Upgrade to Pro — share decks privately, control downloads, hide ads and more …

サーバーレスなマルチテナントSaaSの権限管理 / Serverless Multitenan...

Avatar for ykarakita ykarakita
August 31, 2018
Technology
3
1.9k

サーバーレスなマルチテナントSaaSの権限管理 / Serverless Multitenant SaaS Auth Management

2018/08/31 Serverless Meetup Tokyo #10
Avatar for ykarakita

ykarakita

August 31, 2018
Tweet

More Decks by ykarakita

See All by ykarakita
ユーザー企業における サーバーレスな Web APIバックエンド開発 / Developping serverless Web API Backend
Avatar for ykarakita ykarakita
2
2.5k
Fitbit APIのススメ / Effective usage of fitbit API
Avatar for ykarakita ykarakita
0
710
Fitbit ✕ Music 〜Fitbit APIで最高のトレーニングを〜 / Great Training with Fitbit API
Avatar for ykarakita ykarakita
5
910

Other Decks in Technology

See All in Technology
事例で学ぶ!B2B SaaSにおけるSREの実践例/SRE for B2B SaaS: A Real-World Case Study
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
1
160
IPA&AWSダブル全冠が明かす、人生を変えた勉強法のすべて
Avatar for iwamot iwamot
PRO
2
190
Lufthansa ®️ USA Contact Numbers: Complete 2025 Support Guide
Avatar for danielconkling870 lufthanahelpsupport
0
220
2025-07-06 QGIS初級ハンズオン「はじめてのQGIS」
Avatar for kou_kita kou_kita
0
180
SREの次のキャリアの道しるべ 〜SREがマネジメントレイヤーに挑戦して、 気づいたこととTips〜
Avatar for coconala_engineer coconala_engineer
1
150
QuickSight SPICE の効果的な運用戦略~S3 + Athena 構成での実践ノウハウ~/quicksight-spice-s3-athena-best-practices
Avatar for emi emiki
0
120
shake-upを科学する
Avatar for Jack rsakata
7
790
タイミーのデータモデリング事例と今後のチャレンジ
Avatar for Toshiki Tsuchikawa ttccddtoki
6
2.5k
「クラウドコスト絶対削減」を支える技術—FinOpsを超えた徹底的なクラウドコスト削減の実践論
Avatar for 株式会社DELTA delta_tech
4
180
インフラ寄りSREの生存戦略
Avatar for SansanTech sansantech
PRO
7
2.6k
CDK Toolkit Libraryにおけるテストの考え方
Avatar for Makky12 smt7174
0
120
AI エージェントと考え直すデータ基盤
Avatar for na0 na0
17
5.5k

Featured

See All Featured
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
278
23k
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
220k
Gamification - CAS2011
Avatar for David Bonilla davidbonilla
81
5.4k
It's Worth the Effort
Avatar for 3n 3n
185
28k
Navigating Team Friction
Avatar for Lara Hogan lara
187
15k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
161
15k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
29
9.6k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
281
13k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.4k
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
48
50k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
332
24k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
29
2.7k

Transcript

  1. αʔόʔϨεͳ ϚϧνςφϯτSaaSͷݖݶ؅ཧ Serverless Meetup Tokyo #10 2018/08/31 @ykarakita

  2. Profile ඦ໦ా ༤྄ʢYusuke Karakitaʣ ϋϯζϥϘגࣜձࣾʗαʔϏε։ൃνʔϜ ୲౰ɿΠϯϑϥઃܭɺAPIόοΫΤϯυ։ൃ @ykarakita

  3. ը૾Ͱ΋ͬͱɺച৔ͱͭͳ͕Δ ίϛϡχέʔγϣϯαʔϏε

  4. ϚϧνςφϯτΞϓϦέʔγϣϯ

  5. ϚϧνςφϯτΞϓϦέʔγϣϯ • ҰͭͷΞϓϦέʔγϣϯϓϥοτϑΥʔϜΛ ෳ਺ͷ૊৫Ͱڞ༗ γεςϜ ∟૊৫A ∟ϢʔβʔA ∟ϢʔβʔB ∟૊৫B ∟ϢʔβʔC

    ∟ϢʔβʔD

  6. ϚϧνςφϯτΞϓϦέʔγϣϯ Ͱߟྀ͕ඞཁͳ͜ͱ

  7. Ϛϧνςφϯτͷߟྀ఺ • ݖݶ؅ཧ • ςφϯτ؅ཧʢϓϥϯͷมߋͳͲʣ • σʔλྖҬʢσʔλ෼཭ʣ • Ϧιʔε؅ཧʢϝϞϦɺσΟεΫɺCPUͳͲʣ •

    ͳͲ

  8. ࠓ೔ͷ಺༰ αʔόʔϨεͰϚϧνςφϯτ ΞϓϦΛߏங͢Δ্Ͱͷ ݖݶ؅ཧͷϊ΢ϋ΢

  9. ϚϧνςφϯτΞϓϦͷ ݖݶ؅ཧͬͯͲΜͳײ͡ʁ

  10. Ϛϧνςφϯτͷݖݶ؅ཧ • Ϣʔβʔͷෳ਺ͷଐੑ͔ΒΞΫηεՄೳͳϦ ιʔε͕ܾఆ͢Δ ɾςφϯτ →tenant-Aɺtenant-B… ɾςφϯτͷར༻ϓϥϯ →freeɺstandardɺpremium… ɾϢʔβʔ →User-AɺUser-B…

    ɾϢʔβʔͷϩʔϧ →AdminɺUser… ɾϢʔβʔͷͦͷଞͷଐੑʢॴଐΤϦΞͳͲʣ →Area-AɺArea-B…

  11. ϚϧνςφϯτΞϓϦͷ ηΩϡϦςΟཁ݅ • ex1) σʔλ΁ͷΞΫηεͷೝՄ • tenant-Aʹଐ͢ΔϢʔβʔ͸tenant-Aͷσʔ λͷΈΞΫηε͕ڐՄ͞ΕΔ • ex2)

    API ͷೝՄ • AdminϩʔϧͷϢʔβʔ͸͢΂ͯͷAPIϦΫ Τετ͕ڐՄ͞ΕΔ͕UserϩʔϧͷϢʔβʔ ͸GETϝιουͷΈΞΫηε͕ڐՄ͞ΕΔ

  12. ͭ·ΓϚϧνςφϯτΞϓϦ͸ ɾڞ௨ͷγεςϜͷதͰ ɾϢʔβʔͷଐੑ͝ͱʹ ɾΞΫηε੍ޚ͕ඞཁ

  13. Ұൠతʹ͸ɾɾ • WebϑϨʔϜϫʔΫ΍ϛυϧ΢ΣΞϨϕϧͰ੍ޚ

  14. αʔόʔϨεͰϚϧνςφϯτɾɾ ɾɾશવࣄྫͳ͍ʘ(^o^)ʗ

  15. AWSωΠςΟϒͳΞϓϦͳΒ Cognito + IAM Ͱ࣮ݱͰ͖Δ

  16. Ϣʔβʔ΁ͷݖݶ෇༩ ϢʔβʔʹΑͬͯΞΫηεՄೳͳϦιʔε͕ҟͳΔͨΊɺ LambdaϑΝϯΫγϣϯ΁ݖݶΛ෇༩͢ΔͷͰ͸ͳ͘ɺ Ϣʔβʔࣗ਎ʹݖݶΛ෇͚Δ ݖݶ෇༩

  17. Cognito User Pool άϧʔϓͷઃఆ Cognito Tenant-A User Group Admin Group

    Billing Group tenant_a_user_role tenant_a_billing_role tenant_a_admin_role Cognito Tenant-B Cognito Tenant-C • ςφϯτ͝ͱʹUser PoolΛ࡞੒͠ɺͦͷதʹΞϓϦͰͷϩʔϧ͝ͱʹCognitoά ϧʔϓΛ࡞੒͢Δɻάϧʔϓʹ͸IAMϩʔϧΛΞλονɻ

  18. άϧʔϓͷIAMϩʔϧ tenant_a_admin_role ɹɹɹɹɹɹɹɹộ { "Action": [ "s3:GetObject" "s3:PutObject" ], "Resource":

    “arn:aws:s3:::myapp/tenant_a/*”, "Effect": "Allow" }, ɹɹɹɹɹɹɹɹộ tenant_a_user_role ɹɹɹɹɹɹɹɹộ { "Action": [ "s3:GetObject" ], "Resource": “arn:aws:s3:::myapp/tenant_a/*”, "Effect": "Allow" }, ɹɹɹɹɹɹɹɹộ ΞΫηεՄೳͳϦιʔεΛ੍ݶ ΞϓϦ಺Ͱͷϩʔϧผʹ࣮ߦՄೳͳૢ࡞Λ੍ݶ

  19. API GatewayͷೝՄ ᶃLogin with username & password ᶄReturn Token(JWT) ᶅAPI

    Request with ID Token(JWT) ᶆJWTͷ༗ޮੑΛ֬ೝʢॺ໊νΣοΫɾ༗ޮظݶνΣοΫʣ ᶇJWT͔ΒϢʔβʔͷଐੑΛऔಘ ᶈೝՄ͢ΔAPIΛܾఆ CognitoʹΧελϜଐੑͱͯ͠tierͳͲΛઃఆ͓ͯ͘͜͠ͱͰɺ ϓϥϯͳͲʹΑΔݖݶܾఆϩδοΫΛ૊ΈࠐΉ͜ͱ΋Մೳ Custom Authorizer ᶉೝՄ͞Εͨૢ࡞ͳΒ ϦΫΤετଓߦ

  20. Ϧιʔε΁ͷΞΫηε JWT Token JWT Token JWT Token Token͔ΒҰ࣌ೝূ৘ใΛੜ੒ Ұ࣌ೝূ৘ใΛ࢖ͬͯΞΫηε ίϯϐϡʔτࣗ਎ͷϩʔϧʹ͸S3΁ͷΞΫηεݖݶΛ෇༩͍ͯ͠ͳ͍

    ͢΂ͯͷϦιʔεΞΫηεΛϢʔβʔʹ෇༩͞ΕͨϩʔϧΛ࢖ͬ ࣮ͯߦ͢Δ͜ͱͰΠϯϑϥϨϕϧͰͷΞΫηε੍ޚ͕Մೳʹ

  21. "1*(BUFXBZ 4FSWJDF" 4FSWJDF# 4FSWJDF$ ϚΠΫϩαʔϏεͰಈ͍ͯ·͢ • Shared API Gateway •

    API GatewayͱΧελϜΦʔιϥΠβʔΛαʔ Ϗεڞ௨Ͱ࢖༻

  22. ϚΠΫϩαʔϏεؒͷ΍ΓͱΓ͸Πϕϯτ υϦϒϯ • αʔόʔϨεͷϙςϯγϟϧΛ࠷େݶʹҾ͖ग़͢ ͨΊʹ͸ΠϕϯτυϦϒϯͳΞʔΩςΫνϟ͕࠷ ద 4FSWJDF" Pub Sub SNS

    Topic 4FSWJDF# Pub SNS Topic ඇಉظͰૄ݁߹ͳΞʔΩςΫνϟ✨✨ඒ͍͠ɾɾ

  23. 4FSWJDF" ΠϕϯτυϦϒϯ • αʔϏεؒͰ࿈ܞ͕ඞཁͳ৔߹͸ඇಉظతʹॲཧ͢Δ • ଞͷαʔϏεͷσʔλ͕ඞཁ৔߹͸ɺऔಘଆ͕੹೚Λ࣋ͬͯ Sub͢Δ • Πϕϯτσʔλͷઃܭ͸ࣄલʹ͔ͬ͠Γ΍Βͳ͍ͱޙʑେม 4FSWJDF#

    4FSWJDF$ Pub Pub Pub Sub Sub SNS Topic

  24. 4FSWJDF" ͔͠͠ɺ 4FSWJDF# 4FSWJDF$ Pub Pub Pub Sub Sub SNS

    Topic ͲͷLambdaϑΝϯΫγϣϯ΋ϦιʔεΞΫηεݖݶΛ࣋ͨͳ͍

  25. IDτʔΫϯΛҾ͖ͣΓճ͢ 4FSWJDF" 4FSWJDF# Pub Pub Sub JWT Token • Πϕϯτσʔλʹ͸ඞͣIDτʔΫϯΛؚΊΔ

    • Ͳ͜·Ͱ΋Ҿ͖ͣΓճ͢ • τʔΫϯͷ༗ޮظݶʹ஫ҙ͢Δʢ̍࣌ؒʣ JWT Token