Microservice Applications: Security, Logging, Tracing
Matthias Fuchs, @hias222, Oracle Code Berlin, 2018/06/12
Microservice Applications - Security, Logging, Tracing3
Agenda
• Microservice Example
• Details
  – Logging
  – Security, OAuth, TLS
  – Tracing
• Lessons Learned
Microservices Example Flow
• Implementation
  – Cloud
  – Access through Loadbalancer
  – Login with OAuth
  – Angular App
• Logging, Tracing
  – Docker Images
  – Logging Service
[Diagram: Authorization Server (OAuth); Loadbalancer; Frontend (Angular/nginx, Docker Container); Services (Rest/Spring Resource Server, Docker Container); Persistence; Logging. Flows: Call Web App, Login, Service Call, Web Page.]
Integrated Cloud Services
• Logging
  – Oracle Management Cloud (Agents)
  – Elasticsearch/Kibana (CloudWatch, Lambda, Elastic)
• Authentication/Authorization
  – Oracle Identity Service
  – Cognito, Keycloak, OAM, Ping Identity
• Docker Services
  – Infrastructure Container Service - Kubernetes
  – Enterprise Container Services (AWS), OpenShift
  – Google Kubernetes Engine
[Diagram: Services (Rest/Spring Resource Server) connected to the Logging, Identity and Container cloud services.]
More Cloud Services
• Parameter
  – Object Storage, maybe File Storage
  – S3 Buckets, Systems Manager Parameter Store
• Secrets
  – Oracle Key Vault (Cloud ready?)
  – Identity and Access Management (IAM)
  – AWS Secrets Manager
  – HashiCorp Vault
Logging/Monitoring Cloud Services
[Diagram: Services with an Agent send Logging, Infrastructure Data and Metric/App Data to a Cloud Service; Dashboard, Analyze and Self Service sit on top.]
Oracle Cloud Agent
Cloud agents run on hosts where entities are running. Cloud agents collect metrics and log data that is processed, analyzed and visualized in Oracle Management Cloud.
APM agents are specifically for monitoring applications end to end. APM agents can be configured for a wide range of application servers and they collect metrics that are processed, analyzed and visualized in Oracle Application Performance Monitoring.
Oracle Cloud Agent Entities
• Entity: A monitored resource such as a database, a host server, a compute resource, or an application server.
  https://docs.oracle.com/en/cloud/paas/management-cloud/gfadg/managing-oracle-management-cloud-entities.pdf
• Oracle Application Performance Monitoring, Oracle Infrastructure Monitoring, Oracle Orchestration, Oracle IT Analytics, Oracle Log Analytics, Oracle Configuration and Compliance, Oracle Security Monitoring and Analytics
• Example Entities:
Metric and Logging
Metric
• Standard of measure on a process or property
• Creates measurements
• Content
  – Availability
  – Performance Metrics
  – Alerting
  – CPU, Memory, IO, ..
  – Application Specific: Java, DB, …
• Format
  – Values
  – Dashboards
Logs
• Information of Dev
• Content
  – Technical/Business Logs
  – Service Names
  – Trace IDs, Correlation IDs
  – User Names
  – Sometimes measurements: Response Times, Request Size
• Format
  – JSON, XML, Text
  – Dashboard
Logging in Microservices
• Centralize and Externalize Log Storage
• Log Structured Data
• Correlation IDs
• Dynamic Logging Levels and async Logging
• For analyses and search: user information, security concept
Log View
[Screenshots: Oracle; Kibana/Lambda/CloudWatch]
Logging in Microservices
• Security
  – User information
  – Security aware
  – Security Concept
• Tracing
  – Correlation ID
  – Basis for Tracing
  – Common log structure (JSON, XML, ..)
IAAA Framework for Microservices APIs
• Identification: Must support multiple identities and attributes (end users, system components, domains)
• Authentication: Must support multiple authentication methods as well as delegated authentication
• Authorization: Authorization for a single request may be decided at multiple points in the request path
• Accountability: Capture of relevant security data or metadata from API messages
Current Approaches
• Network-Level Controls
  – Localhost, Network isolation, SSL
• Application-Level Controls (Traditional)
  – Cookie-based Sessions, SAML
• Application-Level Controls (Tokens)
  – OAuth, OpenID Connect, JWT
• Infrastructure: API Intermediaries
  – API Gateway, Service Proxies
  – Network Overlays
  – Kubernetes, CloudFoundry, AWS
  – IAM, Rules …
• SPIFFE: Secure Production Identity Framework for Everyone
  – SPIFFE is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments
• Emerging Approaches
  – Serverless, Service Mesh
  – Istio, nginx
• DHARMA Foundational Concepts
Network: TLS, SSL, openSSL
• TLS is a separate protocol, mostly used with HTTP
• Acts as an interceptor between existing protocols, e.g. HTTP - TCP
• Interceptor on other application protocols (SMTP, Kafka, ..)
• Transparent, out of the scope of user or client
• Not possible with all transport protocols, e.g. UDP
• Always use it
Network: TLS, SSL, openSSL
• Higher Layer
  – Handshake
  – Change Cipher Spec, depends on handshake
  – Alert Protocol
  – Application Data Protocol
• TLS Layer
  – Fragment
  – Compression
  – Encrypt to cipher spec
  – Add Header
[Diagram: Application Layer (e.g. HTTP) above SSL/TLS (Higher Layer Subprotocol, TLS Layer Subprotocol) above Transport Layer (TCP) above Network Layer (IP).]
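The "Add Header" step of the TLS layer is what lets the receiver tell the four higher-layer subprotocols apart on the wire: every record starts with a 5-byte header (content type, protocol version, fragment length). The parser below is an added example written for this transcript, not code from the talk; it walks a constructed byte stream of records, maps each content type to its subprotocol, and rejects malformed input instead of guessing. The sample bytes are constructed and the ClientHello body is a stub, so only the record framing is realistic.

```python
"""Parse TLS record-layer headers (added example, not from the talk)."""
import struct

# Content type values from RFC 5246 / RFC 8446: one per higher-layer subprotocol.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# First byte of a handshake fragment names the handshake message.
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 20: "finished"}

# Record-layer version field; TLS 1.3 records still carry the 3.3 legacy value.
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2 (or 1.3 legacy)"}

RECORD_HEADER_LEN = 5
MAX_RECORD_LEN = 2 ** 14 + 2048   # RFC 5246 6.2.3: TLSCiphertext.length must not exceed this


def parse_records(data: bytes) -> list[dict]:
    """Split a byte stream into TLS records and describe each one.

    Raises ValueError on a truncated record, an unknown content type or an
    over-long fragment, which is how a receiver should treat malformed input.
    """
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER_LEN:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {offset}")
        if length > MAX_RECORD_LEN:
            raise ValueError(f"record length {length} exceeds maximum at offset {offset}")
        body_start = offset + RECORD_HEADER_LEN
        body = data[body_start:body_start + length]
        if len(body) < length:
            raise ValueError(f"truncated record body at offset {body_start}")
        record = {
            "type": CONTENT_TYPES[ctype],
            "version": VERSIONS.get((major, minor), f"unknown {major}.{minor}"),
            "length": length,
        }
        if ctype == 22 and body:   # handshake fragments expose their message type in plaintext
            record["handshake"] = HANDSHAKE_TYPES.get(body[0], f"type_{body[0]}")
        records.append(record)
        offset = body_start + length
    return records


# Constructed sample stream: a (stub) ClientHello, a ChangeCipherSpec and one
# application-data record, all with the TLS 1.2 record version 3.3.
SAMPLE_STREAM = (
    b"\x16\x03\x03\x00\x08" + b"\x01\x00\x00\x04\x03\x03\xaa\xbb"   # handshake, client_hello
    + b"\x14\x03\x03\x00\x01" + b"\x01"                              # change_cipher_spec
    + b"\x17\x03\x03\x00\x05" + b"hello"                             # application_data
)

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_STREAM):
        print(rec)
```

The type byte and length are the only plaintext a middlebox or IDS can rely on once the cipher spec has changed; everything after the header of an application_data record is opaque, which is the "transparent to user or client" property the slide names.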
Modern Secret Management with Vault, HashiCorp: https://www.youtube.com/watch?v=iqigxGccezI
Tokens: OAuth 2.0/(OpenID Connect)
• OAuth History
  – Open Authorization
  – ca. 2008: OAuth 1.0 IETF Group
  – 2012: OAuth 2.0
  – ca. 2014: OpenID Connect (Extension of OAuth 2.0)
• Before: SAML - SSO for web applications
  – Security Assertion Markup Language
  – SAML since 2002, SAML 2.0 2005
OAuth Grant Types
• Implicit (client: JavaScript)
  – Redirect/Callback
  – Call: response_type=access_token&client_id&redirect_uri
  – Response: Access Token, Refresh Token
• Resource Owner Credentials (Backward OAuth 1.0)
  – Call: grant_type=password, Username/password + Client credentials
  – Response: Access Token or Refresh Token
• Client Credential (client: Application)
  – Call: grant_type=client_credentials, client_id/client_secret
  – Response: Access Token
• Authorization Code (client: Third Party)
  – Redirect/Callback
  – Call: response_type=code&client_id&redirect_uri
  – Response: Authorization Code; 2nd trip: Access Token
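To make the grants above concrete, here is a mock authorization server as an added example; it is not code from the talk nor from any Oracle or Spring component. Plain function calls stand in for the /authorize and /token endpoints, `introspect` stands in for what a resource server does with a bearer token, and the client registry, user and secrets are constructed for the demo. It covers the three token-endpoint grants on the slide (authorization code with its two trips, resource owner password, client credentials) and shows why the code is useless after one use or with a different client or redirect URI.

```python
"""Mock OAuth 2.0 authorization server (added example, not from the talk)."""
import hmac
import secrets

# Constructed registrations; in a real deployment these live in the identity service.
CLIENTS = {
    "web-app": {"secret": "s3cret-web", "redirect_uris": {"https://app.example/callback"}},
    "batch-job": {"secret": "s3cret-batch", "redirect_uris": set()},
}
USERS = {"alice": "correct horse battery staple"}   # constructed demo credential


class AuthServer:
    def __init__(self):
        self._codes = {}    # authorization code -> (client_id, redirect_uri, user)
        self._tokens = {}   # access token -> (client_id, subject)

    @staticmethod
    def _check_client(client_id, client_secret):
        client = CLIENTS.get(client_id)
        # constant-time comparison so a wrong secret does not leak timing
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        return client

    @staticmethod
    def _check_user(username, password):
        if not hmac.compare_digest(USERS.get(username, ""), password):
            raise PermissionError("access_denied")

    def _issue(self, client_id, subject):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (client_id, subject)
        return {"access_token": token, "token_type": "Bearer"}

    # Trip 1 of the authorization code grant: the user agent is redirected here.
    def authorize(self, response_type, client_id, redirect_uri, user, password):
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise PermissionError("invalid_request")   # never redirect to an unregistered URI
        if response_type != "code":
            raise PermissionError("unsupported_response_type")
        self._check_user(user, password)
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, user)
        return f"{redirect_uri}?code={code}"      # the callback the user agent follows

    # Token endpoint: trip 2 of the code grant, plus the two direct grants.
    def token(self, grant_type, client_id, client_secret, **params):
        self._check_client(client_id, client_secret)
        if grant_type == "authorization_code":
            entry = self._codes.pop(params.get("code"), None)   # single use: popped on first try
            if entry is None or entry[0] != client_id or entry[1] != params.get("redirect_uri"):
                raise PermissionError("invalid_grant")
            return self._issue(client_id, subject=entry[2])
        if grant_type == "password":
            self._check_user(params.get("username"), params.get("password", ""))
            return self._issue(client_id, subject=params["username"])
        if grant_type == "client_credentials":
            return self._issue(client_id, subject=client_id)   # the application itself is the subject
        raise PermissionError("unsupported_grant_type")

    # What a resource server asks before serving a request with a bearer token.
    def introspect(self, token):
        return self._tokens.get(token)


if __name__ == "__main__":
    srv = AuthServer()
    callback = srv.authorize("code", "web-app", "https://app.example/callback",
                             "alice", "correct horse battery staple")
    code = callback.split("code=")[1]
    print(srv.token("authorization_code", "web-app", "s3cret-web",
                    code=code, redirect_uri="https://app.example/callback"))
```

The two-trip design is the point of the code grant: the code travels through the browser, but the token is only handed to the party that can present the client secret together with the same redirect URI, which is why a third-party web client gets that grant and a JavaScript-only client does not.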
Infra: API or Access Gateway
• API Gateway: Central Midtier Loadbalancer
• Switches Security
• Many more Features like throttling or routing
[Diagram: Loadbalancer; API Gateway; Frontend (Angular/nginx, Docker Container); Services (Rest/Spring Resource Server, Docker Container); Other Services. Tokens, e.g. SSL + Header Information, between the API Gateway and the services; Mutual TLS towards Other Services.]
Infra: Example Access GW
[Diagram: Access Mgmt Proxy with Identity Federation and LDAP; Apps on CloudFoundry; 3rd Party via Mutual TLS Routing; TLS Authentication; Header; Mutual TLS; OpenID Token; Login, Token; App -> AuthService.]
Tracing
Wikipedia: In software engineering, tracing involves a specialized use of logging to record information about a program's execution. This information is typically used by programmers for debugging purposes, and additionally, depending on the type and detail of information contained in a trace log, by experienced system administrators or technical-support personnel and by software monitoring tools to diagnose common problems with software. Tracing is a cross-cutting concern.
Microservice and Tracing
• Distributed Tracing
• Collect all Traces at a central position
• Correlate our tracing information
• Extended Logging
  – Create Correlation ID
  – Take existing Correlation ID
  – Collect centrally for analysis
Poor Man's Distributed Tracing
One solution is at the beginning of the call chain we can create a CORRELATION_ID and add it to all log statements. Along with it, send CORRELATION_ID as a header to all the downstream services as well so that those downstream services also use CORRELATION_ID in logs. This way we can identify all the log statements related to a particular action across services.
https://dzone.com/articles/microservices-part-6-distributed-tracing-with-spri
Where to create Correlation ID
1. Client
2. LB – API GW
3. Identity
4. First Service
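The "poor man's" scheme and the create-or-take-over rule behind the creation points above, as an added example that is not code from the talk or the dzone article. Three plain Python functions stand in for gateway, service and persistence hops; each adopts the incoming correlation id (creating one only when it is the first hop), writes it into every structured JSON log line, and forwards it in the headers of its downstream calls. The header name X-Correlation-ID and the service names are assumptions; the central log store is a list.

```python
"""Correlation-ID propagation with structured logging (added example, not from the talk)."""
import json
import uuid

# Header name is an assumption for this example; ECID and X-Amzn-Trace-Id are vendor forms.
CORRELATION_HEADER = "X-Correlation-ID"

# Stands in for the central log store (Elasticsearch, Oracle Log Analytics, ...).
LOG_SINK: list[str] = []


def log(service: str, correlation_id: str, message: str, **fields) -> str:
    """Emit one JSON log line carrying service name and correlation id."""
    record = {"service": service, "correlation_id": correlation_id, "msg": message, **fields}
    line = json.dumps(record, sort_keys=True)
    LOG_SINK.append(line)
    return line


def ensure_correlation_id(headers: dict) -> str:
    """Take the incoming id (header names are case-insensitive) or create one at the first hop."""
    for name, value in headers.items():
        if name.lower() == CORRELATION_HEADER.lower() and value:
            return value
    return str(uuid.uuid4())


def handle(service: str, headers: dict, downstream=()) -> str:
    """Generic handler: adopt or create the id, log, and forward it on every downstream call."""
    cid = ensure_correlation_id(headers)
    # The user name is logged for searchability; in production take it from the
    # validated token, not from a header an arbitrary caller can set.
    log(service, cid, "request received", user=headers.get("X-User", "anonymous"))
    for call in downstream:
        call({CORRELATION_HEADER: cid})   # propagate the same id, never mint a new one
    log(service, cid, "request done")
    return cid


# Constructed call chain: gateway -> orders -> persistence.
def persistence_service(headers: dict) -> str:
    return handle("persistence", headers)


def order_service(headers: dict) -> str:
    return handle("orders", headers, downstream=[persistence_service])


def gateway(headers: dict) -> str:
    return handle("gateway", headers, downstream=[order_service])


def find_trace(correlation_id: str) -> list[dict]:
    """What the central dashboard does: pull every line of one request across all services."""
    records = (json.loads(line) for line in LOG_SINK)
    return [r for r in records if r["correlation_id"] == correlation_id]


if __name__ == "__main__":
    cid = gateway({"X-User": "alice"})
    for entry in find_trace(cid):
        print(entry["service"], entry["msg"])
```

Because the id is generated at the first hop that does not already see one, the same code works whether the client, the load balancer/API gateway, the identity service or the first service is chosen as the creation point; the later hops only ever take the id over.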
[Diagram: Authorization Server (OAuth); Loadbalancer / API Gateway; Frontend (Angular/nginx, Docker Container); Services (Rest/Spring Resource Server, Docker Container); Persistence; Logging. Numbered creation points: 1 Client, 2 Loadbalancer/API Gateway, 3 Identity, 4 First Service.]
Enterprise Way: Correlation IDs
• ECID: Execution Context ID, down to DB
• Header: trace and span ids
• Header: X-Amzn-Trace-Id
• Identity
• Header: X-ORACLE-DMS-ECID, X-ORACLE-DMS-RID
• … or build your own library
Example: ID Tracing – shared Library
Lessons Learned
• Infrastructure and Development, DevOps
  – Prepare your Infrastructure with logging etc.
  – Start setting up infrastructure from the first development
  – Logging, Tracing isn’t easy
• User authentication/authorization
  – Choose your way to authenticate users
  – Maybe cloud Services are the fastest way, but customization
  – Using open source Frameworks, Cloud Services or enterprise apps?
  – The key for success