How do you support many different authorization methods (OAUTH, HTTP Basic/Digest, SSL certificates…) for many different apps (a Rails website, a Python/Flask API, realtime events streaming with Node.js, and more…)? We review a bunch of options, and propose an original way to do it with Docker and Containers.
1. Auth doesn't have to be a nightmare. Docker to the rescue! APIStrat SF, October 2013. Jérôme Petazzoni, @jpetazzo
2. What's The Problem?
3. Multiple auths in multiple apps. Auth methods: OAUTH, OAUTH2, OpenID, SSL client certs, HTTP Basic, HTTP Digest, IP addresses (in SSL, right? seriously?), VPNs, IPSEC, custom tokens. Apps: website (e.g. Ruby on Rails), API (e.g. Python+Flask), realtime events (e.g. Node.js), secret project (Golang, Rust).
4. The Matrix from Hell of authentication/authorization. Rows: OAUTH, OAUTH2, OpenID, SSL certs, HTTP Basic or Digest, IP addresses, VPN..., custom auth. Columns: Ruby, Python, Python (Django!), Java, other langs... Every cell of the matrix is a "?".
5. What's The Solution?
6. What are The Solutions?
7. Solution 1
8. Solution 1: this is actually what most people do, because at first the matrix isn't that big. Then you add more services and want to support more backends. You end up picking one auth method: N implementations instead of MxN.
9. Solution 1 (same slide). Grade: C
10. Solution 1, revised: this is actually what most people do, because at first the matrix isn't that big. Then you add more services and want to support more backends. You end up picking one (or two) auth methods, e.g. basic auth over SSL + API tokens: N implementations (or 2xN) instead of MxN. Grade: B
11. Solution 2: delegate auth to a proxy/external process. Client -> ("Here there be $AUTH") -> Proxy -> ("Here there be simple HTTP headers") -> Service
12. Solution 2: the problems. I work on the Ruby API; I don't want to install the Node.js stuff; but the auth component is in Node.js! I have to learn how to deploy Node.js; also, deployment is more complex.
13. Solution 2 (same slide). Grade: B (single-language shops). Grade: D (everybody else)
14. Solution 3
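The delegation pattern of slides 11 to 13 (and its containerised form on slide 20) hinges on one detail the slides leave implicit: the backend service trusts the "simple HTTP headers" only because the proxy set them, so the proxy must strip any identity header the client sends itself, and the service should only accept identities it can tie to the proxy. The following is an added example, not code from the talk or from Docker: a minimal proxy-side authenticator that handles HTTP Basic and bearer tokens (the "one or two methods" of slide 10), builds the forwarded header set, and a service-side check. The header names (X-Auth-User, X-Auth-Method, X-Auth-Signature), the HMAC signature tying the headers to the proxy, and the credential stores are all assumptions made here; the talk itself relies on the service being reachable only through the proxy.

```python
import base64
import hashlib
import hmac

# Constructed sample credential stores (assumption: a real proxy would consult a
# database or identity provider instead of these literals).
_SALT = b"constructed-salt"
_BASIC_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
}
_API_TOKENS = {"tok-constructed-123": "bob"}

# Secret shared by proxy and service so the service can verify that the identity
# headers were set by the proxy (assumption; the talk relies on network isolation).
_PROXY_SECRET = b"constructed-proxy-secret"

# Headers only the proxy may set: whatever the client sends under these names is dropped.
_IDENTITY_HEADERS = ("x-auth-user", "x-auth-method", "x-auth-signature")


def basic_header(user, password):
    """Build an 'Authorization: Basic ...' value, as a client would."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _lookup(headers, name):
    """Case-insensitive header lookup; returns '' when absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return ""


def authenticate(headers):
    """Proxy side: check HTTP Basic or bearer-token credentials.

    Returns (user, method) on success, None otherwise. Supporting a further
    method (OAuth, client certificates...) means adding a branch here, not
    touching any backend service: N implementations become 1.
    """
    auth = _lookup(headers, "authorization")
    if auth.startswith("Basic "):
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        stored = _BASIC_USERS.get(user)
        if stored is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
        return (user, "basic") if hmac.compare_digest(stored, candidate) else None
    if auth.startswith("Bearer "):
        user = _API_TOKENS.get(auth[7:])
        return (user, "token") if user else None
    return None


def _signature(user, method):
    """HMAC over the identity the proxy asserts, so the service can verify its origin."""
    return hmac.new(_PROXY_SECRET, f"{user}\n{method}".encode(), hashlib.sha256).hexdigest()


def proxy_forward(client_headers):
    """Proxy side: authenticate, then build the header set forwarded to the service.

    Client-supplied identity headers are stripped first, so a caller cannot claim
    to be someone else simply by sending X-Auth-User itself; the client's
    credentials are not forwarded either, the service never needs them.
    """
    result = authenticate(client_headers)
    if result is None:
        return None  # the real proxy would answer 401 here
    user, method = result
    forwarded = {
        k: v for k, v in client_headers.items()
        if k.lower() not in _IDENTITY_HEADERS and k.lower() != "authorization"
    }
    forwarded["X-Auth-User"] = user
    forwarded["X-Auth-Method"] = method
    forwarded["X-Auth-Signature"] = _signature(user, method)
    return forwarded


def service_identity(headers):
    """Service side: read the identity headers, accepting them only if signed by the proxy."""
    user = _lookup(headers, "x-auth-user")
    method = _lookup(headers, "x-auth-method")
    sig = _lookup(headers, "x-auth-signature")
    if not user or not method or not sig:
        return None
    return user if hmac.compare_digest(_signature(user, method), sig) else None
```

In the container layout of slide 20 the service container would be reachable only from the proxy container, which is what makes "simple HTTP headers" safe to trust; the signature here is an extra check for deployments where that network guarantee is weaker. The stripping of client-supplied X-Auth-* headers in proxy_forward is the part that matters in every deployment.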
15. Solution 3: put each component in a VM. Client -> ("Here there be $AUTH") -> Proxy VM -> ("Here there be simple HTTP headers") -> Service VM
16. Solution 3: the problems. Create (and maintain) VM images. VMs are RAM-heavy (now you have a good reason to get 16 GB of RAM!). VMs are disk-heavy (now you need to download a 500 MB VM to update the auth proxy, to test a 4-line commit). VM networking is not awesome: discovery and plumbing can require some voodoo.
17. Solution 3. Grade: B (if you have a Vagrant guru in residence, and super shiny awesome laptops). Grade: D (everybody else)
18. Solution 4: the container
19. Solution 4: the Linux container
20. Solution 4: put each component in a container. Client -> ("Here there be $AUTH") -> Proxy LXC -> ("Here there be simple HTTP headers") -> Service LXC
21. Solution 4: pros and cons. Your dev env must be Linux (or you can use a VM, but just one). No Hogwarts diploma required. Containers are lightweight: I can run 100 containers on my laptop. Updating a container is more like git pull. Networking is easier, and is getting even easier (service discovery).
22. Solution 4. Grade: ? You tell me at the end of the presentation.
23. What's a Linux Container?
24. What's a Linux container? High-level approach: a lightweight Virtual Machine. Looks like a VM: can run stuff as root, can install packages, can run sshd, syslog, cron... This is the "Machine Container".
25. What's a Linux container? Low-level approach: chroot on steroids. Normal processes, but isolated; they share the kernel with the host; doesn't need to run ssh, syslog, cron... This is the "Application Container".
26. What's a Linux container? Technical approach: two big sets of kernel features. Namespaces isolate containers: one namespace cannot see/affect another. Control groups meter and limit resources (CPU, RAM, disk I/O) and prevent a single container from hogging the host. Note: you can use namespaces and/or cgroups without using containers.
27. What's Docker? Open Source project (i.e. satisfaction guaranteed, or your money back)
28. 1. Runtime for Linux containers.
    jpetazzo@tarrasque:~$ sudo docker run -t -i ubuntu bash
    root@092ee318746f:/#
    Create an Ubuntu "VM" and run a shell in it. Total time: less than 0.5s. (If necessary, the ubuntu image will be downloaded automatically.)
29. But Docker is also...
30. 2. Standard format for containers. 3. Public place to share them: a library of standard images (ubuntu, fedora, redis, postgresql); create your own images (from scratch or based on existing ones); upload them to the public registry (searchable index w/ social features); upload them to a private registry; 3rd-party hosted registries already exist.
31. Real world example: test this new Ghost blog engine. Look for ghost on http://index.docker.io/ and find orchardup/ghost.
    jpetazzo@tarrasque:~$ sudo docker run -d orchardup/ghost
    c6000fa5ddc6
    Total time: (the extracted text is cut here; slides 32 to 36 are missing and it resumes in the middle of a Dockerfile)
    /usr/local/etc/couchdb/local.d/docker.ini
    EXPOSE 8101
    CMD ["/usr/local/bin/couchdb"]
    docker build -t jpetazzo/couchdb .
    docker push jpetazzo/couchdb
37. SHARE: auth containers, app containers
38. Solution 4: moment of truth. We just built perfect packages: distro-independent, without dependency issues, that can run in dev, staging and production without getting our hands dirty and barely rolling up our sleeves; and we can share them with other projects/shops. Please allow me to verbosely formulate my genuine enthusiasm.
39. BONUS: we can ship our code with those containers.
40. Deploying containers: docker pull + docker run from the registry. Docker can be controlled through a REST API, so you can control a fleet of Docker hosts. PAAS-like: Cocaine, Deis, Maestro. OpenStack? Nova can deploy Docker containers (since Havana); Heat can deploy Docker containers (since last week).
41. Thank you! Questions? twitter.com/jpetazzo twitter.com/docker http://docker.io/ https://github.com/dotcloud/docker
42. Future of Docker: service discovery (containers will be able to discover resources); compatibility with Red Hat Enterprise Linux (currently Docker runs best on Ubuntu); support for other runtimes and storage (Jails, Zones, BTRFS, ZFS).