SSO on a microservice architecture. Using Keycloak. Part #1

In any large company, and X5 Retail Group is no exception, the number of services that require user authorization grows as the company grows. Over time, seamless transfer of users from one application to another becomes necessary, and at that point a single Single Sign-On (SSO) server is needed. But what if identity providers such as AD, or others that lack the additional attributes, are already in use on various projects? A class of systems called "identity brokers" comes to the rescue. Its most functional representatives are, for example, Keycloak and Gravitee Access Management. The usage scenarios can differ: machine-to-machine interaction, user participation, and so on. It is on one such solution that our company has now settled: Keycloak.


Keycloak is an open-source identity and access management solution maintained by Red Hat. It is the basis of the company's commercial SSO product, RH-SSO.

Basic concepts

Before dealing with the solutions and approaches, the terminology should be settled:

Identification is the procedure of recognizing a subject by its identifier (in other words, determining a name, login or number).

Authentication is the verification procedure (a user is checked by a password, a letter is checked by an electronic signature, etc.).

Authorization is the granting of access to a resource (for example, to e-mail).

Keycloak identity broker

Keycloak is an open-source identity and access management solution designed for use in information systems where microservice architecture patterns may be applied.

Keycloak provides features such as single sign-on (SSO), identity brokering and social login, user federation, client adapters, an admin console and an account management console.

Basic functions supported by Keycloak:

  • Single sign-on and single sign-out for browser applications.
  • OpenID Connect / OAuth 2.0 / SAML support.
  • Identity brokering: authentication via external OpenID Connect or SAML identity providers.
  • Social login: Google, GitHub, Facebook, Twitter support for user identification.
  • User federation: synchronization of users from LDAP and Active Directory servers and other identity providers.
  • Kerberos bridge: use of a Kerberos server for user authentication.
  • Admin console: centralized management of settings and solution parameters through a web interface.
  • Account management console: self-management of the user profile.
  • Customization of the solution to fit the corporate identity.
  • 2FA authentication: TOTP/HOTP support using Google Authenticator or FreeOTP.
  • Login flows: user self-registration, password recovery and reset, and others are possible.
  • Session management: administrators can manage user sessions from a single point.
  • Token mappers: binding of user attributes, roles and other required attributes into tokens.
  • Flexible policy management across the realm, the application and users.
  • CORS support: client adapters have built-in CORS support.
  • Service Provider Interfaces (SPI): a large number of SPIs allowing customization of various aspects of the server: authentication flows, identity providers, protocol mappers and much more.
  • Client adapters for JavaScript, WildFly, JBoss EAP, Fuse, Tomcat, Jetty, Spring.
  • Support for working with various applications that support an OpenID Connect Relying Party library or a SAML 2.0 Service Provider library.
  • Extensibility through plugins.

For CI/CD processes, as well as for automating the management of Keycloak, the REST API / Java API can be used. Documentation is available online:

REST API https://www.keycloak.org/docs-api/8.0/rest-api/index.html
Java API https://www.keycloak.org/docs-api/8.0/javadocs/index.html

Enterprise identity providers (on-premises)

Ability to authenticate users through User Federation services.


Pass-through authentication can also be used: if users authenticate against a workstation with Kerberos (LDAP or AD), they can be authenticated in Keycloak automatically, without entering their login and password again.

For authentication and further authorization of users it is also possible to use a relational DBMS, which is most applicable in development environments, since it does not involve lengthy configuration and integration at the early stages of a project. By default, Keycloak uses an embedded DBMS to store its settings and user data.

The list of supported DBMSs is extensive and includes MS SQL, Oracle, PostgreSQL, MariaDB and others. The most tested to date are Oracle 12C Release1 RAC and a Galera 3.12 cluster for MariaDB 10.1.19.

Identity providers: social login

It is possible to use login via social networks. To enable the ability to authenticate users this way, use the Keycloak admin console. No changes to the application code are required; this function is available out of the box and can be enabled at any stage of the project.


It is possible to use OpenID/SAML identity providers to authenticate users.

Authorization scenarios using OAuth2 in Keycloak

Authorization Code Flow: used with server-side applications. It is one of the most common authorization grant types because it is well suited to server-side applications, where the application's source code and client secret are not accessible to outsiders. The process is based on redirection. The application must be able to interact with a user agent, such as a browser, in order to receive the API authorization code that is passed through the user agent.

Implicit Flow: used by mobile or web applications (applications running on the user's device).

The implicit authorization grant type is used by mobile and web applications where the confidentiality of the client secret cannot be guaranteed. The implicit grant type also uses user-agent redirection, whereby the access token is passed to the user agent for further use by the application. This makes the token accessible to the user and to other applications on the user's device. This type of authorization grant does not authenticate the application's identity, and the process itself relies on the redirect URL (which was registered with the service in advance).

Implicit Flow does not support refresh tokens for access tokens.

Client Credentials Flow: used when the application itself accesses the API. This type of authorization grant is typically used for server-to-server interactions that must take place in the background without immediate user involvement. The client credentials grant allows a web service (a confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. For a higher level of security, the calling service may use a certificate (instead of a shared secret) as its credential.
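The grants described above, as an added example that is not part of the original article and not Keycloak's code: a toy in-memory authorization server in Python that implements the authorization code grant (a front-channel redirect carrying a short-lived, single-use code, then a back-channel exchange that checks the client secret and the registered redirect_uri) and the client credentials grant (no user involved, the token represents the application). The client registrations, secrets and URLs are constructed for the demo. The implicit grant is left out on purpose, in line with the text's point that it cannot protect a client secret and hands the token to the user agent.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registrations; a real server keeps these in its database.
CLIENTS = {
    "web-app": {"secret": "web-app-secret",
                "redirect_uris": ["https://app.example.com/cb"]},
    "backend-job": {"secret": "job-secret", "redirect_uris": []},
}


class AuthorizationServer:
    """Toy authorization server: authorization-code and client-credentials grants."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, user, expiry)

    def authorize(self, client_id, redirect_uri, state, user):
        """Front channel: the user (via the browser) has approved; redirect back with a code."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, user, time.time() + 60)  # 60 s lifetime
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, grant_type, client_id, client_secret, **params):
        """Back channel: the client presents its own credentials directly to the server."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        if grant_type == "authorization_code":
            entry = self._codes.pop(params.get("code"), None)  # single use: gone after this
            if entry is None:
                return {"error": "invalid_grant"}
            code_client, code_redirect, user, expiry = entry
            if (code_client != client_id or code_redirect != params.get("redirect_uri")
                    or time.time() > expiry):
                return {"error": "invalid_grant"}
            return {"access_token": secrets.token_urlsafe(32),
                    "refresh_token": secrets.token_urlsafe(32),
                    "token_type": "Bearer", "sub": user}
        if grant_type == "client_credentials":
            # No user: the token identifies the application itself.
            return {"access_token": secrets.token_urlsafe(32),
                    "token_type": "Bearer", "sub": client_id}
        return {"error": "unsupported_grant_type"}


def code_from_redirect(url):
    """What the client's callback endpoint reads out of the redirect URL."""
    return parse_qs(urlparse(url).query)["code"][0]


def run_authorization_code_flow(server, user="alice"):
    """Whole exchange for the web app; returns the first token response and a replay attempt."""
    state = secrets.token_urlsafe(8)
    redirect = server.authorize("web-app", "https://app.example.com/cb", state, user)
    if parse_qs(urlparse(redirect).query)["state"][0] != state:
        raise ValueError("state mismatch")  # callback does not belong to our request
    code = code_from_redirect(redirect)
    first = server.token("authorization_code", "web-app", "web-app-secret",
                         code=code, redirect_uri="https://app.example.com/cb")
    replay = server.token("authorization_code", "web-app", "web-app-secret",
                          code=code, redirect_uri="https://app.example.com/cb")
    return first, replay


def run_client_credentials_flow(server):
    """Background job calling an API with its own credentials."""
    return server.token("client_credentials", "backend-job", "job-secret")


if __name__ == "__main__":
    srv = AuthorizationServer()
    print(run_authorization_code_flow(srv))
    print(run_client_credentials_flow(srv))
```

The second token request with the same code fails with invalid_grant, as does an exchange that names a redirect_uri other than the one the code was issued for; both checks are what stop an intercepted code from being turned into a token.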

These flows are defined in the OAuth2 specifications.

The JWT token and its advantages

JWT (JSON Web Token) is an open standard (https://tools.ietf.org/html/rfc7519) that defines a compact and self-contained way of transferring information between parties as a JSON object.

According to the standard, the token consists of three base64-encoded parts separated by dots. The first part is called the header; it contains the token type and the name of the hashing algorithm used to produce the digital signature. The second part stores the basic information (user, attributes, etc.). The third part is the digital signature.

Do not store the token in your database. Because a valid token is equivalent to a password, storing the token is like storing a password in clear text.

An access token is a token that gives its holder access to protected server resources. It typically has a short lifetime and may carry additional information, such as the IP address of the party that requested the token.

A refresh token is a token that allows clients to request new access tokens after their lifetime has expired. These tokens are usually issued for a long period.

The main advantages of using it in a microservice architecture:

  • Ability to access different applications and services through a single authentication.
  • In the absence of a strict set of required attributes for user information, the payload can be enriched with additional data, including identifying attributes and data computed on the fly.
  • No need to store information about active sessions; the server application only needs to verify the signature.
  • More flexible access control through additional attributes in the payload.
  • Signing the token header and payload increases the security of the solution as a whole.

The JWT token: structure

Header: by default, the header contains only the token type and the algorithm used for signing.

The token type is stored in the "typ" key. The "typ" key is ignored in JWT. If the "typ" key is present, its value must be JWT to indicate that the object is a JSON Web Token.

The second key, "alg", defines the algorithm used to compute the token's signature. It should be set to HS256 by default. The header is base64-encoded.

{ "alg": "HS256", "typ": "JWT" }

Payload (content): the payload stores any information that needs to be verified. Each key in the payload is called a "claim". For example, suppose an application can be joined only by invitation (a closed promotion). When we want to invite someone to participate, we send them an invitation letter. It is important to check that the e-mail address belongs to the person who accepted the invitation, so we include this address in the payload, storing it in the "email" key (the address below is a placeholder):

{"email": "user@example.com"}

The keys in the payload can be arbitrary. However, some are reserved:

  • iss (Issuer): identifies the service from which the token is sent.
  • sub (Subject): defines the subject of the token.
  • aud (Audience): a list of case-sensitive strings or URIs listing the recipients of this token. When the receiving party receives a JWT with this key, it must check that it is among the recipients; otherwise it must reject the token.
  • exp (Expiration Time): indicates the time at which the token expires. The JWT standard requires all implementations to reject expired tokens. The exp key must be a timestamp in unix format.
  • nbf (Not Before): a unix-format timestamp that defines the time from which the token becomes valid.
  • iat (Issued At): this key represents the time at which the token was issued and can be used to determine the age of the JWT. The iat key must be a timestamp in unix format.
  • jti (JWT ID): a string defining a unique, case-sensitive identifier for this token.

It is important to understand that the payload is not transmitted in encrypted form (although tokens can be nested, and encrypted data can then be transmitted). Therefore it cannot store any secret information. Like the header, the payload is base64-encoded.

Signature: once we have the header and payload, we can compute the signature.

The base64-encoded header and payload are taken and concatenated into a string with a dot. Then this string and the secret key are fed to the signing algorithm specified in the header (the "alg" key). The key can be any string. Longer strings are better because they take longer to crack.

Header of an encrypted (JWE) token, where "enc" names the content-encryption algorithm:

{"alg":"RSA1_5","enc":"A128CBC-HS256"}

Building a Keycloak failover cluster architecture

When a single cluster is used for all projects, additional requirements arise for the SSO solution. While the number of projects is small, these requirements are not very noticeable, but as the number of users and integrations grows, the availability and performance requirements grow with them.

The higher impact of a failure of the single SSO raises the requirements for the solution architecture and for the methods used for its components, and leads to a very strict SLA. For this reason, during development or the early stages of implementation, projects usually have their own non-fault-tolerant infrastructure. As development progresses, it becomes necessary to build in room for growth and scaling. The most flexible way to build a failover cluster is container virtualization or a hybrid approach.

To work in Active/Active and Active/Passive cluster modes, data consistency in the relational database must be ensured: all database nodes must be synchronously replicated between the geo-distributed data centers.

A simple example of a fault-tolerant installation.


What are the advantages of using a single cluster:

  • High availability and performance.
  • Support for the operating modes Active/Active and Active/Passive.
  • Dynamic scaling when using container virtualization.
  • Possibility of centralized management and monitoring.
  • A unified approach to user identification/authentication/authorization across projects.
  • Transparent interaction between different projects without user involvement.
  • Ability to reuse the JWT token across different projects.
  • A single point of trust.
  • Faster project launch using microservices/container virtualization (no need to deploy and configure additional components).
  • Commercial support from the vendor can be purchased.

What to pay attention to when planning the cluster

DBMS

Keycloak uses a DBMS to store realms, clients, users, etc.
Various DBMSs are supported: MS SQL, Oracle, MySQL, PostgreSQL. Keycloak ships with its own embedded database. It is recommended for unloaded environments, such as development environments.

To work in Active/Active and Active/Passive cluster modes, data consistency in the relational database is required, and all database nodes are synchronously replicated between the data centers.

Distributed cache (Infinispan)

For the cluster to work correctly, additional synchronization of the following cache types using JBoss Data Grid is required:

Authentication sessions: used to store data during user authentication. Requests to this cache typically involve only the browser and the Keycloak server, not the application.

Action tokens: used for scenarios where the user must confirm an action asynchronously (via e-mail). For example, during the forgot-password flow the actionTokens Infinispan cache is used to track metadata about action tokens that have already been used, so that they cannot be reused.

Caching and invalidation of persistent data: used to cache persistent data to avoid unnecessary database queries. When any Keycloak server updates data, all other Keycloak servers in all data centers must learn about it.

Work: used to send invalidation messages between cluster nodes and data centers.

User sessions: used to store data about user sessions that remain valid for the duration of the user's browser session. This cache must handle HTTP requests from the end user and from the application.

Brute force protection: used to track failed login attempts.

Load balancing

The load balancer is the single entry point to Keycloak and must support sticky sessions.

Application servers

Used to control the interaction of components with each other, and can be virtualized or containerized using existing automation tools and the dynamic scaling tools of the infrastructure automation platform. The most common are OpenShift, Kubernetes and Rancher.

This concludes the first, theoretical, part. In the following articles, examples of integration with various identity providers and configuration examples will be examined.

Source: www.habr.com
