Cloud-native CAx software is CAx software that is designed from the outset to be deployed and run on a cloud platform. To reduce cost and simplify administration, a cloud-native CAx system usually has to serve several customers from one deployment, i.e. it is multi-tenant (Multi-tenancy). The key to building such a system is getting identity authentication, access control and resource isolation right.

Kubernetes: Multi-tenancy

Sharing clusters saves costs and simplifies administration. However, sharing clusters also presents challenges such as security, fairness, and managing noisy neighbors.

Cloud-native platforms generally ship with resource-isolation mechanisms. In Kubernetes, for example, resources can be separated by namespace; note that a namespace is only a grouping construct, and the Kubernetes multi-tenancy guide pairs it with RBAC, NetworkPolicy and resource quotas to actually keep tenants apart. This post therefore only summarizes the techniques on the authentication and authorization side.

Note 1: Given the limits of my research, the analysis may well contain mistakes; criticism and corrections are welcome.

Note 2: The content of this article will be updated from time to time.

1. HTTP Access Authentication

Ref. from Hypertext Transfer Protocol -- HTTP/1.0: Access Authentication

HTTP provides a simple challenge-response authentication mechanism which may be used by a server to challenge a client request and by a client to provide authentication information.

The 401 (unauthorized) response message is used by an origin server to challenge the authorization of a user agent. The WWW-Authenticate response-header field must be included in 401 (unauthorized) response messages. The field value consists of at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI.

WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge
auth-scheme    = token
auth-param     = token "=" quoted-string
challenge      = auth-scheme 1*SP realm *( "," auth-param )
realm          = "realm" "=" realm-value
realm-value    = quoted-string

A user agent that wishes to authenticate itself with a server-- usually, but not necessarily, after receiving a 401 response--may do so by including an Authorization header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.

Authorization  = "Authorization" ":" credentials
credentials    = basic-credentials | ( auth-scheme #auth-param )

If the server does not wish to accept the credentials sent with a request, it should return a 403 (forbidden) response.

The HTTP protocol does not restrict applications to this simple challenge-response mechanism for access authentication. Additional mechanisms may be used, such as encryption at the transport level or via message encapsulation, and with additional header fields specifying authentication information.

The "basic" authentication scheme is based on the model that the user agent must authenticate itself with a user-ID and a password for each realm.

basic-credentials = "Basic" SP basic-cookie
basic-cookie      = <base64 [5] encoding of userid-password, except not limited to 76 char/line>
userid-password   = [ token ] ":" *TEXT

Upon receipt of an unauthorized request for a URI within the protection space, the server should respond with a challenge like the following:

WWW-Authenticate: Basic realm="WallyWorld"

where "WallyWorld" is the string assigned by the server to identify the protection space of the Request-URI.

If the user agent wishes to send the user-ID "Aladdin" and password "open sesame", it would use the following header field:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

The basic authentication scheme is a non-secure method of filtering unauthorized access to resources on an HTTP server. It is based on the assumption that the connection between the client and the server can be regarded as a trusted carrier. As this is not generally true on an open network, the basic authentication scheme should be used accordingly.
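The challenge/response exchange above, as an added example that is not part of the original post or of RFC 1945: it parses a WWW-Authenticate challenge, builds and parses Basic credentials (splitting on the first colon only, since the ABNF allows colons in the password but not in the user-ID), and models the server side as the RFC describes it (401 with a challenge when no credentials are present, 403 when they are not accepted). Passwords are stored as salted PBKDF2 hashes and compared in constant time; the per-realm user table, the realm name and the hashing parameters are assumptions for the example. The realm is a natural place to hang a tenant in a multi-tenant service.

```python
"""HTTP Basic access authentication (RFC 1945 section 11) worked example."""
import base64
import binascii
import hashlib
import hmac
import re
import secrets

# auth-param = token "=" quoted-string; unquoted values are also accepted.
_AUTH_PARAM = re.compile(
    r"([A-Za-z0-9!#$%&'*+.^_`|~-]+)=(?:\"((?:[^\"\\]|\\.)*)\"|([^\s,]+))"
)


def parse_challenge(value):
    """Parse a single challenge from a WWW-Authenticate value -> (scheme, params)."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for m in _AUTH_PARAM.finditer(rest):
        if m.group(2) is not None:
            params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
        else:
            params[m.group(1).lower()] = m.group(3)
    return scheme, params


def encode_basic(userid, password):
    """Build an Authorization value: "Basic" SP base64(userid ":" password)."""
    if ":" in userid:
        raise ValueError("user-ID must not contain ':' (userid-password = [token] ':' *TEXT)")
    raw = f"{userid}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(authorization):
    """Return (userid, password) from an Authorization header, or None if malformed."""
    scheme, _, cookie = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(cookie.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in text:
        return None
    userid, _, password = text.partition(":")  # first colon only
    return userid, password


def make_user_record(password, iterations=100_000):
    """Salted PBKDF2-SHA256 record for the (assumed) per-realm user table."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def check_password(record, password):
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


# Hashed for unknown user-IDs too, so timing does not reveal which IDs exist.
_DUMMY_RECORD = make_user_record("not-a-real-password")


def handle_request(realm, users, authorization):
    """Server decision per RFC 1945: (status, response headers)."""
    if authorization is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}
    creds = parse_basic(authorization)
    if creds is None:
        return 403, {}
    userid, password = creds
    record = users.get(userid)
    ok = check_password(record if record is not None else _DUMMY_RECORD, password)
    if record is None or not ok:
        return 403, {}
    return 200, {}


if __name__ == "__main__":
    users = {"Aladdin": make_user_record("open sesame")}  # constructed sample
    print(handle_request("WallyWorld", users, None))
    print(handle_request("WallyWorld", users, encode_basic("Aladdin", "open sesame")))
```

Because the credentials travel as plain base64, this only makes sense over TLS, as the RFC's last paragraph warns; the example also deliberately does not echo the attempted user-ID or password in any response.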

2. Cookies

Ref. from HTTP State Management Mechanism draft-abarth-cookie-07

The origin server initiates a session, if it so desires, by including a Set-Cookie header in an HTTP response. Using the Set-Cookie header, an HTTP server can store name/value pairs (called cookies) at the user agent.

When the user agent generates an HTTP request, the user agent SHOULD attach exactly one HTTP header named Cookie if the cookie-string (defined below) for the Request-URI is non-empty. A user agent MAY elide the Cookie header in its entirety if the user agent is configured to block sending cookies.
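The Set-Cookie / Cookie round trip described above, as an added example that is not from the original post or the cited draft: the server issues a random session identifier in a Set-Cookie header (with the Path, Max-Age, Secure and HttpOnly attributes the draft defines), the user agent later returns it in a single Cookie header, and the server maps it back to a session. The in-memory session store, the cookie name `sid` and the tenant binding check are assumptions; the tenant check is what stops a session issued for one tenant from being replayed against another tenant's resources.

```python
"""Cookie-based session issuance and lookup for a multi-tenant service (added example)."""
import secrets
import time

# Constructed in-memory store: session id -> session record.
SESSIONS = {}


def issue_session(tenant, user, ttl=3600, now=None):
    """Create a session and return (session id, Set-Cookie header value)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness, cookie-safe alphabet
    SESSIONS[sid] = {"tenant": tenant, "user": user, "expires": now + ttl}
    # Secure: only sent over TLS; HttpOnly: not readable from script.
    set_cookie = f"sid={sid}; Path=/; Max-Age={ttl}; Secure; HttpOnly"
    return sid, set_cookie


def parse_cookie_header(value):
    """Split the single Cookie header ("a=1; b=2") into a dict."""
    cookies = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def resolve_session(cookie_header, tenant, now=None):
    """Return the session a Cookie header names, or None if absent, expired,
    or bound to a different tenant than the one being accessed."""
    if cookie_header is None:
        return None
    now = time.time() if now is None else now
    sid = parse_cookie_header(cookie_header).get("sid")
    if sid is None:
        return None
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if now >= session["expires"]:
        SESSIONS.pop(sid, None)  # purge expired sessions on touch
        return None
    if session["tenant"] != tenant:
        return None  # never let a tenant A session act on tenant B resources
    return session


if __name__ == "__main__":
    sid, header = issue_session("acme", "alice", ttl=60)
    print("Set-Cookie:", header)
    print(resolve_session(f"sid={sid}", "acme"))
```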

3. JWT

Ref. from JWT

JSON Web Token (JWT) is a compact claims representation format intended for space constrained environments such as HTTP Authorization headers and URI query parameters. JWTs encode claims to be transmitted as a JSON [RFC7159] object that is used as the payload of a JSON Web Signature (JWS) [JWS] structure or as the plaintext of a JSON Web Encryption (JWE) [JWE] structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. JWTs are always represented using the JWS Compact Serialization or the JWE Compact Serialization.

A JWT is represented as a sequence of URL-safe parts separated by period ('.') characters. Each part contains a base64url-encoded value.  The number of parts in the JWT is dependent upon the representation of the resulting JWS using the JWS Compact Serialization or JWE using the JWE Compact Serialization.
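The JWS Compact Serialization described above, carried through as an added example that is not part of the original post or of RFC 7519/7515: a JWT is produced and verified with HS256 (HMAC-SHA256), showing the three base64url-encoded parts, the MAC over `header.payload`, and the checks a verifier must perform. The algorithm is pinned to HS256 rather than read from the header, because the header is attacker-controlled and a token with `"alg":"none"` or a swapped algorithm must not be able to select the verification routine. The `tenant` claim, the signing key and the `authorize_tenant` check are assumptions for the multi-tenant scenario of this post.

```python
"""JWT as JWS Compact Serialization with HS256 (added example)."""
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """Raised when a token fails structural, signature or claim checks."""


def b64url_encode(data):
    # base64url without '=' padding, as each JWT part is represented
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # re-add the padding the encoder stripped; raises ValueError on bad input
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign_hs256(claims, key):
    """Return header.payload.signature with the claims set as the JWS payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def jwt_verify_hs256(token, key, now=None):
    """Verify structure, algorithm, MAC and expiry; return the claims dict."""
    if not token.isascii():
        raise InvalidToken("token must be ASCII")
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("JWS Compact Serialization has exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidToken("malformed header or signature") from exc
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")
    # Only parse the payload after the MAC has been checked.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("malformed payload") from exc
    if not isinstance(claims, dict):
        raise InvalidToken("claims set must be a JSON object")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and now >= exp:
        raise InvalidToken("token expired")
    return claims


def authorize_tenant(claims, tenant):
    """Multi-tenant check: the token must name the tenant that owns the resource."""
    return claims.get("tenant") == tenant


if __name__ == "__main__":
    key = b"per-deployment-signing-key"  # assumed; use a random 256-bit key in practice
    token = jwt_sign_hs256({"sub": "alice", "tenant": "acme", "exp": int(time.time()) + 300}, key)
    print(token)
    print(jwt_verify_hs256(token, key))
```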

References

Kubernetes: Multi-tenancy: https://kubernetes.io/docs/concepts/security/multi-tenancy/

Hypertext Transfer Protocol -- HTTP/1.0: https://datatracker.ietf.org/doc/html/rfc1945#autoid-1

HTTP Access Authentication: https://datatracker.ietf.org/doc/html/rfc1945#section-11

HTTP State Management Mechanism draft-abarth-cookie-07: https://datatracker.ietf.org/doc/html/draft-abarth-cookie-07

JSON Web Token (JWT): https://datatracker.ietf.org/doc/html/rfc7519

JSON Web Signature (JWS): https://www.rfc-editor.org/rfc/rfc7515.html

JSON Web Encryption (JWE): https://www.rfc-editor.org/rfc/rfc7516.html
