A Token Of Respect: Implementing Microservice Identity And Access Management In Go

Transcript

1. @jrbowes A Token of Respect Implementing microservice identity and access

   management in Go

2. The evolution of access management @jrbowes

3. Single user application @jrbowes

4. @jrbowes ¯\_(ツ)_/¯

5. Single user application @jrbowes

6. Multiple users @jrbowes

7. @jrbowes Auth n Authentication

8. Multiple users @jrbowes

9. Teams @jrbowes

10. Permission levels @jrbowes

11. Authorization @jrbowes Auth z

12. Permission levels @jrbowes

13. Support users, API keys @jrbowes

14. What do we build? @jrbowes

15. Design Decisions @jrbowes

16. Selecting a model for access control @jrbowes

17. @jrbowes

18. @jrbowes ACL-MON CAPABILITY -MON POLICY-MON AD-HOC -MON

19. @jrbowes @jrbowes

20. @jrbowes @jrbowes

21. ccess Role @jrbowes ased ontrol

22. @jrbowes // Subject of role-based access control, eg a user

    type Subject interface { Name() string }

23. @jrbowes // Subject of role-based access control, eg a user

    type Subject interface { Name() string Roles() []Role } // Role provides a list of permissions type Role struct { Label string Permissions []Permission }

24. @jrbowes // Subject of role-based access control, eg a user

    type Subject interface { Name() string Roles() []Role } // Role provides a list of permissions type Role struct { Label string Permissions []Permission } // Permission can be many things. // type Permission struct { }

25. @jrbowes // Subject of role-based access control, eg a user

    type Subject interface { Name() string Roles() []Role } // Role provides a list of permissions type Role struct { Label string Permissions []Permission } // Permission can be many things. For our use we need a verb and a // target to perform that verb on. type Permission struct { Verb Verb TargetID ID }

26. NIST HQ @jrbowes INCITS 359-2004

27. Access management can be complex @jrbowes

28. Must match user expectation (detective pikachu) @jrbowes

29. The alternative is inscrutable (sonic) @jrbowes

30. Keep access management simple and well-defined for users @jrbowes

31. Monolith @jrbowes

32. Microservices @jrbowes

33. Bounded contexts @jrbowes

34. Enforcement belongs with your data @jrbowes

35. Implementation @jrbowes

36. @jrbowes IDENTITY SERVICE A SERVICE B

37. @jrbowes IDENTITY SERVICE A SERVICE B • Authenticate • Determine

    permission set

38. @jrbowes IDENTITY SERVICE A SERVICE B • Authenticate • Determine

    permission set • Authorize

39. Tokens @jrbowes

40. @jrbowes eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9. eyJleHAiOjE1NTk3NjExODQsImp0aSI6IjIxaj NjMGQzajFweHYxcTNiZGQxZXo3M2J5ZXZnIiwi c3ViIjoiMjAwMms5dXJrbjV6azNtZXgwcmFtaH pqd2VrMjAifQ. 8C6W8WatwbJNsc943GE44BX4JO_ZaIkPyHyTyl RuOyFkrOSAEKtoqH3UbWmzrQ7HpaSM6bkU_l6n 6Z0WzH1MbA eyJhbGc

41. @jrbowes header. payload payload payload payload. signature signature signature

42. (not quite) enums @jrbowes

43. @jrbowes // Verb is a action that is encapsulated in

    a permission, and is // requested of the RBAC system to check a if a subject is permitted // to perform an action. type Verb uint64

44. @jrbowes // Verb is a action that is encapsulated in

    a permission, and is // requested of the RBAC system to check a if a subject is permitted // to perform an action. type Verb uint64 // All possible permission verbs // // // // const ( TeamCreate Verb TeamRead TeamUpdate TeamInvite TeamRemove TeamDelete // ... )

45. @jrbowes // Verb is a action that is encapsulated in

    a permission, and is // requested of the RBAC system to check a if a subject is permitted // to perform an action. type Verb uint64 // All possible permission verbs // // // // const ( TeamCreate Verb = 1 << iota TeamRead TeamUpdate TeamInvite TeamRemove TeamDelete // ... )

46. @jrbowes // Verb is a action that is encapsulated in

    a permission, and is // requested of the RBAC system to check a if a subject is permitted // to perform an action. type Verb uint64 // All possible permission verbs // // // // const ( TeamCreate Verb = 1 << iota // 00...000001 TeamRead // 00...000010 TeamUpdate // 00...000100 TeamInvite // 00...001000 TeamRemove // 00...010000 TeamDelete // 00...100000 // ... )

47. @jrbowes // Verb is a action that is encapsulated in

    a permission, and is // requested of the RBAC system to check a if a subject is permitted // to perform an action. type Verb uint64 // 64 possible permissions // All possible permission verbs // // IMPORTANT: maintain the order in this list, or else the bits // change, and a principal's permissions could be interpreted // differently between our services. const ( TeamCreate Verb = 1 << iota // 00...000001 TeamRead // 00...000010 TeamUpdate // 00...000100 TeamInvite // 00...001000 TeamRemove // 00...010000 TeamDelete // 00...100000 // ... )

48. @jrbowes

49. @jrbowes constant 18446744073709551616 overflows Verb

50. @jrbowes // MarshalText marshals a Verb to a string, for

    use in JSON. Verbs are // stored in raw base64 url (no trailing ==), with leading zero bytes // removed. This allows us to both store sparse Verbs efficiently, and // have forwards compatibility as additional verbs are added, growing // the bit length. func (v Verb) MarshalText() ([]byte, error) { b := make([]byte, 8) binary.BigEndian.PutUint64(b, uint64(v)) for len(b) > 0 && b[0] == 0x00 { b = b[1:] } o := make([]byte, base64.RawURLEncoding.EncodedLen(len(b))) base64.RawURLEncoding.Encode(o, b) return o, nil }

51. @jrbowes // UnmarshalText unmarshals a string into a Verb, for

    use from JSON. func (v *Verb) UnmarshalText(t []byte) error { i := make([]byte, base64.RawURLEncoding.DecodedLen(len(t))) base64.RawURLEncoding.Decode(i, t) // forwards compat if len(i) > 8 { i = i[len(i)-8:] } b := make([]byte, 8) copy(b[8-len(i):], i) *v = Verb(binary.BigEndian.Uint64(b)) return nil }

52. Bit manipulation @jrbowes

53. @jrbowes func (s *JWTSubject) Can(v Verb, target ID) bool {

    return v&s.perms[ID] > 0 } v&s.perms[ID] return v&s.perms[ID] > 0

54. Don’t be afraid of bitwise operations @jrbowes

55. Interfaces @jrbowes

56. @jrbowes // anonymousSubject is the type representing anonymous // (not

    authenticated) users. It is never verified, and has // no permissions. type anonymousSubject struct{} func (anonymousSubject) Verified() bool { return false } func (anonymousSubject) Can(rbac.Verb, ...ID) bool { return false } // ... // make sure the interface is satisfied at compile time var _ Subject = anonymousSubject // anonymousSubject is the type representing anonymous // (not authenticated) users. It is never verified, and has // no permissions. type anonymousSubject struct{} func (anonymousSubject) Verified() bool { return false } func (anonymousSubject) Can(rbac.Verb, ...ID) bool { return false }

57. The future @jrbowes

58. FIND ME github.com/jbowes twitter.com/jrbowes manifold.co Thank you! @jrbowes