Authz
ma2k8
July 29, 2020
For an internal study session
Transcript
AuthZ
Agenda
1. The difference between AuthZ and AuthN
2. Types of authorization
3. The AuthzIO data structure
4. AuthzIO commands
5. Summary
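1. The difference between AuthZ and AuthN

Basic premise: authentication (AuthN) and authorization (AuthZ) look alike but are different concepts.

Authentication (AutheNtication): identify "who" the subject is.

Authorization (AuthoriZation): control whether a given action on a given resource is allowed or denied.

We humans also authenticate other people using all kinds of information such as sight, hearing and smell. And we authorize behavior depending on "who" the authenticated person is. (Right?)

Note: if a stranger (authentication error) suddenly starts talking to you (authorization error), you get startled.

With simple requirements, authentication and authorization tend to be conflated.

Once you know who someone is, is it self-evident what to authorize?

The answer to this question is true if there is no need for "delegation", and false if there is.

Simple authentication/authorization
User: 猫背マン (Nekoze-man). A very simple system.
① Authentication request (ID/Pass)
② Confirm that it is Nekoze-man
③ Actions authorized for Nekoze-man can be executed

Thinking about the implementation
• Authentication
• On successful login, return a token
• Each API allows the subsequent processing if the token is valid
• What if authorization were implemented here?
• Actions to be allowed per (user|role) are tied to an operator ID or role ID, stored as a whitelist/blacklist, and used as a precondition of the API's processing

Authentication/authorization with delegation
User: Nekoze-man. Any executor, such as a bot. API key. A very complex system.
① Issue a key to which read permission has been delegated
② Use the key to execute the delegated action. The key is authenticated, but whether the executor is Nekoze-man or not, that is, who the executor is, is not authenticated.

Thinking about the implementation
• Authentication
• If a user creates an API key and hands it over, they can delegate their own permissions without sharing their ID/Pass
• The API key is authenticated (we do this with firebase)
• An API key is like a train ticket. The person who bought the ticket is not checked, but the ticket is
• Authorization
• Can you picture how implementing authorization tied to the user or role described earlier leads to a low-cohesion implementation...
• With the earlier implementation, you only want to check the ticket, but you end up tracing back to the ticket's issuer.

API keys were used as the example, but if this is built properly it can be reused in many places, such as the tokens used in invite links. (Whether we do so is another matter.) It avoids implementing the same kind of processing independently in many places.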
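2. Types of authorization

ACL (Access Control List)
▪ What is it?
□ An access list
□ The simple kind: you are OK if your name is registered
▪ Pros
□ Simple
▪ Cons
□ Too simple for fine-grained control

RBAC (Role-Based Access Control)
▪ What is it?
□ The kind where roles are assigned
▪ Pros
□ Easy to match to the domain language
□ Allows finer control than ACL
▪ Cons
□ Role explosion: role A in context A, role B in context B, and so on. Once you want complex or even finer control, the roles multiply until the model breaks down (you only want to add ActionA to RoleA, yet you create a new role...)
□ Too tightly bound to roles: it is hard to grant permissions flexibly based on temporary permissions, user attributes, actions and so on (because roles must be prepared in advance)

ABAC (Attribute-Based Access Control)
▪ What is it?
□ The kind where the actions and attributes to allow/deny are assigned
▪ Pros
□ More flexible and finer control than RBAC
▪ Cons
□ Hard to implement

AuthzIO is ABAC.
Note: it is narrowed down to the Action attribute.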
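3. The AuthZIO data structure

Components
AttachedPolicy
├ AccountId
└ Seq[Policy]
   ├ Action
   ├ PermissionReason
   ├ Seq[Resource]
   └ ExpirationDate

AttachedPolicy
• The aggregate of the Authz context, holding an AccountId plus the list of policies assigned to the account
• It consists of AccountID + AccountType, so principals such as Operator and API Key can be handled with the same type, and permissions can be managed centrally in the same data structure

Policy
• The basic unit of a permission
• Composed of Action + PermissionReason + Seq[Resource] + ExpirationDate

Action
• As the name says, an action
• Defined as an ADT; when encoded to a String it takes the following form (this is what goes into the DB)
• s"${サービス名}:${Action内容}" (service name, then the action content)
• Something like "Dashboard:AnalysisViewer"
• The unit of a service may be made the context

ExpirationDate
• The expiry of the permission
• If permissions are deleted periodically, for example by a batch that checks billing information, things get messy, so permissions whose expiry has passed are made to disappear naturally as part of their lifecycle

Resource
• The target of an action
• Not used for actions performed without specifying a Resource
• Currently, when an expiry is needed per Resource, two policies are created (to keep the processing simple)

PermissionReason
• The reason (origin) a permission was granted
• Examples:
• A contract was concluded through CloudSign
• Granted manually and temporarily
• Granted for a limited period as a trial
• This is arguably information that is good to have specifically in a system that has decided to split modules per context
• This information is essential for raising cohesion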
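Digging a little deeper into PermissionReason

When executing a grant/revoke of permissions across contexts, the context that initiates the operation only needs to know the Reason, so the implementation becomes very simple.

As an example, consider a process that deletes a certain trial permission.

The pattern without PermissionReason
(Diagram: the Authz periodic batch, AuthN-API, Authz-DB, other contexts, external APIs)
① Check whether the trial state is still valid
② Check the possibility that the permission was granted by some means other than the trial
③ Delete the permission

What is the origin of the permission you want to process? In a simple system, "just look at the source data" is enough, but as the system gets complex the number of places to look up grows and it becomes quite hard.

The pattern with PermissionReason
(Diagram: the Authz periodic batch, Authz-DB)
① Delete the permissions whose Reason is trial

Other points

Mismatch between permissions and the reasons they were granted
• When there is duplicate billing, in many cases the user needs to be notified
• There are also many cases where duplicate permissions are not a problem (for example, it is fine if a trial and the full contract overlap)
• Duplicate permissions are managed with the Authz Reason, and duplicate billing is managed in Payment. If you are not doing authorization, or there is no Reason, this distinction is hard to make
• There is admittedly some convenience in not being aware of this:
• Example of the convenience of not being aware of it
• Cases where you just want to delete permissions crudely
• (Requirement: raise an error only when the account is billed through multiple means. For trial + one billing method, delete both. For trial only, or one billing method only, delete.)
• As in this case, you cannot delete crudely in the end, so you either become aware of it or give up on the error case.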
4. AuthZIO commands

That's all there is
• Read/update (Show/Add/Remove)
• Request (with/without a Resource specified)

Code

sealed abstract class AuthzIO[A] {}

// support
case class ShowPolicy(principal: AccountId) extends AuthzIO[AttachedPolicy]

// manage
case class AddPolicy(principal: AccountId, policy: Policy) extends AuthzIO[AttachedPolicy]
case class AddPolicies(principal: AccountId, policies: Seq[Policy]) extends AuthzIO[AttachedPolicy]
case class RemovePolicy(principal: AccountId, policy: Policy) extends AuthzIO[AttachedPolicy]
case class RemovePolicies(principal: AccountId, policies: Seq[Policy]) extends AuthzIO[AttachedPolicy]

// request
case class RequestPolicy(principal: AccountId, actionSeq: Seq[Action]) extends AuthzIO[Unit]
case class RequestPolicyToResource(
  principal: AccountId,
  principalActionSeq: Seq[Action],  // for every action specified,
  resourceSeq: Seq[Resource],       // NG unless the target resource is permitted
  resourceAllowedActionSeq: Seq[Action]
) extends AuthzIO[Unit]

// requestBool
case class RequestBoolPolicy(principal: AccountId, actionSeq: Seq[Action]) extends AuthzIO[Boolean]
case class RequestBoolPolicyToResource(
  principal: AccountId,
  principalActionSeq: Seq[Action],  // for every action specified,
  resourceSeq: Seq[Resource],       // NG unless the target resource is permitted
  resourceAllowedActionSeq: Seq[Action]
) extends AuthzIO[Boolean]
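Usage image ①
• You can run RequestBool for several patterns and combine the results
• requestBool returns a boolean, so it is fine to break the check into several results (it has the expressive power of a semiring (Bool))
• For details, see the following article
• https://www.slideshare.net/oarat/ss-55487535
• It is a set with addition and multiplication but no negative (minus) elements; in short, changing the order does not change the result. Understanding it at about that level is fine (sorry for the extremely rough explanation)
• Checking a Boolean every time is tedious in many cases, so request returns Unit, and on false it puts an Either.left into Eff and returns it. Use this when you do not need to combine results
• You can also pull the Policy with Show and do fine-grained processing in each context (not really an expected use)
• For enforce (filtering data), passing a Repository to AuthzIO so that the Interpreter could filter was also considered, but it became too abstract for how hard it was to use, and the uses it could cover looked likely to narrow. So the decision was that filtering in each context's DomainService based on the result of request is easier to understand and the better choice.

Usage image ②

Usage image ③
• In this way, however many elements to evaluate are added, they can be handled with || and && operations
• For example, a requirement like "grant the permission only to someone who is on their n-th Okawari (repeat) plan, has used campaign code hoge, and has previously subscribed to TOEIC, egs or Biz!" can be expressed simply (it is hard with a lattice)

Semirings and lattices
• For a lattice, picture Any <-> Nothing in Scala's types
• The start and end points are fixed, and a type belongs somewhere between them
• Expressing permissions with this structure requires turning every combination into a type, which explodes (currently EgsAndTOEIC, EgsAndBiz, EgsAndPersonalCoach and so on are handled somewhat like bit operations, which is a little better, but giving each of these its own type is tough)
• For a semiring, picture Boolean (it is homomorphic to Boolean. Bool)
• Changing the order of evaluation does not change the result
• A set with the two operations sum and product that satisfies the commutative, associative and distributive laws
• A = (true && false) => false
• B = (false || true) => true
• C = A && B = false
• The point is something like: however you swap the true and false that appear in A and B, the result of C does not change (sorry for the extremely rough explanation)
• Permissions need to take many different elements into account, so this structure works well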
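The policy model, the trial-removal batch and the `requestBool` composition described in the slides above, as an added sketch that is not code from the deck or from AuthzIO itself. The names `Contract`/`Manual`/`Trial`, `requestBool`, `removeByReason`, the string `accountId` and all sample values are assumptions made for illustration.

```scala
import java.time.Instant

// Hypothetical names throughout; the deck only lists the fields of Policy.
sealed trait PermissionReason
case object Contract extends PermissionReason
case object Manual extends PermissionReason
case object Trial extends PermissionReason

final case class Action(service: String, name: String) {
  def encoded: String = s"$service:$name" // the DB form, e.g. "Dashboard:AnalysisViewer"
}
final case class Policy(action: Action, reason: PermissionReason,
                        resources: Seq[String], expiresAt: Instant)

final case class AttachedPolicy(accountId: String, policies: Seq[Policy]) {
  // Expired policies are skipped at evaluation time instead of being deleted by a batch.
  private def live(now: Instant): Seq[Policy] = policies.filter(_.expiresAt.isAfter(now))

  // Counterpart of RequestBoolPolicy: every requested action needs a live policy.
  def requestBool(actions: Seq[Action], now: Instant): Boolean =
    actions.forall(a => live(now).exists(_.action == a))

  // The trial batch with a Reason: remove trial grants only, leave other grants alone.
  def removeByReason(reason: PermissionReason): AttachedPolicy =
    copy(policies = policies.filterNot(_.reason == reason))
}

object AuthzExample {
  def main(args: Array[String]): Unit = {
    // Constructed sample data.
    val now = Instant.parse("2020-07-29T00:00:00Z")
    val viewer = Action("Dashboard", "AnalysisViewer")
    val editor = Action("Dashboard", "AnalysisEditor")
    val account = AttachedPolicy("operator-1", Seq(
      Policy(viewer, Trial, Nil, Instant.parse("2020-08-31T00:00:00Z")),
      Policy(viewer, Contract, Nil, Instant.parse("2021-07-01T00:00:00Z")),
      Policy(editor, Trial, Nil, Instant.parse("2020-07-01T00:00:00Z")) // already expired
    ))

    val canView = account.requestBool(Seq(viewer), now)
    val canEdit = account.requestBool(Seq(editor), now)
    println(s"${viewer.encoded} allowed: $canView")
    println(s"${editor.encoded} allowed: $canEdit")
    println(s"view || edit: ${canView || canEdit}, view && edit: ${canView && canEdit}")

    // Trial ends: the contract-based grant of the same action survives.
    val afterTrial = account.removeByReason(Trial)
    println(s"view after trial removal: ${afterTrial.requestBool(Seq(viewer), now)}")
  }
}
```

Because the trial and contract grants are separate policies distinguished only by their reason, the batch never has to consult another context to decide whether removing the trial would strip a paid permission.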
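5. Summary

• If authentication and authorization are not separated, implementing complex requirements is painful
• ABAC is adopted as the authorization model
• Authz adopts the semiring structure (it is not encoded at the type level)
• enforce will be implemented in the domainService using request/requestBool
• There are cases where the front end also wants to handle things by permission, so I would like to discuss what form to return them in (we could keep adding things like isAnalysis=true indefinitely, or just pass along the result obtained from showPolicy as is)
• This article is excellent and worth reading
• https://kenfdev.hateblo.jp/entry/2020/01/13/115032

The end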