Deep Dive into Building a Secure & Multi-tenant SaaS Solution with NATS
•Als PPTX, PDF herunterladen•
0 gefällt mir•504 views
KubeCon + CloudNativeCon EU 2020 Deep Dive Maintainer Talk
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Deep Dive into Building a Secure & Multi-tenant SaaS Solution with NATS
Ähnlich wie Deep Dive into Building a Secure & Multi-tenant SaaS Solution with NATS (20)
Mehr von NATS
Mehr von NATS (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Deep Dive into Building a Secure & Multi-tenant SaaS Solution with NATS
- 1. Waldemar Quevedo Deep Dive 2020: Building Decentralized Applications NATS Core Maintainer
- 2. About me ● Waldemar Quevedo / @wallyqs ● Software Engineer at ● NATS Core maintainer ● Using NATS since 2012 ● Author of Practical NATS (Apress, 2018)
- 3. In this talk ● Deep Dive into some of the NATS features ● Example: Building Chat App Walkthrough ● Complete application can be found at: https://github.com/wallyqs/kubecon2020/
- 4. The Chat App :)
- 5. Quick Recap: NATS Streams & Services
- 6. Core of NATS ● Streams ○ A “flow” ○ A sequence of messages that can be consumed. Fan out. ● Service ○ A subscription that takes request messages and can respond (RPC) ○ “Do something and return a result” ○ Load Balanced
- 7. Core of NATS: Subjects A subject is simply a string representing an interest in data. ● Simple subject: foo or weather ● Hierarchically Tokenized: foo.bar, weather.us.co.denver ● Wildcard subscriptions ✓ foo.* matches foo.bar and foo.baz. ✓ foo.*.bar matches foo.a.bar and foo.b.bar. ✓ foo.> matches any of the above ✓ > matches everything in NATS ● Unique subjects for 1:1 addressability
- 8. Core of NATS: Streams Streams: Subscribe() <-> Publish() Export Import
- 9. Core of NATS: Services Services: Subscribe() <-> Request() Export Import
- 11. Services NATS Client Chat Access Response Request SERVICE: chat.req.access To get access to the Chat Streams, first need to request for credentials.
- 12. Accounts Isolation ● We have 3 types of users, all part of the same account KUBECON ✓ Chat Credentials Requestor ./nats-req chat.req.access <username> ✓ Credential Provisioners ./chat-access -creds chat.creds ✓ Chat Users ./chat -creds my.creds
- 13. Using NSC ● NSC is the command line tool to manage users and accounts https://github.com/nats-io/nsc curl https://nats-io.github.io/k8s/setup/nsc-setup.sh | sh ● nsc add account --name KUBECON [ OK ] generated and stored account key "ADKN46NONOAOEPWUPFB47MOEBNOXRNJFRAKVOAQA7Q4JPVSFAPVHAW4T" [ OK ] added account "KUBECON"
- 14. Creating the account ● The chat application will exist in the KUBECON account > nsc add account --name KUBECON [ OK ] generated and stored account key "ADKN46NONOAOEPWUPFB47MOEBNOXRNJFRAKVOAQA7Q4JPVSFAPVHAW4T" [ OK ] added account "KUBECON"
- 15. Adding a signing key ● Since chat users will be created on the fly, we will use a special signing key for that purpose: https://docs.nats.io/nats- tools/nsc/signing_keys > nsc generate nkey --account --store > nsc edit account --sk AABKQTMBNP74VWKMA64PERDYH6ZYB45Y5JINQKG5MEKJZ5M45JDV57KI [ OK ] added signing key "AABKQTMBNP74VWKMA64PERDYH6ZYB45Y5JINQKG5MEKJZ5M45JDV57KI" [ OK ] edited account "KUBECON"
- 16. Adding a signing key Public Key
- 17. Starting the NATS Server ● We will use the NATS Server Trusted Operator setup for a decentralized setup. ● NSC can generate the server config: > nsc generate config --mem-resolver > nats.conf > nats-server -c nats.conf [INF] Starting nats-server version 2.2.0-beta.20 [DBG] Go build version go1.14.4 [INF] Git commit [not set] [INF] Using configuration file: nats.conf [INF] Trusted Operators
- 18. Create the Creds Provisioner ● The chat-access tool will use the account JWT and the signing key to issue new credentials to users. > nsc add user chat-access -K $NKEYS_PATH/keys/A/AB/AABKQTMBNP74VWKMA64PERDYH6ZYB45Y5JINQKG5MEKJZ5M45JDV57KI.nk > cd chat-access > go run main.go --acc $NSC_HOME/nats/KO/accounts/KUBECON/KUBECON.jwt --sk $NKEYS_PATH/keys/A/AB/AABKQTMBNP74VWKMA64PERDYH6ZYB45Y5JINQKG5MEKJZ5M45JDV57KI.nk --creds $NKEYS_PATH/creds/KO/KUBECON/chat-access.creds
- 19. Create the Creds Provisioner
- 20. Create the Creds Provisioner QueueSubscription makes this a load balanced service.
- 21. Requesting Access ● In order to request access, we need to create a special user with very limited permissions, that can only request for access. nsc add user chat-creds-request -K $SIGNING_KEY > --allow-pubsub 'chat.req.access' > --allow-pubsub '_INBOX.>' > --allow-pubsub '_R_' > --allow-pubsub '_R_.>' [ OK ] generated and stored user key "UAP7HBB4U7P6NIJTSYFHLU6AXS4KRSYGTLQDSFBQKVHYXFA26LPJH6AF" [ OK ] generated user creds file "$NKEYS_PATH/creds/KO/KUBECON/chat-creds-request.creds" [ OK ] added user "chat-creds-request" to account "KUBECON" Required for requests
- 22. Requesting Access ./nats-req -s localhost -creds $NKEYS_PATH/creds/KO/KUBECON/chat-creds-request.creds chat.req.access foo Published [chat.req.access] : 'foo' Received [_INBOX.GoMGWmwpbPnwRSSpiXFeKd.2NumbUrd] : ' -----BEGIN NATS USER JWT----- eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.eyJleHAiOjE2Mjc3NTc2NzYsImp0aSI6Ik43VEdNM0FRVFRaQVFWUElNRDNURlRZRUVYVkNWU1hPWEFIR0U3Q0g2UFJRWlpBUkFTSFEiLCJpYXQiOjE1OTYyMjE2NzYsImlzcyI6IkFBQ ktRVE1CTlA3NFZXS01BNjRQRVJEWUg2WllCNDVZNUpJTlFLRzVNRUtKWjVNNDVKRFY1N0tJIiwibmFtZSI6ImZvbyIsInN1YiI6IlVEN0pRTkNUSlFKVUpEVTJLNUxUNVlRSVlWSk9MTElXRVlOTUs1UUxUQ1hCMkNQQTVJTllNUEo1Ii widHlwZSI6InVzZXIiLCJuYXRzIjp7InB1YiI6eyJhbGxvdyI6WyJjaGF0LktVQkVDT04ub25saW5lIiwiY2hhdC5LVUJFQ09OLnBvc3RzLioiLCJjaGF0LktVQkVDT04uZG1zLioiXX0sInN1YiI6eyJhbGxvdyI6WyJjaGF0LktVQkVDT04ub25saW5 lIiwiY2hhdC5LVUJFQ09OLnBvc3RzLioiLCJjaGF0LktVQkVDT04uZG1zLlVEN0pRTkNUSlFKVUpEVTJLNUxUNVlRSVlWSk9MTElXRVlOTUs1UUxUQ1hCMkNQQTVJTllNUEo1IiwiX0lOQk9YLlx1MDAzZSJdfSwicGF5bG9hZCI6MTAyN H0sImlzc3Vlcl9hY2NvdW50IjoiQURLTjQ2Tk9OT0FPRVBXVVBGQjQ3TU9FQk5PWFJOSkZSQUtWT0FRQTdRNEpQVlNGQVBWSEFXNFQifQ.d1tr9RFHFqqLQ4Ed- Oncuu43l843rS5FLq6MhA8ocj2qj2ZcvD_UE1SoKKnRMoJxUdZVMty8GhT8RA3Qpo85AA ------END NATS USER JWT------ ************************* IMPORTANT ************************* Private NKEYs are sensitive and should be treated as secrets. -----BEGIN USER PRIVATE KEY----- SUAN7DPWZXEXUFAG3QEZIU6WQIUECAEHXHFBD6NA62ALPCGTVESWPGBRUQ ------END USER PRIVATE KEY------ *************************************************************
- 23. Requesting Access DMs subscription only work against the user public key
- 24. Entering the chat ● A user can now connect with this credentials and join a chat. ./chat -s localhost -creds foo.creds
- 25. Entering the chat ● We can use the same credentials to listen to online events. > nats-sub -creds userA.creds 'chat.KUBECON.online' Listening on [chat.KUBECON.online] [#1] Received on [chat.KUBECON.online]: 'eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.eyJleHAiOjE1OTYyMjMwMTAsImp0aSI6IjNZSlpHUjROQVE3VTJJVFFFSU41WlBCRlBPV 1A3QVZDRTRISTZLRElMUzVKRkZVSFg1WlEiLCJpYXQiOjE1OTYyMjI5NTAsImlzcyI6IlVCQUNSWURRWlZUVFFONE9ITlRESEdPTDZS V0VTWlNMM0tBR1hYSDJaWU5HTUNZRTVWVVcyNkpZIiwibmFtZSI6ImZvbyIsInN1YiI6IlVCQUNSWURRWlZUVFFONE9ITlRESEdPTDZ SV0VTWlNMM0tBR1hYSDJaWU5HTUNZRTVWVVcyNkpZIiwidHlwZSI6Im5ncy1jaGF0LW9ubGluZSJ9.tu8Q8x88FpDmFhYQbSLiKDKiz4q P9yy7c0S23zIRQzhBHlxBLX9wpduQaF9HOcEYivMSu538cesPDP2EVyy8Bg'
- 26. Entering the chat ● But can only subscribe to personal DMs > nats-sub -creds userA.creds ‘chat.KUBECON.dms.UBGAWHHSU2CKNIHYWSCXA53HLYCCKRH5TB6HWW3QSJGGA652WSANDCG5' > nats-sub -creds userA.creds 'chat.KUBECON.dms.*' nats: Permissions Violation for Subscription to "chat.KUBECON.dms.*"
- 27. The Chat Client
- 28. The Chat Client
- 29. Done :) ● Complete application can be found at: https://github.com/wallyqs/kubecon2020/
- 30. Thanks! https://natsio.slack.com github.com/nats-io / @nats_io https://nats.io ← Join the NATS community :)