Container-Native Applications: Security, Logging, Tracing
Matthias Fuchs, @hias222
DOAG 2018 Exa & Middleware Days, 2018/06/19
Agenda
Microservice Example Flow; Oracle Cloud Details; Logging; Security, OAuth, TLS; Tracing; Service Mesh; Lessons Learned
Microservices Example Flow
Implementation: cloud access through a load balancer, login with OAuth, Angular app, logging, tracing, Docker images, logging service.
Diagram: a load balancer in front of Docker containers running the frontend (Angular/nginx) and the services (REST/Spring resource servers). Web page calls go to the frontend, web service calls to the services, login and app authorization go to the OAuth authorization server; the services use persistence and a central logging service.
Integrated Cloud Services
Logging: Oracle Management Cloud (agents); Elasticsearch, Kibana (CloudWatch, Lambda, Elastic).
Authentication/Authorization: Oracle Identity Service; Cognito, Keycloak, OAM, Ping Identity.
Docker services infrastructure: Container Service (Kubernetes); Enterprise Container Services (AWS), OpenShift, Google Kubernetes Engine.
Diagram: the REST/Spring resource server services connect to the logging, identity and container services.
More Cloud Services
Object Storage, maybe File Storage? Oracle Key Vault (cloud ready?). Identity and Access Management (IAM).
Secrets and parameters: AWS Secrets Manager, HashiCorp Vault, S3 buckets, Systems Manager Parameter Store.
Container Services
Application Container (PaaS); Container Service Classic (IaaS); Oracle Cloud Infrastructure (OCI): own VMs or bare metal, Kubernetes (Wercker).
Kubernetes in Oracle Cloud
Kubernetes Architecture (diagram: https://kubernetes.io/docs/concepts/architecture/cloud-controller/)
Logging/Monitoring Cloud Services (self service)
Diagram: an agent on the infrastructure collects infrastructure data, metrics and application data from the services and ships them to the cloud service, where they are shown on a dashboard and analyzed.
Oracle Cloud Agent
Cloud agents run on the hosts where the monitored entities are running. They collect metrics and log data, which is processed, analyzed and visualized in Oracle Management Cloud. APM agents are specifically for monitoring applications end to end; they can be configured for a wide range of application servers and collect metrics that are processed, analyzed and visualized in Oracle Application Performance Monitoring.
Logging in Microservices
Centralize and externalize log storage; log structured data; correlation IDs; dynamic logging levels and asynchronous logging; for analysis and search: user information, security concept.
Log View: Kibana / Lambda / CloudWatch, Oracle
Logging in Microservices
User information: log it security aware, following the security concept. Correlation ID: the basis for tracing. Common log structure (JSON, XML, ...) as the basis for tracing.
IAAA Framework for Microservices APIs
Identification: must support multiple identities and attributes (end users, system components, domains).
Authentication: must support multiple authentication methods as well as delegated authentication.
Authorization: authorization for a single request may be decided at multiple points in the request path.
Accountability: capture of relevant security data or metadata from API messages.
Current Approaches (DHARMA foundational concepts)
Network-level controls: localhost, network isolation, SSL, SPIFFE. SPIFFE (Secure Production Identity Framework for Everyone) is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments.
Application-level controls (tokens): OAuth, OpenID Connect, JWT.
Infrastructure: API intermediaries (API gateway, service proxies); network overlays (Kubernetes, CloudFoundry, AWS IAM, rules).
Application-level controls (traditional): cookie-based sessions, SAML.
Emerging approaches (next): serverless, service mesh (Istio, nginx).
Network: TLS, SSL, openssl
TLS is a separate protocol, mostly seen with HTTP. It acts as an interceptor between existing protocols, e.g. between HTTP and TCP, and can sit under other application protocols as well (SMTP, Kafka, ...). It is transparent, out of the scope of the user or client. It is not possible with all transport protocols, e.g. UDP. Always use it.
Network: TLS, SSL, openssl (protocol layering)
Application layer: e.g. HTTP.
SSL/TLS higher-layer subprotocols: Handshake; Change Cipher Spec (depends on the handshake); Alert Protocol; Application Data Protocol.
TLS layer (record subprotocol): fragment, compress, encrypt according to the cipher spec, add header.
Transport layer: TCP. Network layer: IP.
Modern Secret Management with Vault, HashiCorp: https://www.youtube.com/watch?v=iqigxgccezi
Tokens: OAuth 2.0 / (OpenID Connect)
OAuth history: Open Authorization. ca. 2008: OAuth 1.0. IETF group, 2012: OAuth 2.0. ca. 2014: OpenID Connect (extension of OAuth 2.0).
Before: SAML, SSO for web applications. Security Assertion Markup Language, SAML since 2002, SAML 2.0 in 2005.
OAuth 2.0 grant types
Implicit (JavaScript, third party): redirect/callback call with response_type=access_token&client_id&redirect_uri; response: access token (refresh token).
Authorization Code: redirect/callback call with response_type=code&client_id&redirect_uri; response: authorization code; a second trip exchanges the code for the access token.
Resource Owner Password Credentials (backward, OAuth 1.0): call with grant_type=password, username/password plus client credentials; response: access token or refresh token.
Client Credentials (application): call with grant_type=client_credentials, client_id/client_secret; response: access token.
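Whatever grant type is used, the flow ends with the resource server receiving a bearer access token, and the resource server must check it before trusting the identity inside. The following is an added example, not code from the talk: a minimal JWT check with a shared HS256 secret (the secret, audience and claim values are constructed; real deployments usually use RS256 with the authorization server's public key, but the checks are the same).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: shared HMAC secret and the audience this resource server accepts.
SECRET = b"constructed-demo-secret-do-not-reuse"
AUDIENCE = "resource-server"


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(claims, secret=SECRET):
    """Authorization-server side: what any of the grant flows hands back."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_access_token(token, secret=SECRET, audience=AUDIENCE, now=None):
    """Resource-server side: returns the claims, raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm; the token must not be allowed to choose it ('none', alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))   # only parsed after the signature check
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


if __name__ == "__main__":
    token = mint_access_token({"sub": "alice", "aud": AUDIENCE, "exp": time.time() + 300})
    print(verify_access_token(token))
```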
Infra: API or Access Gateway
API Gateway: central mid-tier, load balancer, switches, security; many more features like throttling or routing.
Diagram: the load balancer and the API gateway (e.g. SSL plus header information, tokens, mutual TLS) sit in front of the Docker containers with the Angular/nginx frontend and the REST/Spring resource server services, and in front of other services.
Infra: Example Access Gateway
Access management proxy: OpenID token, identity federation, mutual TLS; LDAP login, token. CloudFoundry routing: TLS, authentication header, mutual TLS to a 3rd party.
Diagram: App -> Auth Service -> Apps.
Tracing
Wikipedia: In software engineering, tracing involves a specialized use of logging to record information about a program's execution. This information is typically used by programmers for debugging purposes, and additionally, depending on the type and detail of information contained in a trace log, by experienced system administrators or technical-support personnel and by software monitoring tools to diagnose common problems with software. Tracing is a cross-cutting concern.
Microservices and Tracing
Distributed tracing: collect all traces at a central position; correlate our tracing information.
Extended logging: create a correlation ID, or take the existing correlation ID; collect centrally for analysis.
Poor Man's Distributed Tracing
One solution: at the beginning of the call chain we create a CORRELATION_ID and add it to all log statements. Along with it, we send the CORRELATION_ID as a header to all the downstream services as well, so that those downstream services also use the CORRELATION_ID in their logs. This way we can identify all the log statements related to a particular action across services.
Source: https://dzone.com/articles/microservices-part-6-distributed-tracing-with-spri
Where to create the Correlation ID
1. Client; 2. Load balancer / API gateway; 3. Identity (authorization server); 4. First service.
Diagram: the same flow as the example (frontend Angular/nginx, load balancer / API gateway, REST/Spring resource server services, OAuth authorization server, persistence, logging), with the four candidate positions marked.
Enterprise Way: Correlation IDs
Identity: ECID (Execution Context ID), carried down to the DB.
Headers: trace and span IDs; X-Amzn-Trace-Id; X-ORACLE-DMS-ECID, X-ORACLE-DMS-RID. Or build your own library.
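The poor man's tracing above, the structured logging slides and the header names on this slide come together in the following added example (not code from the talk or from any of the named products): each hop takes the correlation ID from an inbound header or creates one, writes JSON log lines with it, and propagates it downstream. X-Correlation-ID as the header between our own services, the service names and the request are assumptions.

```python
import json
import uuid
from datetime import datetime, timezone

# Headers named in the talk (Oracle DMS ECID, AWS trace header) plus an assumed
# generic X-Correlation-ID used between our own services.
CORRELATION_HEADERS = ("X-ORACLE-DMS-ECID", "X-Amzn-Trace-Id", "X-Correlation-ID")
SENSITIVE_HEADERS = {"authorization", "cookie"}   # never copied into a log line


def inbound_correlation_id(headers):
    """Take the correlation ID already on the request, or create one at this hop
    (client, load balancer / API gateway, identity or first service)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in CORRELATION_HEADERS:
        value = lowered.get(name.lower(), "").strip()
        if value:
            return value
    return str(uuid.uuid4())


def outbound_headers(correlation_id):
    """Headers attached to every downstream call so the whole chain shares one ID."""
    return {"X-Correlation-ID": correlation_id}


def log_line(service, correlation_id, message, user=None, **fields):
    """One structured JSON log line; the user is logged by subject only, and the
    bearer token or cookie from the request never reaches the log."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "service": service,
              "correlation_id": correlation_id, "user": user, "msg": message}
    record.update(fields)
    return json.dumps(record, sort_keys=True)


def handle(chain, request_headers, user):
    """Simulated request handling along a call chain (first name = this service).
    Returns every log line the chain produced, all carrying the same ID."""
    service, rest = chain[0], chain[1:]
    cid = inbound_correlation_id(request_headers)
    safe = {k: v for k, v in request_headers.items() if k.lower() not in SENSITIVE_HEADERS}
    lines = [log_line(service, cid, "request received", user=user, headers=safe)]
    if rest:   # call the next service with the ID propagated, not the inbound headers
        lines += handle(rest, outbound_headers(cid), user)
    lines.append(log_line(service, cid, "request done", user=user))
    return lines


if __name__ == "__main__":
    # Constructed inbound request: the API gateway already set an ECID.
    request = {"Authorization": "Bearer constructed-token", "X-ORACLE-DMS-ECID": "ecid-constructed-0001"}
    for line in handle(("frontend", "service-a", "service-b"), request, "alice"):
        print(line)
```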
Example: ID Tracing shared Library
Service Mesh - Istio
Standard: Docker containers with the frontend (Angular/nginx) and the services (REST/Spring resource server).
Istio sidecar: the same containers, each with a proxy in front of the frontend and in front of the services.
Istio Detail - Sidecar (architecture diagram: https://istio.io/docs/concepts/what-is-istio/img/overview/arch.svg)
Example View
Service Mesh - Istio
Easy to use, quick implementation, easy monitoring. For the correlation ID an extra dependency is needed. Complex architecture.
Lessons Learned
Infrastructure and development, DevOps: prepare your infrastructure with logging etc.; start setting up the infrastructure from the first development; logging and tracing aren't easy.
User authentication/authorization: choose your way to authenticate users; cloud services may be the fastest way, but what about customization?
Open source frameworks, cloud services or enterprise apps? That choice is the key to success.