Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
Authz
ma2k8
July 29, 2020
Technology
0
190
Authz
社内勉強会用
ma2k8
July 29, 2020
Tweet
Share
More Decks by ma2k8
See All by ma2k8
ma2k8
0
16
ma2k8
0
15
ma2k8
0
2.6k
ma2k8
3
6.4k
ma2k8
1
27
ma2k8
0
32
ma2k8
1
1.4k
ma2k8
1
1.5k
Other Decks in Technology
See All in Technology
soracom
0
450
djain2405
1
110
ishiayaya
PRO
0
160
taichinakamura
0
950
mixi_engineers
0
260
line_developers_tw2
0
560
adarapata
2
320
finengine
0
370
mita2
0
160
takayukihayashi
1
280
nasrinjp
0
500
opdavies
0
2.5k
Featured
See All Featured
paulrobertlloyd
71
3.7k
jakevdp
776
200k
bryan
32
3.5k
sstephenson
146
12k
edds
56
9.4k
dougneiner
120
8k
nonsquared
81
3.5k
cassininazir
347
20k
akmur
252
19k
lynnandtonic
274
17k
tmm1
62
9.9k
davidbonilla
71
3.6k
Transcript
AuthZ
Agenda 1. AuthZͱAuthNͷҧ͍ 2. ೝՄͷछྨ 3. AuthzIOͷσʔλߏ 4. AuthzIOͷίϚϯυ 5.
·ͱΊ
1. AuthZͱAuthNͷҧ͍
େલఏ ೝূʢAuthNʣͱೝՄʢAuthZʣ ࣅͯඇͳΔ֓೦Ͱ͋Δ
ೝূ ~AutheNtication ~ ର͕ʮ୭ʯͰ͋Δ͔Λಛఆ͢Δ
ೝՄ ~AuthoriZation ~ ҙͷϦιʔεʹର͠ɺ ҙͷΞΫγϣϯͷڐՄ/ڋ൱Λ੍ޚ͢Δ
զʑਓؒɺࢹ֮,ௌ֮,ᄿ֮ͳͲ ༷ʑͳใΛͬͯଞਓΛೝূ͍ͯ͠Δɻ ͦͯ͠ɺೝূͨ͠ଞਓ͕ʮ୭ʯͰ͋Δ͔ʹΑͬ ͯߦಈΛೝՄ͍ͯ͠Δɻ(ΑͶʁ)
※Βͳ͍ਓʢೝূΤϥʔʣʹ ͍͖ͳΓ͔͚ΒΕͨΒʢೝՄΤϥʔʣϏϏΓ·͢ɻɹ
γϯϓϧͳཁ݅Ͱ ೝূͱೝՄࠞಉ͞Ε͕ͪɻ
୭Ͱ͋Δ͔͕͔Εɺ ԿΛೝՄ͢Δ͔ࣗ໌͔ʁ
͜ͷ͍ ʮҕৡʯͷඞཁ͕ͳ͚Εਅ ͋ΕِͱͳΔ
γϯϓϧͳೝূ/ೝՄ ᶃೝূཁٻ(ID/Pass) ᶄೣഎϚϯͰ͋Δ͜ͱΛ֬ೝ ᶅೣഎϚϯʹೝՄ͞Εͨ ΞΫγϣϯΛ࣮ߦͰ͖Δ ϢʔβʔೣഎϚϯ ͘͢͝γϯϓϧͳγεςϜ
࣮Λߟ͑ͯΈΔ • ೝূ • ϩάΠϯޭͨ͠ΒτʔΫϯΛฦ͢ • ͦΕͧΕͷAPIτʔΫϯ͕ਖ਼ৗͳΒޙଓͷॲཧΛڐՄ͢ Δ • ͜͜ʹೝՄΛ࣮͢Δͱͨ͠Βʁ
• (Ϣʔβʔ|ϩʔϧ)ݻ༗ͰڐՄ͍ͨ͠ΞΫγϣϯΦϖϨʔ λʔIDϩʔϧIDͱඥ͚ͯϗϫΠτϦετ/ϒϥοΫϦ ετͰอଘ͠ɺAPIͷॲཧͷલఏ݅ͱ͢Δ
ҕৡ༗Γೝূ/ೝՄ ᶃӾཡݖݶΛҕৡͨ͠ΩʔΛൃߦ ϢʔβʔೣഎϚϯ botͷҙͷ࣮ߦऀ APIΩʔ ᶄΩʔΛར༻͠ɺҕৡ͞ΕͨΞΫγϣϯΛ࣮ߦ͢Δɻ ɹΩʔͷೝূߦ͏͕ɺೣഎϚϯ͔൱͔ɺ ɹ࣮ߦऀ͕୭Ͱ͋Δ͔ͷೝূߦΘͳ͍ɻ ͘͢͝ෳࡶͳγεςϜ
࣮Λߟ͑ͯΈΔ • ೝূ • ϢʔβʔAPIΩʔΛ࡞ΕɺͦΕΛͤࣗͷID/PassΛڞ༗ͤͣͱࣗ ͷ࣋ͭݖݶΛҕৡͰ͖Δ • APIΩʔͷೝূߦ͏(firebaseͰͬͯ·͢Ͷ) • APIΩʔిंͷූͷΑ͏ͳͷɻූΛങͬͨਓ֬ೝ͠ͳ͍͚Ͳ
ූ֬ೝ͢Δ • ೝՄ • લड़ͷϢʔβʔϩʔϧʹඥ͚ͮͯͷೝՄॲཧ࣮Λߦ͏ͱڽूͷ͍࣮ ʹͳΔͷ͕ΠϝʔδͰ͖ΔͩΖ͏͔ɾɾɾ • લड़ͷ࣮ͩͱɺූͷ֬ೝΛߦ͍͍ͨͷʹɺූͷൃߦऀ·ͰͨͲΔ͜ ͱʹͳͬͯ͠·͏ɻ
APIΩʔΛྫʹग़͕ͨ͠ɺ͔ͬ͠Γ࡞Ε inviteϦϯΫʹͬͯΔτʔΫϯͳͲ৭Μͳॴʹྲྀ༻ՄೳͰ͢ɻ ʢ͢Δ͔ผͷ) ಉ͡Α͏ͳॲཧΛ ৭Μͳॴʹಠ࣮ࣗͤͣʹࡁΉ
2. ೝՄͷछྨ
ACL ʢAccess Control Listʣ ▪ͲΜͳͭʁ □ ΞΫηεϦετ □ ໊લ͕ొ͞ΕͯΕOKͳγϯϓϧͳͭ ▪Pros
□ γϯϓϧ ▪Cons □ γϯϓϧ͗ͯ͢ࡉ੍͔͍ޚͰ͖ͳ͍
RBAC ʢRole-Based Access Controlʣ ▪ͲΜͳͭʁ □ ϩʔϧΛׂΓৼΔͭ ▪Pros □ υϝΠϯݴޠͱϚον͍ͤ͢͞
□ ACLΑΓࡉ੍͔͍ޚ͕Մೳ ▪Cons □ Role explosion ίϯςΩετAͰϩʔϧAɺίϯςΩετBͰϩʔϧBͳͲɺ ෳࡶߋʹࡉ੍͔͍ޚ͕ͨ͘͠ͳΔͱϩʔϧ͕૿͑͗ͯ͢ഁ͢Δ ʢRoleAʹActionAΛՃ͍͚ͨͩ͠ͳͷʹ৽ͨͳϩʔϧΛ࡞͢Δ…) □ ׂʹറΒΕ͗͢Δ Ұ࣌తͳݖݶɺϢʔβʔͷଐੑΞΫγϣϯͳͲʹΑͬͯॊೈʹݖݶ༩͢Δ͜ͱ͕͍͠ ʢࣄલʹϩʔϧΛ༻ҙ͠ͳ͍ͱ͍͚ͳ͍ͷͰ)
ABAC ʢAttribute-Based Access Controlʣ ▪ͲΜͳͭʁ □ ڐՄ/ڋ൱͢ΔΞΫγϣϯଐੑΛׂΓৼΔͭ ▪Pros □ RBACΑΓॊೈ͔ͭࡉ੍͔͍ޚ͕Մೳ
▪Cons □࣮͕େม
AuthzIOABACͰ͢ ※Action-Attributeʹߜ͍ͬͯΔ
3. AuthZIOͷσʔλߏ
ߏཁૉ AttachedPolicy ├AccountId └Seq[Policy] ├Action ├PermissionReason ├Seq[Resource] └ExpirationDate
AttachedPolicy • AccountId + AccountʹׂΓͯΒΕͨϙϦγʔͷϦετ ΛͭAuthzίϯςΩετͷू • AccountID + AccountType
͔ΒΓɺOperator,API KeyͷPrincipalΛಉ͡ܕͰཧͰ͖ΔͷͰݖݶΛಉ͡ σʔλߏͰҰݩతʹཧ͢Δ͜ͱ͕Ͱ͖Δ
Policy • ݖݶͷجຊ୯Ґ • Action + PermissionReason + Seq[Resource] +
ExpirationDateͰߏ͞ΕΔ
Action • ͦͷ໊ͷ௨ΓAction • ADTͰఆ͓ٛͯ͠ΓɺStringʹΤϯίʔυ͢ΔͱͷΑ͏ ͳܗʹͳΔɻ(DBʹೖΔͱ͖͜Ε) • s"${αʔϏε໊}:${Action༰}" • “Dashboard:AnalysisViewer”
తͳ • αʔϏεͷ୯ҐίϯςΩετʹ͢Δ͔
ExpirationDate • ݖݶͷ༗ޮظݶ • ݖݶ՝ۚใΛ֬ೝͯ͠όονͳͲͰఆظత ʹফͨ͠Γ͢Δͱࡶʹͳ͍ͬͯ͘ͷͰظݶ͕͖ Ε͍ͯΔݖݶϥΠϑαΠΫϧͰࣗવʹফ͑ͯ ͍͘Α͏ʹ͢Δ
Resource • ΞΫγϣϯͷର • ResourceΛࢦఆͤͣʹߦ͏ActionͰར༻͠ͳ͍ • ݱঢ়ResourceຖʹظݶΛઃఆ͍ͨ͠߹2ͭϙϦ γʔΛ࡞͍ͬͯΔʢॲཧ؆ུԽͷͨΊ)
PermissionReason • ݖݶ͕༩͞Εͨཧ༝(༝དྷ) • ※ྫɿ • CloudSignͰܖΛ݁Μͩ • खಈͰҰ࣌తʹ༩ͨ͠ •
τϥΠΞϧͰظؒݶఆ༩ • ͜ΕίϯςΩετ͝ͱʹϞδϡʔϧΛΔஅΛԼͨ͠ γεςϜಛ༗ͷ͋ͬͨ΄͏͕ྑ͍ใͱ͍͑Δ͔ • ڽूੑΛߴΊΔͨΊʹ͜ͷใ͕ඞਢ
PermissionReasonΛগ͠ਂ΅Δ
ίϯςΩετΛ·͙ͨݖݶ༩/ണୣͷॲཧΛ࣮ߦ͢Δࡍʹɺ ॲཧ࣮ߦݩͷίϯςΩετReason͍͑ͬͯ͞Εྑ͍ͷͰ ࣮͕ͱͯγϯϓϧʹͳΔ
ྫͱͯ͠ ͱ͋ΔτϥΠΞϧݖݶΛ আ͢ΔॲཧΛߟ͑Δ
Authzͷఆظόον AuthN-API PermissionReasonφγ ͷͺͯ͌ʔΜ Authz-DB ͦͷଞͷίϯςΩετ ֎෦API ᶃτϥΠΞϧঢ়ଶ͕༗ޮͰ͋Δ͔֬ೝ ᶄτϥΠΞϧҎ֎ͷํ๏Ͱݖݶ͕ ༩͞Ε͍ͯΔՄೳੑΛ֬ೝ
ᶅݖݶΛআ
ॲཧͷରͱ͍ͨ͠ݖݶ͕Կ༝དྷ͔ γϯϓϧͳγεςϜͳΒݩσʔλݟΕ͍ ͍͡ΌΜͰࡁΉ͕ɺෳࡶʹͳΔͱࢀরઌ͕ ૿͔͑ͯͳΓେม
Authzͷఆظόον PermissionReasonΞϦ ͷͺͯ͌ʔΜ Authz-DB ᶃReason͕τϥΠΞϧͷݖݶΛআ
ଞʹ
ݖݶͱݖݶ༩ཧ༝ͷ ϛεϚον • - ଟॏ՝͕ۚ͋Δ߹͕ଟ͍ͷͰϢʔβʔ௨͢Δඞཁ͕͋Δ • - ଟॏݖݶͳ͍έʔεଟʑ͋ΔʢτϥΠΞϧͱຊܖ͕͔Ϳͬͯͯผʹྑ͍ΑͶతͳ) • -
AuthzͷReasonͰଟॏݖݶΛཧ͠ɺPaymentͰଟॏ՝ۚΛཧ͢ΔɻೝՄΛͯ͠ͳ͔ͬͨ ΓɺReason͕ͳ͔ͬͨΓ͢Δͱ͜͜ͷ۠ผ͕͍͠ • - ҙࣝ͠ͳ͍͜ͱʹΑΔརศੑ͋Δ͋ΔͷͰɺ • ҙࣝ͠ͳ͍͜ͱʹΑΔརศੑྫ • ͱΓ͋͑ͣࡶʹݖݶΛফ͍ͨ͠έʔε • ෳͷखஈͰ՝ۚ͞Ε͍ͯΔ߹ͷΈΤϥʔʹ͢ΔɻτϥΠΞϧ+1ͭͷ՝ۚखஈͷ߹྆ ํফ͢ɻτϥΠΞϧͷΈ|1ͭͷ՝ۚखஈͷΈͷ߹ফ͢ͷཁ݅) • ͷΑ͏ʹɺ݁ہࡶʹফͤͳ͍ͷͰҙࣝ͢Δ͔ɺΤϥʔέʔεΛࣺͯΔ͔ʹͳΔɻ
4. AuthZIOͷίϚϯυ
͜Ε͚ͩ • ࢀর/ߋ৽(Show/Add/Remove) • Request(ResourceࢦఆΞϦ/φγ)
ίʔυ sealed abstract class AuthzIO[A] {} // support case class
ShowPolicy(principal: AccountId) extends AuthzIO[AttachedPolicy] // manage case class AddPolicy(principal: AccountId, policy: Policy) extends AuthzIO[AttachedPolicy] case class AddPolicies(principal: AccountId, policies: Seq[Policy]) extends AuthzIO[AttachedPolicy] case class RemovePolicy(principal: AccountId, policy: Policy) extends AuthzIO[AttachedPolicy] case class RemovePolicies(principal: AccountId, policies: Seq[Policy]) extends AuthzIO[AttachedPolicy] // request case class RequestPolicy(principal: AccountId, actionSeq: Seq[Action]) extends AuthzIO[Unit] case class RequestPolicyToResource( principal: AccountId, principalActionSeq: Seq[Action], // ࢦఆͨͯ͢͠ͷΞΫγϣϯʹର͠ɺ resourceSeq: Seq[Resource], // ରͷresource͕ڐՄ͞Εͯͳ͚ΕNGͱ͢Δ resourceAllowedActionSeq: Seq[Action] ) extends AuthzIO[Unit] // requestBool case class RequestBoolPolicy(principal: AccountId, actionSeq: Seq[Action]) extends AuthzIO[Boolean] case class RequestBoolPolicyToResource( principal: AccountId, principalActionSeq: Seq[Action], // ࢦఆͨͯ͢͠ͷΞΫγϣϯʹର͠ɺ resourceSeq: Seq[Resource], // ରͷresource͕ڐՄ͞Εͯͳ͚ΕNGͱ͢Δ resourceAllowedActionSeq: Seq[Action] ) extends AuthzIO[Boolean]
͍ํΠϝʔδᶃ • RequestBoolΛෳύλʔϯ࣮ߦͯ݁͠ՌΛ߹ͯ͠Α͠ • requestBoolbooleanΛฦ͢ͷͰෳͷ݁ՌΛղͯ͠νΣοΫͯ͠OK(ͷදݱྗΛ ࣋ͭ(Bool) • ৄ͘͠ ͷهࣄΛࢀর •
https://www.slideshare.net/oarat/ss-55487535 • ෛݩ(ϚΠφε)͕ͳͯ͘Ճ๏+๏ͷ͋Δू߹ͷ͜ͱͰɺཁॱ൪Λม͑ͯ݁ՌมΘ ΒΜΑͶɻҙຯͰଊ͑Δͱྑ͍(Ϋιͬ͘͟ΓͰ͝ΊΜͳ͍͞) • requestBooleanΛ͍͍ͪͪఆ͢Δͷ͕໘ͳέʔεଟ͍ͷͰUnitΛฦ͠ɺfalseͷ߹ Either.leftΛEffʹಥͬࠐΜͰฦͯ͘͠ΕΔͷͰ݁Ռͷ߹͕ෆཁͳ߹͜ΕΛ͏ • ShowͰPolicyҾͬு͖֤ͬͯͯίϯςΩετͰࡉ͔͍ॲཧͯ͠Α͠ʢ͋·Γఆ͍ͯ͠ͳ͍) • enforce(σʔλͷϑΟϧλ)ɺAuthzIOʹRepositoryͯ͠InterpreterͰϑΟϧλͰ͖ΔΑ͏ ʹ͢Δͷߟ͕͑ͨநߴ͘ͳΓ͗͢Δׂʹ͍ʹ͍͘͠ɺΧόʔͰ͖Δ༻్ڱ͘ͳΓͦ͏ ͩͬͨͷͰɺΘ͔Γ֤͘͢ίϯςΩετͷDomainServiceͰrequestͷ݁ՌΛݩʹϑΟϧλ͢Δ ͷ͕ྑ͍ͱஅͨ͠ɻ
͍ํΠϝʔδᶄ
͍ํΠϝʔδᶅ • ͜ͷΑ͏ʹɺఆ͢Δཁૉ͕͍ͭ͘૿͑ͯ|| &&ͷԋࢉ ͰରॲͰ͖Δ • ྫ͑ɺ͓͔ΘΓϓϥϯ nճ͔ͭɺΩϟϯϖʔϯίʔ υhogeΛར༻ͨ͜͠ͱ͕͋ΓɺաڈʹTOEIC,egs,Bizʹ ೖͬͨ͜ͱ͋Δ͚ͭͩʹݖݶΛ༩͑ΔʂΈ͍ͨͳཁ
݅γϯϓϧʹදݱͰ͖Δʢଋͩͱ͍
ͱଋ • ଋScalaͷܕͷAny <-> Nothing ΛΠϝʔδ͢ΕOK • ࢝ͱऴ͕ܾ·͓ͬͯΓɺͦͷؒͷͲΕ͔ʹܕଐ͢Δ • ݖݶΛ͜ͷߏͰදݱ͢Δͱɺ͋ΒΏΔΈ߹ΘͤΛܕʹམͱ͢ඞཁ͕͋Γɺexplosion͢Δ
ʢݱঢ়ɺEgsAndTOEIC, EgsAndBiz, EgsAndPersonalCoachͳͲΛbitԋࢉΆ͘ѻͬͯΔͷ Ͱগ͠Ϛγ͕ͩɺ͜ΕʹҰͭҰͭܕΛ͚ͭΔͱ͖ͼ͍͠) • BooleanΛΠϝʔδ͢ΕOK(Booleanͱ४ಉܕͰ͋ΔɻBool) • ධՁ͢Δॱ൪Λม͑ͯ݁ՌมΘΒͳ͍ • ͱੵͷ2ͭͷԋࢉΛͭू߹Ͱɺަ,݁߹,ͷଇΛຬͨ͢ • A = (true && false) => false • B = (false || true) => true • C = A && B = false • A,Bʹग़ͯ͘Δɺtrue,falseΛͲ͏ೖΕସ͑ͯCͷ݁ՌมΘΒͳ͍ΑͶΈ͍ͨͳ͜ͱ͕ݴ͍͍ͨ (Ϋιͬ͘͟ΓͰ͝ΊΜͳ͍͞) • ݖݶ৭ΜͳཁૉΛߟྀ͢Δඞཁ͕͋Δ͔Β͜ͷߏ͕ࢫ͍
5. ·ͱΊ
• ೝূͱೝՄ͠ͳ͍ͱෳࡶͳཁ݅Λ࣮ݱ͢Δࡍʹ௧ΈΛ͏ • ೝՄํࣜABACΛ࠾༻ • AuthzߏΛ࠾༻ͯ͠Δͧ(ܕϨϕϧʹΤϯίʔυͯ͠ͳ͍) • enforcedomainServiceͰrequest/requestBoolΛ࣮ͬͯͯ͠ ͍ͧ͘ •
ϑϩϯτͰݖݶͰϋϯυϦϯά͍ͨ͠έʔε͋ΔͷͰɺͲΜͳ ܗͰฦ͔͢૬ஊ͍ͨ͠(isAnalysis=true,Έ͍ͨͳͷΛແݶʹ૿ ͍͍ͯ͠͠ɺshowPolicyͰऔΕΔ݁ՌΛͦͷ··ͯ͠OK)ɹ • ͜ͷهࣄ࠷ߴͳͷͰಡΉͱྑ͍ • https://kenfdev.hateblo.jp/entry/2020/01/13/115032
͓ΘΓ
ma2k8
soracom
djain2405
ishiayaya
taichinakamura
mixi_engineers
line_developers_tw2
adarapata
finengine
mita2
takayukihayashi
nasrinjp
opdavies
paulrobertlloyd
jakevdp
bryan
sstephenson
edds
dougneiner
nonsquared
cassininazir
akmur
lynnandtonic
tmm1
davidbonilla
![ߏཁૉ AttachedPolicy ├AccountId └Seq[Policy] ├Action ├PermissionReason ├Seq[Resource] └ExpirationDate](https://files.speakerdeck.com/presentations/3e05f63875344065bcdd992e678e4776/slide_22.jpg){kind=link}
![Policy • ݖݶͷجຊ୯Ґ • Action + PermissionReason + Seq[Resource] +](https://files.speakerdeck.com/presentations/3e05f63875344065bcdd992e678e4776/slide_24.jpg){kind=link}
![ίʔυ sealed abstract class AuthzIO[A] {} // support case class](https://files.speakerdeck.com/presentations/3e05f63875344065bcdd992e678e4776/slide_39.jpg){kind=link}
