Core Security Mechanisms in the Infra Request Flow (IAM, Credentials) #2000
yunkon-kim started this conversation in Show and tell
I tidied up part of it.

```mermaid
sequenceDiagram
    actor User
    participant WA as "Web Console"
    participant IAM as "IAM Manager"
    participant STS as "Security Token Service (STS)"
    participant TB as "Infra Manager (Tumblebug)"
    participant SP as "Infra Connector (Spider)"
    participant CSP as "Cloud Service Provider"
    %% === SSO Login Flow ===
    activate IAM
    User->>WA: access sign-in page
    activate WA
    WA->>IAM: redirect to IAM
    IAM-->>User: sign-in page
    User->>IAM: fill in the form and sign-in
    IAM->>IAM: validate user
    IAM-->>WA: redirect with the access token (JWT)
    WA->>WA: save the access token (JWT) and create session
    deactivate WA
    %% === Service Request with Token ===
    User->>WA: (optional) request<br/>registering a temporary credential
    activate WA
    WA->>WA: check user roles (authorization point #1)
    WA->>TB: request<br/>registering a temporary credential
    activate TB
    TB->>TB: validate the access token (JWT) with JWKs
    TB->>TB: check user permission (authorization point #2)
    %% === Credential Acquisition ===
    TB->>IAM: request "a temporary credential"<br/>with the access token (JWT)
    IAM->>IAM: validate the access token (JWT) with JWKs
    IAM->>IAM: check access policy (authorization point #3)
    IAM->>STS: request the temporary credential
    STS-->>IAM: the temporary credential
    IAM-->>TB: the temporary credential
    %% === Request a service and display the result ===
    TB->>TB: (need to discuss) check and refresh the credential if it's expired (and it will be expired)
    TB-->>TB: (???) create connectionConfig
    loop for each region
        TB->>SP: register connectionConfig <br/>(configName: credentialHolder + region)
        SP->>SP: register connectionConfig
    end
    note over TB,SP: Session ready<br/>(all temporary connections are registered)
    %% === Service Request with Token ===
    User->>WA: request a service (e.g., Create VPC)
    activate WA
    WA->>WA: check user roles (authorization point #1)
    WA->>TB: request the service with token
    activate TB
    TB->>TB: validate the access token (JWT) with JWKs
    TB->>TB: check user permission (authorization point #2)
    TB->>SP: with temporary connectionConfig (holder + region), <br/>request the service (e.g., call create VPC API)
    activate SP
    SP->>SP: (decided to skip this) Auths and authz
    SP->>CSP: request to CRUD resource (e.g., VPC)
    activate CSP
    CSP-->>SP: return the result (e.g., the CRUDed info)
    deactivate CSP
    SP-->>TB: return the result (e.g., the CRUDed info)
    deactivate SP
    TB-->>WA: return the result (e.g., the CRUDed info)
    deactivate TB
    WA-->>User: display the result
    deactivate IAM
```
Ref.: The previous discussion for identity and access (auths and authz) - #1650
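The two Tumblebug-side steps the diagram above leaves open, "(need to discuss) check and refresh the credential if it's expired" and the per-region `connectionConfig` registration named `credentialHolder + region`, worked through as an added Go example. This is illustrative code written for this discussion, not code from Tumblebug, Spider or the IAM Manager: the STS response fields, the `-` separator in the config name, the refresh-ahead skew window and the in-memory map standing in for Spider's connection-config store are all assumptions.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// TemporaryCredential is what the STS hands back. The field names are assumed;
// the page does not specify the STS response format.
type TemporaryCredential struct {
	AccessKeyID  string
	SessionToken string
	Expiration   time.Time
}

// STS stands in for the Security Token Service. Every call mints a fresh
// credential valid for TTL; Issued counts calls so refreshes are observable.
type STS struct {
	TTL    time.Duration
	Issued int
}

func (s *STS) Issue(holder string, now time.Time) TemporaryCredential {
	s.Issued++
	return TemporaryCredential{
		AccessKeyID:  fmt.Sprintf("tmpkey-%s-%d", holder, s.Issued), // constructed sample value
		SessionToken: fmt.Sprintf("session-%d", s.Issued),          // constructed sample value
		Expiration:   now.Add(s.TTL),
	}
}

// ConnectionConfig mirrors what Tumblebug registers in Spider for each region;
// the diagram names it credentialHolder + region.
type ConnectionConfig struct {
	ConfigName string
	Region     string
	Credential TemporaryCredential
}

// CredentialHolder is the Tumblebug-side cache of one user's temporary credential.
// Skew is a safety margin: a credential counts as expired this long before its real
// expiry, so a CSP call that is already in flight does not fail halfway through.
type CredentialHolder struct {
	mu      sync.Mutex
	Holder  string
	STS     *STS
	Skew    time.Duration
	current *TemporaryCredential
}

// Get returns a credential valid at now, refreshing from the STS when the cached
// one is missing or within Skew of expiry. This is the "check and refresh the
// credential if it's expired" step the diagram marks as needing discussion.
func (h *CredentialHolder) Get(now time.Time) (TemporaryCredential, bool) {
	h.mu.Lock()
	defer h.mu.Unlock()
	if h.current != nil && now.Add(h.Skew).Before(h.current.Expiration) {
		return *h.current, false
	}
	c := h.STS.Issue(h.Holder, now)
	h.current = &c
	return c, true
}

// RegisterConnections is the "loop for each region" in the diagram: one
// connectionConfig per region, all sharing the holder's current credential.
// The registry map stands in for Spider's connection-config store.
func (h *CredentialHolder) RegisterConnections(registry map[string]ConnectionConfig, regions []string, now time.Time) ([]string, error) {
	if len(regions) == 0 {
		return nil, fmt.Errorf("no regions to register for %q", h.Holder)
	}
	cred, _ := h.Get(now)
	names := make([]string, 0, len(regions))
	for _, r := range regions {
		name := h.Holder + "-" + r
		registry[name] = ConnectionConfig{ConfigName: name, Region: r, Credential: cred}
		names = append(names, name)
	}
	return names, nil
}

// ConnectionFor is the pre-request check Tumblebug needs before forwarding a
// service call through Spider: the connectionConfig for that region must carry a
// credential that is still valid, and is re-registered after a refresh.
func (h *CredentialHolder) ConnectionFor(registry map[string]ConnectionConfig, region string, now time.Time) (ConnectionConfig, error) {
	name := h.Holder + "-" + region
	cfg, ok := registry[name]
	if !ok {
		return ConnectionConfig{}, fmt.Errorf("no connectionConfig %q registered", name)
	}
	if cred, _ := h.Get(now); cred.SessionToken != cfg.Credential.SessionToken {
		cfg.Credential = cred // the registered config still held the old, now-expired credential
		registry[name] = cfg
	}
	return cfg, nil
}
```

The design point is that expiry is checked at the moment of use, not only at registration: registering all regions once and then trusting the stored credential for the life of the session is exactly the failure mode the "(and it will be expired)" remark points at. Refreshing ahead of the real expiry by a skew window keeps a long CSP call from failing with a credential that expired mid-request.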
I would like to open this discussion to share offline discussions about core security mechanisms of our platform in scenarios where users request infrastructure services.

(Background)
I illustrated a draft sequence diagram based on discussions with the IAM-Manager maintainer.
There are still some unclear parts, so I would like to hear opinions from subsystem maintainers on the following:

(April 28, 2025) We discussed several aspects based on the following questions:

(Discussion result)
As a result, the following sequence diagrams show the As-Is and 3 To-Be candidates.

**Note:** Credentials mentioned in the sequence diagrams refer to temporary or long-term credentials.

### As-Is
```mermaid
sequenceDiagram
    actor User
    participant WA as "Web Console"
    participant IAM as "IAM Manager"
    participant STS as "Security Token Service (STS)"
    participant TB as "Infra Manager (Tumblebug)"
    participant SP as "Infra Connector (Spider)"
    participant CSP as "Cloud Service Provider"
    %% === SSO Login Flow ===
    User->>WA: Access sign-in page
    activate WA
    WA->>IAM: Redirect to IAM
    activate IAM
    IAM-->>User: Sign-in page
    User->>IAM: Fill in the form and sign-in
    IAM->>IAM: Validate user
    IAM-->>WA: Redirect with the access token (JWT)
    deactivate IAM
    WA->>WA: Save the access token (JWT) and create session
    WA-->>User: Display the sign-in result
    deactivate WA
    %% === Request registering credentials ===
    User->>WA: (optional) Request<br/>registering a credential
    activate WA
    WA->>WA: Check user roles (authorization point 1)
    WA->>TB: Request<br/>registering a credential
    activate TB
    TB->>TB: Validate the access token (JWT) with JWKs
    TB->>TB: Check user permission (authorization point 2)
    loop for each region
        TB->>SP: Register connectionConfig <br/>(configName: credentialHolder + region)
        activate SP
        SP->>SP: Register connectionConfig
        SP-->>TB: The result of registering connectionConfig
        deactivate SP
    end
    note over TB,SP: Session ready<br/>(all connections are registered)
    TB-->>WA: Return the connectionConfig registration result
    deactivate TB
    WA-->>User: Display the connectionConfig registration result
    deactivate WA
    %% === Service Request with Token ===
    User->>WA: Request a service (e.g., Create VPC)
    activate WA
    WA->>WA: Check user roles (authorization point 1)
    WA->>TB: Request the service with token
    activate TB
    TB->>TB: Validate the access token (JWT) with JWKs
    TB->>TB: Check user permission (authorization point 2)
    TB->>SP: With connectionConfig (holder + region), <br/>request the service (e.g., call create VPC API)
    activate SP
    SP->>CSP: Request to CRUD resource (e.g., VPC)
    activate CSP
    CSP-->>SP: Return the result (e.g., the CRUDed info)
    deactivate CSP
    SP-->>TB: Return the result (e.g., the CRUDed info)
    deactivate SP
    TB-->>WA: Return the result (e.g., the CRUDed info)
    deactivate TB
    WA-->>User: Display the result
    deactivate WA
```

### To-Be candidate 1
Summary:
```mermaid
sequenceDiagram
    actor User
    participant WA as "Web Console"
    participant IAM as "IAM Manager"
    participant STS as "Security Token Service (STS)"
    participant TB as "Infra Manager (Tumblebug)"
    participant SP as "Infra Connector (Spider)"
    participant CSP as "Cloud Service Provider"
    %% === SSO Login Flow ===
    User->>WA: Access sign-in page
    activate WA
    WA->>IAM: Redirect to IAM
    activate IAM
    IAM-->>User: Sign-in page
    User->>IAM: Fill in the form and sign-in
    IAM->>IAM: Validate user
    IAM-->>WA: Redirect with the access token (JWT)
    deactivate IAM
    WA->>WA: Save the access token (JWT) and create session
    WA-->>User: Display the sign-in result
    deactivate WA
    %% === Request registering credentials ===
    User->>WA: Request<br/>registering a credential
    activate WA
    WA->>WA: Check user roles (authorization point 1)
    WA->>IAM: Request<br/>registering a credential
    activate IAM
    IAM->>IAM: Validate the access token (JWT) with JWKs
    IAM->>IAM: Check user permission (authorization point 2)
    %% === Credential Acquisition ===
    opt if temporary credential
        IAM->>STS: Request the credential
        STS-->>IAM: The credential
    end
    IAM->>TB: Request registering credential
    activate TB
    loop for each region
        TB->>SP: Register connectionConfig <br/>(configName: credentialHolder + region)
        activate SP
        SP->>SP: Register connectionConfig
        SP-->>TB: The result of registering connectionConfig
        deactivate SP
    end
    note over TB,SP: Session ready<br/>(all connections are registered)
    TB-->>IAM: Return the connectionConfig registration result
    deactivate TB
    IAM-->>WA: Return the connectionConfig registration result
    deactivate IAM
    WA-->>User: Display the connectionConfig registration result
    deactivate WA
    %% === Service Request with Token ===
    User->>WA: Request a service (e.g., Create VPC)
    activate WA
    WA->>WA: Check user roles (authorization point 1)
    WA->>TB: Request the service with token
    activate TB
    TB->>TB: Validate the access token (JWT) with JWKs
    TB->>TB: Check user permission (authorization point 2)
    TB->>SP: With connectionConfig (holder + region), <br/>request the service (e.g., call create VPC API)
    activate SP
    SP->>CSP: Request to CRUD resource (e.g., VPC)
    activate CSP
    CSP-->>SP: Return the result (e.g., the CRUDed info)
    deactivate CSP
    SP-->>TB: Return the result (e.g., the CRUDed info)
    deactivate SP
    TB-->>WA: Return the result (e.g., the CRUDed info)
    deactivate TB
    WA-->>User: Display the result
    deactivate WA
```

### To-Be candidate 2
Summary:
```mermaid
sequenceDiagram
    actor User
    participant WA as "Web Console"
    participant IAM as "IAM Manager"
    participant STS as "Security Token Service (STS)"
    participant TB as "Infra Manager (Tumblebug)"
    participant SP as "Infra Connector (Spider)"
    participant CSP as "Cloud Service Provider"
    %% === SSO Login Flow ===
    User->>WA: Access sign-in page
    activate WA
    WA->>IAM: Redirect to IAM
    activate IAM
    IAM-->>User: Sign-in page
    User->>IAM: Fill in the form and sign-in
    IAM->>IAM: Validate user
    IAM-->>WA: Redirect with the access token (JWT)
    deactivate IAM
    WA->>WA: Save the access token (JWT) and create session
    WA-->>User: Display the sign-in result
    deactivate WA
    %% === Request registering credentials ===
    User->>WA: Request<br/>registering a credential
    activate WA
    WA->>WA: Check user roles (authorization point 1)
    WA->>TB: Request<br/>registering a credential
    activate TB
    TB->>TB: Validate the access token (JWT) with JWKs
    TB->>TB: Check user permission (authorization point 2)
    %% === Credential Acquisition ===
    TB->>IAM: Request "a credential"<br/>with the access token (JWT)
    activate IAM
    IAM->>IAM: Validate the access token (JWT) with JWKs
    IAM->>IAM: Check access policy (authorization point 3)
    opt if temporary credentials
        IAM->>STS: Request the credential
        STS-->>IAM: The credential
    end
    IAM-->>TB: The credential
    deactivate IAM
    loop for each region
        TB->>SP: Register connectionConfig <br/>(configName: credentialHolder + region)
        activate SP
        SP->>SP: Register connectionConfig
        SP-->>TB: The result of registering connectionConfig
        deactivate SP
    end
    note over TB,SP: Session ready<br/>(all connections are registered)
    TB-->>WA: Return the connectionConfig registration result
    deactivate TB
    WA-->>User: Display the connectionConfig registration result
    deactivate WA
    %% === Service Request with Token ===
    User->>WA: Request a service (e.g., Create VPC)
    activate WA
    WA->>WA: Check user roles (authorization point 1)
    WA->>TB: Request the service with token
    activate TB
    TB->>TB: Validate the access token (JWT) with JWKs
    TB->>TB: Check user permission (authorization point 2)
    TB->>SP: With connectionConfig (holder + region), <br/>request the service (e.g., call create VPC API)
    activate SP
    SP->>CSP: Request to CRUD resource (e.g., VPC)
    activate CSP
    CSP-->>SP: Return the result (e.g., the CRUDed info)
    deactivate CSP
    SP-->>TB: Return the result (e.g., the CRUDed info)
    deactivate SP
    TB-->>WA: Return the result (e.g., the CRUDed info)
    deactivate TB
    WA-->>User: Display the result
    deactivate WA
```

### To-Be candidate 3
Summary:
```mermaid
sequenceDiagram
    actor User
    participant WA as "Web Console"
    participant IAM as "IAM Manager"
    participant STS as "Security Token Service (STS)"
    participant TB as "Infra Manager (Tumblebug)"
    participant SP as "Infra Connector (Spider)"
    participant CSP as "Cloud Service Provider"
    %% === SSO Login Flow ===
    User->>WA: Access sign-in page
    activate WA
    WA->>IAM: Redirect to IAM
    activate IAM
    IAM-->>User: Sign-in page
    User->>IAM: Fill in the form and sign-in
    IAM->>IAM: Validate user
    IAM-->>WA: Redirect with the access token (JWT)
    deactivate IAM
    WA->>WA: Save the access token (JWT) and create session
    WA-->>User: Display the sign-in result
    deactivate WA
    %% === Request registering credentials ===
    alt if long-term credential
        User->>WA: Request<br/>registering a credential
        activate WA
        WA->>WA: Check user roles (authorization point 1)
        WA->>IAM: Request<br/>registering a credential
        activate IAM
        IAM->>IAM: Validate the access token (JWT) with JWKs
        IAM->>IAM: Check user permission (authorization point 2)
        IAM->>IAM: Register the credential
        IAM-->>WA: Return the registration result
        deactivate IAM
        WA-->>User: Display the registration result
        deactivate WA
    end
    %% === Service Request with Token ===
    User->>WA: Request a service (e.g., Create VPC)
    activate WA
    WA->>WA: Check user roles (authorization point 1)
    WA->>TB: Request the service with token
    activate TB
    TB->>TB: Validate the access token (JWT) with JWKs
    TB->>TB: Check user permission (authorization point 2)
    %% === Credential Acquisition ===
    TB->>IAM: Request "a credential" with the access token (JWT)
    activate IAM
    IAM->>IAM: Validate the access token (JWT) with JWKs
    IAM->>IAM: Check access policy (authorization point 3)
    opt if temporary credential
        IAM->>STS: Request the credential
        STS-->>IAM: The credential
    end
    IAM-->>TB: The credential
    deactivate IAM
    %% === Create connectionConfig ===
    loop for each region
        TB->>SP: Register connectionConfig <br/>(configName: credentialHolder + region)
        activate SP
        SP->>SP: Register connectionConfig
        SP-->>TB: The result of registering connectionConfig
        deactivate SP
    end
    note over TB,SP: Session ready<br/>(all connections are registered)
    %% === Request a service and display the result ===
    TB->>SP: With the acquired temporary security credential, request the service (e.g., call create VPC API)
    activate SP
    SP->>CSP: Request to CRUD resource (e.g., VPC resource)
    activate CSP
    CSP-->>SP: Return the result (e.g., the CRUDed resource info)
    deactivate CSP
    SP-->>TB: Return the result (e.g., the CRUDed resource info)
    deactivate SP
    TB-->>WA: Return the result (e.g., the CRUDed resource info)
    deactivate TB
    WA-->>User: Display the result
    deactivate WA
```

(Appendix)
Future Discussions:
Typical systems and operation flow, which include IAM and Secret Management
```mermaid
sequenceDiagram
    actor User
    participant WA as "Web App"
    participant IAM as "Identity and access management system"
    participant SM as "Secret management system"
    participant BE as "Backend Server"
    participant CSP as "Cloud Service Provider"
    %% === SSO Login Flow ===
    User->>WA: access sign-in page
    activate WA
    WA->>IAM: redirect to IAM
    activate IAM
    IAM-->>User: sign-in page
    User->>IAM: fill in the form and sign-in
    IAM->>IAM: validate user
    IAM-->>WA: redirect with the access token (JWT)
    deactivate IAM
    WA->>WA: save the access token (JWT) and create session
    WA-->>User: return the result
    deactivate WA
    %% === Service Request with Token ===
    User->>WA: request a service
    activate WA
    WA->>WA: check user roles (authorization point #1)
    WA->>BE: request the service with token
    activate BE
    BE->>BE: validate the access token (JWT) with JWKs
    BE->>BE: check user permission (authorization point #2)
    %% === Credential Acquisition and Service Execution ===
    BE->>SM: request a credential (i.e., secrets) with the access token (JWT)
    activate SM
    SM->>SM: validate the access token (JWT) with JWKs
    SM->>SM: check access policy (authorization point #3)
    SM-->>BE: the credential (i.e., secrets)
    deactivate SM
    %% === Request a service and display the result ===
    BE->>CSP: request the service with the credential
    activate CSP
    CSP-->>BE: return the result
    deactivate CSP
    BE-->>WA: return the result
    deactivate BE
    WA-->>User: display the result
    deactivate WA
```