サーバーレスなマルチテナントSaaSの権限管理 / Serverless Multitenant SaaS Auth Management
ykarakita
August 31, 2018
2018/08/31 Serverless Meetup Tokyo #10
Transcript
Permission management for a serverless multitenant SaaS (サーバーレスなマルチテナントSaaSの権限管理). Serverless Meetup Tokyo #10, 2018/08/31, @ykarakita
Profile: Yusuke Karakita. Hands Lab Inc. / Service Development Team. In charge of infrastructure design and API backend development. @ykarakita
[Product slide: a communication service that uses images to connect people more closely with the sales floor]
Multitenant applications
Multitenant application • One application platform shared by multiple organizations. [Diagram: System ∟ Organization A ∟ User A ∟ User B ∟ Organization B ∟ User C ∟ User D]
What a multitenant application has to take into account
Multitenant considerations • Permission management • Tenant management (plan changes, etc.) • Data areas (data isolation) • Resource management (memory, disk, CPU, etc.) • and so on
Today's topic: know-how on permission management when building a multitenant app on serverless
What does permission management look like in a multitenant app?
Multitenant permission management • Which resources a user may access is determined by several attributes of the user: ・Tenant → tenant-A, tenant-B… ・The tenant's subscription plan → free, standard, premium… ・User → User-A, User-B… ・The user's role → Admin, User… ・Other user attributes (assigned area, etc.) → Area-A, Area-B…
Security requirements of a multitenant app • ex1) Authorization of data access • A user belonging to tenant-A is allowed to access only tenant-A's data • ex2) API authorization • A user with the Admin role is allowed every API request, while a user with the User role is allowed only GET methods
In other words, a multitenant app needs ・access control ・per user attribute ・inside one shared system
Typically… • this is enforced at the web framework / middleware level
Serverless and multitenant… …there are no case studies at all ＼(^o^)／
For an AWS-native app it can be done with Cognito + IAM
Granting permissions to users: because the resources a user may access differ from user to user, attach the permissions to the user rather than granting them to the Lambda function. [Diagram: permission grant]
Configuring Cognito User Pool groups [Diagram: Cognito Tenant-A with User Group → tenant_a_user_role, Admin Group → tenant_a_admin_role, Billing Group → tenant_a_billing_role; Cognito Tenant-B; Cognito Tenant-C] • Create a User Pool per tenant, and inside it a Cognito group per application role. Attach an IAM role to each group.
IAM roles of the groups. tenant_a_admin_role:
…
{ "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::myapp/tenant_a/*", "Effect": "Allow" },
…
tenant_a_user_role:
…
{ "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::myapp/tenant_a/*", "Effect": "Allow" },
…
The Resource restricts which objects are reachable (the tenant boundary); the Action list restricts what each application role may do (the role boundary).
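The two role policies above, rendered from (tenant, role) and checked locally the way IAM's default-deny evaluation would, as an added example that is not the speaker's code. The bucket name "myapp", the tenant_a/ key prefix and the admin/user action sets are the slide's; the trust policy and the identity pool id are assumptions about how the group roles get assumed (a Cognito Identity Pool taking the ID token as the login).

```python
"""Per-tenant, per-role IAM policies for the Cognito group roles, plus a
local check that mirrors IAM's evaluation. Added example, not from the deck."""
import fnmatch
import json

BUCKET = "myapp"                       # from the slide's ARN
ROLE_ACTIONS = {                       # application role -> S3 actions, as on the slide
    "admin": ["s3:GetObject", "s3:PutObject"],
    "user": ["s3:GetObject"],
}


def tenant_role_policy(tenant, role):
    """Permissions policy for <tenant>_<role>_role: the key prefix is the
    tenant boundary, the action list is the role boundary."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(ROLE_ACTIONS[role]),
            "Resource": f"arn:aws:s3:::{BUCKET}/{tenant}/*",
        }],
    }


def trust_policy(identity_pool_id):
    """Who may assume the role (assumed setup: Cognito Identity Pool). Without
    the aud condition, any identity pool in any account could obtain this
    role's credentials."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource_arn):
    """IAM-style evaluation: default deny, an explicit Deny wins, otherwise any
    matching Allow. '*' is matched with fnmatch, which like IAM spans '/'."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_examples():
    """Requests a tenant_a caller might make, evaluated against each role."""
    a_obj = f"arn:aws:s3:::{BUCKET}/tenant_a/report.csv"
    b_obj = f"arn:aws:s3:::{BUCKET}/tenant_b/report.csv"
    admin_a = tenant_role_policy("tenant_a", "admin")
    user_a = tenant_role_policy("tenant_a", "user")
    return {
        "admin_a puts own object": is_allowed(admin_a, "s3:PutObject", a_obj),
        "user_a puts own object": is_allowed(user_a, "s3:PutObject", a_obj),          # role boundary
        "user_a reads tenant_b": is_allowed(user_a, "s3:GetObject", b_obj),           # tenant boundary
        "admin_a deletes own object": is_allowed(admin_a, "s3:DeleteObject", a_obj),  # never granted
        "admin_a lists bucket": is_allowed(admin_a, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
    }


if __name__ == "__main__":
    print(json.dumps(check_examples(), indent=2))
```

The last check is the caveat worth remembering: s3:ListBucket is a bucket-level action, so the object-prefix policy above does not grant it. If the app needs listing, grant it on arn:aws:s3:::myapp with a Condition on s3:prefix (tenant_a/*); granting it unconditionally would let one tenant enumerate every other tenant's key names.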
API Gateway authorization (Custom Authorizer)
① Log in with username & password
② Return token (JWT)
③ API request with the ID token (JWT)
④ Check the JWT's validity (signature check, expiry check)
⑤ Get the user's attributes from the JWT
⑥ Decide which APIs to authorize. By storing tier and similar values as Cognito custom attributes, permission-decision logic based on the plan can be built in as well
⑦ If the operation is authorized, the request proceeds
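Steps ④ to ⑦ as a Lambda authorizer, as an added example that is not the speaker's code. Assumptions not stated on the slides: one User Pool per tenant (as on the group slide) identified through the token's iss claim, the application role is the Cognito group name "Admin" or "User", the plan lives in the custom attribute custom:tier, and the pool ids, client id and route names are made up. Cognito signs ID tokens with RS256, so a real authorizer verifies against the pool's JWKS (https://cognito-idp.<region>.amazonaws.com/<poolId>/.well-known/jwks.json); to run offline this example takes a verifier callable and uses an HMAC-SHA256 stand-in in its place.

```python
"""Custom authorizer for the slide's flow (steps 4 to 7). Added example."""
import base64
import hashlib
import hmac
import json
import time

REGION = "ap-northeast-1"
POOL_TO_TENANT = {"ap-northeast-1_AAAAAAAAA": "tenant-a",   # constructed pool ids
                  "ap-northeast-1_BBBBBBBBB": "tenant-b"}
APP_CLIENT_ID = "1example23456789"                          # constructed client id
USER_ROLE_METHODS = {"GET"}       # User role: read-only, as on the requirements slide
PAID_ROUTES = {"/reports"}        # assumed route gated on custom:tier


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, secret):
    """Constructed HS256 token for the offline demo; Cognito issues RS256."""
    h = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    p = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"


def hs256_verifier(secrets_by_pool):
    """Stand-in for the JWKS lookup: select the key by pool id, then verify."""
    def verify(pool_id, signing_input, signature):
        secret = secrets_by_pool.get(pool_id)
        if secret is None:
            return False
        return hmac.compare_digest(hmac.new(secret, signing_input, hashlib.sha256).digest(), signature)
    return verify


def verify_id_token(token, verify_signature, now=None):
    """Step 4. Returns (tenant, claims) or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") == "none":
        raise ValueError("unsigned token")
    claims = json.loads(_unb64url(p))         # untrusted until the signature check passes
    prefix = f"https://cognito-idp.{REGION}.amazonaws.com/"
    iss = claims.get("iss", "")
    pool_id = iss[len(prefix):] if iss.startswith(prefix) else None
    if pool_id not in POOL_TO_TENANT:
        raise ValueError("issuer is not one of our tenant pools")
    if not verify_signature(pool_id, f"{h}.{p}".encode(), _unb64url(s)):
        raise ValueError("bad signature")
    if claims.get("aud") != APP_CLIENT_ID or claims.get("token_use") != "id":
        raise ValueError("not an ID token for this app client")
    if "sub" not in claims or claims.get("exp", 0) <= now:
        raise ValueError("missing subject or expired")
    return POOL_TO_TENANT[pool_id], claims


def decide(claims, method, route):
    """Steps 5 and 6: role from cognito:groups, plan from custom:tier."""
    groups = set(claims.get("cognito:groups", []))
    role = "Admin" if "Admin" in groups else "User" if "User" in groups else None
    if route in PAID_ROUTES and claims.get("custom:tier", "free") == "free":
        return "Deny", role                    # plan gate applies to every role
    if role == "Admin" or (role == "User" and method in USER_ROLE_METHODS):
        return "Allow", role
    return "Deny", role


def handler(event, verify_signature, now=None):
    """TOKEN-type authorizer entry point; the verifier argument exists so the
    demo can inject the HMAC stand-in."""
    method_arn = event["methodArn"]   # arn:aws:execute-api:reg:acct:api/stage/METHOD/path
    _api, _stage, method, *path = method_arn.split(":")[5].split("/")
    route = "/" + "/".join(path)
    token = event.get("authorizationToken", "").removeprefix("Bearer ")
    try:
        tenant, claims = verify_id_token(token, verify_signature, now)
    except ValueError:
        raise Exception("Unauthorized")   # API Gateway turns this message into HTTP 401
    effect, role = decide(claims, method, route)
    return {
        "principalId": claims["sub"],
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]},
        "context": {"tenant": tenant, "role": role or ""},   # $context.authorizer.* downstream
    }
```

Two design points: the tenant is taken from the verified iss claim rather than from anything the client sends, so a tenant-B token cannot be replayed against tenant-A's pool even though the authorizer is shared by every service; and API Gateway caches the returned policy per token for the authorizer's TTL, so with a single-method Resource like the one here either set the TTL to 0 or return the full set of method ARNs the caller is allowed to invoke.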
Resource access [Diagram: the JWT token is passed along; temporary credentials are generated from the token; the resource is accessed with the temporary credentials] • The compute's own role is not granted any S3 access permissions • Performing every resource access with the role granted to the user makes access control possible at the infrastructure level
We run as microservices [Diagram: API Gateway → Service A, Service B, Service C] • Shared API Gateway • API Gateway and the custom authorizer are shared by all services
Communication between microservices is event-driven • An event-driven architecture is the best way to draw out the full potential of serverless [Diagram: Service A publishes to an SNS topic that Service B subscribes to; Service B publishes to a further SNS topic] An asynchronous, loosely coupled architecture ✨✨ beautiful…
Event-driven • When services need to cooperate, process asynchronously • When a service needs another service's data, the side that needs it is responsible for subscribing • Unless the event data is designed carefully up front, it becomes painful later [Diagram: Service A, Service B and Service C publishing to and subscribing from SNS topics]
However… [Diagram: Service A, Service B and Service C publishing to and subscribing from SNS topics] None of the Lambda functions holds any resource access permissions
Drag the ID token along [Diagram: Service A → Pub → SNS → Sub → Service B, with the JWT token travelling inside the event] • Always include the ID token in the event data • Carry it along wherever the event goes • Watch the token's expiry (1 hour)
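The producer and consumer halves of the last two slides, as an added example that is not the speaker's code. The producer puts the caller's ID token next to the business payload when publishing to SNS; the consumer takes it back out and refuses to act on a token that is expired or about to expire, since Cognito ID tokens live one hour and an event can sit in a retry queue longer than that. The topic ARN, the attribute name and the sample token are constructed for the example.

```python
"""Carrying the caller's ID token through an SNS event, with the expiry
check the slide warns about. Added example, not from the deck."""
import base64
import json
import time

TOPIC_ARN = "arn:aws:sns:ap-northeast-1:123456789012:order-events"   # constructed
TOKEN_ATTR = "id_token"                                               # assumed attribute name
MIN_REMAINING = 60   # seconds of validity the consumer still needs to use the token


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(sub, exp):
    """Constructed, unsigned JWT with the shape Cognito emits; only the
    sub/exp claims matter to this example."""
    head = _b64url(b'{"alg":"RS256","kid":"demo"}')
    body = _b64url(json.dumps({"sub": sub, "token_use": "id", "exp": exp}).encode())
    return f"{head}.{body}.signature-not-checked-here"


def publish_params(payload, id_token):
    """Keyword arguments for sns.publish(**...). The token rides in a message
    attribute rather than in the JSON body, so a consumer can strip it before
    logging or forwarding the message."""
    return {
        "TopicArn": TOPIC_ARN,
        "Message": json.dumps(payload),
        "MessageAttributes": {TOKEN_ATTR: {"DataType": "String", "StringValue": id_token}},
    }


def token_exp(id_token):
    """Read exp from the payload segment. Fast-fail only: the claims are not
    trusted until the token is verified by whatever uses it next (the custom
    authorizer, or Cognito when the token is exchanged for temporary credentials)."""
    seg = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    return int(claims["exp"])


def consume(record, now=None):
    """Handle one record of a Lambda SNS trigger event (event["Records"][i]);
    SNS delivers attributes there as {"Type": ..., "Value": ...}."""
    now = time.time() if now is None else now
    sns = record["Sns"]
    token = sns.get("MessageAttributes", {}).get(TOKEN_ATTR, {}).get("Value")
    if not token:
        raise PermissionError("event carries no ID token; there is no principal to act as")
    if token_exp(token) - now < MIN_REMAINING:
        # Do not fall back to the function's own role: it deliberately has no resource access.
        raise PermissionError("ID token expired or about to expire; drop the event or re-request")
    return {"id_token": token, "payload": json.loads(sns["Message"])}


def demo_record(payload, id_token):
    """Constructed Lambda SNS record, as publish_params() looks after delivery."""
    return {"Sns": {"TopicArn": TOPIC_ARN, "Message": json.dumps(payload),
                    "MessageAttributes": {TOKEN_ATTR: {"Type": "String", "Value": id_token}}}}


if __name__ == "__main__":
    tok = make_demo_token("user-1", int(time.time()) + 3600)
    print(consume(demo_record({"order": 42}, tok)))
```

Because the ID token is the only credential any function in the chain has, a stale one cannot be "repaired" downstream; the honest outcome is a rejected event and a fresh request from the user, which is why the slide flags the one-hour lifetime as the thing to watch.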