Container-Native Applications: Security, Logging, Tracing
Matthias Fuchs, @hias222, DOAG 2018 Exa & Middleware Days, 2018/06/19
Container-Native Applications - Security, Logging, Tracing (slide 3)
Agenda
• Microservice
  – Example Flow
  – Oracle Cloud
• Details
  – Logging
  – Security, OAuth, TLS
  – Tracing
  – Service Mesh
• Lessons Learned
Microservices Example Flow
• Implementation Cloud
  – Access through Loadbalancer
  – Login with OAuth
  – Angular App
• Logging, Tracing
  – Docker Images
  – Logging Service
[Diagram: a Loadbalancer in front of Docker containers running Angular/nginx frontends and Rest/Spring resource-server services; an OAuth Authorization Server handles login; services use persistence and logging. Flow: call web app, login, service call, web page.]
Integrated Cloud Services
• Logging
  – Oracle Management Cloud (Agents)
  – Elasticsearch, Kibana (CloudWatch, Lambda, Elastic)
• Authentication/Authorization
  – Oracle Identity Service
  – Cognito, Keycloak, OAM, Ping Identity
• Docker Services
  – Infrastructure Container Service - Kubernetes
  – Enterprise Container Services (AWS), Openshift
  – Google Kubernetes Engine
[Diagram: Rest/Spring resource-server services connected to the Logging, Identity and Container cloud services.]
More Cloud Services
• Parameter
  – Object Storage, maybe File Storage
  – S3 Buckets, Systems Manager Parameter Store
• Secrets
  – Oracle Key Vault (Cloud ready?)
  – Identity and Access Management (IAM)
  – AWS Secrets Manager
  – Hashicorp Vault
Container Services
• Application Container (PaaS)
• Container Service Classic (IaaS)
• Oracle Cloud Infrastructure (OCI)
  – Own VMs or Bare Metal
  – Kubernetes (wercker)
Kubernetes Architecture
https://kubernetes.io/docs/concepts/architecture/cloud-controller/
Logging/Monitoring Cloud Services
[Diagram: services with an agent ship infrastructure data and metric/app data to the logging cloud service, where a self-service dashboard analyzes them.]
Oracle Cloud Agent
Cloud agents run on the hosts where entities are running. Cloud agents collect metric and log data that is processed, analyzed and visualized in Oracle Management Cloud.
APM agents are specifically for monitoring applications end to end. APM agents can be configured for a wide range of application servers, and they collect metrics that are processed, analyzed and visualized in Oracle Application Performance Monitoring.
Logging in Microservices
• Centralize and externalize log storage
• Log structured data
• Correlation IDs
• Dynamic logging levels and async logging
• For analysis and search: user information, security concept
Log View
[Screenshots: Oracle; Kibana/Lambda/CloudWatch]
Logging in Microservices: Security, Tracing
• User information: security aware, security concept
• Correlation ID: basis for tracing
• Common log structure (JSON, XML, ..)
IAAA Framework for Microservices APIs
• Identification: must support multiple identities and attributes (end users, system components, domains)
• Authentication: must support multiple authentication methods as well as delegated authentication
• Authorization: authorization for a single request may be decided at multiple points in the request path
• Accountability: capture of relevant security data or metadata from API messages
Current Approaches
• Network-Level Controls
  – Localhost, Network isolation, SSL
• Application-Level Controls (Tokens)
  – OAuth, OpenID Connect, JWT
• Infrastructure – API Intermediaries
  – API Gateway, Service Proxies
  – Network Overlays
  – Kubernetes, CloudFoundry, AWS
  – IAM, Rules …
• SPIFFE
  – Secure Production Identity Framework for Everyone
  – SPIFFE is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments
• Application-Level Controls (Traditional)
  – Cookie-based Sessions, SAML
• Emerging Approaches
  – Serverless, Service Mesh
  – Istio, nginx
• DHARMA Foundational Concepts
[Timeline: Network → SAML → Infra → Tokens → SPIFFE → Next]
Network: TLS, SSL, OpenSSL
• TLS is a separate protocol, mostly used with HTTP
• Acts as an interceptor between existing protocols, e.g. HTTP - TCP
• Interceptor on other application protocols as well (SMTP, Kafka, ..)
• Transparent, out of the scope of the user or client
• Not possible with all transport protocols, e.g. UDP
• Always use it
Network: TLS, SSL, OpenSSL
• Higher Layer
– Handshake
– Change Cipher Spec, depends on handshake
– Alert Protocol
– Application Data Protocol
• TLS Layer
– Fragment
– Compression
– Encrypt to cipher spec
– Add Header
[Diagram: SSL/TLS sits between the Application Layer (e.g. HTTP) and the Transport Layer (TCP), above the Network Layer (IP); the higher-layer subprotocols ride on top of the TLS layer subprotocol.]
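An added example (not from the slides) of the record-layer framing the two slides above describe: a Python parser that splits a byte stream into TLS records by content type (handshake, change_cipher_spec, alert, application_data), keeps an incomplete trailing fragment for the next read, and a builder that adds the 5-byte header. Function names and the sample bytes are this example's own.

```python
import struct

# Record-layer content types (RFC 5246), mapped to the subprotocols named on the slide.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_CIPHERTEXT = 2**14 + 2048   # TLSCiphertext.length limit in TLS 1.2
HEADER_LEN = 5                  # type (1) + version (2) + length (2)

def parse_records(stream):
    """Split a byte stream into TLS records. Returns (records, leftover):
    each record is (subprotocol, version, fragment); leftover holds a partial
    record still waiting for more bytes. Raises on a malformed header."""
    records, offset = [], 0
    while len(stream) - offset >= HEADER_LEN:
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + HEADER_LEN])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {offset}")
        if major != 3 or length > MAX_CIPHERTEXT:
            raise ValueError(f"bad record header at offset {offset}")
        end = offset + HEADER_LEN + length
        if end > len(stream):
            break   # fragment not complete yet, keep it for the next read
        records.append((CONTENT_TYPES[ctype], (major, minor), stream[offset + HEADER_LEN:end]))
        offset = end
    return records, stream[offset:]

def build_record(subprotocol, fragment, version=(3, 3)):
    """Inverse direction ("Add Header" on the slide): prepend the 5-byte header."""
    ctype = {v: k for k, v in CONTENT_TYPES.items()}[subprotocol]
    if len(fragment) > MAX_CIPHERTEXT:
        raise ValueError("fragment too large, split it first")
    return struct.pack("!BBBH", ctype, *version, len(fragment)) + fragment

# Constructed sample: a handshake record, a change_cipher_spec record and an
# application_data record whose tail has not arrived yet.
SAMPLE = (build_record("handshake", b"\x01\x00\x00\x04\x03\x03ab")
          + build_record("change_cipher_spec", b"\x01")
          + build_record("application_data", b"xyz")[:6])

if __name__ == "__main__":
    done, pending = parse_records(SAMPLE)
    print([r[0] for r in done], pending)
```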
Modern Secret Management with Vault, HashiCorp: https://www.youtube.com/watch?v=iqigxGccezI
Tokens: OAuth 2.0 / (OpenID Connect)
• OAuth History
  – Open Authorization
  – ca. 2008: OAuth 1.0 IETF Group
  – 2012: OAuth 2.0
  – ca. 2014: OpenID Connect (extension of OAuth 2.0)
• Before: SAML - SSO for web applications
  – Security Assertion Markup Language
  – SAML since 2002, SAML 2.0 2005
OAuth grant types
• Implicit (JavaScript client), redirect/callback
  – Call: response_type=access_token&client_id&redirect_uri
  – Response: Access Token, Refresh Token
• Resource Owner Credentials (backward, OAuth 1.0)
  – Call: grant_type=password, username/password + client credentials
  – Response: Access Token or Refresh Token
• Client Credentials (client: application)
  – Call: grant_type=client_credentials, client_id/client_secret
  – Response: Access Token
• Authorization Code (third party), redirect/callback
  – Call: response_type=code&client_id&redirect_uri
  – Response: Authorization Code
  – 2nd trip: Access Token
Infra: API or Access Gateway
• API Gateway: central mid-tier loadbalancer
• Switches security
• Many more features like throttling or routing
[Diagram: Loadbalancer → API Gateway (tokens, e.g. SSL + header information) → Docker containers with Angular/nginx frontends and Rest/Spring resource-server services; other services reached via mutual TLS.]
Infra: Example Access GW
[Diagram: an Access Management Proxy with Identity Federation and LDAP in front of apps on CloudFoundry; TLS authentication and header towards the apps; third-party access via mutual TLS routing; login and OpenID token from App -> AuthService.]
Tracing
Wikipedia: In software engineering, tracing involves a specialized use of logging to record information about a program's execution. This information is typically used by programmers for debugging purposes, and additionally, depending on the type and detail of information contained in a trace log, by experienced system administrators or technical-support personnel and by software monitoring tools to diagnose common problems with software. Tracing is a cross-cutting concern.
Microservice and Tracing
• Distributed Tracing
• Collect all traces at a central position
• Correlate our tracing information
[Diagram: extended logging: create a Correlation ID, or take the existing Correlation ID, and collect centrally for analysis.]
Poor Man's Distributed Tracing
One solution: at the beginning of the call chain we create a CORRELATION_ID and add it to all log statements. Along with it, we send the CORRELATION_ID as a header to all downstream services as well, so that those downstream services also use the CORRELATION_ID in their logs. This way we can identify all the log statements related to a particular action across services.
https://dzone.com/articles/microservices-part-6-distributed-tracing-with-spri
Where to create Correlation ID
1. Client
2. LB – API GW
3. Identity
4. First Service
[Diagram: the example flow (Loadbalancer/API Gateway, OAuth Authorization Server, Angular/nginx frontends, Rest/Spring resource-server services in Docker containers, persistence logging) with the four candidate creation points numbered 1–4.]
Enterprise Way: Correlation IDs
• ECID: Execution Context ID, down to the DB
• Header: trace and span ids
• Header: X-Amzn-Trace-Id
• Identity
• Header: X-ORACLE-DMS-ECID, X-ORACLE-DMS-RID
• … or build your own library
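An added example (not from the slides) of the correlation-ID handling described in the Poor Man's Distributed Tracing slide, combined with the enterprise header names listed above: each hop reuses an inbound X-Correlation-ID, X-Amzn-Trace-Id or X-ORACLE-DMS-ECID header (or creates a new ID when none arrives), writes structured JSON log lines that carry the ID and the user, and forwards the ID downstream. The outbound header name X-Correlation-ID, the precedence order, the function names and the sample services are this example's own assumptions.

```python
import json
import logging
import uuid

logging.basicConfig(level=logging.INFO, format="%(message)s")

# Inbound header names this hop accepts (names from the slides plus the assumed
# X-Correlation-ID); the precedence order is an assumption of this example.
CORRELATION_HEADERS = ("X-Correlation-ID", "X-Amzn-Trace-Id", "X-ORACLE-DMS-ECID")
OUTBOUND_HEADER = "X-Correlation-ID"   # assumed name used towards downstream services

def resolve_correlation_id(headers):
    """Return (correlation_id, created): reuse a well-formed inbound ID,
    otherwise mint a new one at this hop."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in CORRELATION_HEADERS:
        value = lowered.get(name.lower(), "").strip()
        # Reject empty, oversized or non-printable values so a caller cannot
        # smuggle log noise or control characters into every downstream log line.
        if value and len(value) <= 128 and value.isprintable():
            return value, False
    return uuid.uuid4().hex, True

def structured_log(service, correlation_id, user, message, level="INFO"):
    """Emit one JSON log line; correlation ID and user identity are always present."""
    record = {"level": level, "service": service, "correlation_id": correlation_id,
              "user": user, "message": message}
    line = json.dumps(record, sort_keys=True)
    logging.getLogger(service).info(line)
    return line

def downstream_headers(correlation_id, extra=None):
    """Headers to attach to the call to the next service in the chain."""
    headers = dict(extra or {})
    headers[OUTBOUND_HEADER] = correlation_id
    return headers

def handle_request(service, inbound_headers, user):
    """Simulated request handling in one service: resolve, log, propagate."""
    cid, created = resolve_correlation_id(inbound_headers)
    structured_log(service, cid, user,
                   "correlation id created" if created else "correlation id reused")
    return cid, downstream_headers(cid)

if __name__ == "__main__":
    # Constructed sample chain: the gateway mints the ID, two services reuse it.
    cid, hdrs = handle_request("gateway", {"Accept": "application/json"}, "alice")
    cid2, hdrs2 = handle_request("order-service", hdrs, "alice")
    cid3, _ = handle_request("billing-service", hdrs2, "alice")
    assert cid == cid2 == cid3
```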
Service Mesh - Istio
[Diagram: Standard: Docker containers with an Angular/nginx frontend and Rest/Spring resource servers call each other directly. Sidecar: each container gets an Istio proxy sidecar that handles the traffic.]
Istio Detail - Sidecar
https://istio.io/docs/concepts/what-is-istio/img/overview/arch.svg
Service Mesh - Istio
• Easy to use
• Quick implementation
• Easy monitoring
• For Correlation ID an extra dependency
• Complex architecture
Lessons Learned
• Infrastructure and Development, DevOps
  – Prepare your infrastructure with logging etc.
  – Start setting up the infrastructure from the first development
  – Logging and tracing aren't easy
• User authentication/authorization
  – Choose your way to authenticate users
  – Maybe cloud services are the fastest way, but what about customization?
  – Using open source frameworks, cloud services or enterprise apps? That is the key for success