How Netflix Solved Its Authentication Problem

This article was originally published on the Netflix Technology Blog and was translated and shared by InfoQ China.

As most developers can attest, dealing with security protocols and identity tokens, as well as user and device authentication, is challenging. Now imagine multiple protocols, multiple tokens, 200M+ users and thousands of device types, and the problem explodes in scope.

A few years ago we decided to address this complexity with a new initiative, which eventually became a new team: we moved the complex handling of user and device authentication, and of the various security protocols and tokens, to the network edge, managed by a set of centralized services and a single team. In the process we changed end-to-end identity propagation within the network of services to use a cryptographically verifiable, token-agnostic identity object.

This post gives an overview of how we:

- reduced complexity for service owners, who no longer need to know about, or be responsible for, terminating security protocols and dealing with myriad security tokens
- improved security by delegating token management to services and teams with the domain expertise
- improved auditability and forensic analysis

How we got here

Netflix started as a website that allowed members to manage their DVD queue. Later the website gained streaming content. Streaming devices came a bit later, but initially they had only rudimentary capabilities. Over time the devices grew in capability, and functions that were previously accessible only on the website became accessible through streaming devices. The scale of the Netflix service grew rapidly, with more than 2,000 device types supported.

The services supporting these functions now had to understand multiple tokens and security protocols in order to identify users and devices and authorize access to the functions, which added to their load. The overall system became quite complex and started to become brittle. On top of this, the edge layer was evolving into a PaaS (Platform as a Service) model, and we had some hard decisions to make about how and where identity-token handling should happen.

Complexity: multiple services handling authentication tokens

To illustrate the complexity of the system, the diagram below shows the user login flow before the changes described in this post:

[Image: https://static001.geekbang.org/infoq/88/88ea07d44f7a6b65fe2bb9e22562165a.png]

At a high level, this (greatly simplified) flow involved the following steps:

1. The user enters their credentials, and the Netflix client transmits the credentials, together with the device's ESN, to the edge gateway, Zuul.
2. Zuul redirects the user's call to the API /login endpoint.
3. The API server orchestrates backend systems to authenticate the user.
4. On successful authentication, the API server sends a cookie response back upstream, containing the customerId (a Long value), the ESN (a String) and an expiration directive.
5. Zuul sends the cookies back to the Netflix client.

This model had several problems, for example:

- Externally valid tokens were created deep down in the stack and had to be propagated all the way upstream, which opened the door to them being logged inappropriately or otherwise mismanaged.
- Upstream systems had to reopen the tokens to identify the user logging in, and potentially manage multiple parallel identity data structures, which could easily get out of sync.

Multiple protocols & tokens

The example above shows a flow with one protocol (HTTP/S) and one token type (cookies). Several protocols and tokens are used across the Netflix streaming product, summarized below:

[Image: https://static001.geekbang.org/infoq/80/807bef00c4bf4cfb181f98bb5dd6a794.png]

These tokens are consumed, and potentially mutated, by multiple systems within the Netflix streaming ecosystem, for example:

[Image: https://static001.geekbang.org/infoq/c3/c353aa95f1b3421a08cd5bcce1149ca0.png]

To complicate things further, there were multiple ways that tokens, or the data they contained, were transmitted from one system to another. In some cases tokens were cracked open and identity data elements were extracted as simple primitives or strings, used in API calls, or passed from system to system via request-context headers or even as URL parameters. There were no checks in place to ensure the integrity of the tokens or of the data they carried.

Netflix scale

At the same time, Netflix was operating at an ever-increasing scale. Today Netflix has 200M+ subscribers and many millions of active devices. We process over 2.5 million requests per second, a significant percentage of which require some form of authentication. In the old architecture, each of these requests resulted in an API call to authenticate the claims presented with the request:

[Image: https://static001.geekbang.org/infoq/61/612f2a6d765a44a0b60ffa3123c28ea7.png]

EdgePaaS enters the picture

To complicate things even more, the Edge Engineering team was in the middle of migrating from the old API server architecture to a new PaaS-based approach. As we migrated to EdgePaaS, front-end services moved from the Java-based API to a BFF (backend for frontend), known as NodeQuark:

[Image: https://static001.geekbang.org/infoq/35/35027b724fbeb9713856d77d232a361f.png]

This model lets front-end engineers own and operate their own services outside of the core API framework. It introduced another layer of complexity, though: how would these NodeQuark services deal with identity tokens? NodeQuark services are written in JavaScript, and terminating a protocol as complex as MSL (https://www.infoq.com/news/2014/11/netflix-msl/?fileGuid=pqijKPaZWzE0UD55) in them would have been difficult and wasteful, as would replicating all of the token-management logic.

Summing up

In short, we found that we were handling authentication and identity tokens at scale with a complex and inefficient solution. We had multiple types and sources of identity tokens, each requiring special handling, with the logic replicated across different systems. Critical identity data was propagated throughout the server ecosystem in an inconsistent fashion.

Edge Authentication to the rescue

We realized that solving this problem required a unified identity model. We needed to process authentication tokens (and protocols) further upstream. So we moved authentication and protocol termination to the edge of the network, and created a new integrity-protected, token-agnostic identity object to propagate throughout the server ecosystem.

Moving authentication to the edge

With our goals of improving security, reducing complexity and ultimately providing a better user experience in mind, our strategy was to centralize device authentication operations, user identification, and authentication-token management at the service edge.

At a high level, Zuul (the cloud gateway) became the termination point for token inspection and payload encryption/decryption. In the cases Zuul cannot handle on its own (a small percentage), for example when a token is absent, needs renewal, or is otherwise invalid, Zuul delegates to a new set of Edge Authentication Services that handle cryptographic key exchange and token creation or renewal.

Edge Authentication Services

Edge Authentication Services (EAS) is both an architectural concept, moving the authentication and identification of devices and users up the stack to the cloud edge, and a suite of services developed to handle each token type.

Functionally, EAS is a series of filters running in Zuul that may call out to external services to support their domain, for example a service that handles MSL tokens and another that handles cookies. EAS also covers the read-only processing of tokens (more on that later) to create Passports.

The basic pattern for how EAS handles a request is as follows:

[Image: https://static001.geekbang.org/infoq/6c/6cc53e4e25c562cb0aa1de8151893c3b.png]

For every request that enters Netflix services, the EAS inbound filter in Zuul inspects the tokens provided by the device client and either passes the request on to the Passport injection filter or delegates to one of the Edge Authentication Services for processing. The Passport injection filter generates a token-agnostic identity that is propagated down through the rest of the server ecosystem. On the response path, the EAS outbound filter determines and generates, with help from the Edge Authentication Services as needed, the tokens that must be sent back to the client device.

The architecture of the system now looks like this:

[Image: https://static001.geekbang.org/infoq/7e/7e6573aed385d21781ee1f700a02b79d.png]

Note that tokens never cross the edge gateway / EAS boundary. The MSL security protocol is terminated at the edge, all tokens are cracked open there, and identity data is propagated through the server ecosystem in a token-agnostic manner.

A note on resilience

On the happy path, Zuul itself is able to process the large majority of tokens, those that are valid and unexpired, while the Edge Authentication Services handle the remaining requests.

[Image: https://static001.geekbang.org/infoq/51/5108eb9d2e743a27b47da92a7ed4d422.png]

The EAS services are designed to be fault tolerant. Consider the case where Zuul determines that a cookie is valid but expired, and the renewal call to EAS fails:

[Image: https://static001.geekbang.org/infoq/ff/ff28687d474de67f049b9a30010d1865.png]

In that failure case, the EAS filter in Zuul relaxes its restriction, allows the parsed identity to be propagated, and attaches an instruction to reschedule the renewal call on the next request. Note that this relaxation applies to a token Zuul has already found to be valid and merely expired, not to a token that failed validation.

Token-agnostic identity (Passport)

An easily mutable identity structure would not do, because it would mean passing a less trusted identity from service to service. A token-agnostic identity structure was needed.

We introduced an identity structure called the "Passport", which lets us propagate user and device identity information in a uniform way. The Passport is also a kind of token, but using an internal structure that differs from the external tokens has many benefits. Downstream systems, however, still need access to the user and device identity.

[Image: https://static001.geekbang.org/infoq/f6/f601b758759b2969100508c8f1ccd546.png]

A Passport is a short-lived identity structure created at the edge for each request, that is, it is scoped to the lifetime of the request and is entirely internal to the Netflix ecosystem. Passports are generated in Zuul by a set of identity filters. A Passport contains both user and device identity, is in protobuf format, and is integrity-protected by an HMAC.

Passport structure

As mentioned above, the Passport is modelled as a protocol buffer. It is defined as follows:

```protobuf
message Passport {
  Header header = 1;
  UserInfo user_info = 2;
  DeviceInfo device_info = 3;
  Integrity user_integrity = 4;
  Integrity device_integrity = 5;
}
```

The Header element communicates the name of the service that created the Passport. What is more interesting is what is propagated about the user and the device.

User & device information

The UserInfo element contains all the information needed to identify the user who initiated the request, and the DeviceInfo element contains the necessary information about the device the user is accessing Netflix from:

```protobuf
message UserInfo {
  Source source = 1;
  int64 created = 2;
  int64 expires = 3;
  Int64Wrapper customer_id = 4;
  … (some internal stuff) …
  PassportAuthenticationLevel authentication_level = 11;
  repeated UserAction actions = 12;
}

message DeviceInfo {
  Source source = 1;
  int64 created = 2;
  int64 expires = 3;
  StringValue esn = 4;
  Int32Value device_type = 5;
  repeated DeviceAction actions = 7;
  PassportAuthenticationLevel authentication_level = 8;
  … (some more internal stuff) …
}
```

Both UserInfo and DeviceInfo carry the Source and the PassportAuthenticationLevel of the request. The Source is a classification of the claims, identifying the protocol used to make the request and the service that validated the claim. The PassportAuthenticationLevel is the level of trust we place in the authentication claims.

```protobuf
enum Source {
  NONE = 0;
  COOKIE = 1;
  COOKIE_INSECURE = 2;
  MSL = 3;
  PARTNER_TOKEN = 4;
  …
}

enum PassportAuthenticationLevel {
  LOW = 1;      // untrusted transport
  HIGH = 2;     // secure tokens over TLS
  HIGHEST = 3;  // MSL or user credentials
}
```

Downstream applications can use these values to make authorization and/or user-experience decisions.

Passport Integrity

The integrity of the Passport is protected by an HMAC (hash-based message authentication code), a specific type of MAC that combines a cryptographic hash function with a secret key. It verifies both the data integrity and the authenticity of a message at the same time.

The user and device integrity elements are defined as:

```protobuf
message Integrity {
  int32 version = 1;
  string key_name = 2;
  bytes hmac = 3;
}
```

Version 1 of the Integrity element uses SHA-256 for the HMAC, encoded as a byte array. Future versions of Integrity may use a different hash function or encoding. In version 1 the hmac field holds the 256-bit value from MacSpec.SHA_256; the key_name field identifies which secret key the verifier has to use. Integrity protection guarantees that the Passport's fields are not mutated after the Passport is created. Client applications can use the Passport Introspector to check the Passport's integrity before using any of the values it contains.

Passport Introspector

The Passport object itself is opaque; clients use the Passport Introspector to extract the Passport from the headers and retrieve its contents. The Passport Introspector is a wrapper over the Passport's binary data. Clients create an Introspector through a factory and then have access to basic accessor methods:

```java
public interface PassportIntrospector {
  Long getCustomerId();
  Long getAccountOwnerId();
  String getEsn();
  Integer getDeviceTypeId();
  String getPassportAsString();
  …
}
```

Passport Actions

The Passport protobuf definition shown above also contains Passport Actions:

```protobuf
message UserInfo {
  repeated UserAction actions = 12;
  …
}

message DeviceInfo {
  repeated DeviceAction actions = 7;
  …
}
```

Passport Actions are explicit signals sent by downstream services when they have performed an update to the user or device identity. EAS uses the signal to create or update the corresponding type of token.

The login flow revisited

Let's wrap up with an example of all of these pieces working together.

With authentication and protocol termination moved to the edge, and the Passport introduced as the identity, the login flow described earlier has evolved into the following:

[Image: https://static001.geekbang.org/infoq/ac/ac7ff4f6c5a534af3cdcc0616265e3bb.png]

1. The user enters their credentials, and the Netflix client transmits the credentials, together with the device's ESN, to the edge gateway, Zuul.
2. Identity filters running in Zuul generate a device-bound Passport and pass it along to the API /login endpoint.
3. The API server propagates the Passport to the mid-tier services responsible for authenticating the user.
4. On successful authentication of the claims provided, these services create a Passport Action and send it, together with the original Passport, back upstream to the API and Zuul.
5. Zuul calls the Cookie service to resolve the Passport and Passport Action, and sends the cookies back to the Netflix client.

Key benefits and lessons

Simplified authorization

One of the reasons external tokens flowed into downstream systems was that authorization decisions often depend on the authentication claims in the token, and on the trust associated with each token type. In our Passport structure we assign levels to that trust, which means systems that need to make authorization decisions can write sensible rules against the Passport instead of replicating the trust rules in the code of multiple services.

Explicit, extensible identity model

Having a canonical identity structure is enormously useful. Schemes that pass identity primitives around are brittle and hard to debug: if the customer identity changed somewhere in the call chain between service A and service D, who changed it? Once the identity structure flows through all the critical systems, adding a new external token type, a new trust level or a new way of representing identity becomes relatively easy.

Operational concerns and visibility

With a structure like the Passport, we can define which services write Passports and which other services validate them. As a Passport propagates, we can see it in logs, open it up and validate it, and thus know what the identity is. We also know where a Passport came from and can trace it back to where it entered the system. This makes debugging any identity-related anomaly much easier.

Reduced downstream system complexity & load

Passing a uniform structure to downstream systems means those systems can look up device and user identity easily using the introspection library. They can use the common structure instead of handling each type of external token separately.

Moving token processing out of these systems into the centralized Edge Authentication Services gave downstream systems significant improvements in CPU, request latency and garbage collection metrics, all of which help reduce cluster footprint and cloud cost. The examples of these gains below come from the main API service.

In the previous implementation there were two separate decryption/termination costs per request, because we needed the ability to route at the edge but also needed diverse protocol termination in the downstream services. Part of the performance improvement comes from consolidating this: an MSL request now only needs to be processed once.

CPU to RPS ratio

Offloading token processing resulted in a 30% reduction in CPU cost per request and a 40% reduction in load average. The chart below shows the ratio of CPU to RPS, where lower is better:

[Image: https://static001.geekbang.org/infoq/1d/1d52ceb5a922c3ff59a2cb630695ca4c.png]

API response time

Response times for all calls on the API service improved significantly, with a 30% improvement in average latency and a 20% improvement in 99th-percentile latency:

[Image: https://static001.geekbang.org/infoq/a9/a94ee50a296cf7aa6c71e30ac9433457.png]

Garbage collection

The API service also saw a significant reduction in GC pressure and GC pause times, as shown by the Stop-The-World garbage collection metrics:

[Image: https://static001.geekbang.org/infoq/07/07e663d2c54b632a93d521bf6a0e9ae7.png]

Developer velocity

Taking these authentication and identity concerns off the plates of microservice developers means they can focus on their core domains. Changes in this area now need to be made once, in a dedicated set of services, rather than spread across many services.

Looking forward

(Even) stronger authentication

We are currently expanding the Edge Authentication Services to support multi-factor authentication through a new service called "Resistor". Based on machine-learning models, we selectively introduce a second factor for connections that look suspicious. As we onboard new flows we are introducing new factors, such as one-time passwords (OTP) sent to email or phone, push notifications to mobile devices, and third-party authenticator applications. We are also exploring opt-in multi-factor authentication for users who want additional security on their accounts.

Flexible authorization

Now that a verified identity flows through the system, we can use it as a strong signal for authorization decisions. Last year we started exploring a new Product Access Strategy (PACS) and are currently working on productizing it for several new experiences in the Netflix streaming product. PACS recently powered the experience access control for Streamfest (https://about.netflix.com/en/news/streamfest-india?fileGuid=pqijKPaZWzE0UD55), a free weekend of Netflix in India.

Original article:

https://netflixtechblog.com/edge-authentication-and-token-agnostic-identity-propagation-514e47e0b602
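The integrity scheme from the "Passport Integrity" and "Passport Introspector" sections, worked through as an added example. This is not code from the original post or from Netflix: it keeps only a subset of the Passport's fields, uses a hand-rolled deterministic byte layout in place of the protobuf encoding, and the key names, key bytes, ESN and customer id are constructed test values. What it shows that the text only states is how the separate user and device MACs catch an in-flight mutation, how expiry is enforced by the introspector rather than the caller, and how the key_name field lets keys rotate while a Passport that names a retired key is rejected rather than trusted.

```python
"""Integrity-protected, token-agnostic identity modelled on the Passport described
above (a subset of its fields). Added illustration, not Netflix's code: a fixed
byte layout stands in for the protobuf encoding, and the key ring and identities
below are constructed test data."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, fields
from typing import Dict, Optional

@dataclass
class UserInfo:               # subset of the page's UserInfo
    expires: int
    customer_id: int

@dataclass
class DeviceInfo:             # subset of the page's DeviceInfo
    expires: int
    esn: str
    device_type: int

@dataclass
class Integrity:              # the page's Integrity element
    version: int
    key_name: str             # tells the verifier which key to use, which enables rotation
    hmac: bytes

@dataclass
class Passport:
    device_info: DeviceInfo
    user_info: Optional[UserInfo]
    device_integrity: Optional[Integrity] = None
    user_integrity: Optional[Integrity] = None

INTEGRITY_VERSION = 1         # version 1 = HMAC-SHA-256, as on the page
KEY_RING: Dict[str, bytes] = {  # constructed keys; a deployment loads these from a secret store
    "passport-hmac-2024a": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
    "passport-hmac-2024b": bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2),
}

def canonical_bytes(msg) -> bytes:
    """Deterministic encoding (fields in declaration order, ints as 8-byte big-endian,
    strings length-prefixed); protobuf plays this role in the real system."""
    out = bytearray()
    for f in fields(msg):
        value = getattr(msg, f.name)
        if isinstance(value, int):
            out += struct.pack(">q", value)
        else:
            data = str(value).encode("utf-8")
            out += struct.pack(">I", len(data)) + data
    return bytes(out)

def sign(msg, key_name: str, key_ring: Dict[str, bytes] = KEY_RING) -> Integrity:
    mac = hmac.new(key_ring[key_name], canonical_bytes(msg), hashlib.sha256).digest()
    return Integrity(INTEGRITY_VERSION, key_name, mac)

def verify(msg, integrity: Optional[Integrity], key_ring: Dict[str, bytes] = KEY_RING) -> bool:
    """Constant-time check; a missing element, wrong version or retired key name fails closed."""
    if integrity is None or integrity.version != INTEGRITY_VERSION or integrity.key_name not in key_ring:
        return False
    expected = hmac.new(key_ring[integrity.key_name], canonical_bytes(msg), hashlib.sha256).digest()
    return hmac.compare_digest(expected, integrity.hmac)

def issue_passport(user: Optional[UserInfo], device: DeviceInfo, key_name: str) -> Passport:
    """What the Passport injection filter does at the edge: MAC user and device separately."""
    return Passport(device, user, sign(device, key_name), sign(user, key_name) if user else None)

class PassportIntrospector:
    """In the spirit of the interface on the page: no accessor answers until the
    integrity and expiry checks have passed."""
    def __init__(self, passport: Passport, now: int, key_ring: Dict[str, bytes] = KEY_RING):
        self._p, self._now, self._ring = passport, now, key_ring

    def is_valid(self) -> bool:
        p = self._p
        ok = verify(p.device_info, p.device_integrity, self._ring) and p.device_info.expires > self._now
        if ok and p.user_info is not None:
            ok = verify(p.user_info, p.user_integrity, self._ring) and p.user_info.expires > self._now
        return ok

    def get_customer_id(self) -> Optional[int]:
        if not self.is_valid():
            raise PermissionError("Passport failed integrity or expiry check")
        return self._p.user_info.customer_id if self._p.user_info else None

def demo(now: int = 1_700_000_000) -> Dict[str, object]:
    """Constructed scenario: issue, introspect, catch tampering, rotate keys."""
    device = DeviceInfo(now + 600, "EXAMPLE-ESN-0001", 1234)
    user = UserInfo(now + 600, 987654321)
    passport = issue_passport(user, device, "passport-hmac-2024a")
    tampered = issue_passport(user, device, "passport-hmac-2024a")
    tampered.user_info = UserInfo(now + 600, 111)   # customer id swapped in flight downstream
    rotated = issue_passport(user, device, "passport-hmac-2024b")
    retired = {"passport-hmac-2024b": KEY_RING["passport-hmac-2024b"]}  # 2024a withdrawn
    return {
        "customer_id": PassportIntrospector(passport, now).get_customer_id(),
        "tampered_valid": PassportIntrospector(tampered, now).is_valid(),
        "expired_valid": PassportIntrospector(passport, now + 601).is_valid(),
        "rotated_valid": PassportIntrospector(rotated, now).is_valid(),
        "retired_key_valid": PassportIntrospector(passport, now, retired).is_valid(),
    }
```

Two design points carry over to any such scheme: the signer and the verifier must derive byte-identical input (which is why the real system MACs the protobuf bytes rather than a re-serialized copy), and verification must fail closed on an unknown key name, otherwise a forgotten key becomes a bypass.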
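The edge filter pattern from the "Edge Authentication Services" and "A note on resilience" sections, together with the Passport Actions used in "The login flow revisited" and the level-based rule from "Simplified authorization", as one added example. This is illustration code, not Netflix's: the cookie layout, the cookie-service stub, the action names "LOGIN"/"LOGOUT", the TTL and all sample requests are constructed, and the cookie's own integrity check is represented by a flag rather than re-implemented. It shows the three inbound outcomes (resolve in Zuul, delegate renewal, degrade and retry next time), the outbound path that turns an action into a client token, and a downstream authorization rule written against the trust level instead of the token type.

```python
"""Edge-filter decision logic modelled on the EAS pattern in the text: the inbound
filter resolves valid, unexpired tokens itself, delegates renewal of expired ones
to an EAS cookie service and degrades gracefully when that call fails; the
outbound filter turns Passport Actions from mid-tier services into the token sent
back to the client. Added illustration, not Netflix's code: cookie layout, service
stub and sample requests are constructed; the cookie's MAC check is a flag here."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, List, Optional, Tuple

class Source(IntEnum):          # subset of the page's Source enum
    NONE = 0
    COOKIE = 1
    COOKIE_INSECURE = 2

class AuthLevel(IntEnum):       # the page's PassportAuthenticationLevel
    LOW = 1                     # untrusted transport
    HIGH = 2                    # secure tokens over TLS

@dataclass(frozen=True)
class Cookie:                   # the external token as the client presents it
    customer_id: int
    esn: str
    expires: int
    signature_ok: bool          # outcome of the cookie service's own MAC check

@dataclass
class Identity:                 # token-agnostic identity handed downstream
    source: Source
    level: AuthLevel
    esn: str
    customer_id: Optional[int] = None
    renew_on_next_request: bool = False   # the resilience instruction from the text

@dataclass(frozen=True)
class UserAction:               # Passport Action emitted by a mid-tier service
    kind: str                   # "LOGIN" or "LOGOUT" (constructed names)
    customer_id: Optional[int] = None

COOKIE_TTL = 3600
RenewFn = Callable[[Cookie, int], Cookie]

def cookie_service_issue(customer_id: int, esn: str, now: int) -> Cookie:
    """Stub for the EAS cookie service creating or renewing a token."""
    return Cookie(customer_id, esn, now + COOKIE_TTL, signature_ok=True)

def inbound_filter(cookie: Optional[Cookie], esn: str, over_tls: bool, now: int,
                   renew: RenewFn) -> Tuple[Identity, Optional[Cookie]]:
    """Returns the identity for downstream and, if one was renewed, the token for the client."""
    source = Source.COOKIE if over_tls else Source.COOKIE_INSECURE
    level = AuthLevel.HIGH if over_tls else AuthLevel.LOW
    if cookie is None or not cookie.signature_ok or cookie.esn != esn:
        # Absent, forged or wrong-device token: device-only identity, no user claims.
        return Identity(Source.NONE, AuthLevel.LOW, esn), None
    if cookie.expires > now:                        # happy path, resolved in Zuul itself
        return Identity(source, level, esn, cookie.customer_id), None
    try:                                            # valid but expired: delegate renewal to EAS
        fresh = renew(cookie, now)
        return Identity(source, level, esn, fresh.customer_id), fresh
    except Exception:
        # EAS unavailable: propagate the parsed (integrity-checked, merely expired) identity
        # and retry renewal on the next request instead of failing this one.
        return Identity(source, level, esn, cookie.customer_id, renew_on_next_request=True), None

def outbound_filter(identity: Identity, pending: Optional[Cookie],
                    actions: List[UserAction], now: int) -> Optional[Cookie]:
    """Token to send back to the client; None means the client keeps what it has."""
    for action in actions:                          # explicit Passport Actions take precedence
        if action.kind == "LOGIN" and action.customer_id is not None:
            return cookie_service_issue(action.customer_id, identity.esn, now)
        if action.kind == "LOGOUT":
            return Cookie(0, identity.esn, 0, signature_ok=True)   # already expired
    return pending

def authorize(identity: Identity, required: AuthLevel) -> bool:
    """Downstream rule written against the trust level rather than the token type."""
    return identity.customer_id is not None and identity.level >= required

def scenario(now: int = 1_700_000_000) -> Dict[str, object]:
    """Constructed requests: happy path, renewal, degraded renewal, forged token, login."""
    esn = "EXAMPLE-ESN-0001"
    good, stale = Cookie(42, esn, now + 100, True), Cookie(42, esn, now - 1, True)
    forged = Cookie(7, esn, now + 100, False)
    def renew_ok(c: Cookie, t: int) -> Cookie:
        return cookie_service_issue(c.customer_id, c.esn, t)
    def renew_down(c: Cookie, t: int) -> Cookie:
        raise RuntimeError("cookie service unavailable")
    fast, _ = inbound_filter(good, esn, True, now, renew_ok)
    insecure, _ = inbound_filter(good, esn, False, now, renew_ok)
    renewed, fresh = inbound_filter(stale, esn, True, now, renew_ok)
    degraded, _ = inbound_filter(stale, esn, True, now, renew_down)
    bad, _ = inbound_filter(forged, esn, True, now, renew_ok)
    # Login: no cookie yet; the mid-tier authenticates the credentials (not modelled) and
    # replies with a Passport Action, which the outbound filter turns into a cookie.
    anon, _ = inbound_filter(None, esn, True, now, renew_ok)
    login_cookie = outbound_filter(anon, None, [UserAction("LOGIN", 99)], now)
    return {
        "fast_cid": fast.customer_id, "fast_cookie": outbound_filter(fast, None, [], now),
        "insecure_source": insecure.source, "insecure_level": insecure.level,
        "renewed_cookie_expires": outbound_filter(renewed, fresh, [], now).expires,
        "degraded_cid": degraded.customer_id, "degraded_retry": degraded.renew_on_next_request,
        "forged_cid": bad.customer_id, "login_cid": login_cookie.customer_id,
        "play_ok_tls": authorize(fast, AuthLevel.HIGH), "play_ok_insecure": authorize(insecure, AuthLevel.HIGH),
    }
```

The degraded branch is the one to scrutinize in a real deployment: it only runs for a token whose integrity check has already passed, and it sets a flag so the renewal is retried rather than silently forgotten. A token that fails the check never reaches it.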