AuthzCtx - Alp社内共有会 (AuthzCtx, Alp internal sharing session)
ma2k8
April 22, 2022
Prepared for the Alp internal sharing session.
Transcript
(The Japanese slide text was mis-encoded during extraction; only the English terms, identifiers, code and URLs that survived are kept below, slide by slide.)

Slide 1: Authz, 2022/04/22, MACHU

Slide 2: Agenda (topics include the v1 authorization base, Scope, the front end, and SAT)

Slide 4: Authorization touches Operator, System, Token, each Ctx, Adpt, UseCase, Domain etc.

Slide 5: Layer diagram: Presenter / Controller / Repository (DB etc.) / UseCase / Domain, with an authorization concern at each layer: Masking item; Execute endpoint; Filter resource, read/write authorization; Execute UseCase; Ramification domainLogic; Execute domainLogic.

Slide 6: The same layer diagram repeated for Ctx-A, Ctx-B and Ctx-C.

Slide 7: The same layer diagram and its authorization concerns.

Slide 8: Inline permission checks such as

    if (Operator.policy.find(_ == CanWriteContract)) ~

grow into expressions like

    if ((Operator.policy.exists(_ == AllAllow) || Operator.policy.exists(_ == CanWriteContract)) && Operator.policy.exists(_ != AllDeny))

and end up scattered across the code base, reaching the front end as well.

Slides 9-10: Recap of what the v1 authorization base covered.

Slide 11: Operator, System, Token, each Ctx, UseCase, Domain etc.; the authorization subject is abstracted via PrincipalId.

Slide 12: AuthzCtx was split out and the authorization-related models were placed in a lib.

Slide 13: Effect abstraction with Eff; AuthzCtx covers Support, Manage, Decide and Enforce.

Slide 14: Support, Manage, Decide and Enforce, following the 'XACML Reference Architecture'. In Scalebase, Decide and Manage are enclosed in AuthzCtx and the operation commands are abstracted as effects via AuthzIO; Enforce and Support return Boolean so that each Ctx can combine the result with its own decision; a pattern that goes through SupportAuthzCtx also exists.

Slide 15: See https://speakerdeck.com/ma2k8/authz

Slides 16-17: What v1 could not do.

Slide 18: v1 coverage, shown over the layer diagram (Presenter / Controller / Repository (DB etc.) / UseCase / Domain; Masking item; Execute endpoint; Filter resource, read/write authorization; Execute UseCase; Ramification domainLogic; Execute domainLogic).

Slide 19: v2 (in progress) coverage over the same layer diagram; Presenter can also be put into Eff.

Slide 20: Difference: Execute endpoint, read/write authorization, Execute UseCase.

Slide 21: Local permission decisions become voluminous:

    for {
      hasViewerPermission <- AuthzIO.requestBoolPolicy[R](
        ActionComposing.Literal(
          principalId = operatorId.toPrincipalId,
          action = DashboardAnalysisView,
          resourceIds = Nil
        )
      )
      hasExplorerPermission <- AuthzIO.requestBoolPolicy[R](
        ActionComposing.Literal(
          principalId = operatorId.toPrincipalId,
          action = DashboardAnalysisExplore,
          resourceIds = Nil
        )
      )
      lookerRole <- fromPpError[R, LookerRole] {
        if (hasViewerPermission) Right(SimpleViewer)
        else if (hasExplorerPermission) Right(SimpleExplorer)
        else Left(PpError.UnauthorizedError())
      }
      …

Slides 22-28: The current requirement: a ReadOnly permission, applied broadly.

Slides 29-31: How Scope is granted, explained with Contract as the example, in 4 simple steps.

Slide 32: Step 1. Grant the Scope needed for Read/Write of Contract:

    implicit val scopeAllocator: ScopeAllocator[ContractId] =
      ScopeAllocator.allocate(
        readScope = List(Action.ContractRead),
        writeScope = List(Action.ContractWrite)
      )

The scopeAllocator is set on the ContractId and Contract companion objects in the domain.

Slide 33: Step 2. Wrap the return types in the ContractRepository signature:

    def findById[R: _authzio: _trantask](
      providerId: ProviderId,
      id: ContractId
    ): Eff[R, ReadAuthzScopeRepoFilter[Option[Contract]]]

    def store[R: _authzio: _trantask: _clockm: _ppErrorEither](
      entity: Contract
    ): Eff[R, WriteAuthzScope[Contract]]

Repository methods that use ReadScope are wrapped in ReadAuthzScopeRepoFilter, methods that use WriteScope in WriteAuthzScope. A scalafix rule that turns a Repository not conforming to this interface into a compile error is prepared.

Slide 34: Step 3. Wrap and return the values in ContractRepositoryImpl:

    // granting ReadScope: A => ReadAuthzScopeRepoFilter[A]
    yield ReadAuthzScopeRepoFilter(maybe)

    // granting WriteScope: A => Eff[R, WriteAuthzScope[A]]
    contract <- fromPpError(stored.toRight(ResourceNotFoundError(resourceName = "contract", identifier = entity.id)))
    contractWithScope <- WriteAuthzScope(contract)

For Write, WriteAuthzScope.apply grants the scope when wrapping, so it is A => Eff[R, WriteAuthzScope[A]] and is applied inside the for comprehension. For Read, ReadAuthzScopeRepoFilter.filteredValue grants the scope when the value is taken out, so it is A => ReadAuthzScopeRepoFilter[A] and is applied in yield.

Slide 35: Step 4. Run in the PrimaryAdapter with runAuthz or runAll; if the required permission for the Scope is missing, the result is an authorization error. A BatchAdapter that should skip authorization uses runAuthzIOWithoutRequest or runAllWithoutAuthzIORequest.

Slides 36-37: This alone gives unified scope control.

Slides 38-39: Scope internals. Scope is represented as State and pushed onto the effect stack; when the type class that marks a scope as granted is applied, a ScopeAllocator is derived with implicitly and the Scope is accumulated in State.

Slide 40: Layer diagram with Set Scope A, Set Scope B, Set Scope C,D, Set Scope E, Set Scope F, accumulated into State[List[A,B,C,D,E,F], X]; using several Repositories yields a State with each one's required Scope set.

Slide 41: Principal is managed in PrincipalState. The HttpAdapter's OperatorExtractor, which extracts the OperatorId from the JWT token, sets the Principal (currently Operator only; a Token would set a TokenId the same way):

    _ <- AuthzIO.setPrincipal[R](operator.id.toPrincipalId)

Slide 42: The authorization check command is inserted at runAuthzIO time, so cross-cutting scope checks run once per execution.

Slide 43: The authorization Request command takes the PrincipalId and Scope from State, fetches the AttachedPolicy from AuthzCtx by PrincipalId, matches it against the Scope, and decides Allow/Deny; Rejection handling is included.

Slide 44: Authorization only needs attention when a domain model is added, and an omission there is caught as a compile error (scalafix).

Slides 45-46: Both forms are expressed: domain-logic branches that are part of the processing itself, and Scope that business objects need not be aware of.

Slides 47-51: Front-end interaction: the differing motivations of FE and BE authorization (BE: hard enforcement; FE: disabling components based on the BE's authorization information, where a BE authorization error is the fallback), and why using fine-grained BE authorization attributes directly in the FE would couple FE and BE tightly.

Slides 52-54: SAT (Scalebase Authorization target): the Scalebase version of IAM; it expresses a routeName that corresponds 1-1 with an endpoint, plus principal information.

Slides 55-56: How SAT is built: when adding an endpoint, define the RPC (previously only request and response were defined); the rpc shares the BE route list with the FE and is used when building the SAT on the BE side.

Slide 57: Convert with SATConverter. The FE fetches the SAT tied to the operator via OperatorPolicyAPI and disables paths to functions without permission. Adding an endpoint requires touching the RPC protobuf and SATConverter; an omission results in a BE authorization error rather than a security risk.

Slides 58-60: Front-end side: wrap the component to control in Permission; Allowed/Denied Providers can be defined and checked in Storybook.
    https://www.notion.so/alpinc/ADR-1667a3385947474e926567413512cf91?p=252d0ed6f3634037b78b704e8ead87ba
    https://www.notion.so/alpinc/ADR-1667a3385947474e926567413512cf91?p=2c7e0b82c44646feb8f15ba6cc411a0e

Slides 61-64: Future work: make the ResourceId filter efficient by putting it into DaoEff so the resourceId goes into the SQL where clause; put the Presenter into Eff so Authz can be used seamlessly there (e.g. masking specific information); a permission management screen modelled on the AWS IAM editor.

Slides 65-68: Closing.