Authz
ma2k8
July 29, 2020
Technology
For an internal study session
Transcript
AuthZ
Agenda 1. Differences between AuthZ and AuthN 2. Types of authorization 3. AuthzIO data structure 4. AuthzIO commands 5. Summary
1. Differences between AuthZ and AuthN
Basic premise: authentication (AuthN) and authorization (AuthZ) are concepts that look alike but are different.
Authentication ~AutheNtication~: identifies who the subject is.
Authorization ~AuthoriZation~: controls whether a given action on a given resource is allowed or denied.
We humans authenticate other people using all sorts of information: sight, hearing, smell and so on. We then authorize their behaviour according to who the authenticated person is. (Right?)
※ If a stranger (authentication error) suddenly speaks to you (authorization error), you get startled.
With simple requirements, authentication and authorization tend to be conflated.
Once you know who someone is, is what to authorize self-evident?
This question is true when there is no need for delegation, and false when there is.
Simple authentication/authorization: ① authentication request (ID/password) ② confirm that it is Nekoze-man ③ the actions authorized for Nekoze-man can be executed. User: Nekoze-man. A very simple system.
Thinking about the implementation • Authentication • Return a token on successful login • Each API allows the subsequent processing if the token is valid • What if we implemented authorization here?
• Store the actions to be allowed per user or per role as a whitelist/blacklist tied to operator IDs or role IDs, and make that a precondition of each API's processing.
Authentication/authorization with delegation: ① issue a key that delegates view permission (user Nekoze-man → API key → a bot or any other executor) ② the key is used to execute the delegated actions. The key is authenticated, but whether it is Nekoze-man, i.e. who the executor is, is not authenticated. A much more complex system.
Thinking about the implementation • Authentication • If a user can create an API key and hand it over, they can delegate the permissions they hold without sharing their own ID/password • The API key is authenticated (we do this with firebase) • An API key is like a train ticket: you don't check who bought the ticket, but you do check the ticket • Authorization • Can you picture how implementing authorization tied to users or roles, as described earlier, leads to an implementation with low cohesion... • With that implementation, you only want to check the ticket, yet you end up having to trace back to whoever issued it.
I used API keys as the example, but if it is built properly it can be reused in many other places, such as the tokens embedded in invite links. (Whether we do so is a separate matter.) It saves re-implementing the same kind of logic independently all over the place.
2. Types of authorization
ACL (Access Control List) ▪ What is it? □ An access list □ A simple scheme: if the name is registered, you are OK ▪ Pros
□ Simple ▪ Cons □ Too simple; no fine-grained control
RBAC (Role-Based Access Control) ▪ What is it? □ Assigns roles ▪ Pros □ Easy to match to the domain language
□ Finer-grained control than ACL ▪ Cons □ Role explosion: role A in context A, role B in context B and so on; as complexity grows and you want finer control, the number of roles blows up and the scheme collapses (you only want to add action A to role A, yet you end up creating a new role...) □ Too bound to roles: it is hard to grant permissions flexibly based on temporary permissions, user attributes, actions and so on (roles have to be prepared in advance)
ABAC (Attribute-Based Access Control) ▪ What is it? □ Assigns the actions and attributes to allow/deny ▪ Pros □ More flexible and finer-grained control than RBAC
▪ Cons □ Hard to implement
AuthzIO is ABAC ※ restricted to action attributes
3. AuthZIO data structure
Components
AttachedPolicy
├ AccountId
└ Seq[Policy]
  ├ Action
  ├ PermissionReason
  ├ Seq[Resource]
  └ ExpirationDate
AttachedPolicy • The Authz context's aggregate: an AccountId plus the list of policies assigned to that account • Because AccountId is made up of an account ID plus an AccountType, the principals for both Operators and API keys can be handled with the same type, so their permissions can be managed centrally in one data structure
Policy • The basic unit of permission • Composed of Action + PermissionReason + Seq[Resource] + ExpirationDate
Action • Exactly what the name says: an action • Defined as an ADT; encoded to a String it takes the following form (this is what goes into the DB) • s"${service name}:${action content}" • something like "Dashboard:AnalysisViewer" • Whether the service unit should be the context is an open question
ExpirationDate • The permission's expiry date • Deleting permissions periodically with batch jobs after checking billing information gets messy, so expired permissions should instead disappear naturally as part of their lifecycle
Resource • The target of the action • Not used for actions that run without specifying a Resource • Currently, when a different expiry is wanted per Resource, two policies are created (to keep the processing simple)
PermissionReason • The reason (origin) for which the permission was granted • ※ Examples: • A contract was concluded via CloudSign • Granted temporarily by hand • Granted for a limited period as a trial • This is arguably information that a system which has decided to split modules per context is better off having • Required in order to raise cohesion
Digging a little deeper into PermissionReason
When executing a grant or revocation of permissions that spans contexts, the context initiating the processing only needs to know the Reason, so the implementation becomes very simple
As an example, consider a process that deletes a certain trial permission
Pattern without PermissionReason: Authz periodic batch → AuthN-API, Authz-DB, other contexts, external APIs ① check whether the trial status is still valid ② check whether the permission may have been granted by some means other than the trial ③ delete the permission
Where did the permission we want to process come from? In a simple system, "just look at the source data" is enough, but as the system grows complex the number of places to consult grows and it becomes quite painful
Pattern with PermissionReason: Authz periodic batch → Authz-DB ① delete the permissions whose Reason is "trial"
Other points
Mismatch between permissions and the reasons for granting them • Cases of double billing are common, so the user has to be notified • Double permissions are often fine (a trial overlapping a real contract is no problem, and so on) • Manage double permissions with Authz's Reason and double billing in Payment; without separated authorization, or without a Reason, this distinction is hard to make • There is also the convenience of not having to think about it, as in: • Example of the convenience of not thinking about it • The case where you just want to delete permissions roughly • Error out only when billing comes through multiple means; with a trial plus one billing method, delete both; with only a trial, or only one billing method, delete (that is the requirement) • As this shows, you can't in the end delete carelessly, so you either think it through or discard the error cases.
4. AuthZIO commands
That's all there is • Show/update (Show/Add/Remove) • Request (with/without a Resource specified)
Code
sealed abstract class AuthzIO[A] {}

// support
case class ShowPolicy(principal: AccountId) extends AuthzIO[AttachedPolicy]

// manage
case class AddPolicy(principal: AccountId, policy: Policy) extends AuthzIO[AttachedPolicy]
case class AddPolicies(principal: AccountId, policies: Seq[Policy]) extends AuthzIO[AttachedPolicy]
case class RemovePolicy(principal: AccountId, policy: Policy) extends AuthzIO[AttachedPolicy]
case class RemovePolicies(principal: AccountId, policies: Seq[Policy]) extends AuthzIO[AttachedPolicy]

// request
case class RequestPolicy(principal: AccountId, actionSeq: Seq[Action]) extends AuthzIO[Unit]
case class RequestPolicyToResource(
  principal: AccountId,
  principalActionSeq: Seq[Action],  // for every specified action,
  resourceSeq: Seq[Resource],       // fail (NG) unless the target resource is allowed
  resourceAllowedActionSeq: Seq[Action]
) extends AuthzIO[Unit]

// requestBool
case class RequestBoolPolicy(principal: AccountId, actionSeq: Seq[Action]) extends AuthzIO[Boolean]
case class RequestBoolPolicyToResource(
  principal: AccountId,
  principalActionSeq: Seq[Action],  // for every specified action,
  resourceSeq: Seq[Resource],       // fail (NG) unless the target resource is allowed
  resourceAllowedActionSeq: Seq[Action]
) extends AuthzIO[Boolean]
Usage image ① • Running RequestBool in several patterns and combining the results is fine • requestBool returns a boolean, so it is OK to interpret and check multiple results (it has the expressive power of a semiring: the Bool semiring) • For details, see the following article •
https://www.slideshare.net/oarat/ss-55487535 • A semiring is a set with addition and multiplication but no negative elements (no "minus"); in short, "changing the order doesn't change the result" is a good enough way to think of it (sorry for the crude summary) • request returns Unit because testing the boolean every time is often tedious; when the check is false it pushes an Either.left into Eff and returns that, so use it when no case analysis of the result is needed • You can also pull the Policy with Show and do fine-grained processing in each context (not really expected) • For enforce (filtering data), I considered passing a Repository into AuthzIO so the Interpreter could filter, but that raises the level of abstraction too much for how awkward it is to use, and the range of uses it could cover looked narrow, so I decided it is better to filter, understandably, in each context's DomainService based on the result of request.
Usage image ②
Usage image ③ • As this shows, however many elements there are to evaluate, they can be handled with || and && operations • For example, a requirement like "grant the permission only to people who have taken the okawari plan n times, have used campaign code hoge, and have previously enrolled in TOEIC, egs or Biz!" can be expressed simply (it would be hard with a lattice)
Semiring vs lattice • For a lattice, picture Scala's type hierarchy Any <-> Nothing • The start and end points are fixed, and every type belongs somewhere in between • Representing permissions with this structure means every combination has to be turned into a type, and it explodes
(at present EgsAndTOEIC, EgsAndBiz, EgsAndPersonalCoach and the like are handled bit-operation style, which is slightly better, but giving each of these its own type would be tough) • For a semiring, picture Boolean (it is homomorphic to Boolean: the Bool semiring) • Changing the order of evaluation doesn't change the result • A set with two operations, sum and product, satisfying the commutative, associative and distributive laws • A = (true && false) => false • B = (false || true) => true • C = A && B = false • What I want to say is something like: however you rearrange the true/false values that appear in A and B, the result of C doesn't change (sorry for the crude summary) • Permissions have to take many elements into account, which is why this structure works so well
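The AttachedPolicy/Policy structure of section 3, the Reason-driven trial cleanup, and the request/requestBool composition of section 4 in one worked example: added here in Scala, not the deck's or AuthzIO's own code. It is a plain, hypothetical in-memory evaluator (no AuthzIO ADT or Eff interpreter); the case-class fields, the Trial/Contract reasons, the sample principal "nekoze" and the simplified resource check (the policy must list every requested resource; resourceAllowedActionSeq is omitted) are my assumptions.

```scala
import java.time.LocalDate
// Hypothetical model of the slides' AttachedPolicy / Policy tree (names from the deck, types assumed).
final case class AccountId(id: String, accountType: String)          // "Operator" or "ApiKey"
final case class Action(service: String, name: String) { def encoded = s"$service:$name" }
final case class Resource(id: String)
sealed trait PermissionReason
case object Trial extends PermissionReason
case object Contract extends PermissionReason
final case class Policy(action: Action, reason: PermissionReason,
                        resources: Seq[Resource], expiration: LocalDate)
final case class AttachedPolicy(principal: AccountId, policies: Seq[Policy])

object Authz {
  // Expired policies are simply ignored: the lifecycle, not a billing batch, retires them.
  private def live(p: Policy, today: LocalDate): Boolean = !p.expiration.isBefore(today)
  // RequestBoolPolicy: every requested action needs a live policy.
  def requestBool(ap: AttachedPolicy, actions: Seq[Action], today: LocalDate): Boolean =
    actions.forall(a => ap.policies.exists(p => live(p, today) && p.action == a))
  // RequestBoolPolicyToResource (simplified): the live policy must also list every target resource.
  def requestBoolToResource(ap: AttachedPolicy, actions: Seq[Action],
                            resources: Seq[Resource], today: LocalDate): Boolean =
    actions.forall(a => ap.policies.exists(p =>
      live(p, today) && p.action == a && resources.forall(r => p.resources.contains(r))))
  // RequestPolicy: Unit on success, Left on denial, so callers need no case analysis of a Boolean.
  def request(ap: AttachedPolicy, actions: Seq[Action], today: LocalDate): Either[String, Unit] =
    if (requestBool(ap, actions, today)) Right(()) else Left("denied: " + actions.map(_.encoded).mkString(","))
  // The Reason-driven batch from section 3: drop trial-derived policies without consulting other contexts.
  def removeTrial(ap: AttachedPolicy): AttachedPolicy = ap.copy(policies = ap.policies.filterNot(_.reason == Trial))
}

object Example {
  val today = LocalDate.of(2020, 7, 29)                       // constructed sample date
  val okawari = Action("Plan", "Okawari"); val campaign = Action("Campaign", "hoge")
  val toeic = Action("Course", "TOEIC"); val egs = Action("Course", "egs"); val biz = Action("Course", "Biz")
  val nekoze = AttachedPolicy(AccountId("nekoze", "Operator"), Seq(  // constructed sample principal
    Policy(okawari, Contract, Nil, LocalDate.of(2021, 1, 1)),
    Policy(campaign, Contract, Nil, LocalDate.of(2020, 12, 31)),
    Policy(toeic, Trial, Nil, LocalDate.of(2020, 6, 30)),           // expired trial: ignored by live()
    Policy(biz, Contract, Seq(Resource("report-7")), LocalDate.of(2021, 6, 30))))
  // Slide ③'s requirement as && / || over requestBool results; the operands can be reordered freely.
  def eligible(ap: AttachedPolicy): Boolean =
    Authz.requestBool(ap, Seq(okawari, campaign), today) &&
      (Authz.requestBool(ap, Seq(toeic), today) || Authz.requestBool(ap, Seq(egs), today) ||
        Authz.requestBoolToResource(ap, Seq(biz), Seq(Resource("report-7")), today))
  def main(args: Array[String]): Unit = {
    println(eligible(nekoze))                              // the live Biz contract satisfies the || branch
    println(Authz.request(nekoze, Seq(toeic), today))      // the expired trial comes back as a Left, not a throw
    println(Authz.removeTrial(nekoze).policies.size)       // policies left after the Reason-based batch
  }
}
```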
5. Summary
• Without separating authentication and authorization, you suffer when implementing complex requirements • ABAC is adopted as the authorization scheme • Authz adopts the semiring structure (not encoded at the type level) • enforce will be implemented in the domainService using request/requestBool •
There are also cases where the front end wants to handle things by permission, so I'd like to discuss what shape to return them in (we could keep adding things like isAnalysis=true indefinitely, or just return the result of showPolicy as-is) • This article is excellent, so it is worth reading • https://kenfdev.hateblo.jp/entry/2020/01/13/115032
The end