Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
サーバーレスなマルチテナントSaaSの権限管理 / Serverless Multitenant SaaS Auth Management
ykarakita
August 31, 2018
Technology
3
1.5k
サーバーレスなマルチテナントSaaSの権限管理 / Serverless Multitenant SaaS Auth Management
2018/08/31 Serverless Meetup Tokyo #10
ykarakita
August 31, 2018
Tweet
Share
More Decks by ykarakita
See All by ykarakita
ユーザー企業における サーバーレスな Web APIバックエンド開発 / Developping serverless Web API Backend
ykarakita
2
1.9k
Fitbit APIのススメ / Effective usage of fitbit API
ykarakita
0
590
Fitbit ✕ Music 〜Fitbit APIで最高のトレーニングを〜 / Great Training with Fitbit API
ykarakita
5
590
Other Decks in Technology
See All in Technology
Security Hub のマルチアカウント 管理・運用をサーバレスでやってみる
ch6noota
0
850
Strategyパターン
hankehly
0
140
リファインメントは楽しいかね?
kitamu_mu
1
520
インフラのCI/CDはGitHub Actionsに任せた
mihyon
0
110
eBPF for Security Observability
lizrice
0
190
Data in Google I/O - IO Extended GDG Seoul
kennethanceyer
0
150
【SAP知らない人向け】SAP on AWS 個人学習メモ/sap-on-aws-study
emiki
3
2.3k
ROS再入門-はじめてのSLAM-
miura55
0
410
2024卒_freee_エンジニア職(ポテンシャル採用)_説明資料
freee
0
260
モブに早く慣れたい人のためのガイド / A Guide to Getting Started Quickly with Mob Programming
cybozuinsideout
PRO
2
1.8k
MoT TechTalk #12 タクシーアプリ『GO』大規模トラフィックを捌く分析データ基盤の全容に迫る!
mot_techtalk
1
380
What's new in Vision
satotakeshi
0
220
Featured
See All Featured
Raft: Consensus for Rubyists
vanstee
126
5.4k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1M
Rebuilding a faster, lazier Slack
samanthasiow
62
7.2k
Teambox: Starting and Learning
jrom
123
7.7k
Navigating Team Friction
lara
175
11k
Producing Creativity
orderedlist
PRO
334
37k
Building an army of robots
kneath
299
40k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
119
28k
How GitHub (no longer) Works
holman
296
140k
What the flash - Photography Introduction
edds
62
10k
Facilitating Awesome Meetings
lara
29
4k
Writing Fast Ruby
sferik
612
57k
Transcript
αʔόʔϨεͳ ϚϧνςφϯτSaaSͷݖݶཧ Serverless Meetup Tokyo #10 2018/08/31 @ykarakita
Profile ඦా ༤྄ʢYusuke Karakitaʣ ϋϯζϥϘגࣜձࣾʗαʔϏε։ൃνʔϜ ୲ɿΠϯϑϥઃܭɺAPIόοΫΤϯυ։ൃ @ykarakita
ը૾Ͱͬͱɺചͱͭͳ͕Δ ίϛϡχέʔγϣϯαʔϏε
ϚϧνςφϯτΞϓϦέʔγϣϯ
ϚϧνςφϯτΞϓϦέʔγϣϯ • ҰͭͷΞϓϦέʔγϣϯϓϥοτϑΥʔϜΛ ෳͷ৫Ͱڞ༗ γεςϜ ∟৫A ∟ϢʔβʔA ∟ϢʔβʔB ∟৫B ∟ϢʔβʔC
∟ϢʔβʔD
ϚϧνςφϯτΞϓϦέʔγϣϯ Ͱߟྀ͕ඞཁͳ͜ͱ
Ϛϧνςφϯτͷߟྀ • ݖݶཧ • ςφϯτཧʢϓϥϯͷมߋͳͲʣ • σʔλྖҬʢσʔλʣ • ϦιʔεཧʢϝϞϦɺσΟεΫɺCPUͳͲʣ •
ͳͲ
ࠓͷ༰ αʔόʔϨεͰϚϧνςφϯτ ΞϓϦΛߏங͢Δ্Ͱͷ ݖݶཧͷϊϋ
ϚϧνςφϯτΞϓϦͷ ݖݶཧͬͯͲΜͳײ͡ʁ
Ϛϧνςφϯτͷݖݶཧ • Ϣʔβʔͷෳͷଐੑ͔ΒΞΫηεՄೳͳϦ ιʔε͕ܾఆ͢Δ ɾςφϯτ →tenant-Aɺtenant-B… ɾςφϯτͷར༻ϓϥϯ →freeɺstandardɺpremium… ɾϢʔβʔ →User-AɺUser-B…
ɾϢʔβʔͷϩʔϧ →AdminɺUser… ɾϢʔβʔͷͦͷଞͷଐੑʢॴଐΤϦΞͳͲʣ →Area-AɺArea-B…
ϚϧνςφϯτΞϓϦͷ ηΩϡϦςΟཁ݅ • ex1) σʔλͷΞΫηεͷೝՄ • tenant-Aʹଐ͢ΔϢʔβʔtenant-Aͷσʔ λͷΈΞΫηε͕ڐՄ͞ΕΔ • ex2)
API ͷೝՄ • AdminϩʔϧͷϢʔβʔͯ͢ͷAPIϦΫ Τετ͕ڐՄ͞ΕΔ͕UserϩʔϧͷϢʔβʔ GETϝιουͷΈΞΫηε͕ڐՄ͞ΕΔ
ͭ·ΓϚϧνςφϯτΞϓϦ ɾڞ௨ͷγεςϜͷதͰ ɾϢʔβʔͷଐੑ͝ͱʹ ɾΞΫηε੍ޚ͕ඞཁ
Ұൠతʹɾɾ • WebϑϨʔϜϫʔΫϛυϧΣΞϨϕϧͰ੍ޚ
αʔόʔϨεͰϚϧνςφϯτɾɾ ɾɾશવࣄྫͳ͍ʘ(^o^)ʗ
AWSωΠςΟϒͳΞϓϦͳΒ Cognito + IAM Ͱ࣮ݱͰ͖Δ
Ϣʔβʔͷݖݶ༩ ϢʔβʔʹΑͬͯΞΫηεՄೳͳϦιʔε͕ҟͳΔͨΊɺ LambdaϑΝϯΫγϣϯݖݶΛ༩͢ΔͷͰͳ͘ɺ ϢʔβʔࣗʹݖݶΛ͚Δ ݖݶ༩
Cognito User Pool άϧʔϓͷઃఆ Cognito Tenant-A User Group Admin Group
Billing Group tenant_a_user_role tenant_a_billing_role tenant_a_admin_role Cognito Tenant-B Cognito Tenant-C • ςφϯτ͝ͱʹUser PoolΛ࡞͠ɺͦͷதʹΞϓϦͰͷϩʔϧ͝ͱʹCognitoά ϧʔϓΛ࡞͢ΔɻάϧʔϓʹIAMϩʔϧΛΞλονɻ
άϧʔϓͷIAMϩʔϧ tenant_a_admin_role ɹɹɹɹɹɹɹɹộ { "Action": [ "s3:GetObject" "s3:PutObject" ], "Resource":
“arn:aws:s3:::myapp/tenant_a/*”, "Effect": "Allow" }, ɹɹɹɹɹɹɹɹộ tenant_a_user_role ɹɹɹɹɹɹɹɹộ { "Action": [ "s3:GetObject" ], "Resource": “arn:aws:s3:::myapp/tenant_a/*”, "Effect": "Allow" }, ɹɹɹɹɹɹɹɹộ ΞΫηεՄೳͳϦιʔεΛ੍ݶ ΞϓϦͰͷϩʔϧผʹ࣮ߦՄೳͳૢ࡞Λ੍ݶ
API GatewayͷೝՄ ᶃLogin with username & password ᶄReturn Token(JWT) ᶅAPI
Request with ID Token(JWT) ᶆJWTͷ༗ޮੑΛ֬ೝʢॺ໊νΣοΫɾ༗ޮظݶνΣοΫʣ ᶇJWT͔ΒϢʔβʔͷଐੑΛऔಘ ᶈೝՄ͢ΔAPIΛܾఆ CognitoʹΧελϜଐੑͱͯ͠tierͳͲΛઃఆ͓ͯ͘͜͠ͱͰɺ ϓϥϯͳͲʹΑΔݖݶܾఆϩδοΫΛΈࠐΉ͜ͱՄೳ Custom Authorizer ᶉೝՄ͞Εͨૢ࡞ͳΒ ϦΫΤετଓߦ
ϦιʔεͷΞΫηε JWT Token JWT Token JWT Token Token͔ΒҰ࣌ೝূใΛੜ Ұ࣌ೝূใΛͬͯΞΫηε ίϯϐϡʔτࣗͷϩʔϧʹS3ͷΞΫηεݖݶΛ༩͍ͯ͠ͳ͍
ͯ͢ͷϦιʔεΞΫηεΛϢʔβʔʹ༩͞ΕͨϩʔϧΛͬ ࣮ͯߦ͢Δ͜ͱͰΠϯϑϥϨϕϧͰͷΞΫηε੍ޚ͕Մೳʹ
"1*(BUFXBZ 4FSWJDF" 4FSWJDF# 4FSWJDF$ ϚΠΫϩαʔϏεͰಈ͍ͯ·͢ • Shared API Gateway •
API GatewayͱΧελϜΦʔιϥΠβʔΛαʔ Ϗεڞ௨Ͱ༻
ϚΠΫϩαʔϏεؒͷΓͱΓΠϕϯτ υϦϒϯ • αʔόʔϨεͷϙςϯγϟϧΛ࠷େݶʹҾ͖ग़͢ ͨΊʹΠϕϯτυϦϒϯͳΞʔΩςΫνϟ͕࠷ ద 4FSWJDF" Pub Sub SNS
Topic 4FSWJDF# Pub SNS Topic ඇಉظͰૄ݁߹ͳΞʔΩςΫνϟ✨✨ඒ͍͠ɾɾ
4FSWJDF" ΠϕϯτυϦϒϯ • αʔϏεؒͰ࿈ܞ͕ඞཁͳ߹ඇಉظతʹॲཧ͢Δ • ଞͷαʔϏεͷσʔλ͕ඞཁ߹ɺऔಘଆ͕Λ࣋ͬͯ Sub͢Δ • Πϕϯτσʔλͷઃܭࣄલʹ͔ͬ͠ΓΒͳ͍ͱޙʑେม 4FSWJDF#
4FSWJDF$ Pub Pub Pub Sub Sub SNS Topic
4FSWJDF" ͔͠͠ɺ 4FSWJDF# 4FSWJDF$ Pub Pub Pub Sub Sub SNS
Topic ͲͷLambdaϑΝϯΫγϣϯϦιʔεΞΫηεݖݶΛ࣋ͨͳ͍
IDτʔΫϯΛҾ͖ͣΓճ͢ 4FSWJDF" 4FSWJDF# Pub Pub Sub JWT Token • ΠϕϯτσʔλʹඞͣIDτʔΫϯΛؚΊΔ
• Ͳ͜·ͰҾ͖ͣΓճ͢ • τʔΫϯͷ༗ޮظݶʹҙ͢Δʢ̍࣌ؒʣ JWT Token