Upgrade to Pro — share decks privately, control downloads, hide ads and more …

サーバーレスなマルチテナントSaaSの権限管理 / Serverless Multitenan...

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for ykarakita ykarakita
August 31, 2018
Technology
3
2k

サーバーレスなマルチテナントSaaSの権限管理 / Serverless Multitenant SaaS Auth Management

2018/08/31 Serverless Meetup Tokyo #10

Avatar for ykarakita

ykarakita

August 31, 2018
Tweet

More Decks by ykarakita

See All by ykarakita
ユーザー企業における サーバーレスな Web APIバックエンド開発 / Developping serverless Web API Backend
Avatar for ykarakita ykarakita
2
2.5k
Fitbit APIのススメ / Effective usage of fitbit API
Avatar for ykarakita ykarakita
0
720
Fitbit ✕ Music 〜Fitbit APIで最高のトレーニングを〜 / Great Training with Fitbit API
Avatar for ykarakita ykarakita
5
930

Other Decks in Technology

See All in Technology
類似画像検索モデルの開発ノウハウ
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
3
840
Introduction to Sansan for Engineers / エンジニア向け会社紹介
Avatar for Sansan, Inc. sansan33
PRO
6
72k
Sansan Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
4k
Oracle Database@Azure:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
4
1.1k
型を書かないRuby開発への挑戦
Avatar for Shia riseshia
0
170
「使いにくい」も「運用疲れ」も卒業する UIデザイナーとエンジニアが創る持続可能な内製開発
Avatar for NRI Netcom nrinetcom
PRO
1
780
A Gentle Introduction to Transformers
Avatar for Semantic Machine Intelligence Lab., Keio Univ. keio_smilab
PRO
1
110
Master Dataグループ紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
4.4k
Kaggleで鍛えたスキルの実務での活かし方 競技とプロダクト開発のリアル
Avatar for Recruit recruitengineers
PRO
1
130
大規模サービスにおける レガシーコードからReactへの移行
Avatar for MagicPod magicpod
1
120
Lookerの最新バージョンv26.2がやばい話
Avatar for Yuta Ozaki waiwai2111
1
150
AI時代にエンジニアはどう成長すれば良いのか?
Avatar for Recruit recruitengineers
PRO
1
130

Featured

See All Featured
[SF Ruby Conf 2025] Rails X
Avatar for Vladimir Dementyev palkan
2
810
Embracing the Ebb and Flow
Avatar for Simon Collison colly
88
5k
KATA
Avatar for Megan Lloyd mclloyd
PRO
35
15k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
528
40k
SEO Brein meetup: CTRL+C is not how to scale international SEO
Avatar for Linda Hogenes lindahogenes
0
2.4k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
11
850
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
Avatar for Katarina Dahlin katarinadahlin
PRO
1
3.5k
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
37
7.2k
The browser strikes back
Avatar for Jono Alderson jonoalderson
0
760
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.8k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
3k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
302
51k

Transcript

  1. αʔόʔϨεͳ ϚϧνςφϯτSaaSͷݖݶ؅ཧ Serverless Meetup Tokyo #10 2018/08/31 @ykarakita

  2. Profile ඦ໦ా ༤྄ʢYusuke Karakitaʣ ϋϯζϥϘגࣜձࣾʗαʔϏε։ൃνʔϜ ୲౰ɿΠϯϑϥઃܭɺAPIόοΫΤϯυ։ൃ @ykarakita

  3. ը૾Ͱ΋ͬͱɺച৔ͱͭͳ͕Δ ίϛϡχέʔγϣϯαʔϏε

  4. ϚϧνςφϯτΞϓϦέʔγϣϯ

  5. ϚϧνςφϯτΞϓϦέʔγϣϯ • ҰͭͷΞϓϦέʔγϣϯϓϥοτϑΥʔϜΛ ෳ਺ͷ૊৫Ͱڞ༗ γεςϜ ∟૊৫A ∟ϢʔβʔA ∟ϢʔβʔB ∟૊৫B ∟ϢʔβʔC

    ∟ϢʔβʔD

  6. ϚϧνςφϯτΞϓϦέʔγϣϯ Ͱߟྀ͕ඞཁͳ͜ͱ

  7. Ϛϧνςφϯτͷߟྀ఺ • ݖݶ؅ཧ • ςφϯτ؅ཧʢϓϥϯͷมߋͳͲʣ • σʔλྖҬʢσʔλ෼཭ʣ • Ϧιʔε؅ཧʢϝϞϦɺσΟεΫɺCPUͳͲʣ •

    ͳͲ

  8. ࠓ೔ͷ಺༰ αʔόʔϨεͰϚϧνςφϯτ ΞϓϦΛߏங͢Δ্Ͱͷ ݖݶ؅ཧͷϊ΢ϋ΢

  9. ϚϧνςφϯτΞϓϦͷ ݖݶ؅ཧͬͯͲΜͳײ͡ʁ

  10. Ϛϧνςφϯτͷݖݶ؅ཧ • Ϣʔβʔͷෳ਺ͷଐੑ͔ΒΞΫηεՄೳͳϦ ιʔε͕ܾఆ͢Δ ɾςφϯτ →tenant-Aɺtenant-B… ɾςφϯτͷར༻ϓϥϯ →freeɺstandardɺpremium… ɾϢʔβʔ →User-AɺUser-B…

    ɾϢʔβʔͷϩʔϧ →AdminɺUser… ɾϢʔβʔͷͦͷଞͷଐੑʢॴଐΤϦΞͳͲʣ →Area-AɺArea-B…

  11. ϚϧνςφϯτΞϓϦͷ ηΩϡϦςΟཁ݅ • ex1) σʔλ΁ͷΞΫηεͷೝՄ • tenant-Aʹଐ͢ΔϢʔβʔ͸tenant-Aͷσʔ λͷΈΞΫηε͕ڐՄ͞ΕΔ • ex2)

    API ͷೝՄ • AdminϩʔϧͷϢʔβʔ͸͢΂ͯͷAPIϦΫ Τετ͕ڐՄ͞ΕΔ͕UserϩʔϧͷϢʔβʔ ͸GETϝιουͷΈΞΫηε͕ڐՄ͞ΕΔ

  12. ͭ·ΓϚϧνςφϯτΞϓϦ͸ ɾڞ௨ͷγεςϜͷதͰ ɾϢʔβʔͷଐੑ͝ͱʹ ɾΞΫηε੍ޚ͕ඞཁ

  13. Ұൠతʹ͸ɾɾ • WebϑϨʔϜϫʔΫ΍ϛυϧ΢ΣΞϨϕϧͰ੍ޚ

  14. αʔόʔϨεͰϚϧνςφϯτɾɾ ɾɾશવࣄྫͳ͍ʘ(^o^)ʗ

  15. AWSωΠςΟϒͳΞϓϦͳΒ Cognito + IAM Ͱ࣮ݱͰ͖Δ

  16. Ϣʔβʔ΁ͷݖݶ෇༩ ϢʔβʔʹΑͬͯΞΫηεՄೳͳϦιʔε͕ҟͳΔͨΊɺ LambdaϑΝϯΫγϣϯ΁ݖݶΛ෇༩͢ΔͷͰ͸ͳ͘ɺ Ϣʔβʔࣗ਎ʹݖݶΛ෇͚Δ ݖݶ෇༩

  17. Cognito User Pool άϧʔϓͷઃఆ Cognito Tenant-A User Group Admin Group

    Billing Group tenant_a_user_role tenant_a_billing_role tenant_a_admin_role Cognito Tenant-B Cognito Tenant-C • ςφϯτ͝ͱʹUser PoolΛ࡞੒͠ɺͦͷதʹΞϓϦͰͷϩʔϧ͝ͱʹCognitoά ϧʔϓΛ࡞੒͢Δɻάϧʔϓʹ͸IAMϩʔϧΛΞλονɻ

  18. άϧʔϓͷIAMϩʔϧ tenant_a_admin_role ɹɹɹɹɹɹɹɹộ { "Action": [ "s3:GetObject" "s3:PutObject" ], "Resource":

    “arn:aws:s3:::myapp/tenant_a/*”, "Effect": "Allow" }, ɹɹɹɹɹɹɹɹộ tenant_a_user_role ɹɹɹɹɹɹɹɹộ { "Action": [ "s3:GetObject" ], "Resource": “arn:aws:s3:::myapp/tenant_a/*”, "Effect": "Allow" }, ɹɹɹɹɹɹɹɹộ ΞΫηεՄೳͳϦιʔεΛ੍ݶ ΞϓϦ಺Ͱͷϩʔϧผʹ࣮ߦՄೳͳૢ࡞Λ੍ݶ

  19. API GatewayͷೝՄ ᶃLogin with username & password ᶄReturn Token(JWT) ᶅAPI

    Request with ID Token(JWT) ᶆJWTͷ༗ޮੑΛ֬ೝʢॺ໊νΣοΫɾ༗ޮظݶνΣοΫʣ ᶇJWT͔ΒϢʔβʔͷଐੑΛऔಘ ᶈೝՄ͢ΔAPIΛܾఆ CognitoʹΧελϜଐੑͱͯ͠tierͳͲΛઃఆ͓ͯ͘͜͠ͱͰɺ ϓϥϯͳͲʹΑΔݖݶܾఆϩδοΫΛ૊ΈࠐΉ͜ͱ΋Մೳ Custom Authorizer ᶉೝՄ͞Εͨૢ࡞ͳΒ ϦΫΤετଓߦ

  20. Ϧιʔε΁ͷΞΫηε JWT Token JWT Token JWT Token Token͔ΒҰ࣌ೝূ৘ใΛੜ੒ Ұ࣌ೝূ৘ใΛ࢖ͬͯΞΫηε ίϯϐϡʔτࣗ਎ͷϩʔϧʹ͸S3΁ͷΞΫηεݖݶΛ෇༩͍ͯ͠ͳ͍

    ͢΂ͯͷϦιʔεΞΫηεΛϢʔβʔʹ෇༩͞ΕͨϩʔϧΛ࢖ͬ ࣮ͯߦ͢Δ͜ͱͰΠϯϑϥϨϕϧͰͷΞΫηε੍ޚ͕Մೳʹ

  21. "1*(BUFXBZ 4FSWJDF" 4FSWJDF# 4FSWJDF$ ϚΠΫϩαʔϏεͰಈ͍ͯ·͢ • Shared API Gateway •

    API GatewayͱΧελϜΦʔιϥΠβʔΛαʔ Ϗεڞ௨Ͱ࢖༻

  22. ϚΠΫϩαʔϏεؒͷ΍ΓͱΓ͸Πϕϯτ υϦϒϯ • αʔόʔϨεͷϙςϯγϟϧΛ࠷େݶʹҾ͖ग़͢ ͨΊʹ͸ΠϕϯτυϦϒϯͳΞʔΩςΫνϟ͕࠷ ద 4FSWJDF" Pub Sub SNS

    Topic 4FSWJDF# Pub SNS Topic ඇಉظͰૄ݁߹ͳΞʔΩςΫνϟ✨✨ඒ͍͠ɾɾ

  23. 4FSWJDF" ΠϕϯτυϦϒϯ • αʔϏεؒͰ࿈ܞ͕ඞཁͳ৔߹͸ඇಉظతʹॲཧ͢Δ • ଞͷαʔϏεͷσʔλ͕ඞཁ৔߹͸ɺऔಘଆ͕੹೚Λ࣋ͬͯ Sub͢Δ • Πϕϯτσʔλͷઃܭ͸ࣄલʹ͔ͬ͠Γ΍Βͳ͍ͱޙʑେม 4FSWJDF#

    4FSWJDF$ Pub Pub Pub Sub Sub SNS Topic

  24. 4FSWJDF" ͔͠͠ɺ 4FSWJDF# 4FSWJDF$ Pub Pub Pub Sub Sub SNS

    Topic ͲͷLambdaϑΝϯΫγϣϯ΋ϦιʔεΞΫηεݖݶΛ࣋ͨͳ͍

  25. IDτʔΫϯΛҾ͖ͣΓճ͢ 4FSWJDF" 4FSWJDF# Pub Pub Sub JWT Token • Πϕϯτσʔλʹ͸ඞͣIDτʔΫϯΛؚΊΔ

    • Ͳ͜·Ͱ΋Ҿ͖ͣΓճ͢ • τʔΫϯͷ༗ޮظݶʹ஫ҙ͢Δʢ̍࣌ؒʣ JWT Token