
Authz

ma2k8
July 29, 2020

For an internal study group.


Transcript

  1. AuthZ

  2. Agenda
     1. The difference between AuthZ and AuthN
     2. Kinds of authorization
     3. The AuthzIO data structure
     4. The AuthzIO commands
     5. Summary

  3. 1. The difference between AuthZ and AuthN

  4. Basic premise: authentication (AuthN) and authorization (AuthZ) look alike but are different concepts.

  5. Authentication (AutheNtication): determines "who" the subject is.

  6. Authorization (AuthoriZation): controls whether an arbitrary action on an arbitrary resource is allowed or denied.

  7. We humans also authenticate other people using all kinds of information (sight, hearing, smell, ...), and then authorize their behaviour based on "who" the authenticated person is. (Right?)

  8. Note: if a stranger (authentication error) suddenly talks to you (authorization error), you get startled.

  9. With simple requirements, authentication and authorization tend to get conflated.

  10. Once you know who someone is, is what to authorize self-evident?

  11. That question is answered "yes" if there is no need for delegation, and "no" if there is.

  12. Simple authentication/authorization: ① authentication request (ID/password) ② confirm that the caller is the user ③ the user can run the actions authorized for them. An extremely simple system.

  13. Thinking about the implementation
     • Authentication
       • return a token on successful login
       • each API allows the subsequent processing if the token is valid
     • What if we implement authorization here?
       • the actions to allow per (user|role) are stored as a whitelist/blacklist keyed by operator ID or role ID and used as a precondition of each API's processing

  14. Authentication/authorization with delegation: ① the user issues a key delegating their view permission to an arbitrary executor such as a bot (an API key) ② the key is used to run the delegated action. The key itself is authenticated, but no authentication of whether the executor is the user, or of who the executor is, takes place. An extremely complex system.

  15. Thinking about the implementation
     • Authentication
       • a user can create an API key and hand it over, delegating the permissions they hold without sharing their own ID/password
       • the API key is authenticated (we do this with Firebase)
       • an API key is like a train ticket: nobody checks who bought the ticket, but the ticket itself is checked
     • Authorization
       • can you picture how low the cohesion becomes if authorization is implemented against users and roles as above ...
       • with that implementation we only want to check the ticket, yet we end up tracing back to whoever issued it.

  16. API keys were the example, but built properly this can be reused in many places, e.g. the tokens used in invite links (whether we do so is another matter). The same kind of processing no longer has to be reimplemented independently all over the place.

  17. 2. Kinds of authorization

  18. ACL (Access Control List)
     ▪ What is it?
       □ an access list
       □ a simple scheme: if the name is registered, you're in
     ▪ Pros
       □ simple
     ▪ Cons
       □ too simple for fine-grained control

  19. RBAC (Role-Based Access Control)
     ▪ What is it?
       □ assigns roles
     ▪ Pros
       □ easy to match to the domain language
       □ finer-grained control than ACL
     ▪ Cons
       □ Role explosion: role A in context A, role B in context B, and so on; as complexity grows or finer control is wanted, the roles multiply until the scheme collapses (you only wanted to add ActionA to RoleA, yet you end up creating a new role, etc.)
       □ Too bound to roles: temporary permissions, or granting flexibly based on user attributes or actions, is hard (roles have to be prepared in advance)

  20. ABAC (Attribute-Based Access Control)
     ▪ What is it?
       □ assigns the actions and attributes to allow/deny
     ▪ Pros
       □ more flexible and finer-grained control than RBAC
     ▪ Cons
       □ hard to implement

  21. AuthzIO is ABAC (restricted to the Action attribute).

  22. 3. The AuthZIO data structure

  23. Components
     AttachedPolicy
     ├ AccountId
     └ Seq[Policy]
        ├ Action
        ├ PermissionReason
        ├ Seq[Resource]
        └ ExpirationDate

  24. AttachedPolicy
     • the aggregate of the Authz context: an AccountId plus the list of policies assigned to that Account
     • an Account consists of an ID + AccountType, so principals such as Operator and API Key are handled with the same type and their permissions are managed centrally in the same data structure

  25. Policy
     • the basic unit of permission
     • made up of Action + PermissionReason + Seq[Resource] + ExpirationDate

  26. Action
     • an action, as the name says
     • defined as an ADT; encoded to a String it takes the form below (and that is also what goes into the DB)
     • s"${service name}:${action}"
     • e.g. "Dashboard:AnalysisViewer"
     • the service unit may become the context instead

  27. ExpirationDate
     • the permission's expiry
     • deleting permissions periodically from a batch after checking billing information and the like gets messy, so expired permissions should disappear naturally within their lifecycle

  28. Resource
     • the target of the action
     • not used for actions that run without a resource being specified
     • currently, when a separate expiry per resource is needed, two policies are created (to keep the processing simple)

  29. PermissionReason
     • why (from where) the permission was granted
     • examples:
       • a contract was concluded via CloudSign
       • granted temporarily by hand
       • granted for a limited period as a trial, etc.
     • this is arguably information specific to a system that has decided to split modules per context, and good to have
     • it is essential for raising cohesion

  30. Digging a little deeper into PermissionReason

  31. When a grant/revocation that crosses contexts is executed, the originating context only needs to know the Reason, which makes the implementation very simple.

  32. As an example, consider the processing that deletes a certain trial permission.

  33. Authz periodic batch, the pattern without PermissionReason (AuthN-API, Authz-DB, other contexts and external APIs): ① check whether the trial state is still valid ② check whether the permission may have been granted by some means other than the trial ③ delete the permission.

  34. In a simple system, "just look at the source data" is enough to tell where a permission came from, but as the system grows complex the places to consult multiply and it becomes a real burden.

  35. Authz periodic batch, the pattern with PermissionReason (Authz-DB): ① delete the permissions whose Reason is the trial.

  36. There's more

  37. Mismatch between permissions and the reasons they were granted
     • duplicate billing is usually a problem, so the user has to be notified
     • duplicate permissions are often fine (a trial overlapping a real contract is no big deal)
     • duplicate permissions are managed by the Authz Reason, duplicate billing by Payment. Without authorization split out, or without a Reason, this distinction is hard to make
     • there is some convenience in not being conscious of this, though
       • example of that convenience: cases where you just want to remove permissions crudely
       • e.g. a requirement like: error only when billed through several means; with a trial + one billing means, remove both; with only a trial or only one billing means, remove it as well
     • as that shows, in the end permissions cannot be removed crudely, so either you stay conscious of the distinction or you drop the error cases.
  38. 4. The AuthZIO commands

  39. Only these
     • show/update (Show/Add/Remove)
     • Request (with/without a Resource)

  40. Code

     sealed abstract class AuthzIO[A] {}

     // support
     case class ShowPolicy(principal: AccountId) extends AuthzIO[AttachedPolicy]

     // manage
     case class AddPolicy(principal: AccountId, policy: Policy) extends AuthzIO[AttachedPolicy]
     case class AddPolicies(principal: AccountId, policies: Seq[Policy]) extends AuthzIO[AttachedPolicy]
     case class RemovePolicy(principal: AccountId, policy: Policy) extends AuthzIO[AttachedPolicy]
     case class RemovePolicies(principal: AccountId, policies: Seq[Policy]) extends AuthzIO[AttachedPolicy]

     // request
     case class RequestPolicy(principal: AccountId, actionSeq: Seq[Action]) extends AuthzIO[Unit]
     case class RequestPolicyToResource(
       principal: AccountId,
       principalActionSeq: Seq[Action],      // for every action specified,
       resourceSeq: Seq[Resource],           // NG unless the target resource is allowed
       resourceAllowedActionSeq: Seq[Action]
     ) extends AuthzIO[Unit]

     // requestBool
     case class RequestBoolPolicy(principal: AccountId, actionSeq: Seq[Action]) extends AuthzIO[Boolean]
     case class RequestBoolPolicyToResource(
       principal: AccountId,
       principalActionSeq: Seq[Action],      // for every action specified,
       resourceSeq: Seq[Resource],           // NG unless the target resource is allowed
       resourceAllowedActionSeq: Seq[Action]
     ) extends AuthzIO[Boolean]

  41. Usage image ①
     • several RequestBool patterns can be run and their results composed
     • since requestBool returns a boolean, several results can be broken down and checked individually (it has the expressive power of a semiring; Boolean algebra is a semiring)
     • see the article at https://www.slideshare.net/oarat/ss-55487535 for details
     • a semiring is a set with addition and multiplication but no negatives (no minus), which roughly means the result does not change when the order changes; best grasped by that meaning (sorry for the crude summary)
     • request returns Unit, since checking Booleans one by one is often a hassle, and on false it pushes an Either.left into Eff for you, so use it when the results do not need composing
     • pulling the Policy via Show and doing fine-grained processing in each context is also possible (not really expected)
     • for enforce (filtering data etc.) I considered handing a Repository to AuthzIO and filtering in the Interpreter, but the abstraction got too high for how awkward it was to use and the range of uses it could cover looked narrow, so I decided the straightforward way is to filter in each context's DomainService based on the result of request.
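An in-memory interpreter for the commands above, added here as an example and not AuthzIO's own code: it ties the data structure of section 3 (expiry, resources, PermissionReason) to the request commands and to the reason-based trial cleanup from slide 35. It assumes a plain Either in place of the Eff-based request and omits the resourceAllowedActionSeq parameter; the account, action and resource values are constructed samples.

```scala
import java.time.Instant

// Constructed model mirroring the slides' AttachedPolicy / Policy layout (not AuthzIO's real code).
final case class AccountId(id: String, accountType: String) // Operator, API key, ...
final case class Action(service: String, name: String) { def encoded: String = s"$service:$name" }
final case class Resource(id: String)
sealed trait PermissionReason
case object Contract extends PermissionReason // e.g. a contract concluded via CloudSign
case object Trial    extends PermissionReason // time-limited trial grant
final case class Policy(action: Action, reason: PermissionReason, resources: Seq[Resource], expiration: Option[Instant])
final case class AttachedPolicy(principal: AccountId, policies: Seq[Policy]) {
  // Expired policies simply stop matching (no batch needed); a policy with no resources is account-wide.
  def live(now: Instant): Seq[Policy] = policies.filter(_.expiration.forall(_.isAfter(now)))
  def allows(action: Action, target: Option[Resource], now: Instant): Boolean =
    live(now).exists(p => p.action == action && (p.resources.isEmpty || target.exists(t => p.resources.contains(t))))
}
sealed trait AuthzIO[A]
final case class AddPolicy(principal: AccountId, policy: Policy) extends AuthzIO[AttachedPolicy]
final case class RemovePolicies(principal: AccountId, policies: Seq[Policy]) extends AuthzIO[AttachedPolicy]
final case class RequestPolicy(principal: AccountId, actions: Seq[Action]) extends AuthzIO[Either[String, Unit]]
final case class RequestBoolPolicyToResource(principal: AccountId, actions: Seq[Action], resources: Seq[Resource]) extends AuthzIO[Boolean]

final class Interpreter(now: Instant) { // in-memory stand-in for the Eff interpreter on the slides
  private var store = Map.empty[AccountId, AttachedPolicy]
  private def attached(p: AccountId): AttachedPolicy = store.getOrElse(p, AttachedPolicy(p, Nil))
  private def save(ap: AttachedPolicy): AttachedPolicy = { store += ap.principal -> ap; ap }
  def run[A](cmd: AuthzIO[A]): A = cmd match {
    case AddPolicy(p, pol)       => save(attached(p).copy(policies = attached(p).policies :+ pol))
    case RemovePolicies(p, pols) => save(attached(p).copy(policies = attached(p).policies.filterNot(pols.contains(_))))
    case RequestPolicy(p, actions) => // Right(()) when every action is held, Left on the first missing one
      actions.find(a => !attached(p).allows(a, None, now)) match {
        case Some(a) => Left(s"${a.encoded} is not granted to ${p.id}")
        case None    => Right(())
      }
    case RequestBoolPolicyToResource(p, actions, resources) => // NG unless every action is allowed on every resource
      actions.forall(a => resources.forall(r => attached(p).allows(a, Some(r), now)))
  }
  // The reason-based batch from the slides: remove trial grants only; grants with other reasons stay.
  def removeTrialPolicies(p: AccountId): AttachedPolicy =
    run(RemovePolicies(p, attached(p).policies.filter(_.reason == Trial)))
}

object Demo extends App {
  val now = Instant.parse("2020-07-29T00:00:00Z")
  val it  = new Interpreter(now)
  val user   = AccountId("user-1", "Operator")          // constructed sample principal
  val viewer = Action("Dashboard", "AnalysisViewer")
  it.run(AddPolicy(user, Policy(viewer, Trial, Nil, Some(now.plusSeconds(3600)))))
  it.run(AddPolicy(user, Policy(viewer, Contract, Seq(Resource("team-42")), None)))
  println(it.run(RequestPolicy(user, Seq(viewer))))   // Right(()) while the account-wide trial grant is live
  it.removeTrialPolicies(user)                         // the contract grant for team-42 survives
  println(it.run(RequestPolicy(user, Seq(viewer))))   // Left(...): the remaining grant is resource-scoped
  println(it.run(RequestBoolPolicyToResource(user, Seq(viewer), Seq(Resource("team-42"))))) // true
}
```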
  42. Usage image ②

  43. Usage image ③
     • as shown, however many more factors there are to evaluate, they can be handled with || and && operations
     • for example, a requirement like "grant the permission only to someone on their n-th okawari plan who has also used campaign code hoge and has previously been on TOEIC, egs or Biz" can be expressed simply (with a lattice it gets nasty)

  44. Semirings and lattices
     • a lattice: think of Scala's types between Any <-> Nothing
     • the start and end points are fixed, and every type belongs somewhere in between
     • expressing permissions with this structure means every combination has to become a type, and it explodes (at the moment EgsAndTOEIC, EgsAndBiz, EgsAndPersonalCoach and so on are handled bit-operation style, which is a bit better, but giving each one its own type would be rough)
     • a semiring: think of Boolean (it is homomorphic to Boolean: the Boolean ring)
     • changing the evaluation order does not change the result
     • a set with two operations, sum and product, satisfying the commutative, associative and distributive laws
     • A = (true && false) => false
     • B = (false || true) => true
     • C = A && B = false
     • what I mean is that however you rearrange the true/false operands appearing in A and B, the result C does not change (sorry for the crude summary)
     • permissions have to take many factors into account, which is why this structure works so well

  45. 5. Summary

  46. • unless authentication and authorization are separated, implementing complex requirements is painful
     • ABAC is adopted as the authorization scheme
     • Authz adopts the semiring structure (not encoded at the type level)
     • enforce is implemented in the domainService using request/requestBool
     • there are cases where the front end also wants to handle things by permission, so I'd like to discuss what shape to return (we could keep adding flags like isAnalysis=true forever, or just pass through the result of showPolicy as is)
     • this article is excellent, worth reading
     • https://kenfdev.hateblo.jp/entry/2020/01/13/115032

  47. The end