Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Design notes. #1

Open
cgcgbcbc opened this issue Jul 14, 2015 · 5 comments
Open

Design notes. #1

cgcgbcbc opened this issue Jul 14, 2015 · 5 comments

Comments

@cgcgbcbc
Copy link
Member

Use koa or express for handling routes, use es6 rest syntax.

Use middleware passport and passport-local-mongoose for fetching user info.
@cgcgbcbc
Copy link
Member Author

koa's response and request objects are not compatible with node's native ones, so that koa may not be a choice unless abandon node-http-proxy.

Another difficulty is that if the resources are not under user namespace, e.g.

/user/someuser/posts/xxx
/posts/xxx

For authentication for these requests, there are two methods to use:

  1. do not validate at all, and add a header field X-xxx-user, pass the request to the backend.
  2. add backend url in config for these complex requests.

@cgcgbcbc
Copy link
Member Author

http://wiki.openiam.com/display/IAMSUITEV3/Single+Sign-on+to+Web+Applications+Using+the+Reverse+Proxy

@cgcgbcbc
Copy link
Member Author

Another approach is add complex logic in the gateway. This requires we implements mu-gateway as a library. This may be helpful if we want to add A&A for legacy systems without A&A, for example, the open source docker registry, consul, and so on.
Then the benefits of this project is that it will provided a single reusable passport system across all the services.

@cgcgbcbc
Copy link
Member Author

The third method is implement database plugin for common databases like mysql, mongo or postgre, and response for A&A query.

@cgcgbcbc
Copy link
Member Author

The function we need can be decoupled as three independent micro-service:

  1. authentication service:

    Authenticate who the user is, an oAuth2 service may work.

  2. authorization service:

    • Scope: under which application the authorization info is.
    • Register: register resources for user
    • Authorise: authorise whether the user has access to the resource

  3. gateway (reverse proxy):

    • ask the authentication service who the request user is.
    • ask the authorization service if the user has access to the resource under given scope.
    • deny or proxy request to the given service

How does this architecture work together with other service? Typically we only need to solve CRUD.

  1. Create
    • take create action as a resource.
    • a & a & gateway service have validated the request.
    • the backend service create the resource arbitrary, without validation.
    • if the created resource is not a user, grant correct access right to the resource (e.g. write: some user, read: anyone)
    • if the created resource is a user, no, you shouldn't do that. Leave the user management to authentication service.
    • register the create action resource under some group of users.
  2. Read
    • return the queried resources arbitrary
  3. Update
    • update resources arbitrary
  4. Delete
    • delete resources arbitrary

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cgcgbcbc