Дмитрий Хоревич (Dmitry Khorevich) "Cloud native security with UAA \ How to protect...
About me
● Java developer since 2008
● Works for Altoros Development
● Loves mountain biking and jogging
Agenda
1. Authentication in monolithic applications vs microservices
2. Introduction to OAuth 2.0
3. Cloud Foundry User Account and Authentication (UAA) Server
4. How we use UAA in our project
5. Q&A
Base definition
● Authentication
● Authorization
● Session
● Token
A Traditional Service
With Traditional Subsystem
and traditional scalability
A microservice
Many microservices
Scaling microservices
So what’s the problem?
Securing a traditional service
So for microservices that would mean
How to solve?
● Basic authentication
● SAML
● OAuth
Let's talk about OAuth
It’s not for Authentication
…and not for Authorization
OAuth is a scalable delegation protocol
History
● OAuth started around November 2006, while Blaine Cook was working on the
Twitter OpenID implementation.
● In April 2007, a Google group was created with a small group of implementers
to write a proposal for an open protocol.
● In July 2007 the team drafted an initial specification and the group was
opened to anyone interested in contributing.
OAuth 2.0
+ Designed to simplify the creation of client applications
+ Token retrieval is simplified
+ Scalability is better
- Not backward compatible with OAuth 1.0
OAuth Roles
OAuth defines four roles:
● Resource Owner (User)
● Client
● Resource Server
● Authorization Server
OAuth2 workflow
OAuth2 grant type
● Authorization Code (web apps)
● Implicit (browser-based and mobile apps)
● Resource Owner Password Credentials (user / password)
● Client Credentials (application)
● Refresh Token
About UAA
● User Account and Authentication server
● Secures all CF components
● OAuth2 and OpenID Connect
● SCIM API for user management in the internal user database
● Integration with SAML and LDAP
● OAuth2 client registration API
UAA for Cloud Native Security
● In CF there is more to security than just UAA
○ Network security / security groups
○ Cross-container traffic / trusted workloads
○ End-to-end TLS
● UAA is for application-level security
You want to secure your apps
Example:
● You want to host your API application on Cloud Foundry
● It will be accessed by a web app hosted on CF
● It will be accessed through a mobile app as well
Perfect! Use UAA
UAA
– Client for web app -> Authorization Code
– Client for mobile app -> Implicit
– API app token verification
UAA end user
● SpaceDevelopers, OrgManagers
○ Platform users, no problem
● Sales guy
○ Not a platform user, problem
The Principle of Least Privilege
● You (or the application, process, module, etc.) should have the minimum level
of access required to perform your job
● The sales guy should not have been added to the platform UAA
Solutions
● Create your own authorization server
● Deploy your own UAA
Deploy your own UAA
● cf push cloudfoundry-identity-uaa.war
● Yaml config
● Bootstrap users
● Provision DB
● Do the above manually, or as part of a Bosh deployment
Running your own UAA
Pros:
● Principle of least privilege
○ Systems secured by your UAA cannot affect systems secured by the platform UAA
● You can fork it
Cons:
● Overhead
● Manual upgrades
● “yak shaving” a bosh release
Solutions
● Create your own authorization server
● Deploy your own UAA
● Multitenant UAA
What is Multitenant UAA
● CF v208+
● The built-in UAA with subdomains
● A subdomain maps to an Identity Zone
● Total segregation between Identity Zones
● API for creating Identity Zones
● Existing API stays the same
Multitenant UAA
● Pros:
○ Principle of least privilege
○ API calls for creating a new tenant (aka Identity Zone)
○ Zone administrators instead of bootstrap users
● Cons:
○ Overhead
○ Manual upgrades
○ “yak shaving” a bosh release
○ You can’t fork it
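Provisioning a tenant in a multitenant UAA, as an added example that is not code from the talk or the UAA project. The endpoint paths (/identity-zones, /oauth/clients), the X-Identity-Zone-Id header and the zones.write and zones.<id>.admin scopes follow the UAA API documentation; the hostname, the tokens and the FakeUAA transport are constructed so the code runs offline, with the fake enforcing the segregation the slide describes: client registrations are namespaced per zone, a zone administrator can only touch its own zone, and creating zones needs zones.write.

```python
import json

UAA = "https://uaa.example.com"  # constructed platform UAA URL (default zone)


def create_identity_zone(send, token, zone_id, subdomain, name):
    """POST /identity-zones on the default zone; the token must carry zones.write."""
    body = json.dumps({"id": zone_id, "subdomain": subdomain, "name": name})
    return send("POST", f"{UAA}/identity-zones",
                {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}, body)


def register_zone_client(send, token, zone_id, client):
    """POST /oauth/clients routed into the zone via X-Identity-Zone-Id; needs zones.<id>.admin."""
    return send("POST", f"{UAA}/oauth/clients",
                {"Authorization": f"Bearer {token}", "Content-Type": "application/json",
                 "X-Identity-Zone-Id": zone_id}, json.dumps(client))


class FakeUAA:
    """Constructed stand-in for the HTTP transport: opaque tokens map to scopes, zones hold clients."""

    def __init__(self):
        self.tokens = {"platform-admin-token": {"zones.write"}}
        self.zones = {"uaa": {}}  # zone id -> {client_id: client}; "uaa" is the default zone

    def grant_zone_admin(self, zone_id):
        token = f"{zone_id}-admin-token"
        self.tokens[token] = {f"zones.{zone_id}.admin"}
        return token

    def __call__(self, method, url, headers, body):
        scopes = self.tokens.get(headers.get("Authorization", "")[len("Bearer "):], set())
        path, payload = url[len(UAA):], json.loads(body)
        if method == "POST" and path == "/identity-zones":
            if "zones.write" not in scopes:
                return 403, {"error": "insufficient_scope"}
            if payload["id"] in self.zones:
                return 409, {"error": "zone_already_exists"}
            self.zones[payload["id"]] = {}
            return 201, payload
        if method == "POST" and path == "/oauth/clients":
            zone = headers.get("X-Identity-Zone-Id", "uaa")
            if zone not in self.zones:
                return 404, {"error": "zone_not_found"}
            if f"zones.{zone}.admin" not in scopes and "clients.write" not in scopes:
                return 403, {"error": "insufficient_scope"}
            if payload["client_id"] in self.zones[zone]:
                return 409, {"error": "client_already_exists"}
            self.zones[zone][payload["client_id"]] = payload
            return 201, payload
        return 404, {"error": "not_found"}


def provision_two_tenants():
    """Two tenants, the same client id in each, and three cross-zone attempts that must fail."""
    uaa = FakeUAA()
    webapp = {"client_id": "webapp", "client_secret": "constructed-secret", "scope": ["openid"],
              "authorized_grant_types": ["authorization_code"],
              "redirect_uri": ["https://webapp.example.com/callback"]}
    r = {}
    r["zone_sales"] = create_identity_zone(uaa, "platform-admin-token", "sales", "sales", "Sales tenant")[0]
    r["zone_hr"] = create_identity_zone(uaa, "platform-admin-token", "hr", "hr", "HR tenant")[0]
    sales_admin, hr_admin = uaa.grant_zone_admin("sales"), uaa.grant_zone_admin("hr")
    # Same client_id in two zones does not collide: registrations are segregated per zone.
    r["sales_client"] = register_zone_client(uaa, sales_admin, "sales", webapp)[0]
    r["hr_client"] = register_zone_client(uaa, hr_admin, "hr", webapp)[0]
    # Least privilege: the sales zone admin can touch neither the hr zone nor the platform zone.
    r["cross_zone"] = register_zone_client(uaa, sales_admin, "hr", webapp)[0]
    r["platform_zone"] = register_zone_client(uaa, sales_admin, "uaa", webapp)[0]
    # And a zone admin cannot mint further zones.
    r["zone_by_zone_admin"] = create_identity_zone(uaa, sales_admin, "ops", "ops", "Ops")[0]
    return r
```

Against a real UAA the same two functions would be passed a send callable that performs the HTTP request (urllib.request or requests); the uaac client on the next slide wraps exactly these calls.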
How we use UAA in our project
Sample
One more thing... How to manage UAA:
● curl
● UAAC (gem install cf-uaac)
Resources
https://github.com/cloudfoundry/uaa
https://docs.cloudfoundry.org/api/uaa/
https://github.com/cloudfoundry/cf-uaac
https://github.com/zeremit/uaa-samples
Q&A