Container-Native Applications: Security, Logging, Tracing
Matthias Fuchs, @hias222
DOAG 2018 Exa & Middleware Days, 2018/06/19



Agenda
• Microservice
  – Example Flow
  – Oracle Cloud
• Details
  – Logging
  – Security, OAuth, TLS
  – Tracing
  – Service Mesh
• Lessons Learned


Microservices Example Flow
• Implementation
  – Cloud
  – Access through Loadbalancer
  – Login with OAuth
  – Angular App
• Logging, Tracing
  – Docker Images
  – Logging Service

Diagram: Authorization Server (OAuth); a Loadbalancer in front of the Frontend (Angular/nginx) and the Services (Rest/Spring Resource Server), each running as Docker containers; Persistence and Logging behind the services. Flow: Call Web App → Login → Service Call → Web Page.


Integrated Cloud Services
• Logging
  – Oracle Management Cloud (Agents)
  – Elasticsearch / Kibana (CloudWatch, Lambda, Elastic)
• Authentication/Authorization
  – Oracle Identity Service
  – Cognito, Keycloak, OAM, Ping Identity
• Docker Services
  – Infrastructure Container Service - Kubernetes
  – Enterprise Container Services (AWS), OpenShift
  – Google Kubernetes Engine

Diagram: Services (Rest/Spring Resource Server) connected to the Logging, Identity and Container cloud services.


More Cloud Services
• Parameter
  – Object Storage, maybe File Storage
  – S3 Buckets, Systems Manager Parameter Store
• Secrets
  – Oracle Key Vault (cloud ready?)
  – Identity and Access Management (IAM)
  – AWS Secrets Manager
  – HashiCorp Vault


Container Services
• Application Container (PaaS)
• Container Service Classic (IaaS)
• Oracle Cloud Infrastructure (OCI)
  – Own VMs or Bare Metal
  – Kubernetes (Wercker)


Kubernetes in Oracle Cloud


Kubernetes Architecture

https://kubernetes.io/docs/concepts/architecture/cloud-controller/


Logging/Monitoring Cloud Services

Diagram: several Services → Agent → Logging (Infrastructure Data, Metric App Data) → Cloud Service (Dashboard, Analyze, Self Service).


Oracle Cloud Agent
Cloud agents run on hosts where entities are running. Cloud agents collect metrics and log data that is processed, analyzed and visualized in Oracle Management Cloud.

APM agents are specifically for monitoring applications end to end. APM agents can be configured for a wide range of application servers, and they collect metrics that are processed, analyzed and visualized in Oracle Application Performance Monitoring.


Logging in Microservices
• Centralize and externalize log storage
• Log structured data
• Correlation IDs
• Dynamic logging levels and async logging
• For analyses and search: user information, security concept


Log View (screenshots): Oracle; Kibana/Lambda/CloudWatch


Logging in Microservices

Security
• User information
  – Security aware
  – Security concept

Tracing
• Correlation ID
  – Basis for tracing
  – Common log structure (JSON, XML, ..)
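The Security and Tracing columns above (structured log lines, a correlation ID on every line, user information handled under a security concept, dynamic log levels) come together in the following Python example. It is an added illustration for this page, not code from the talk or from any product it mentions; the field names, the service name `order-service`, the correlation id value and the pseudonymization key are all constructed assumptions.

```python
import contextvars
import hashlib
import hmac
import json
import logging
from typing import List, Optional, Tuple

# Request-scoped correlation id; a real service sets it from the inbound header
# or generates one when the request enters the system.
correlation_id: contextvars.ContextVar = contextvars.ContextVar(
    "correlation_id", default=None
)

# Hypothetical pseudonymization key for this example only; in a deployment it
# lives in a secrets store (Vault, AWS Secrets Manager, ...) and is rotated.
USER_PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonymize_user(user: str) -> str:
    """Keyed hash of a user identifier.

    Log lines for one user stay searchable and correlatable in the central
    store, but the identifier itself (e-mail, login name) never leaves the
    service. Assumed policy for this example, not the talk's.
    """
    digest = hmac.new(USER_PSEUDONYM_KEY, user.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


class JsonFormatter(logging.Formatter):
    """One JSON object per line: timestamp, level, service, correlation id, message."""

    def format(self, record: logging.LogRecord) -> str:
        entry = {
            "ts": self.formatTime(record, "%Y-%m-%dT%H:%M:%S"),
            "level": record.levelname,
            "service": getattr(record, "service", "unknown"),
            "correlation_id": correlation_id.get(),
            "msg": record.getMessage(),
        }
        user: Optional[str] = getattr(record, "user", None)
        if user is not None:
            entry["user"] = pseudonymize_user(user)
        return json.dumps(entry, sort_keys=True)


class ListHandler(logging.Handler):
    """Stands in for the shipper that forwards lines to the external log store."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(service: str, level: str = "INFO") -> Tuple[logging.Logger, ListHandler]:
    logger = logging.getLogger(f"demo.{service}")
    logger.handlers.clear()
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    logger.setLevel(logging.getLevelName(level))
    return logger, handler


def demo() -> List[dict]:
    """Emit a few lines for one constructed request and return them parsed."""
    logger, handler = build_logger("order-service", "INFO")
    token = correlation_id.set("c0ffee00-0001")  # constructed id for the demo request
    extra = {"service": "order-service"}
    logger.debug("not emitted while the level is INFO", extra=extra)
    logger.info("order created", extra={**extra, "user": "alice@example.com"})
    # Dynamic level: switch to DEBUG at runtime (e.g. from a config endpoint),
    # no restart of the container needed.
    logger.setLevel(logging.DEBUG)
    logger.debug("debug now visible", extra=extra)
    correlation_id.reset(token)
    return [json.loads(line) for line in handler.lines]


if __name__ == "__main__":
    for line in demo():
        print(json.dumps(line))
```

The user identifier is replaced by a keyed hash, so one user's lines remain correlatable in the central store without shipping e-mail addresses to it; the level switch in `demo()` shows a dynamic logging level taking effect without a restart.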


IAAA Framework for Microservices APIs
• Identification: must support multiple identities and attributes (end users, system components, domains)
• Authentication: must support multiple authentication methods as well as delegated authentication
• Authorization: authorization for a single request may be decided at multiple points in the request path
• Accountability: capture of relevant security data or metadata from API messages


Current Approaches
• Network-Level Controls
  – Localhost, network isolation, SSL
• Application-Level Controls (Tokens)
  – OAuth, OpenID Connect, JWT
• Infrastructure – API Intermediaries
  – API Gateway, service proxies
  – Network overlays
  – Kubernetes, CloudFoundry, AWS
  – IAM, rules …
• SPIFFE – Secure Production Identity Framework for Everyone
  – SPIFFE is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments
• Application-Level Controls (Traditional)
  – Cookie-based sessions, SAML
• Emerging Approaches
  – Serverless, Service Mesh
  – Istio, nginx
• DHARMA Foundational Concepts

Timeline shown on the slide: Network → SAML → Infra → Tokens → SPIFFE → Next


Network: TLS, SSL, OpenSSL
• TLS is a separate protocol, mostly used with HTTP
• Acts as an interceptor between existing protocols, e.g. HTTP - TCP
• Interceptor on other application protocols (SMTP, Kafka, ..)
• Transparent, out of the scope of the user or client
• Not possible with all transport protocols, e.g. UDP
• Always use it


Network: TLS, SSL, OpenSSL
• Higher Layer
  – Handshake
  – Change Cipher Spec, depends on handshake
  – Alert Protocol
  – Application Data Protocol
• TLS Layer
  – Fragment
  – Compression
  – Encrypt to cipher spec
  – Add Header

Diagram: Application Layer (e.g. HTTP) → SSL/TLS (Higher Layer Subprotocol, TLS Layer Subprotocol) → Transport Layer (TCP) → Network Layer (IP)
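The record-layer steps above (fragment, encrypt, add header) put a fixed 5-byte header in front of every TLS record, and the first byte of that header names the higher-layer subprotocol the record carries. The following Python parser is an added example, not from the slides: it walks a constructed byte string holding a handshake record and an alert record, maps the content-type byte to the subprotocols listed above, and rejects unknown types, oversize lengths and truncated records rather than guessing, which is the behaviour wanted from anything (proxy, sensor, test harness) that inspects TLS traffic. The sample bytes are constructed; the fragment contents are placeholders, not a real handshake.

```python
import struct
from typing import List, NamedTuple

# Record-layer content types (RFC 5246 / RFC 8446); these are the higher-layer
# subprotocols named on the slide.
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

# Record-layer version bytes (major, minor). TLS 1.3 records also carry
# 0x0303 on the wire for compatibility, so this field alone does not prove 1.2.
VERSIONS = {
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

# RFC 5246 caps TLSCiphertext.length at 2^14 + 2048 bytes.
MAX_RECORD_LENGTH = 2**14 + 2048


class TLSRecord(NamedTuple):
    content_type: str
    version: str
    length: int
    fragment: bytes


def parse_records(data: bytes) -> List[TLSRecord]:
    """Split a byte stream into TLS records: 5-byte header followed by the fragment.

    Header layout (the "Add Header" step on the slide):
      1 byte   content type
      2 bytes  protocol version (major, minor)
      2 bytes  fragment length, big-endian
    A defensive parser fails closed on anything that does not fit.
    """
    records: List[TLSRecord] = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError("unknown content type %d" % ctype)
        if length > MAX_RECORD_LENGTH:
            raise ValueError("record length %d exceeds maximum" % length)
        start, end = offset + 5, offset + 5 + length
        if end > len(data):
            raise ValueError("truncated fragment at offset %d" % offset)
        records.append(
            TLSRecord(
                CONTENT_TYPES[ctype],
                VERSIONS.get((major, minor), "unknown"),
                length,
                data[start:end],
            )
        )
        offset = end
    return records


# Constructed sample stream: a handshake record with a 4-byte placeholder
# fragment, then an alert record (level 2 = fatal, description 40 = handshake_failure).
SAMPLE_STREAM = (
    bytes([22, 3, 3, 0, 4]) + b"\x01\x00\x00\x00"
    + bytes([21, 3, 3, 0, 2]) + bytes([2, 40])
)


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_STREAM):
        print(rec.content_type, rec.version, rec.length, rec.fragment.hex())
```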


Modern Secret Management with Vault, HashiCorp: https://www.youtube.com/watch?v=iqigxGccezI


Tokens: OAuth 2.0 / (OpenID Connect)
• OAuth History
  – Open Authorization
  – ca. 2008: OAuth 1.0, IETF group
  – 2012: OAuth 2.0
  – ca. 2014: OpenID Connect (extension of OAuth 2.0)
• Before: SAML - SSO for web applications
  – Security Assertion Markup Language
  – SAML since 2002, SAML 2.0 2005


OAuth grant types (reconstructed from the slide diagram)

• Implicit (JavaScript clients)
  – Redirect/Callback
  – Call: response_type=access_token&client_id&redirect_uri
  – Response: Access Token, Refresh Token
• Resource Owner Credentials (backward compatibility, OAuth 1.0)
  – Call: grant_type=password, username/password + client credentials
  – Response: Access Token or Refresh Token
• Client Credentials (client: application)
  – Call: grant_type=client_credentials, client_id/client_secret
  – Response: Access Token
• Authorization Code (third party)
  – Redirect/Callback
  – Call: response_type=code&client_id&redirect_uri
  – Response: Authorization Code
  – 2nd trip: Access Token
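To make the four grants concrete, here is an added Python mock of the authorization-server side. It is example code written for this page, not from the talk or from any product named on it; client ids, secrets, redirect URIs and the single user are constructed. It follows RFC 6749 in two places where the slide's shorthand differs: the implicit flow is requested with `response_type=token` (not `access_token`), and no refresh token is issued in the implicit flow (section 4.2.2). The checks a defender should look for are all present: an exact-match `redirect_uri` allow-list, constant-time comparison of client secrets, and a single-use, client-bound, expiring authorization code.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Client:
    client_id: str
    client_secret: Optional[str]   # None for public clients (browser JavaScript)
    redirect_uris: Set[str]        # exact-match allow-list, registered up front
    grants: Set[str]               # which of the four flows this client may use


class MockAuthorizationServer:
    """Just enough server logic to exercise the four grants on the slide."""

    def __init__(self, clients, users: Dict[str, str]) -> None:
        self.clients = {c.client_id: c for c in clients}
        self.users = users                   # username -> password (constructed)
        self.codes: Dict[str, tuple] = {}    # code -> (client_id, redirect_uri, subject, expiry)
        self.tokens: Dict[str, dict] = {}    # access_token -> claims

    def _authenticate_client(self, client_id: str, client_secret: Optional[str]) -> Client:
        client = self.clients.get(client_id)
        if client is None:
            raise PermissionError("unknown client")
        if client.client_secret is not None:
            # Confidential clients must prove the secret; compare in constant time.
            if client_secret is None or not hmac.compare_digest(client.client_secret, client_secret):
                raise PermissionError("invalid client credentials")
        return client

    def _issue(self, client_id: str, subject: str, with_refresh: bool) -> dict:
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"client_id": client_id, "sub": subject}
        out = {"access_token": access, "token_type": "Bearer"}
        if with_refresh:
            out["refresh_token"] = secrets.token_urlsafe(32)
        return out

    # Front channel (browser redirect): implicit and authorization-code flows start here.
    def authorize(self, response_type: str, client_id: str, redirect_uri: str, subject: str) -> dict:
        """`subject` is the user already authenticated by the login page."""
        client = self.clients.get(client_id)
        if client is None:
            raise PermissionError("unknown client")
        if redirect_uri not in client.redirect_uris:
            # Never redirect to an unregistered URI: it would hand the code/token to it.
            raise PermissionError("redirect_uri not registered")
        if response_type == "token" and "implicit" in client.grants:
            # Token goes back in the URL fragment; RFC 6749 4.2.2: no refresh token here.
            return {"redirect_to": redirect_uri, "fragment": self._issue(client_id, subject, with_refresh=False)}
        if response_type == "code" and "authorization_code" in client.grants:
            code = secrets.token_urlsafe(16)
            self.codes[code] = (client_id, redirect_uri, subject, time.time() + 60)
            return {"redirect_to": redirect_uri, "query": {"code": code}}
        raise PermissionError("response_type not allowed for this client")

    # Back channel: the token endpoint (second trip for the authorization-code flow).
    def token(self, grant_type: str, client_id: str, client_secret: Optional[str] = None, **params) -> dict:
        client = self._authenticate_client(client_id, client_secret)
        if grant_type not in client.grants:
            raise PermissionError("grant not allowed for this client")
        if grant_type == "client_credentials":
            return self._issue(client_id, subject=client_id, with_refresh=False)
        if grant_type == "password":
            pw = self.users.get(params["username"])
            if pw is None or not hmac.compare_digest(pw, params["password"]):
                raise PermissionError("bad user credentials")
            return self._issue(client_id, params["username"], with_refresh=True)
        if grant_type == "authorization_code":
            entry = self.codes.pop(params["code"], None)   # single use: a replayed code fails
            if entry is None:
                raise PermissionError("unknown or already used code")
            code_client, code_redirect, subject, expiry = entry
            if code_client != client_id or code_redirect != params["redirect_uri"] or time.time() > expiry:
                raise PermissionError("code bound to another client/redirect_uri, or expired")
            return self._issue(client_id, subject, with_refresh=True)
        raise PermissionError("unsupported grant_type")


def build_demo_server() -> MockAuthorizationServer:
    """Constructed clients and one user; nothing here is from a real deployment."""
    return MockAuthorizationServer(
        clients=[
            Client("spa", None, {"https://app.example.test/callback"}, {"implicit"}),
            Client("batch", "batch-secret", set(), {"client_credentials"}),
            Client("legacy", "legacy-secret", set(), {"password"}),
            Client("partner", "partner-secret", {"https://partner.example.test/cb"}, {"authorization_code"}),
        ],
        users={"alice": "correct horse"},
    )
```

Each client is registered for exactly one grant, which mirrors the slide's mapping (JavaScript → implicit, application → client credentials, legacy → password, third party → authorization code) and keeps a compromised public client from falling back to a more powerful flow.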


Infra: API or Access Gateway
• API Gateway: central mid-tier loadbalancer
• Switches security
• Many more features like throttling or routing

Diagram: Loadbalancer in front of the Frontend (Angular/nginx) and the Services (Rest/Spring Resource Server) running as Docker containers; the API Gateway handles tokens (e.g. SSL + header information); Other Services are reached via Mutual TLS.


Infra: Example Access GW

Diagram: Access Mgmt Proxy with Identity Federation and LDAP; Apps on CloudFoundry reached via TLS authentication and header; 3rd party via Mutual TLS routing; App -> AuthService for login and OpenID token.


Tracing

Wikipedia: "In software engineering, tracing involves a specialized use of logging to record information about a program's execution. This information is typically used by programmers for debugging purposes, and additionally, depending on the type and detail of information contained in a trace log, by experienced system administrators or technical-support personnel and by software monitoring tools to diagnose common problems with software. Tracing is a cross-cutting concern."


Microservice and Tracing
• Distributed Tracing
• Collect all traces at a central position
• Correlate our tracing information

Extended Logging: Create Correlation ID → Take existing Correlation ID → Collect centrally for analysis


Poor Man's Distributed Tracing

"One solution is at the beginning of the call chain we can create a CORRELATION_ID and add it to all log statements. Along with it, send CORRELATION_ID as a header to all the downstream services as well so that those downstream services also use CORRELATION_ID in logs. This way we can identify all the log statements related to a particular action across services."

https://dzone.com/articles/microservices-part-6-distributed-tracing-with-spri


Where to create Correlation ID
1. Client
2. LB – API GW
3. Identity
4. First Service

Diagram: the example flow from before (Authorization Server/OAuth, Frontend Angular/nginx, Loadbalancer/API Gateway, Services Rest/Spring Resource Server in Docker containers, Persistence, Logging) with the four candidate creation points marked 1–4.
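The poor man's approach and the four candidate creation points above, as an added Python simulation (not code from the talk or from the linked article). The header name, the service names and the call graph are constructed for the example. It implements option 2: the LB/API gateway creates the id and treats whatever the client sent as untrusted input; every internal hop reuses a well-formed id from the header and forwards it downstream, and the collected lines can be pulled back out of the central store by id.

```python
import re
import uuid
from typing import Dict, List, Tuple

# Header name is an assumption for this example; the deck lists vendor variants
# such as X-Amzn-Trace-Id and X-ORACLE-DMS-ECID.
CORRELATION_HEADER = "X-Correlation-ID"

# Accept only ids of the shape we generate ourselves (32 lowercase hex chars).
# An inbound header is untrusted input that ends up in log files and dashboards,
# so it is validated rather than copied through (no newlines, no unbounded length).
ID_PATTERN = re.compile(r"^[0-9a-f]{32}$")

# Constructed call graph: who calls whom once a request has passed the gateway.
CALL_GRAPH = {
    "api-gateway": ["order-service"],
    "order-service": ["billing-service", "inventory-service"],
    "billing-service": [],
    "inventory-service": [],
}

CENTRAL_LOG: List[Dict[str, str]] = []   # stands in for the central log store


def resolve_correlation_id(headers: Dict[str, str], trusted_upstream: bool) -> Tuple[str, bool]:
    """Take the existing id when it comes from a trusted hop and is well-formed,
    otherwise create a new one. Returns (correlation_id, created)."""
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    incoming = lowered.get(CORRELATION_HEADER.lower())
    if trusted_upstream and incoming is not None and ID_PATTERN.match(incoming):
        return incoming, False
    return uuid.uuid4().hex, True


def log(service: str, cid: str, msg: str) -> None:
    """Every log statement carries the correlation id, as the quoted article asks."""
    CENTRAL_LOG.append({"service": service, "correlation_id": cid, "msg": msg})


def handle(service: str, headers: Dict[str, str], trusted_upstream: bool) -> str:
    """Simulated request handler: resolve the id, log with it, forward it downstream."""
    cid, created = resolve_correlation_id(headers, trusted_upstream)
    log(service, cid, "created correlation id" if created else "reused correlation id")
    outgoing = {CORRELATION_HEADER: cid}   # propagate on every downstream call
    for downstream in CALL_GRAPH.get(service, []):
        handle(downstream, outgoing, trusted_upstream=True)   # internal hops trust the caller
    log(service, cid, "request finished")
    return cid


def trace(cid: str) -> List[Dict[str, str]]:
    """What the central analysis does: pull every line of one action across services."""
    return [entry for entry in CENTRAL_LOG if entry["correlation_id"] == cid]


def demo() -> Tuple[str, List[Dict[str, str]]]:
    """Option 2 from the slide: the gateway creates the id. A header the browser
    sent (here a constructed, malformed value) is untrusted and replaced."""
    CENTRAL_LOG.clear()
    cid = handle("api-gateway", {CORRELATION_HEADER: "evil\r\ninjected-line"}, trusted_upstream=False)
    return cid, trace(cid)


if __name__ == "__main__":
    cid, lines = demo()
    print(cid)
    for entry in lines:
        print(entry["service"], entry["msg"])
```

Moving the creation point to option 1 (client) or 4 (first service) is a one-line change to the `trusted_upstream` flag at the entry hop; whichever point is chosen, the validation in `resolve_correlation_id` is what keeps a client-controlled value from being written verbatim into every service's log.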


Enterprise Way: Correlation IDs
• ECID – Execution Context ID, down to the DB
• Header: trace and span ids
• Header: X-Amzn-Trace-Id
• Identity
• Header: X-ORACLE-DMS-ECID, X-ORACLE-DMS-RID
• … or build your own library


Example: ID Tracing – shared Library


Service Mesh - Istio

Diagram. Standard: the Frontend (Angular/nginx) and the Services (Rest/Spring Resource Server) run as Docker containers and talk to each other directly. Sidecar: each container is paired with an Istio proxy, and all traffic flows through the proxies.


Istio Detail - Sidecar

https://istio.io/docs/concepts/what-is-istio/img/overview/arch.svg


Example View


Service Mesh - Istio
• Easy to use
• Quick implementation
• Easy monitoring
• For Correlation ID: extra dependency
• Complex architecture


Lessons Learned
• Infrastructure and Development, DevOps
  – Prepare your infrastructure with logging etc.
  – Start setting up the infrastructure from the first development
  – Logging and tracing aren't easy
• User authentication/authorization
  – Choose your way to authenticate users
  – Maybe cloud services are the fastest way, but customization
  – Use open source frameworks, cloud services or enterprise apps?
  – The key for success
