Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
サーバーレスなマルチテナントSaaSの権限管理 / Serverless Multitenan...
Search
ykarakita
August 31, 2018
Technology
3
1.9k
サーバーレスなマルチテナントSaaSの権限管理 / Serverless Multitenant SaaS Auth Management
2018/08/31 Serverless Meetup Tokyo #10
ykarakita
August 31, 2018
Tweet
Share
More Decks by ykarakita
See All by ykarakita
ユーザー企業における サーバーレスな Web APIバックエンド開発 / Developping serverless Web API Backend
ykarakita
2
2.5k
Fitbit APIのススメ / Effective usage of fitbit API
ykarakita
0
720
Fitbit ✕ Music 〜Fitbit APIで最高のトレーニングを〜 / Great Training with Fitbit API
ykarakita
5
920
Other Decks in Technology
See All in Technology
モバイルアプリ研修
recruitengineers
PRO
5
1.6k
絶対に失敗できないキャンペーンページの高速かつ安全な開発、WINTICKET × microCMS の開発事例
microcms
0
360
おやつは300円まで!の最適化を模索してみた
techtekt
PRO
0
250
制約理論(ToC)入門
recruitengineers
PRO
8
3.6k
クラウドセキュリティを支える技術と運用の最前線 / Cutting-edge Technologies and Operations Supporting Cloud Security
yuj1osm
2
240
「魔法少女まどか☆マギカ Magia Exedra」での負荷試験の実践と学び
gree_tech
PRO
0
430
AIエージェントの活用に重要な「MCP (Model Context Protocol)」とは何か
masayamoriofficial
0
240
「守る」から「進化させる」セキュリティへ ~AWS re:Inforce 2025参加報告~ / AWS re:Inforce 2025 Participation Report
yuj1osm
1
180
TypeScript入門
recruitengineers
PRO
33
11k
Kubernetes における cgroup v2 でのOut-Of-Memory 問題の解決
pfn
PRO
0
430
Bye-Bye Query Spaghetti: Write Queries You'll Actually Understand Using Pipelined SQL Syntax
tobiaslampertlotum
0
120
まだ間に合う! StrandsとBedrock AgentCoreでAIエージェント構築に入門しよう
minorun365
PRO
10
690
Featured
See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
46
7.6k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Documentation Writing (for coders)
carmenintech
73
5k
Speed Design
sergeychernyshev
32
1.1k
Building Applications with DynamoDB
mza
96
6.6k
Faster Mobile Websites
deanohume
309
31k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
61k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Raft: Consensus for Rubyists
vanstee
140
7.1k
Balancing Empowerment & Direction
lara
3
600
KATA
mclloyd
32
14k
Transcript
αʔόʔϨεͳ ϚϧνςφϯτSaaSͷݖݶཧ Serverless Meetup Tokyo #10 2018/08/31 @ykarakita
Profile ඦా ༤྄ʢYusuke Karakitaʣ ϋϯζϥϘגࣜձࣾʗαʔϏε։ൃνʔϜ ୲ɿΠϯϑϥઃܭɺAPIόοΫΤϯυ։ൃ @ykarakita
ը૾Ͱͬͱɺചͱͭͳ͕Δ ίϛϡχέʔγϣϯαʔϏε
ϚϧνςφϯτΞϓϦέʔγϣϯ
ϚϧνςφϯτΞϓϦέʔγϣϯ • ҰͭͷΞϓϦέʔγϣϯϓϥοτϑΥʔϜΛ ෳͷ৫Ͱڞ༗ γεςϜ ∟৫A ∟ϢʔβʔA ∟ϢʔβʔB ∟৫B ∟ϢʔβʔC
∟ϢʔβʔD
ϚϧνςφϯτΞϓϦέʔγϣϯ Ͱߟྀ͕ඞཁͳ͜ͱ
Ϛϧνςφϯτͷߟྀ • ݖݶཧ • ςφϯτཧʢϓϥϯͷมߋͳͲʣ • σʔλྖҬʢσʔλʣ • ϦιʔεཧʢϝϞϦɺσΟεΫɺCPUͳͲʣ •
ͳͲ
ࠓͷ༰ αʔόʔϨεͰϚϧνςφϯτ ΞϓϦΛߏங͢Δ্Ͱͷ ݖݶཧͷϊϋ
ϚϧνςφϯτΞϓϦͷ ݖݶཧͬͯͲΜͳײ͡ʁ
Ϛϧνςφϯτͷݖݶཧ • Ϣʔβʔͷෳͷଐੑ͔ΒΞΫηεՄೳͳϦ ιʔε͕ܾఆ͢Δ ɾςφϯτ →tenant-Aɺtenant-B… ɾςφϯτͷར༻ϓϥϯ →freeɺstandardɺpremium… ɾϢʔβʔ →User-AɺUser-B…
ɾϢʔβʔͷϩʔϧ →AdminɺUser… ɾϢʔβʔͷͦͷଞͷଐੑʢॴଐΤϦΞͳͲʣ →Area-AɺArea-B…
ϚϧνςφϯτΞϓϦͷ ηΩϡϦςΟཁ݅ • ex1) σʔλͷΞΫηεͷೝՄ • tenant-Aʹଐ͢ΔϢʔβʔtenant-Aͷσʔ λͷΈΞΫηε͕ڐՄ͞ΕΔ • ex2)
API ͷೝՄ • AdminϩʔϧͷϢʔβʔͯ͢ͷAPIϦΫ Τετ͕ڐՄ͞ΕΔ͕UserϩʔϧͷϢʔβʔ GETϝιουͷΈΞΫηε͕ڐՄ͞ΕΔ
ͭ·ΓϚϧνςφϯτΞϓϦ ɾڞ௨ͷγεςϜͷதͰ ɾϢʔβʔͷଐੑ͝ͱʹ ɾΞΫηε੍ޚ͕ඞཁ
Ұൠతʹɾɾ • WebϑϨʔϜϫʔΫϛυϧΣΞϨϕϧͰ੍ޚ
αʔόʔϨεͰϚϧνςφϯτɾɾ ɾɾશવࣄྫͳ͍ʘ(^o^)ʗ
AWSωΠςΟϒͳΞϓϦͳΒ Cognito + IAM Ͱ࣮ݱͰ͖Δ
Ϣʔβʔͷݖݶ༩ ϢʔβʔʹΑͬͯΞΫηεՄೳͳϦιʔε͕ҟͳΔͨΊɺ LambdaϑΝϯΫγϣϯݖݶΛ༩͢ΔͷͰͳ͘ɺ ϢʔβʔࣗʹݖݶΛ͚Δ ݖݶ༩
Cognito User Pool άϧʔϓͷઃఆ Cognito Tenant-A User Group Admin Group
Billing Group tenant_a_user_role tenant_a_billing_role tenant_a_admin_role Cognito Tenant-B Cognito Tenant-C • ςφϯτ͝ͱʹUser PoolΛ࡞͠ɺͦͷதʹΞϓϦͰͷϩʔϧ͝ͱʹCognitoά ϧʔϓΛ࡞͢ΔɻάϧʔϓʹIAMϩʔϧΛΞλονɻ
άϧʔϓͷIAMϩʔϧ tenant_a_admin_role ɹɹɹɹɹɹɹɹộ { "Action": [ "s3:GetObject" "s3:PutObject" ], "Resource":
“arn:aws:s3:::myapp/tenant_a/*”, "Effect": "Allow" }, ɹɹɹɹɹɹɹɹộ tenant_a_user_role ɹɹɹɹɹɹɹɹộ { "Action": [ "s3:GetObject" ], "Resource": “arn:aws:s3:::myapp/tenant_a/*”, "Effect": "Allow" }, ɹɹɹɹɹɹɹɹộ ΞΫηεՄೳͳϦιʔεΛ੍ݶ ΞϓϦͰͷϩʔϧผʹ࣮ߦՄೳͳૢ࡞Λ੍ݶ
API GatewayͷೝՄ ᶃLogin with username & password ᶄReturn Token(JWT) ᶅAPI
Request with ID Token(JWT) ᶆJWTͷ༗ޮੑΛ֬ೝʢॺ໊νΣοΫɾ༗ޮظݶνΣοΫʣ ᶇJWT͔ΒϢʔβʔͷଐੑΛऔಘ ᶈೝՄ͢ΔAPIΛܾఆ CognitoʹΧελϜଐੑͱͯ͠tierͳͲΛઃఆ͓ͯ͘͜͠ͱͰɺ ϓϥϯͳͲʹΑΔݖݶܾఆϩδοΫΛΈࠐΉ͜ͱՄೳ Custom Authorizer ᶉೝՄ͞Εͨૢ࡞ͳΒ ϦΫΤετଓߦ
ϦιʔεͷΞΫηε JWT Token JWT Token JWT Token Token͔ΒҰ࣌ೝূใΛੜ Ұ࣌ೝূใΛͬͯΞΫηε ίϯϐϡʔτࣗͷϩʔϧʹS3ͷΞΫηεݖݶΛ༩͍ͯ͠ͳ͍
ͯ͢ͷϦιʔεΞΫηεΛϢʔβʔʹ༩͞ΕͨϩʔϧΛͬ ࣮ͯߦ͢Δ͜ͱͰΠϯϑϥϨϕϧͰͷΞΫηε੍ޚ͕Մೳʹ
"1*(BUFXBZ 4FSWJDF" 4FSWJDF# 4FSWJDF$ ϚΠΫϩαʔϏεͰಈ͍ͯ·͢ • Shared API Gateway •
API GatewayͱΧελϜΦʔιϥΠβʔΛαʔ Ϗεڞ௨Ͱ༻
ϚΠΫϩαʔϏεؒͷΓͱΓΠϕϯτ υϦϒϯ • αʔόʔϨεͷϙςϯγϟϧΛ࠷େݶʹҾ͖ग़͢ ͨΊʹΠϕϯτυϦϒϯͳΞʔΩςΫνϟ͕࠷ ద 4FSWJDF" Pub Sub SNS
Topic 4FSWJDF# Pub SNS Topic ඇಉظͰૄ݁߹ͳΞʔΩςΫνϟ✨✨ඒ͍͠ɾɾ
4FSWJDF" ΠϕϯτυϦϒϯ • αʔϏεؒͰ࿈ܞ͕ඞཁͳ߹ඇಉظతʹॲཧ͢Δ • ଞͷαʔϏεͷσʔλ͕ඞཁ߹ɺऔಘଆ͕Λ࣋ͬͯ Sub͢Δ • Πϕϯτσʔλͷઃܭࣄલʹ͔ͬ͠ΓΒͳ͍ͱޙʑେม 4FSWJDF#
4FSWJDF$ Pub Pub Pub Sub Sub SNS Topic
4FSWJDF" ͔͠͠ɺ 4FSWJDF# 4FSWJDF$ Pub Pub Pub Sub Sub SNS
Topic ͲͷLambdaϑΝϯΫγϣϯϦιʔεΞΫηεݖݶΛ࣋ͨͳ͍
IDτʔΫϯΛҾ͖ͣΓճ͢ 4FSWJDF" 4FSWJDF# Pub Pub Sub JWT Token • ΠϕϯτσʔλʹඞͣIDτʔΫϯΛؚΊΔ
• Ͳ͜·ͰҾ͖ͣΓճ͢ • τʔΫϯͷ༗ޮظݶʹҙ͢Δʢ̍࣌ؒʣ JWT Token