SSO in a microservice architecture. We use Keycloak. Part #1

In any large company, and X5 Retail Group is no exception, the number of projects that require user authorization grows as the company grows. Over time, seamless transitions of users from one application to another become necessary, and at that point a single Single-Sign-On (SSO) server is needed. But what if identity providers such as AD, or others that lack additional attributes, are already in use in different projects? A class of systems called "identity brokers" comes to the rescue. Its most functional representatives are Keycloak, Gravitee Access Management and others. In general, usage scenarios can differ: machine-to-machine interaction, user participation, and so on. The solution must be flexible and scalable so that all requirements can be combined in a single instance, and for such solutions our company currently uses the identity broker Keycloak.


Keycloak is an open source identity and access management product maintained by Red Hat. It is the basis of the company's commercial SSO product, RH-SSO.

Basic concepts

Before dealing with solutions and approaches, you need to settle on the terminology and the sequence of processes:


Identification is the process of recognizing a subject by its identifier (in other words, determining a name, login or number).

Authentication is the verification procedure (a user is checked by password, a letter is checked by its digital signature, etc.).

Authorization is the granting of access to a resource (for example, to e-mail).

Identity Broker Keycloak

Keycloak is an open source identity and access management solution designed for use in information systems where microservice architecture patterns can be applied.

Keycloak offers features such as single sign-on (SSO), identity brokering and social login, user federation, client adapters, an admin console and an account management console.

Core functionality supported by Keycloak:

  • Single Sign-On and Single Sign-Out for browser applications.
  • OpenID Connect / OAuth 2.0 / SAML support.
  • Identity Brokering - authentication via external OpenID Connect or SAML identity providers.
  • Social Login - support for user authentication through Google, GitHub, Facebook, Twitter.
  • User Federation - synchronization of users from LDAP and Active Directory servers and other identity providers.
  • Kerberos bridge - automatic user authentication using a Kerberos server.
  • Admin Console - unified management and configuration through a web interface.
  • Account Management Console - self-service management of user profiles.
  • Theming of the solution according to the corporate identity.
  • 2FA Authentication - TOTP/HOTP support using Google Authenticator or FreeOTP.
  • Login Flows - user self-registration, password recovery and reset, and more.
  • Session Management - administrators can manage user sessions from a single place.
  • Token Mappers - bind user attributes, roles and other required attributes to tokens.
  • Flexible policy management at the realm, application and user level.
  • CORS Support - client adapters have built-in CORS support.
  • Service Provider Interfaces (SPI) - a large number of SPIs that allow you to customize various aspects of the server: authentication flows, identity providers, protocol mappers, etc.
  • Client adapters for JavaScript applications, WildFly, JBoss EAP, Fuse, Tomcat, Jetty, Spring.
  • Support for any application that uses an OpenID Connect Relying Party library or a SAML 2.0 Service Provider library.
  • Extensible using plugins.

For CI/CD processes, as well as for automating administration in Keycloak, the REST API / Java API can be used. Documentation is available online:

REST API https://www.keycloak.org/docs-api/8.0/rest-api/index.html
Java API https://www.keycloak.org/docs-api/8.0/javadocs/index.html

Enterprise Identity Providers (On-Premise)

Users can be authenticated through User Federation services.


Pass-through authentication can also be used: if users are already authenticated on their workstations with Kerberos (LDAP or AD), they can be authorized in Keycloak without entering their username and password again.

For authentication and subsequent authorization of users, it is possible to use a relational DBMS, which is most applicable to development environments, since it does not require lengthy configuration and integration in the early stages of a project. By default, Keycloak uses a built-in DBMS to store settings and user data.

The list of supported DBMS is extensive and includes MS SQL, Oracle, PostgreSQL, MariaDB and others. The most tested to date are Oracle 12C Release 1 RAC and a Galera 3.12 cluster for MariaDB 10.1.19.

Identity providers - social login

Login via social networks can be used. To enable user authentication through them, use the Keycloak admin console. No changes to the application code are required; this functionality is available out of the box and can be enabled at any stage of the project.


OpenID Connect / SAML identity providers can also be used for user authentication.

Typical authorization scenarios using OAuth2 in Keycloak

Authorization Code Flow - used by server-side applications. It is one of the most common authorization grant types because it is well suited to server applications where the application source code and client credentials are not accessible to outsiders. The process in this case is based on redirection. The application must be able to interact with the user agent, such as a web browser, in order to receive the authorization code that the API routes through the user agent.

Implicit Flow - used by mobile or web applications (applications running on the user's device).

It is an authorization grant type used by mobile and web applications where client confidentiality cannot be guaranteed. The implicit grant type also uses user agent redirection, whereby the access token is passed to the user agent for further use in the application. This makes the token available to the user and to other applications on the user's device. This grant type does not authenticate the application's identity, and the process itself relies on the redirect URL (registered with the service beforehand).

Implicit Flow does not support refresh tokens.

Client Credentials Grant Flow - used when the application itself accesses the API. This authorization grant type is typically used for server-to-server interactions that must be performed in the background without immediate user interaction. The client credentials grant flow allows a web service (a confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. For a higher level of security, the calling service can use a certificate (instead of a shared secret) as its credential.

The OAuth2 specification is described in:
  • RFC 6749
  • RFC 8252
  • RFC 6819

JWT tokens and their advantages

JWT (JSON Web Token) is an open standard (https://tools.ietf.org/html/rfc7519) that defines a compact and self-contained way to securely transmit information between parties as a JSON object.

According to the standard, the token consists of three base64-encoded parts separated by dots. The first part is called the header; it contains the token type and the name of the hashing algorithm used to obtain the digital signature. The second part stores the main information (user, attributes, etc.). The third part is the digital signature.

Never store a token in your DB. Because a valid token is equivalent to a password, storing the token is the same as storing the password in plain text.

Access token - a token that gives its holder access to protected server resources. It usually has a short lifetime and can carry additional information, such as the IP address of the party requesting the token.

Refresh token - a token that allows clients to request new access tokens after the previous ones have expired. These tokens are usually issued for a long period.

The main benefits of using JWT in a microservice architecture:

  • Access to different applications and services through a single authentication.
  • When the user profile lacks the required attributes, the payload can be enriched with additional data, including automatically and on the fly.
  • There is no need to store information about active sessions; the server application only needs to verify the signature.
  • More flexible access control by adding attributes to the payload.
  • Signing the token header and payload increases the security of the solution as a whole.

JWT token - structure

Header - by default, the header contains only the token type and the algorithm used for signing.

The token type is stored in the "typ" key. A key named "type" is ignored in JWT. If the "typ" key is present, its value must be JWT to indicate that this object is a JSON Web Token.

The second key, "alg", defines the algorithm used to sign the token. It must be set to HS256 by default. The header is base64 encoded.

{ "alg": "HS256", "typ": "JWT" }
Payload (contents) - the payload stores any information that needs to be verified. Each key in the payload is known as a "claim". For example, suppose the application can only be entered by invitation (a closed promo). When we want to invite someone to participate, we send them an invitation letter. It is important to check that the e-mail address belongs to the person accepting the invitation, so we put this address in the payload, storing it in the "email" key.

{"email": "[email protected]"}

Payload keys can be arbitrary. However, there are a few reserved ones:

  • iss (Issuer) - identifies the application from which the token is sent.
  • sub (Subject) - defines the subject of the token.
  • aud (Audience) - an array of case-sensitive strings or URIs that lists the recipients of this token. When the receiving party receives a JWT with this key, it must check that it is present among the recipients; otherwise the token must be rejected.
  • exp (Expiration Time) - indicates when the token expires. The JWT standard requires its implementations to reject expired tokens. The exp key must be a unix timestamp.
  • nbf (Not Before) - a unix timestamp that defines the moment from which the token becomes valid.
  • iat (Issued At) - this key represents the time the token was issued and can be used to determine the age of the JWT. The iat key must be a unix timestamp.
  • jti (JWT ID) - a case-sensitive string that defines a unique identifier for this token.

It is important to understand that the payload is not transmitted in encrypted form (although tokens can be nested, and it is possible to transmit encrypted data that way). Therefore, it must not store any secret information. Like the header, the payload is base64 encoded.

Signature - once we have the header and the payload, we can compute the signature.

The base64-encoded header and payload are taken and joined into a single string with a dot. Then this string and the secret key are fed into the signing algorithm specified in the header (the "alg" key). The key can be any string. Longer strings are preferable, since they take longer to brute-force.

{"alg":"RSA1_5","enc":"A128CBC-HS256"}
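As an added example, not code from the article or from the Keycloak project, the following Python script builds an HS256 JWT exactly as described above (base64url header and payload joined by a dot, HMAC-SHA256 over that string) and then verifies it the way a resource server should: the algorithm is pinned by the verifier, the signature is compared in constant time, and the reserved exp, nbf and aud claims are enforced. The secret and all claim values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HMAC secret (use a long random value in practice).
SECRET = b"example-shared-secret-replace-with-a-long-random-value"

def b64url(data: bytes) -> str:
    # JWT parts use base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(payload: dict, secret: bytes = SECRET) -> str:
    # "header.payload" is the signing input; HMAC-SHA256 over it protects both parts.
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, audience: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims if the token is valid for `audience`, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the verifier decides which algorithm is acceptable, never the token.
    if header.get("alg") != "HS256" or header.get("typ", "JWT") != "JWT":
        raise ValueError("unexpected alg or typ")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    # Reserved claims: exp/nbf are unix timestamps (a missing exp is rejected), aud may be a string or list.
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("audience mismatch")
    return claims
```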

Building a Keycloak failover cluster architecture

When a single cluster is used for all projects, the requirements for the SSO solution increase. While the number of projects is small, these requirements are not noticeable to any of them; however, as the number of users and integrations grows, so do the requirements for availability and performance.

The increased risk of failure of a single SSO raises the requirements for the solution architecture and for the methods used to make components redundant, and leads to a very strict SLA. For this reason, during development or the early stages of solution implementation, projects often have their own non-fault-tolerant infrastructure. As development progresses, it is necessary to build in the possibility of growth and scaling. The most flexible option is to build a failover cluster using container virtualization or a hybrid approach.

To work in Active/Active and Active/Passive cluster modes, data consistency in the relational database must be ensured: both database cluster nodes must be replicated between different geo-distributed data centers.

The simplest example of a fault-tolerant installation.


The benefits of using a single cluster:

  • High availability and performance.
  • Support for operating modes: Active/Active, Active/Passive.
  • Dynamic scaling - when using container virtualization.
  • Centralized management and monitoring.
  • A unified approach to identification / authentication / authorization of users across projects.
  • Transparent interaction between different projects without user involvement.
  • The ability to reuse a JWT token across different projects.
  • Single point of trust.
  • Faster launch of projects using microservices / container virtualization (no need to bring up and configure additional components).
  • Commercial support can be purchased from the vendor.

What to consider when planning a cluster

DBMS

Keycloak uses a database management system to store realms, clients, users, etc.
A wide range of DBMS is supported: MS SQL, Oracle, MySQL, PostgreSQL. Keycloak ships with its own built-in relational database. It is recommended only for lightly loaded environments, such as development environments.

To work in Active/Active and Active/Passive cluster modes, data consistency in the relational database is required, and both database cluster nodes are replicated between data centers.

Distributed cache (Infinispan)

For the cluster to work correctly, the following cache types must additionally be synchronized using JBoss Data Grid:

Authentication sessions - used to store data during the authentication of a specific user. Requests to this cache usually involve only the browser and the Keycloak server, not the application.

Action tokens - used for scenarios where the user needs to confirm an action asynchronously (via e-mail). For example, during the forgot-password flow, the ActionTokens Infinispan cache stores metadata about the action tokens that have already been used, so that they cannot be reused.

Caching and invalidation of persistent data - used to cache persistent data and avoid unnecessary queries to the database. When any Keycloak server updates data, all other Keycloak servers in all data centers must learn about it.

Work - used only to send invalidation messages between cluster nodes and data centers.

User sessions - used to store data about active user sessions for the duration of the user's browser session. This cache must handle HTTP requests from both the end user and the application.

Brute force protection - used to track data about failed logins.

Load balancing

The load balancer is the single entry point to Keycloak and must support sticky sessions.

Application Servers

They are used to manage the interaction of components with each other and can be virtualized or containerized using existing automation tools and dynamic infrastructure scaling tools. The most common installation scenarios are OpenShift, Kubernetes and Rancher.

This concludes the first, theoretical part. The next part of the article will cover examples of integration with various identity providers and configuration examples.

Source: www.habr.com
