SSO in a microservice architecture. Using Keycloak. Part #1

In any large company, and X5 Retail Group is no exception, the number of projects that require user authorization grows as the company develops. Over time, seamless transition of users from one application to another becomes necessary, and so a single Single Sign-On (SSO) server is needed. But what if identity providers such as AD, or others that lack the additional attributes, are already in use in different projects? A class of systems called "identity brokers" helps here. The most functional representatives are Keycloak, Gravitee Access Management and others. The usage scenarios usually vary: machine-to-machine interaction, user participation, and so on. For such solutions our company has now settled on a reference product: Keycloak.


Keycloak is an open-source identity and access management product maintained by Red Hat. It is the basis of the company's SSO product, RH-SSO.

Basic concepts

Before looking into solutions and approaches, the terms and the sequence of processes must be defined:


Identification is the procedure of recognizing a subject by its identifier (in other words, determining a name, login or number).

Authentication is the procedure of verification (a user is verified by a password, a letter is verified by an electronic signature, etc.).

Authorization grants access to a resource (for example, e-mail).

Identity Broker Keycloak

Keycloak is an open-source identity and access management solution designed for use in information systems where microservice architecture patterns may be applied.

Keycloak offers features such as single sign-on (SSO), identity brokering and social login, user federation, client adapters, an admin console and an account management console.

Basic functionality supported in Keycloak:

  • Single Sign-On and Single Sign-Out for browser applications.
  • OpenID/OAuth 2.0/SAML support.
  • Identity Brokering: authentication using external OpenID Connect or SAML identity providers.
  • Social Login: support for Google, GitHub, Facebook and Twitter for user identification.
  • User Federation: synchronization of users from LDAP and Active Directory servers and other identity providers.
  • Kerberos bridge: using a Kerberos server for automatic user authentication.
  • Admin Console: unified management of the solution's settings and options via the Web.
  • Account Management Console: for managing the user profile.
  • Customization of the solution according to the company's corporate identity.
  • 2FA Authentication: TOTP/HOTP support using Google Authenticator or FreeOTP.
  • Login Flows: user self-registration, password recovery and reset, and others are possible.
  • Session Management: administrators can manage user sessions from a single place.
  • Token Mappers: binding user attributes, roles and other required attributes into tokens.
  • Flexible policy management per realm, application and user.
  • CORS support: client adapters have built-in CORS support.
  • Service Provider Interfaces (SPI): a large number of SPIs that let you customize various aspects of the server: authentication flows, identity providers, protocol mapping and much more.
  • Client adapters for JavaScript applications, WildFly, JBoss EAP, Fuse, Tomcat, Jetty and Spring.
  • Support for any application that uses an OpenID Connect Relying Party library or a SAML 2.0 Service Provider library.
  • Extensible with plugins.

For CI/CD processes, and for automating management tasks in Keycloak, the REST API / Java API can be used. Documentation is available online:

REST API https://www.keycloak.org/docs-api/8.0/rest-api/index.html
Java API https://www.keycloak.org/docs-api/8.0/javadocs/index.html

Enterprise identity providers (on-premises)

Users can be authenticated through User Federation services.


Pass-through authentication can be used: if users authenticate against their workstations with Kerberos (LDAP or AD), they can be automatically authenticated in Keycloak without entering their username and password again.

For user authentication and subsequent authorization, a relational DBMS can be used, which is most applicable in development environments, since it does not involve lengthy configuration and integration in the early stages of a project. By default, Keycloak uses a built-in DBMS to store settings and user data.

The list of supported DBMSs is wide and includes MS SQL, Oracle, PostgreSQL, MariaDB and others. The most tested at the moment are Oracle 12C Release1 RAC and the Galera 3.12 cluster for MariaDB 10.1.19.

Identity providers: social login

Login via social networks can be used. To enable it for user authentication, use the Keycloak admin console. No changes to the application code are required; this functionality is available out of the box and can be enabled at any stage of a project.


OpenID/SAML identity providers can also be used for user authentication.

Typical authorization scenarios using OAuth2 in Keycloak

Authorization Code Flow: used with server-side applications. This is one of the most common authorization grant types, because it suits server-side applications where the application's source code and client data are not accessible to others. The process is based on redirection. The application must be able to interact with a user agent, such as a web browser, to receive the API authorization codes that are passed through the user agent.

Implicit Flow: used by mobile or web applications (applications running on the user's device).

The implicit grant type is used by mobile and web applications where client confidentiality cannot be guaranteed. The implicit grant type also uses user-agent redirection, whereby the access token is passed to the user agent for later use in the application. This makes the token available to the user and to other applications on the user's device. This grant type does not authenticate the identity of the application, and the process itself relies on the redirect URL (registered earlier with the service).

Implicit Flow does not support refresh tokens for renewing access tokens.

Client Credentials Grant Flow: used when an application accesses an API. This grant type is usually used for server-to-server interaction that has to run in the background without immediate user involvement. The client credentials grant flow allows a web service (a confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. For a higher level of security, the calling service can use a certificate (instead of a shared secret) as its credential.

The OAuth2 specifications are described in:
RFC 6749
RFC 8252
RFC 6819

The JWT token and its advantages

JWT (JSON Web Token) is an open standard (https://tools.ietf.org/html/rfc7519) that defines a compact and self-contained way to securely transmit information between parties as a JSON object.

According to the standard, the token consists of three base64-encoded parts separated by dots. The first part is called the header; it contains the token type and the name of the hash algorithm used to produce the digital signature. The second part holds the basic information (user, attributes, etc.). The third part is the digital signature.

Never store a token in your database. Because a valid token is equivalent to a password, storing a token is like storing a password in plain text.

An access token is a token that gives its holder access to protected server resources. It usually has a short lifetime and may carry additional information, such as the IP address of the party that requested the token.

A refresh token is a token that allows clients to request new access tokens after the old ones have expired. These tokens are usually issued with a long lifetime.

Main advantages of using JWT in a microservice architecture:

  • Access to different systems and services after a single authentication.
  • When the user profile lacks the required attributes, it can be enriched with data included in the payload, including automatically and on the fly.
  • No need to store information about active sessions; the server application only needs to verify the signature.
  • More flexible access control through additional attributes in the payload.
  • Signing the header and the payload raises the overall security of the solution.

JWT token structure

Header: by default, the header contains only the token type and the algorithm used to sign the token.

The token type is stored in the "typ" key. The "typ" key is ignored by JWT; if it is present, its value must be JWT to indicate that the object is a JSON Web Token.

The second key, "alg", defines the algorithm used to sign the token. It should be set to HS256 by default. The header is base64-encoded.

{ "alg": "HS256", "typ": "JWT"}

Payload (content): the payload stores any information that needs to be verified. Each key in the payload is known as a "claim". For example, suppose an application can be entered only by invitation (a closed promo). When we want to invite someone to participate, we send them an invitation e-mail. It is important to verify that the e-mail address belongs to the person accepting the invitation, so we put this address into the payload under the "email" key.

{"email": "[email protected]"}

Keys in the payload can be arbitrary. However, a few are reserved:

  • iss (Issuer): identifies the application that issued the token.
  • sub (Subject): defines the subject of the token.
  • aud (Audience): an array of case-sensitive strings or URIs listing the recipients of this token. When the receiving party gets a JWT with this key, it must check that it appears among the recipients; otherwise it must ignore the token.
  • exp (Expiration Time): indicates when the token expires. The JWT standard requires all implementations to reject expired tokens. The exp key must be a unix timestamp.
  • nbf (Not Before): a unix timestamp defining the moment from which the token is valid.
  • iat (Issued At): this key holds the token's issue time and can be used to determine the age of the JWT. The iat key must be a unix timestamp.
  • jti (JWT ID): a case-sensitive string that defines a unique identifier for this token.

It is important to understand that the payload is not transmitted in encrypted form (although tokens can be nested, in which case encrypted data can be transmitted). Therefore, no secret information may be stored in it. Like the header, the payload is base64-encoded.

Signature: once we have the header and the payload, we can compute the signature.

The base64-encoded header and payload are concatenated into a string separated by a dot. This string and the secret key are then fed into the signing algorithm specified in the header (the "alg" key). The key can be any string. Longer strings are preferable, since they take longer to crack.

{"alg":"RSA1_5","enc":"A128CBC-HS256"}
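As an added example (not code from the article or from Keycloak), the following Python builds an HS256 token in the header.payload.signature layout described above and verifies it the way a resource server should: pinned algorithm, constant-time signature comparison, then the aud, exp and nbf checks from the reserved-claims list. The issuer URL, client name, secret and timestamps are constructed for the demo.

```python
# Added example (not the article's code): mint and verify an HS256 JWT with the stdlib only.
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding, not plain base64.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    # 'header.payload.signature', with HMAC-SHA256 over the first two parts.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: bytes, audience: str, now: int) -> dict:
    # Return the claims if valid for `audience` at unix time `now`, else raise ValueError
    # (a malformed token also raises ValueError from the unpacking below).
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Pin the algorithm on the verifier side; never let the token choose it.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # 'aud' may be a single string or a list; the recipient must appear in it.
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("audience mismatch")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims

def is_valid(token: str, secret: bytes, audience: str, now: int) -> bool:
    try:
        verify_hs256(token, secret, audience, now)
        return True
    except ValueError:
        return False

# Constructed sample: a realm issuer URL and a 5-minute token for client 'api-gateway'.
SECRET = b"constructed-demo-secret"
CLAIMS = {"iss": "https://sso.example.test/auth/realms/demo", "sub": "alice", "aud": ["api-gateway"],
          "iat": 1700000000, "nbf": 1700000000, "exp": 1700000300, "jti": "constructed-jti-1"}
```

Call `is_valid(sign_hs256(CLAIMS, SECRET), SECRET, "api-gateway", 1700000100)` to see a token accepted, and vary `now` or the audience to see it rejected.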

Building a Keycloak failover cluster architecture

When a single cluster is used for all projects, additional requirements are placed on the SSO solution. While the number of projects is small, these requirements are not very noticeable; however, as the number of users and integrations grows, so do the requirements for availability and performance.

The growing risk of a single SSO failure raises the requirements for the solution's architecture and for the methods used to make components redundant, and leads to a very strict SLA. For this reason, during development or the early stages of implementing a solution, projects often have their own non-fault-tolerant infrastructure. As development progresses, room for growth and scaling must be laid down. The most flexible way to build a failover cluster is to use container virtualization or a hybrid approach.

To operate in Active/Active and Active/Passive cluster modes, data consistency in the relational database must be ensured: both database nodes must be synchronously replicated between the geo-distributed data centers.

A simple example of a fault-tolerant installation.


What the benefits of using a single cluster are:

  • High availability and performance.
  • Support for the operating modes Active/Active and Active/Passive.
  • Dynamic scaling, when container virtualization is used.
  • Centralized management and monitoring.
  • A unified approach to identification/authentication/authorization of users across projects.
  • Transparent interaction between different projects without user involvement.
  • Reuse of the JWT token across different projects.
  • A single point of trust.
  • Faster project launch with microservices / container virtualization (no need to install and configure additional components).
  • Commercial support can be purchased from the vendor.

What to consider when designing a cluster

DBMS

Keycloak uses a DBMS to store realms, clients, users, etc.
A wide range of DBMSs is supported: MS SQL, Oracle, MySQL, PostgreSQL. Keycloak ships with its own built-in relational database, which is recommended only for unloaded environments, such as development environments.

To operate in Active/Active and Active/Passive cluster modes, data consistency in the relational database must be ensured, and both database cluster nodes must be synchronously replicated between the data centers.

Distributed cache (Infinispan)

For the cluster to work correctly, the following cache types must additionally be synchronized using JBoss Data Grid:

Authentication sessions: used to store data while a particular user is being authenticated. Requests to this cache involve only the browser and the Keycloak server, not the application.

Action tokens: used in scenarios where the user has to confirm an action asynchronously (via e-mail). For example, during the forgot-password flow the actionTokens Infinispan cache tracks metadata about the corresponding action tokens that have already been used, so that they cannot be reused.

Caching and invalidation of persistent data: used to cache persistent data and avoid unnecessary queries to the database. When any Keycloak server updates the data, all other Keycloak servers in all data centers must learn about it.

Work: used only to send invalidation messages between cluster nodes and data centers.

User sessions: used to store data about user sessions that are valid during the user's browser session. This cache must handle HTTP requests from the end user and from the application.

Brute force protection: used to track data about failed logins.

Load balancing

The load balancer is the single entry point to Keycloak and must support sticky sessions.

Application servers

They are used to control the interaction of the components with each other and can be virtualized or containerized using existing automation tools and the dynamic scaling tools of the infrastructure automation. The most common deployment scenarios are OpenShift, Kubernetes and Rancher.

This concludes the first, theoretical part. In the following articles of the series, examples of integrations with various identity providers and examples of configurations will be analyzed.

Source: www.habr.com
