SSO on a microservice architecture. We use Keycloak. Part #1

In any large company, and X5 Retail Group is no exception, the number of projects that require user authorization grows as the company grows. Over time, users need to be moved from one application to another, and at that point a Single Sign-On (SSO) server becomes necessary. But what about the case where identity providers such as AD, or others that lack the additional attributes needed by different projects, are already in use? A class of systems called "identity brokers" comes to the rescue. The most functional representatives are Keycloak, Gravitee Access Management and others. The use cases are often different: machine-to-machine interaction, interaction with user participation, and so on. The solution must support flexible and scalable functionality that can combine all of these requirements in one place, and for such solutions our company now has an identity broker: Keycloak.


Keycloak is an open source identity and access management product maintained by Red Hat. It is the basis of the company's SSO product, RH-SSO.

Basic concepts

Before looking at solutions and approaches, the terms and the sequence of processes should be defined:


Identification is the recognition of a subject by its identifier (that is, determining a name, login or number).

Authentication is a verification procedure (a user is checked by password, a letter is checked by its electronic signature, and so on).

Authorization is the granting of access to a resource (for example, to email).

Keycloak Identity Broker

Keycloak is an open source identity and access management solution designed for use in information systems where microservice architecture patterns can be applied.

Keycloak provides features such as single sign-on (SSO), identity brokering and social login, user federation, client adapters, an administration console and an account management console.

Basic functions supported by Keycloak:

  • Single Sign-On and Single Sign-Out for browser applications.
  • OpenID Connect / OAuth 2.0 / SAML support.
  • Identity Brokering - authentication via external OpenID Connect or SAML identity providers.
  • Social Login - Google, GitHub, Facebook and Twitter support for user authentication.
  • User Federation - synchronization of users from LDAP and Active Directory servers and other identity providers.
  • Kerberos bridge - using a Kerberos server for automatic user authentication.
  • Admin Console - centralized management of settings and solution options via the web.
  • Account Management Console - self-service management of the user profile.
  • Customization of the solution according to the company's corporate identity.
  • 2FA authentication - TOTP/HOTP support using Google Authenticator or FreeOTP.
  • Login flows - user self-registration, password recovery and reset, and so on are possible.
  • Session management - administrators can manage user sessions from one place.
  • Token mappers - mapping of user attributes, roles and other required attributes into tokens.
  • Flexible policy management by realm, application and user.
  • CORS support - client adapters have built-in CORS support.
  • Service Provider Interfaces (SPI) - a large number of SPIs that allow you to customize various aspects of the server: authentication flows, identity providers, protocol mappers and more.
  • Client adapters for JavaScript applications, WildFly, JBoss EAP, Fuse, Tomcat, Jetty, Spring.
  • Support for working with various applications that support an OpenID Connect Relying Party library or a SAML 2.0 Service Provider library.
  • Extensibility with plugins.

For CI/CD processes, as well as for automation of management processes in Keycloak, the REST API / Java API can be used. Documentation is available online:

REST API https://www.keycloak.org/docs-api/8.0/rest-api/index.html
Java API https://www.keycloak.org/docs-api/8.0/javadocs/index.html

Enterprise Identity Providers (On-Premise)

The ability to authenticate users via User Federation services.


Pass-through authentication can also be used: if users authenticate to their workstations with Kerberos (LDAP or AD), they can be automatically authenticated to Keycloak without re-entering their username and password.

For authentication and further authorization of users, it is possible to use a relational DBMS, which is most suitable for development environments, since it does not involve lengthy configuration and integration at the early stages of projects. By default, Keycloak uses a built-in DBMS to store settings and user data.

The list of supported DBMSs is extensive and includes MS SQL, Oracle, PostgreSQL, MariaDB and others. The most tested so far are Oracle 12C Release1 RAC and a Galera 3.12 cluster for MariaDB 10.1.19.

Identity providers - social login

It is possible to use login from social networks. To enable user authentication, use the Keycloak admin console. No changes to the application code are required; this functionality is available out of the box and can be enabled at any stage of the project.


To authenticate users, it is possible to use OpenID/SAML identity providers.

Typical authorization scenarios using OAuth2 in Keycloak

Authorization Code Flow - used with server-side applications. This is one of the most common authorization grant types because it is well suited to server applications, where the application source code and client credentials are not exposed to outsiders. The process in this case is based on redirection. The application must be able to interact with a user agent, such as a web browser, in order to receive the API authorization codes routed through the user agent.

Implicit flow - used with mobile or web applications (applications running on the user's device).

The implicit grant type is used by mobile and web applications where the client secret cannot be kept confidential. The implicit grant type also uses user-agent redirection, whereby the access token is handed to the user agent for later use in the application. This makes the token available to the user and to other applications on the user's device. This grant type does not authenticate the identity of the application, and the process itself relies on the redirect URL (registered with the service in advance).

Implicit flow does not support refresh tokens.

Client Credentials Grant Flow - used when an application accesses an API. This grant type is typically used for server-to-server interactions that must be performed in the background without immediate user interaction. The client credentials grant flow allows a web service (a confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. For a higher level of security, the calling service can use a certificate (instead of a shared secret) as its credential.

The OAuth2 specification is described in RFC 6749, RFC 8252 and RFC 6819.

JWT tokens and their advantages

JWT (JSON Web Token) is an open standard (https://tools.ietf.org/html/rfc7519) that defines a compact and self-contained way to securely transfer information between parties as a JSON object.

According to the standard, the token consists of three base64-encoded parts separated by dots. The first part is called the header; it contains the token type and the name of the hash algorithm used to produce the digital signature. The second part stores the basic information (user, attributes, and so on). The third part is the digital signature.

Never store a token in your database. Because a valid token is equivalent to a password, storing a token is like storing a password in plain text.

An access token is a token that gives its holder access to protected server resources. It usually has a short lifetime and may carry additional information, such as the IP address of the party that requested the token.

A refresh token is a token that allows clients to request new access tokens after the old ones have expired. These tokens are usually issued for a long period.

Main advantages of use in a microservice architecture:

  • Access to different applications and services with a single authentication.
  • If the user profile lacks some required attributes, the data placed in the payload can be enriched, including automatically and on the fly.
  • No need to store information about active sessions; the server application only needs to verify the signature.
  • More flexible access control thanks to the additional attributes in the payload.
  • Signing both the header and the payload increases the security of the solution as a whole.

JWT token - composition

Header - by default, the header contains only the token type and the algorithm used to sign the token.

The token type is stored in the "typ" key. The "type" key is ignored in JWT. If the "typ" key is present, its value must be JWT to indicate that this object is a JSON Web Token.

The second key, "alg", defines the algorithm used to sign the token. It should be set to HS256 by default. The header is base64 encoded.

{"alg": "HS256", "typ": "JWT"}
Payload (content) - the payload stores any information that needs to be checked. Each key in the payload is known as a "claim". For example, suppose an application can be entered only by invitation (a closed promo). When we want to invite someone to join, we send them an invitation letter. It is important to verify that the email address belongs to the person who accepted the invitation, so we put this address in the payload; for this we store it in the "email" key:

{"email":"[email protected]"}

Keys in the payload can be arbitrary. However, some are reserved:

  • iss (Issuer) - identifies the application that issued the token.
  • sub (Subject) - identifies the subject of the token.
  • aud (Audience) - a list of case-sensitive strings or URIs that are the intended recipients of this token. When a receiving party gets a JWT with this key, it must check that it is among the recipients; otherwise it must reject the token.
  • exp (Expiration Time) - indicates when the token expires. The JWT standard requires all implementations to reject expired tokens. The exp key must be a Unix timestamp.
  • nbf (Not Before) - a Unix timestamp that defines when the token becomes valid.
  • iat (Issued At) - this key represents the time the token was issued and can be used to determine the age of the JWT. The iat key must be a Unix timestamp.
  • jti (JWT ID) - a string that defines a unique, case-sensitive identifier for this token.

It is important to understand that the payload is not encrypted (although tokens can be nested, and it is then possible to transmit encrypted data). Therefore, you must not store any secret information in it. Like the header, the payload is base64 encoded.

Signature - once we have the header and the payload, we can compute the signature.

The base64-encoded header and payload are taken and joined into one string with a dot. Then this string and the secret key are passed to the signing algorithm specified in the header ("alg"). The key can be any string. Longer strings are preferable, since brute-forcing them takes longer.

{"alg":"RSA1_5","enc":"A128CBC-HS256"}
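As an added example, not code from the article, the following Python builds an HS256 token exactly as the signature paragraph above describes (base64url header and payload joined by a dot, HMAC-SHA256 over that string) and then verifies one, applying the registered-claim rules from the list above (exp, nbf, aud) and the "typ" rule; the secret, issuer and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values for this added example (not the article's code).
SECRET = b"constructed-demo-secret-use-a-long-random-key-in-practice"
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.internal/auth/realms/demo",  # hypothetical issuer
    "sub": "user-1", "aud": ["orders-api"], "email": "alice@example.com",
    "iat": 1_700_000_000, "nbf": 1_700_000_000, "exp": 1_700_000_300,
}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()  # no '=' padding

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """header.payload.signature, where HS256 = HMAC-SHA256 over 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, secret: bytes, audience: str, now=None) -> dict:
    """Return the claims if signature and registered claims pass; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm the verifier expects; never let the token's "alg" choose the check.
    if header.get("alg") != "HS256" or header.get("typ", "JWT") != "JWT":
        raise ValueError("unexpected header")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")          # verified before the payload is trusted
    claims = json.loads(b64url_decode(p64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")          # exp is required and must be in the future
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("audience mismatch")      # the recipient must find itself in aud
    return claims
```

Note that the payload is only base64url encoded, so `b64url_decode(p64)` reveals it to anyone holding the token, which is why no secrets belong in it.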

Building a Keycloak cluster architecture

When a single cluster is used for all projects, the SSO solution faces additional requirements. When the number of projects is small, these requirements are not significant for any of them; however, as the number of users and integrations grows, so do the requirements for availability and performance.

The growing risk of a single SSO failure raises the requirements for the solution architecture and for the methods used to make components redundant, and leads to a very strict SLA. Because of this, during development or the early stages of implementation, projects often have their own non-fault-tolerant infrastructure. As development progresses, the ability to grow and scale must be built in. The most flexible way to build a fault-tolerant cluster is container virtualization or a hybrid approach.

To operate in Active/Active and Active/Passive cluster modes, data consistency in the relational database must be ensured: both database nodes must be replicated synchronously between the different geo-distributed data centers.

The simplest example of a fault-tolerant installation.


What are the advantages of using a single cluster:

  • High availability and performance.
  • Support for the operating modes Active/Active and Active/Passive.
  • Dynamic scaling - when using container virtualization.
  • Centralized management and monitoring.
  • Unified identification / authentication / authorization of users across projects.
  • More transparent interaction between different projects without user involvement.
  • The possibility of reusing a JWT token across different projects.
  • A single point of trust.
  • Faster project launches thanks to microservice / container solutions (no need to deploy and configure additional components).
  • Commercial support can be purchased from the vendor.

What is required when planning a cluster

DBMS

Keycloak uses a database management system to store realms, clients, users and so on.
A number of DBMSs are supported: MS SQL, Oracle, MySQL, PostgreSQL. Keycloak ships with its own built-in relational database. It is recommended only for unloaded environments, such as development environments.

To operate in Active/Active and Active/Passive cluster modes, data consistency in the relational database must be ensured, and both nodes of the database cluster must be synchronized between the data centers.

Distributed cache (Infinispan)

For the cluster to work correctly, the following cache types must additionally be synchronized using JBoss Data Grid:

Authentication sessions - used to store data while a specific user is being authenticated. Requests to this cache usually involve only the browser and the Keycloak server, not the application.

Action tokens are used for scenarios where the user has to confirm an action asynchronously (via email). For example, during the forgot-password flow, the actionTokens Infinispan cache keeps metadata about action tokens that have already been used, so that a token cannot be used a second time.

Caching and invalidation of persistent data - used to cache persistent data in order to avoid unnecessary database queries. When any Keycloak server updates data, all other Keycloak servers in all data centers must learn about it.

Work - used only to send invalidation messages between cluster nodes and data centers.

User sessions - used to store data about user sessions, which remain valid for the duration of the user's browser session. This cache must handle HTTP requests from both the end user and the application.

Brute force protection - used to track data about failed logins.

Load balancing

The load balancer is the single entry point to Keycloak and must support sticky sessions.

Application servers

They are used to control the interaction of components with each other and can be virtualized or containerized using existing automation and autoscaling tools of the infrastructure management platform. The most common deployment scenarios are OpenShift, Kubernetes and Rancher.

This concludes the first, theoretical part. The following articles in the series will look at examples of integration with various identity providers and configuration examples.

source: www.habr.com
