サーバーレス化を支える認証認可の話

Transcript

1. αʔόʔϨεԽΛࢧ͑Δ
   ೝূೝՄͷ࿩ /3*ωοτίϜגࣜձࣾɹ ࠤʑ໦୓࿠  +"846(
   ͍ͨ͞·ࢧ෦ɹୈճษڧձ
   ʙ೥ॳΊ೔ຊͰҰ൪ૣ͍SF$BQ
   
   ৽೥ձʙ

2. ࠤʑ໦୓࿠
   ϫΠϯ޷͖ͳ"84ΤϯδχΞ
   CMPH
   IUUQCMPHUBLVSPTOFU
   UXJUUFS
   !ELGK ࣗݾ঺հ

3. ͪΐͬͱએ఻ "NB[PO
   8FC
   4FSWJDFT
   
   ۀ຿γεςϜઃܭɾҠߦΨΠυ
   
   Ұ൪େ੾ͳ஌ࣝͱٕज़͕਎ʹͭ͘
   
   
   IUUQBN[OUPNK0*B9 ೥݄೔ൃച։࢝ʂʂ

4. ΋͏̍ͭએ఻ "NB[PO
   8FC
   4FSWJDFT
   
   ύλʔϯผߏஙɾӡ༻ΨΠυ
   
   Ұ൪େ੾ͳ஌ࣝͱٕज़͕਎ʹͭ͘
   
   
   IUUQBN[OUP#-J:D0 "84ͷೋ൪໨ʹ෼ް͍ຊ
   ʢେ༰ྔϖʔδʣ

5. ·ͩ·ͩએ఻ "NB[PO
   8FC
   4FSWJDFT
   
   Ϋϥ΢υωΠςΟϒɾΞϓϦέʔγϣϯ։ൃٕ๏
   
   Ұ൪େ੾ͳ஌ࣝͱٕज़͕਎ʹͭ͘
   
   
   IUUQBN[OUP3ZZ-Z "84ͷΞϓϦຊ
   ʢେ༰ྔϖʔδʣ

6. αʔόϨεΞʔΩςΫνϟͰߏங͢Δࡍͷ
   ೝূೝՄɺΞΫηε੍ݶͷύλʔϯΛ
   Կͱͳ͘஌ͬͯ໯͍·͢ ࠓ೔ͷ໨త

7. αʔόϨεΞʔΩςΫνϟʁ ར༻Ͱ͖ΔਓΛ੍ݶ͍ͨ͠৔߹͸ʁ API Gateway Lambda DynamoDB ΫϥΠΞϯτ ϞόΠϧ CloudFront S3

   ίϯςϯπͷ औಘ ϩδοΫ WebαΠτΛαʔόϨεԽͨ͠ྫ

8. ೝূೝՄͱΞΫηε੍ݶ

9. ᶃ*% 1BTTXPSE౳ ར༻ऀ ᶄਖ਼౰ੑͷ֬ೝ ೝূہ ᶅຊਓੑͷอূ ᶆϦιʔεͷׂ౰ αʔϏε ೝূ
   ʢ"VUIFOUJDBUJPOʣ

   ೝՄ
   ʢ"VUIPSJ[BUJPOʣ ೝূͱೝՄ ࣮ࡍ͸ɺೝূೝՄ͕ηοτʹͳ͍ͬͯΔࣄ͕ଟ͍ ୭Ͱ͋Δ͔ʁ ୭͕୭ʹ
   ԿͷݖݶΛ༩͑Δ͔

10. "1*ͷੈքͰ͸ʁ τʔΫϯͷӡ༻ΛͲ͏͢Δ͔ɺ৭ʑͳઃܭํ๏͕͋Δ ೝূɾೝՄγεςϜ "1*܈ ར༻ऀ ᶃ*% 1BTTXPSE౳ ᶄΞΫηετʔΫϯ ᶅʙϦΫΤετ
    XJUI
    τʔΫϯ ॳճΞΫηεɿ*%

    1BTTXPSE
    ೋճ໨Ҏ߱ɹɿτʔΫϯ 㱺ೝূ࿈ܞʢϑΣσϨʔγϣϯʣ

11. *%࿈ܞٕज़ʢ0"VUI
    0QFO*% 4".-ʣ 0QFO*%
    ೝূͷϓϩτίϧ *EFOUJUZ
    "VUIFOUJDBUJPO
    
    0"VUI
    
    
    0QFO*%
    $POOFDU 0"VUIೝՄͷϓϩτίϧ اۀ಺ͷγεςϜؒ࿈ܞ͸ɺ
    

    4".-͕ଟ͍

12. ͪΌΜͱ஌Γ͍ͨਓ͸ɺ͜ΕΛಡΜͰ͍ͩ͘͞ IUUQTXXXTMJEFTIBSFOFUULVEPPBVUIPJEDBQJTFDVSJUZZV[BXBXT

13. ΞΫηε੍ݶ ΞΫηεݩ৘ใʹΑΔΞΫηε੍ݶ
    ɾ*1
    "EESFTT
    ɾϔομʔ৘ใʢϢʔβʔΤʔδΣϯτ౳ʣ
    ɾભҠݩʹΑΔ੍ݶʢϦϑΝϥʔʣ
    ɾFUD ϢʔβʔೝূʹΑΔΞΫηε੍ݶ
    ɾ*%ɺύεϫʔυ
    ɾτʔΫϯ
    ɾFUD

    ຊਓೝূͳ͠ͰɺϦιʔεͷར༻Λ੍ݶ͢Δ͜ͱ΋͋Δ

14. "84ͷ৔߹ͷ࣮ݱํ๏͸ʁ
    ·ͣ͸ɺ"1*
    (BUFXBZͱ$PHOJUPͷ
    ػೳ঺հ

15. $PHOJUP ೝূೝՄͷαʔϏεɻ
    "1*ͱ૬ੑͽͬͨΓ $PHOJUP
    6TFS
    1PPM
    Ϣʔβʔ؅ཧʢ%#ʣαʔϏε
    αΠϯΠϯɾαΠϯΞ΢τͳͲೝূΛ୲౰
    .'"΍ύεϫʔυϙϦγʔ౳ɺҰ௨Γͷػೳ͕ଗ͍ͬͯΔ
    $PHOJUP
    'FEFSBUFE
    *EFOUJUJFT
    ೝূ෦෼͸ɺ֎෦ϓϩόΠμʹҠৡɻೝՄͷαʔϏε
    ֎෦ϓϩόΠμͱͯ͠ɺ'BDFCPPL΍5XJUUFS౳͕ར༻Մೳ
    

    ೝূͨ͠ϢʔβʔʹҰ࣌తͳ"84ͷར༻ݖݶΛ෇༩
    "84
    454Λ؆୯ʹ࢖͑ΔΑ͏ʹͨ͠΋ͷ
    

16. *EFOUJUZ
    1SPWJEFST
    'BDFCPPL (PPHMF 5XJUUFS FUD ΫϥΠΞϯτ୺຤ *%
    1BTTXPSE τʔΫϯ

    $PHOJUP Ұ࣌తূ໌ͷ
    ෇༩ τʔΫϯ*% Ұ࣌త
    ར༻ݖݶ "84ͷ
    ֤छϦιʔε ݖݶʹԠͯ͡
    ར༻Մೳ ೝՄ ೝূ $PHOJUPͷಈ࡞Πϝʔδ

17. "1*
    (BUFXBZ 8FC
    "1*ͷ࡞੒ɾอޢɾӡ༻ͱ
    ެ։Λ؅ཧ͢ΔαʔϏε 3&45
    "1*ͷ࡞੒αʔϏε
    -BNCEB
    )551
    1SPYZ
    "84
    1SPYZ -BNCEBݺͼग़͠ API Gateway

    Lambda EC2 )551
    1SPYZ "84
    1SPYZ AWSαʔϏε ֤छ

18. "1*
    (BUFXBZͷೝূػೳ ೝূํ๏
    "
    *".ΞΫηεݖݶ
    #
    ΧελϜΦʔαϥΠβʔ
    $
    $PHOJUP
    Ϣʔβʔϓʔϧ API Gateway Lambda Cognito User

    Pool ΫϥΠΞϯτ "
    *".ΞΫηεݖݶ #
    ΧελϜ
    ΦʔαϥΠβʔ $
    $PHOJUP
    Ϣʔβʔϓʔϧ

19. "1*
    (BUFXBZͷΞΫηε੍ݶ ੍ݶํ๏
    "
    ΫϥΠΞϯτূ໌ॻ
    #
    "1*Ωʔ
    $
    ϦΫΤετͷݕূ API Gateway ΫϥΠΞϯτ "
    ΫϥΠΞϯτূ໌ॻ #
    "1*Ωʔ

    vKC5ZoO1tz7WH H6dfuZdd3zq9ShZ TnJzaCNONs9v $
    ϦΫΤετݕূ ϔομʔɺ ຊจ etc

20. "1*
    (BUFXBZͷ*1ΞυϨεʹΑΔ੍ݶ "84
    8"' $MPVE'SPOU
    8"'ͷ*1
    .BUDI
    $POEJUJPOΛར༻
    8"'Λར༻͢ΔͨΊʹɺ$MPVE'SPOU΋ར༻ API Gateway ΫϥΠΞϯτ WAF CloudFront

    ΫϥΠΞϯτ *1
    .BUDI
    $POEJUJPOͰ൑ఆ 999:::;;;""" """:::;;;999 ̋ ❌ $MPVE'SPOU "1*
    (BUFXBZͱ͍͏ແବͳଆ໘΋

21. "1*
    (BUFXBZͷ*1ΞυϨεʹΑΔ੍ݶᶃ *".ʹΑΔ੍ݶ
    "1*
    (BUFXBZͷೝূͰɺ*".Λར༻͢Δ
    *".ͷ$POEJUJPOͰɺ*1੍ݶΛֻ͚Δ ར༻ऀ͕"84ϢʔβͷΈͰ͋Ε͹खஈͷ̍ͭ API Gateway ΫϥΠΞϯτ ಛఆͷ৔ॴͷΈ༗ޮͳ伴

22. Ϣʔεέʔε͝ͱͷ
    ΞʔΩςΫνϟ
    $PHOJUPฤ

23. ৽نͰαʔϏεͷ্ཱͪ͛ $PHOJUP
    6TFS1PPM͕͓קΊ
    "1*
    (BUFXBZͷೝূͰɺ*".Λར༻͢Δ
    *".ͷ$POEJUJPOͰɺ*1੍ݶΛֻ͚Δ API Gateway ΫϥΠΞϯτ Cognito User Pool

    Lambda ೝূ ॲཧ

24. طଘͷγεςϜʹ"1*௥Ճ ΧελϜΦʔαϥΠβʔͰطଘ%#Λࢀর
    -BNCEBͰࣗલͰೝূॲཧΛ࣮૷
    طଘγεςϜʹ*%ɾύεϫʔυͷਖ਼౰ੑΛ໰͍߹Θͤ API Gateway ΫϥΠΞϯτ ΧελϜ ΦʔαϥΠβʔ ೝূ

    طଘγεςϜ ໰͍߹Θͤ Lambda ॲཧ

25. طଘγεςϜΛ$PHOJUP
    6TFS
    1PPMʹҠߦ͍ͨ͠ ͭΒ͍
    $PHOJUP
    6TFS
    1PPMʹ͸ɺσʔλΠϯϙʔτػೳ͸͋Δ
    ͨͩ͠ɺύεϫʔυ͸ҠߦͰ͖ͳ͍
    ύεϫʔυͷ࠶ൃߦͷ࢓૊ΈͰɺॳճϩάΠϯ࣌มߋΛଅ͢
    େن໛Ҡߦͷ࣌ʹɺͭΒ͍
    ΞϓϦͷ࡞ΓࠐΈͰɺճආ͢Δํ๏͸͋Δ΋ͷͷɻɻɻɻ Ͳ͏ͨ͠Βྑ͍ͷͰ͠ΐ͏Ͷʁ

26. $PHOJUP
    6TFS1PPMͷσʔλΛόοΫΞοϓ͍ͨ͠ Ͱ͖ͳ͍
    ݱࡏɺ6TFS1PPMͷόοΫΞοϓʗΤΫεϙʔτ͕Ͱ͖ͳ͍
    σʔλ͸"84͕੹೚࣋ͬͯकͬͯΔͱ
    ඞਢͷ৔߹͸ɺ%ZOBNP%#౳ʹϢʔβ৘ใΛอଘ
    "84͞Μɺ͓ئ͍ʂʂ

27. 8PSME
    8JEFͳαʔϏεͰ$PHOJUP࢖͍͍ͨ ݱঢ়ͷ$PHOJUP͸ϦʔδϣϯؒͰͷϨϓϦέʔγϣϯػೳͳ͠
    8PSME
    8JEFͰ୯Ұͷ$PHOJUPͩͱೝূͷϨΠςϯγ͕໰୊
    %ZOBNP%#ΫϩεϦʔδϣϯϨϓϦέʔγϣϯͰղܾʁ
    ϢʔβʔσʔλΛ%ZOBNP%#ʹอଘ
    ඞཁͳϦʔδϣϯʹ$PHOJUP
    'FEFSBUFE
    *EFOUJUJFTΛ༻ҙ͢Δ "84͞Μɺ͓ئ͍ʂʂ

28. "1*
    (BUFXBZͰͷࠔΓࣄ
    ͱ͍͏͔Ξϯνύλʔϯ

29. 4/*
    ඇରԠΫϥΠΞϯτʹରԠ͢Δ "1*
    (BUFXBZͷ4/*ϕʔεͷ44-5-4
    
    ݹ͍ϒϥ΢β΍ɺϓϩάϥϜݴޠ͸4/*ʹରԠ͍ͯ͠ͳ͍৔߹ ΋
    ໰୊ʹͳΓ΍͍͢ͷ͸ɺ+BWBҎલ
    ରԠࡦ
    
    "1*
    (BUFXBZͰ͸ͳ͘ɺ௚઀-BNCEBΛݺͼग़͢
    "1*
    (BUFXBZͷલʹɺ&-#&$Λ͓͘
    ࣅͨΑ͏ͳ໰୊ʹɺIUUQͰ"1*
    (BUFXBZʹΞΫηε͍ͨ͠ͱ͔ ͲΕ΋ΠϚΠνͳͷͰɺΫϥΠΞϯτଆͷߋվ͕ྑ͍

30. 71$಺Ͱར༻͍ͨ͠ "1*
    (BUFXBZ͸ɺ71$಺ʹ഑ஔ͸ग़དྷͳ͍
    -BNCEB͸ɺ71$಺Ͱ΋ىಈ͸Մೳ
    4UFQ
    'VODUJPOTͱซ༻ͰτϦοΩʔͳىಈ͸Մೳ
    71$ϦϯΫ /-#Ͱɺ71$಺ͷϦιʔε͕ར༻Մೳ API Gateway Step Functions

    Lambda Network Load Balancer VPCϦϯΫ

31. "1*
    (BUFXBZܦ༝ͰόονతॲཧΛΩοΫ͍ͨ͠ "1*
    (BUFXBZͷ౷߹ͷλΠϜΞ΢τ͸ඵ
    
    όοΫΤϯυͷॲཧ͕௕͍৔߹͸஫ҙ
    ۩ମతʹ͸ɺόονతͳॲཧΛݺͼग़͢৔߹
    ରԠࡦ
    
    όοΫΤϯυͱͷ౷߹Λඇಉظܕʹ͢Δ
    ݺͼग़͠੒ޭ࣌ʹɺϦΫΤετ*%౳Λฦ٫͢Δ
    ͦ΋ͦ΋"1*
    (BUFXBZ͔ΒΩοΫ͢Δඞཁ͕͋Δͷ͔ߟ͑Δ API Gateway

    AWSͷ֤छϦιʔε ᶃϦΫΤετ ᶄϨεϙϯε ΫϥΠΞϯτ ᶅඇಉظݺͼग़͠

32. $PHOJUPɺ"1*
    (BUFXBZ͸
    Ԟ͕ਂ͍

33. ిࢠॻ੶ɺࣥචͷػӡ IUUQTUPHFUUFSDPNMJ

34. SF$BQ
    

35. ͝੩ௌɺ͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ