
Authentication for internal communication in microservices

pospome
August 22, 2019


Slides from the talk given at "Backend Engineer's meetup ~マイクロサービスにおける認証認可基盤~" (authentication and authorization platforms in microservices).
https://connpass.com/event/142624/


Transcript

  1. Authentication for internal communication in microservices
    @pospome

  2. Name: pospome
    Pronounced: posupome
    Twitter: @pospome
    Specialties:
      Application architecture
      Implementation patterns, DDD and the like are my strong points

  3. Merpay authentication platform team
    The team that develops and operates authentication and authorization for Mercari and Merpay

  4. I wrote a blog post about the authentication platform team
    https://www.pospome.work/entry/2019/06/12/125841

  5. Current situation
    - User account management and login processing are left to the respective teams.
    - We do not manage Mercari and Merpay employees (joining, leaving) or SSO into tools via Okta. We do not do what is usually called corporate IT.
    - On security matters we consult the security team as needed.
    - All other authentication and authorization is handled by the authentication platform team.

  6. What do we do concretely?
    - Provide authorization mechanisms such as OIDC to external parties.
    - Provide the authentication mechanism for internal communication between microservices.

  7. Today's talk is about this one
    - Provide authorization mechanisms such as OIDC to external parties.
    - Provide the authentication mechanism for internal communication between microservices.

  8. Current system architecture and request flow
    (Diagram labels: Mercari app, partner site, 3rd Party, Gateway, AuthorityService, XxxService, YyyService, Mercari API, 2nd Party)

  9. The authentication platform team develops and operates a microservice called AuthorityService, which provides:
    - Authorization mechanisms such as OIDC for external parties
    - The authentication mechanism for internal communication between microservices

  10. Request flows from clients fall broadly into two patterns
    (Diagram labels: Mercari app, partner site, 3rd Party, Gateway, AuthorityService, XxxService, YyyService, Mercari API, 2nd Party)

  11. 1. The pattern that uses the Mercari API
    (Diagram labels: Mercari app, partner site, 3rd Party, Gateway, AuthorityService, XxxService, YyyService, Mercari API, 2nd Party)

  12. 2. The pattern that uses microservices
    (Diagram labels: Mercari app, partner site, 3rd Party, Gateway, AuthorityService, XxxService, YyyService, Mercari API, 2nd Party)

  13. What exactly does AuthorityService do when it receives a request?
    (Diagram labels: Mercari app, partner site, 3rd Party, Gateway, AuthorityService, XxxService, YyyService, Mercari API, 2nd Party)

  14. What does AuthorityService do?
    1. Verify requests coming from outside
    2. Generate the internal-communication token used for internal communication

  15. What does AuthorityService do?
    1. Verify requests coming from outside
    2. Generate the internal-communication token used for internal communication

  16. - Roughly speaking, it verifies things like the access token the request carries.
    - Not every request can be verified by AuthorityService.
    - Requests it cannot verify are verified by a microservice that is able to verify them.
    - Requests that need no verification are not verified.
    - Each microservice receives an already-verified request.
    (Diagram labels: Gateway, AuthorityService, AaaService, BbbService, Mercari API, Mercari app, partner site, 3rd Party, 2nd Party)

  17. What does AuthorityService do?
    1. Verify requests coming from outside
    2. Generate the internal-communication token used for internal communication

  18. - After AuthorityService has verified the request from outside, it generates an internal-communication token and returns it to the Gateway.
    - The Gateway attaches the internal-communication token to the request and forwards it to each microservice.
    (Diagram labels: Gateway, AuthorityService, AaaService, BbbService, Mercari API, Mercari app, partner site, 3rd Party, 2nd Party, XxxService; "returns the internal-communication token"; "request with the internal-communication token attached")

  19. - Communication between microservices uses the internal-communication token.
    - The internal-communication token is a different token from the one used for requests coming from outside.
    - Each microservice verifies the internal-communication token.
    (Diagram labels: Mercari app, partner site, Gateway, AuthorityService, XxxService, YyyService, Mercari API, ZzzService, WwwService, 3rd Party, 2nd Party)

  20. This internal-communication token is what underpins communication between microservices

  21. One request, one token
    - AuthorityService generates one token per request.
    - Each microservice verifies the token carried in the request.

  22. The token each microservice verifies is the same one
    (Diagram labels: Mercari app, partner site, Gateway, AuthorityService, XxxService, YyyService, Mercari API, ZzzService, WwwService, 3rd Party, 2nd Party)

  23. The internal token is a JWT
    - Each microservice fetches the public key published by AuthorityService and uses it to verify the token.
    - Each microservice caches the public key, so it does not need to call AuthorityService in order to verify a token.
    - Arbitrary values can be carried in the token.

  24. We provide an SDK for the internal token
    - The SDK provided by the authentication platform team is Go only
    - There is no need to write the same logic in every microservice

  25. Features the internal-token SDK provides
    - A gRPC interceptor and HTTP middleware that verify the internal token
    - A mechanism for conveniently retrieving each claim of the internal token
    - A mechanism that starts a goroutine to fetch the public key periodically and cache it inside the SDK
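The token mechanism of slides 21 to 25, as an added example that is not code from the deck or from the Merpay SDK: an issuer standing in for AuthorityService mints one EdDSA-signed JWT per request, and a service holding only the cached public key verifies it without any call back to the issuer. The claim names (sub, internal_scope, iat, exp) and the choice of EdDSA are this example's assumptions; the deck only states that the token is a JWT that carries a SubjectID and internal scopes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried by the internal token. The claim names are this example's
// assumption; the deck only says the JWT holds a SubjectID and internal scopes.
type Claims struct {
	SubjectID     string   `json:"sub"`
	InternalScope []string `json:"internal_scope"`
	IssuedAt      int64    `json:"iat"`
	ExpiresAt     int64    `json:"exp"`
}

var (
	b64    = base64.RawURLEncoding
	header = b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
)

// Issuer stands in for AuthorityService: the private key never leaves it and
// it mints one token per request.
type Issuer struct{ priv ed25519.PrivateKey }

// NewIssuer generates a key pair and hands out the public half for distribution.
func NewIssuer() (*Issuer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Issuer{priv: priv}, pub, nil
}

// Issue builds a compact JWS (header.payload.signature) with alg EdDSA.
func (i *Issuer) Issue(c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := header + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(i.priv, []byte(input))), nil
}

// Verifier stands in for a microservice holding the cached public key, so
// verification never calls back to the issuer.
type Verifier struct{ Pub ed25519.PublicKey }

// Verify pins the header (and so the algorithm) to exactly what this issuer
// emits, checks the signature over header.payload, and only then decodes the
// claims and checks expiry.
func (v Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != header {
		return nil, errors.New("malformed token or unexpected header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(v.Pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return nil, err
	}
	if time.Now().Unix() >= c.ExpiresAt {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	iss, pub, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	tok, _ := iss.Issue(Claims{SubjectID: "mercari_app:100", InternalScope: []string{"user"}, IssuedAt: now, ExpiresAt: now + 60})
	c, err := Verifier{Pub: pub}.Verify(tok)
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

Pinning the whole encoded header to what the issuer emits is a deliberate simplification: the SDK in the deck only verifies tokens from its own AuthorityService, so there is no reason to accept any other alg, and rejecting the header before touching the signature removes the usual algorithm-confusion problem. The periodic key-refresh goroutine from slide 25 would swap the Pub field; the verification path stays the same.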

  26. SubjectID: one ID that can represent several kinds of ID
    - The internal token carries an ID called SubjectID.
    - We have several kinds of IDs, so this mechanism lets them all be handled in a single ID scheme.
    - A SubjectID is a string made up of a Type part and a Value part. ex. mercari_app:100, partner_site:aaa
    - Each microservice can validate requests based on the Type and Value.

  27. Access control between microservices
    - Communication between microservices is internal, but rather than trusting it completely, proper access control is still necessary.
    - For example, "in the payment use case, only TransactionService may be accessed".
    - This prevents unintended access caused by implementation or operational mistakes.

  28. What is an internal scope?
    - Think of it as the internal-communication version of the authorization scopes used in OIDC and the like.
    - A mechanism for controlling access between microservices.
    - The internal token carries internal scopes.

  29. Internal scopes are defined per resource held by each microservice.
    For example, if UserService holds a resource called User, an internal scope "user" is defined.
    As a result, accessing the User resource of UserService requires an internal token that holds the "user" internal scope.
    (Diagram labels: Mercari app, partner site, 3rd Party, Gateway, AuthorityService, UserService, Mercari API, internal_scope="user")

  30. At present, internal scopes are used only for requests from 3rd parties.
    The reason is that the access tokens issued to 3rd parties have authorization scopes bound to them.
    * The authorization scopes bound to access tokens issued to 3rd parties are called external scopes.
    (Diagram labels: Mercari app, partner site, 3rd Party, Gateway, AuthorityService, UserService, Mercari API, external_scope="user")

  31. External scopes can be set as internal scopes unchanged.
    (Diagram labels: Mercari app, partner site, 3rd Party, Gateway, AuthorityService, UserService, Mercari API, internal_scope="user", external_scope="user"; "the value of external_scope is set in the internal token as the internal scope")

  32. There are cases where the external scope and the internal scope do not match
    (Diagram labels: Mercari app, partner site, 3rd Party, Gateway, AuthorityService, TransactionService, Mercari API, external_scope="transaction", internal_scope="transaction", UserService, internal_scope="transaction")

  33. Every time an external client's authorization scopes grow, each microservice must also add to the scopes it accepts
    (Diagram labels: Mercari app, partner site, 3rd Party, Gateway, AuthorityService, ListingService, Mercari API, external_scope="listing", internal_scope="listing", UserService, internal_scope="listing", internal_scope="transaction", internal_scope="user")

  34. How it should be
    (Diagram labels: Mercari app, partner site, partner, Gateway, AuthorityService, TransactionService, Mercari API, external_scope="transaction", internal_scope="transaction", UserService, internal_scope="user")

  35. Why does this problem occur?
    External scopes → use-case based
    Internal scopes → resource based

  36. Solve it by managing, in AuthorityService, a table that maps the two kinds of scope to each other
    External scope   Internal scope
    user             user
    transaction      transaction,user
    listing          listing,user

  37. AuthorityService sets the internal scopes corresponding to external_scope="transaction", namely internal_scope="transaction" and "user", in the internal token.
    This lets the internal token access both TransactionService and UserService.
    (Diagram labels: Mercari app, partner site, 3rd Party, Gateway, AuthorityService, TransactionService, Mercari API, external_scope="transaction", internal_scope="transaction", UserService, internal_scope="user"; external_scope=transaction → internal_scope="transaction", "user")
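SubjectID parsing (slide 26) and the scope mapping of slides 27 to 37, as an added example that is not the deck's or the project's own code: the table carries the three rows from slide 36, InternalScopes resolves an access token's external scopes into internal scopes the way slide 37 describes for external_scope="transaction", and RequireScope is an HTTP middleware of the kind slide 25 mentions, guarding one resource scope. Treating an external scope with no table row as granting nothing is this example's assumption; the deck does not say how unmapped scopes are handled.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// Subject is the two-part SubjectID from the deck, e.g. "mercari_app:100".
type Subject struct{ Type, Value string }

// ParseSubjectID splits on the first ':' and rejects empty parts, so a service
// can validate on Type (which kind of caller) and Value (which one).
func ParseSubjectID(s string) (Subject, error) {
	parts := strings.SplitN(s, ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return Subject{}, errors.New("invalid SubjectID: " + s)
	}
	return Subject{Type: parts[0], Value: parts[1]}, nil
}

// scopeTable is the external-to-internal mapping the deck proposes keeping in
// AuthorityService, with the three rows shown on slide 36.
var scopeTable = map[string][]string{
	"user":        {"user"},
	"transaction": {"transaction", "user"},
	"listing":     {"listing", "user"},
}

// InternalScopes resolves the external (use-case) scopes of an access token
// into the internal (resource) scopes to place in the internal token. An
// external scope with no row yields nothing (assumption: deny by default), and
// duplicates such as "user" coming from two rows collapse to one.
func InternalScopes(external []string) []string {
	seen := map[string]bool{}
	for _, ext := range external {
		for _, in := range scopeTable[ext] {
			seen[in] = true
		}
	}
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

type scopesKey struct{}

// WithScopes is what the token-verifying interceptor would call once the
// internal token has been validated; ScopesFrom reads the scopes back.
func WithScopes(ctx context.Context, scopes []string) context.Context {
	return context.WithValue(ctx, scopesKey{}, scopes)
}

func ScopesFrom(ctx context.Context) []string {
	s, _ := ctx.Value(scopesKey{}).([]string)
	return s
}

// RequireScope guards one resource: the request reaches the handler only if
// the internal token carried the scope defined for that resource.
func RequireScope(resource string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, s := range ScopesFrom(r.Context()) {
			if s == resource {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "missing internal scope: "+resource, http.StatusForbidden)
	})
}

// Call simulates the gateway forwarding a request whose access token carried
// the given external scopes to a service guarding resource; it returns the
// HTTP status the service produced.
func Call(resource string, external []string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req = req.WithContext(WithScopes(req.Context(), InternalScopes(external)))
	rec := httptest.NewRecorder()
	RequireScope(resource, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	sub, _ := ParseSubjectID("partner_site:aaa")
	fmt.Printf("subject=%+v\n", sub)
	fmt.Println("transaction ->", InternalScopes([]string{"transaction"}))
	fmt.Println("UserService, external transaction:", Call("user", []string{"transaction"}))
	fmt.Println("ListingService, external transaction:", Call("listing", []string{"transaction"}))
}
```

With this shape, adding a new external scope is one new row in the table on the AuthorityService side; UserService keeps accepting only its own resource scope "user", which is the situation slide 34 calls "how it should be".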

  38. Other benefits of the internal-communication token
    - Microservices only have to handle one kind of token.
    - It prevents external clients from accessing microservices directly.
    - It guarantees that the request has been verified by AuthorityService.
    - It can be given a shorter lifetime than the access token held by the external client.

  39. You may have the impression that we have it all worked out, but there are still plenty of issues, so we will keep at it (´・ω・`)

  40. The end