

With third-party authentication we often know that the current schemes and implementations have problems of one kind or another, but we cannot fundamentally improve anything; we can only make small patches on top of the existing schemes or look for solutions outside of technology. Why? Because it has already become an ecosystem, no longer something that one person, one team or one company can steer.

(To be continued)

Notes on Identity Authentication: User Authentication

Identity authentication, as defined by Baidu Baike:

Identity authentication is the process of confirming an operator's identity in a computer network. It can be divided into authentication between a user and a host and authentication between hosts. Authentication between a user and a host can be based on one or more of the following factors: something the user knows, such as a password or passphrase; something the user has, such as a seal or a smart card (for example a credit card); and a biometric characteristic of the user, such as a fingerprint, voice, retina, signature or handwriting.

The registration and login features that ordinary websites provide exist to verify the user's identity. From an implementation standpoint, the goals of user authentication should include:

  • Legitimate users can pass authentication easily and move on quickly to using the actual features. Calls for "user experience" have been getting louder recently; for the authentication step specifically, not interfering with legitimate users' normal use of the features should indeed be the first consideration.
  • Ensure security and prevent malicious use. The core value of authentication is preventing user data from leaking, whether through packet sniffing, XSS, a compromised site database, or even a breach of some other site where the user happens to use the same username and password; all of these are problems that the design of user authentication must address.
  • Another problem to consider along the way is preventing abuse, for example spam accounts and DDoS.

I will not go into the specifics of the implementation; in short it comes down to a few points: a simple registration flow, but not all features are available immediately after registering (a user credit system); an HTTPS login page; captchas; salted password storage; operation logging (such as last login time) plus anomaly detection (such as an unusual IP); and a second confirmation plus rollback for dangerous operations (deleting data, transferring money and so on).
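Three of the points just listed (salted storage, operation logging plus unusual-IP detection, and second confirmation plus rollback for a dangerous operation) worked into runnable form. This is an added example, not the post's code; it assumes an in-memory user table with constructed sample data, PBKDF2-HMAC-SHA256 as the salted hash, and a per-user login history that supplies both the "last login" record and the unusual-IP signal.

```python
"""User-authentication building blocks (added example, not from the post).

Assumptions: users live in an in-memory dict (constructed sample data); the
"unusual IP" signal is an address the account has never logged in from; a
dangerous operation (post deletion) is soft-deleted first so it can be undone
within a window.  Captcha and HTTPS are outside this block.
"""
import hashlib
import hmac
import os
from collections import deque

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to ~100 ms on your hardware
HISTORY_LEN = 20              # recent logins kept per user for the anomaly check
UNDO_WINDOW = 24 * 3600       # seconds during which a deletion can be rolled back


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Per-user random salt + PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


# Checked for unknown usernames so a lookup miss costs the same as a real check.
_DUMMY_RECORD = hash_password("dummy-password-not-a-real-account")


class UserStore:
    def __init__(self):
        self.users = {}

    def register(self, username, password):
        self.users[username] = {
            "pw": hash_password(password),
            "history": deque(maxlen=HISTORY_LEN),   # {"ip": ..., "at": ...}
            "posts": {},                            # post id -> {"text", "deleted_at"}
        }

    def login(self, username, password, source_ip, now):
        """Return the outcome, the previous login record and the unusual-IP signal."""
        user = self.users.get(username)
        ok = verify_password(password, user["pw"] if user else _DUMMY_RECORD)
        if user is None or not ok:
            return {"ok": False, "reason": "bad_credentials"}
        history = user["history"]
        # Anomaly signal: an IP this account has never logged in from before.
        # The caller decides what to do with it (notify, ask for a captcha, ...).
        unusual = bool(history) and all(h["ip"] != source_ip for h in history)
        last = history[-1] if history else None
        history.append({"ip": source_ip, "at": now})
        return {"ok": True, "last_login": last, "unusual_ip": unusual}

    def add_post(self, username, post_id, text):
        self.users[username]["posts"][post_id] = {"text": text, "deleted_at": None}

    # Dangerous operation: require an explicit confirmation, then soft-delete so
    # the user can roll it back; a hard delete happens only after UNDO_WINDOW.
    def delete_post(self, username, post_id, now, confirmed=False):
        if not confirmed:
            return "confirmation_required"
        self.users[username]["posts"][post_id]["deleted_at"] = now
        return "deleted"

    def undo_delete(self, username, post_id, now):
        post = self.users[username]["posts"][post_id]
        if post["deleted_at"] is None or now - post["deleted_at"] > UNDO_WINDOW:
            return False
        post["deleted_at"] = None
        return True
```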

A 100% secure implementation does not exist. What we can do is weigh security against implementation cost, and security against convenience, according to our own business needs: how much damage can a single leaked, maliciously used account do? How much complexity in the authentication process will ordinary users tolerate? How much implementation cost is acceptable?

Logging in to production servers requires a one-time password, online banking requires a USB key, an Alipay transfer requires a bound mobile phone, while posting to Weibo requires only a username and password.

(To be continued)

My Talk at ThinkinLAMP TDcon 2012

On October 14, 2012, in Shanghai, at ThinkinLAMP's TDCon 2012 (the database conference), I gave a talk titled "A NoSQL Story", sharing the evolution of Weibo's counters: the problems at each stage, the solutions, and a comparison of their strengths and weaknesses. The slides contain little content; most of it was in the live talk, but unfortunately there was no video or audio recording on site.