Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Authz

machu
July 29, 2020

 Authz

社内勉強会用

machu

July 29, 2020
Tweet

More Decks by machu

Other Decks in Technology

Transcript

  1. ࣮૷Λߟ͑ͯΈΔ • ೝূ • ϩάΠϯ੒ޭͨ͠ΒτʔΫϯΛฦ͢ • ͦΕͧΕͷAPI͸τʔΫϯ͕ਖ਼ৗͳΒޙଓͷॲཧΛڐՄ͢ Δ • ͜͜ʹೝՄΛ࣮૷͢Δͱͨ͠Βʁ

    • (Ϣʔβʔ|ϩʔϧ)ݻ༗ͰڐՄ͍ͨ͠ΞΫγϣϯ͸ΦϖϨʔ λʔID΍ϩʔϧIDͱඥ෇͚ͯϗϫΠτϦετ/ϒϥοΫϦ ετͰอଘ͠ɺAPIͷॲཧͷલఏ৚݅ͱ͢Δ
  2. ࣮૷Λߟ͑ͯΈΔ • ೝূ • Ϣʔβʔ͸APIΩʔΛ࡞ΕɺͦΕΛ౉ͤ͹ࣗ෼ͷID/PassΛڞ༗ͤͣͱ΋ࣗ෼ ͷ࣋ͭݖݶΛҕৡͰ͖Δ • APIΩʔͷೝূ͸ߦ͏(firebaseͰ΍ͬͯ·͢Ͷ) • APIΩʔ͸ిंͷ੾ූͷΑ͏ͳ΋ͷɻ੾ූΛങͬͨਓ͸֬ೝ͠ͳ͍͚Ͳ੾

    ූ͸֬ೝ͢Δ • ೝՄ • લड़ͷϢʔβʔ΍ϩʔϧʹඥ͚ͮͯͷೝՄॲཧ࣮૷Λߦ͏ͱڽू౓ͷ௿͍࣮ ૷ʹͳΔͷ͕ΠϝʔδͰ͖ΔͩΖ͏͔ɾɾɾ • લड़ͷ࣮૷ͩͱɺ੾ූͷ֬ೝΛߦ͍͍ͨͷʹɺ੾ූͷൃߦऀ·ͰͨͲΔ͜ ͱʹͳͬͯ͠·͏ɻ
  3. RBAC ʢRole-Based Access Controlʣ ▪ͲΜͳ΍ͭʁ □ ϩʔϧΛׂΓৼΔ΍ͭ ▪Pros □ υϝΠϯݴޠͱϚονͤ͞΍͍͢

    □ ACLΑΓࡉ੍͔͍ޚ͕Մೳ ▪Cons □ Role explosion ίϯςΩετAͰ͸ϩʔϧAɺίϯςΩετBͰ͸ϩʔϧBͳͲɺ ෳࡶ౓΍ߋʹࡉ੍͔͍ޚ͕ͨ͘͠ͳΔͱϩʔϧ͕૿͑͗ͯ͢ഁ୼͢Δ ʢRoleAʹActionAΛ௥Ճ͍͚ͨͩ͠ͳͷʹ৽ͨͳϩʔϧΛ࡞੒͢Δ౳…) □ ໾ׂʹറΒΕ͗͢Δ Ұ࣌తͳݖݶ΍ɺϢʔβʔͷଐੑ΍ΞΫγϣϯͳͲʹΑͬͯॊೈʹݖݶ෇༩͢Δ͜ͱ͕೉͍͠ ʢࣄલʹϩʔϧΛ༻ҙ͠ͳ͍ͱ͍͚ͳ͍ͷͰ)
  4. AttachedPolicy • AccountId + AccountʹׂΓ౰ͯΒΕͨϙϦγʔͷϦετ Λ΋ͭAuthzίϯςΩετͷू໿ • Account͸ID + AccountType

    ͔Β੒ΓɺOperator,API Key౳ͷPrincipalΛಉ͡ܕͰ؅ཧͰ͖ΔͷͰݖݶΛಉ͡ σʔλߏ଄ͰҰݩతʹ؅ཧ͢Δ͜ͱ͕Ͱ͖Δ
  5. PermissionReason • ݖݶ͕෇༩͞Εͨཧ༝(༝དྷ) • ※ྫɿ • CloudSignͰܖ໿Λ݁Μͩ • खಈͰҰ࣌తʹ෇༩ͨ͠ •

    τϥΠΞϧͰظؒݶఆ෇༩౳ • ͜Ε͸ίϯςΩετ͝ͱʹϞδϡʔϧΛ੾Δ൑அΛԼͨ͠ γεςϜಛ༗ͷ͋ͬͨ΄͏͕ྑ͍৘ใͱ͍͑Δ͔΋ • ڽूੑΛߴΊΔͨΊʹ͜ͷ৘ใ͕ඞਢ
  6. ݖݶͱݖݶ෇༩ཧ༝ͷ ϛεϚον • - ଟॏ՝ۚ͸໰୊͕͋Δ৔߹͕ଟ͍ͷͰϢʔβʔ΁௨஌͢Δඞཁ͕͋Δ • - ଟॏݖݶ͸໰୊ͳ͍έʔε΋ଟʑ͋ΔʢτϥΠΞϧͱຊܖ໿͕͔Ϳͬͯͯ΋ผʹྑ͍ΑͶతͳ) • -

    AuthzͷReasonͰଟॏݖݶΛ؅ཧ͠ɺPaymentͰଟॏ՝ۚΛ؅ཧ͢ΔɻೝՄΛ෼཭ͯ͠ͳ͔ͬͨ ΓɺReason͕ͳ͔ͬͨΓ͢Δͱ͜͜ͷ۠ผ͕೉͍͠ • - ҙࣝ͠ͳ͍͜ͱʹΑΔརศੑ΋͋Δ͸͋ΔͷͰɺ • ҙࣝ͠ͳ͍͜ͱʹΑΔརศੑྫ • ͱΓ͋͑ͣࡶʹݖݶΛফ͍ͨ͠έʔε • ෳ਺ͷखஈͰ՝ۚ͞Ε͍ͯΔ৔߹ͷΈΤϥʔʹ͢ΔɻτϥΠΞϧ+1ͭͷ՝ۚखஈͷ৔߹͸྆ ํফ͢ɻτϥΠΞϧͷΈ|1ͭͷ՝ۚखஈͷΈͷ৔߹΋ফ͢౳ͷཁ݅) • ͷΑ͏ʹɺ݁ہࡶʹ͸ফͤͳ͍ͷͰҙࣝ͢Δ͔ɺΤϥʔέʔεΛࣺͯΔ͔ʹͳΔɻ
  7. ίʔυ sealed abstract class AuthzIO[A] {} // support case class

    ShowPolicy(principal: AccountId) extends AuthzIO[AttachedPolicy] // manage case class AddPolicy(principal: AccountId, policy: Policy) extends AuthzIO[AttachedPolicy] case class AddPolicies(principal: AccountId, policies: Seq[Policy]) extends AuthzIO[AttachedPolicy] case class RemovePolicy(principal: AccountId, policy: Policy) extends AuthzIO[AttachedPolicy] case class RemovePolicies(principal: AccountId, policies: Seq[Policy]) extends AuthzIO[AttachedPolicy] // request case class RequestPolicy(principal: AccountId, actionSeq: Seq[Action]) extends AuthzIO[Unit] case class RequestPolicyToResource( principal: AccountId, principalActionSeq: Seq[Action], // ࢦఆͨ͢͠΂ͯͷΞΫγϣϯʹର͠ɺ resourceSeq: Seq[Resource], // ର৅ͷresource͕ڐՄ͞Εͯͳ͚Ε͹NGͱ͢Δ resourceAllowedActionSeq: Seq[Action] ) extends AuthzIO[Unit] // requestBool case class RequestBoolPolicy(principal: AccountId, actionSeq: Seq[Action]) extends AuthzIO[Boolean] case class RequestBoolPolicyToResource( principal: AccountId, principalActionSeq: Seq[Action], // ࢦఆͨ͢͠΂ͯͷΞΫγϣϯʹର͠ɺ resourceSeq: Seq[Resource], // ର৅ͷresource͕ڐՄ͞Εͯͳ͚Ε͹NGͱ͢Δ resourceAllowedActionSeq: Seq[Action] ) extends AuthzIO[Boolean]
  8. ࢖͍ํΠϝʔδᶃ • RequestBoolΛෳ਺ύλʔϯ࣮ߦͯ݁͠ՌΛ߹੒ͯ͠΋Α͠ • requestBool͸booleanΛฦ͢ͷͰෳ਺ͷ݁ՌΛ෼ղͯ͠νΣοΫͯ͠΋OK(൒؀ͷදݱྗΛ ࣋ͭ(Bool୅਺͸൒؀) • ৄ͘͠͸ ͷهࣄΛࢀর •

    https://www.slideshare.net/oarat/ss-55487535 • ൒؀͸ෛݩ(ϚΠφε)͕ͳͯ͘Ճ๏+৐๏ͷ͋Δू߹ͷ͜ͱͰɺཁ͸ॱ൪Λม͑ͯ΋݁ՌมΘ ΒΜΑͶɻҙຯͰଊ͑Δͱྑ͍(Ϋιͬ͘͟ΓͰ͝ΊΜͳ͍͞) • request͸BooleanΛ͍͍ͪͪ൑ఆ͢Δͷ͕໘౗ͳέʔε΋ଟ͍ͷͰUnitΛฦ͠ɺfalseͷ৔߹͸ Either.leftΛEffʹಥͬࠐΜͰฦͯ͘͠ΕΔͷͰ݁Ռͷ߹੒͕ෆཁͳ৔߹͸͜ΕΛ࢖͏ • ShowͰPolicyҾͬு͖֤ͬͯͯίϯςΩετͰࡉ͔͍ॲཧͯ͠΋Α͠ʢ͋·Γ૝ఆ͸͍ͯ͠ͳ͍) • enforce(σʔλͷϑΟϧλ౳)͸ɺAuthzIOʹRepository౉ͯ͠InterpreterͰϑΟϧλͰ͖ΔΑ͏ ʹ͢Δͷ΋ߟ͕͑ͨந৅౓ߴ͘ͳΓ͗͢Δׂʹ࢖͍ʹ͍͘͠ɺΧόʔͰ͖Δ༻్΋ڱ͘ͳΓͦ͏ ͩͬͨͷͰɺΘ͔Γ΍֤͘͢ίϯςΩετͷDomainServiceͰrequestͷ݁ՌΛݩʹϑΟϧλ͢Δ ͷ͕ྑ͍ͱ൑அͨ͠ɻ
  9. ൒؀ͱଋ • ଋ͸ScalaͷܕͷAny <-> Nothing ΛΠϝʔδ͢Ε͹OK • ࢝఺ͱऴ఺͕ܾ·͓ͬͯΓɺͦͷؒͷͲΕ͔ʹܕ͸ଐ͢Δ • ݖݶΛ͜ͷߏ଄Ͱදݱ͢Δͱɺ͋ΒΏΔ૊Έ߹ΘͤΛܕʹམͱ͢ඞཁ͕͋Γɺexplosion͢Δ

    ʢݱঢ়͸ɺEgsAndTOEIC, EgsAndBiz, EgsAndPersonalCoachͳͲΛbitԋࢉΆ͘ѻͬͯΔͷ Ͱগ͠Ϛγ͕ͩɺ͜ΕʹҰͭҰͭܕΛ͚ͭΔͱ͖ͼ͍͠) • ൒؀͸BooleanΛΠϝʔδ͢Ε͹OK(Booleanͱ४ಉܕͰ͋ΔɻBool؀) • ධՁ͢Δॱ൪Λม͑ͯ΋݁Ռ͸มΘΒͳ͍ • ࿨ͱੵͷ2ͭͷԋࢉΛ΋ͭू߹Ͱɺަ׵,݁߹,෼഑ͷଇΛຬͨ͢ • A = (true && false) => false • B = (false || true) => true • C = A && B = false • A,Bʹग़ͯ͘Δɺtrue,falseΛͲ͏ೖΕସ͑ͯ΋Cͷ݁Ռ͸มΘΒͳ͍ΑͶΈ͍ͨͳ͜ͱ͕ݴ͍͍ͨ (Ϋιͬ͘͟ΓͰ͝ΊΜͳ͍͞) • ݖݶ͸৭ΜͳཁૉΛߟྀ͢Δඞཁ͕͋Δ͔Β͜ͷߏ଄͕ࢫ͍
  10. • ೝূͱೝՄ͸෼཭͠ͳ͍ͱෳࡶͳཁ݅Λ࣮ݱ͢Δࡍʹ௧ΈΛ൐͏ • ೝՄํࣜ͸ABACΛ࠾༻ • Authz͸൒؀ߏ଄Λ࠾༻ͯ͠Δͧ(ܕϨϕϧʹΤϯίʔυ͸ͯ͠ͳ͍) • enforce͸domainServiceͰrequest/requestBoolΛ࢖࣮ͬͯ૷ͯ͠ ͍ͧ͘ •

    ϑϩϯτͰ΋ݖݶͰϋϯυϦϯά͍ͨ͠έʔε͸͋ΔͷͰɺͲΜͳ ܗͰฦ͔͢͸૬ஊ͍ͨ͠(isAnalysis=true,Έ͍ͨͳͷΛແݶʹ૿΍ ͯ͠΋͍͍͠ɺshowPolicyͰऔΕΔ݁ՌΛͦͷ··౉ͯ͠΋OK)ɹ • ͜ͷهࣄ࠷ߴͳͷͰಡΉͱྑ͍ • https://kenfdev.hateblo.jp/entry/2020/01/13/115032