OpenLiberty / docs

See Open Liberty documentation on https://openliberty.io/docs/

Cloud-native microservices security #891

[Open] Charlotte-Holt opened this issue 4 years ago

Charlotte-Holt commented 4 years ago

From LC: This is a new concept topic for an introduction to securing microservices: authentication and authorization in securing cloud-native microservices. Jakarta EE Security provides the capability to configure the basic authentication, form authentication, or custom form authentication mechanism by using annotations in servlets.

Include basic concepts of authentication and authorization and provide a diagram and description of authorization/authentication (see the following list of KC topics for more information, but don't just transfer the long concept topics from the KC) in a microservices scenario (for example, a developer wants to view the account page on a website and gets prompted to log in).

Background information: https://www.ibm.com/cloud/garage/architectures/microservices/microservices-kubernetes-microprofile

Apps running on OL can be configured to use external security providers to handle authentication/authorization. This ensures that the app never directly accesses or stores the user's password. Using external security providers also relieves developers and administrators of the app of the effort of managing user accounts. Include information about Jakarta EE Security as it's relevant to these scenarios.
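The scenario described above (a developer protects an account page, the user is prompted to log in, and authentication is delegated to an external provider so the app never handles the password itself) as an added Jakarta EE Security example. This is not code from the Open Liberty docs or from this issue; the LDAP URL, base DNs and the role name are placeholders, and it uses the Jakarta EE 8 `javax.*` package names (Jakarta EE 9+ uses `jakarta.*`).

```java
import java.io.IOException;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.FormAuthenticationMechanismDefinition;
import javax.security.enterprise.authentication.mechanism.http.LoginToContinue;
import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not Open Liberty's own code. An unauthenticated request to /account
// is redirected to login.html by the container; a failed login goes to login-error.html.
@FormAuthenticationMechanismDefinition(
    loginToContinue = @LoginToContinue(loginPage = "/login.html", errorPage = "/login-error.html"))
// External identity store: credentials are checked by binding to the directory, so the
// application never stores passwords. All values below are placeholders for a real LDAP.
@LdapIdentityStoreDefinition(
    url = "ldaps://ldap.example.internal:636",
    callerSearchBase = "ou=people,dc=example,dc=internal",
    callerNameAttribute = "uid",
    groupSearchBase = "ou=groups,dc=example,dc=internal",
    groupNameAttribute = "cn",
    groupMemberAttribute = "member")
@WebServlet("/account")
// Authorization: only callers whose LDAP group maps to this role reach doGet;
// an authenticated caller without the role receives 403.
@ServletSecurity(@HttpConstraint(rolesAllowed = "account-viewer"))
public class AccountServlet extends HttpServlet {

    @Inject
    private SecurityContext securityContext;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time this runs the container has authenticated and authorized the caller;
        // the servlet only sees the resulting principal, never the credential.
        String user = securityContext.getCallerPrincipal().getName();
        resp.setContentType("text/plain");
        resp.getWriter().println("Account page for " + user);
    }
}
```

On Open Liberty this relies on the servlet, CDI and appSecurity features being enabled in server.xml; the login.html form must post `j_username` and `j_password` to `j_security_check` as for any form login.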

ManasiGandhi commented 4 years ago

Draft link for the issue https://draft-openlibertyio.mybluemix.net/docs/ref/general/#securing%20cloud%20native%20microservices.html

dmuelle commented 4 years ago

Peer review of draft at https://draft-openlibertyio.mybluemix.net/docs/ref/general/#securing%20cloud%20native%20microservices.html

Here's a KC topic that might be helpful: https://www.ibm.com/support/knowledgecenter/SSD28V_liberty/com.ibm.websphere.wlp.core.doc/ae/rwlp_sec_quick_overview.html?pos=2

Link each of the features you list to their entry in the gen doc

Rwalls1 commented 4 years ago

@ManasiGandhi Peer review: Adding to the comments that you've already addressed in the PR here: https://github.com/OpenLiberty/docs/pull/982

chirp1 commented 4 years ago

Notes: We've concluded that the topic should be a broader topic than what was originally described at the beginning of this topic. David, Manasi, and I came up with the following list of security ideas for the topic. Manasi can use them as a starting point to discuss the contents of the topic with Ajay and Alasdair.

The topic, including additions/subtractions to the list, should explain the importance of these areas of security and then the basics of how to implement them in an Open Liberty environment, with links to the more detailed topics.

ManasiGandhi commented 4 years ago

Initial draft link, https://draft-openlibertyio.mybluemix.net/docs/ref/general/#securing-microservices.html

lauracowen commented 4 years ago

Some small comments below, but I think there needs to be a lot more info in this topic. However, I don't know what just yet. I think it might be better to come back to this when we have a full set of security docs together that we can review, so I'm going to spend time reviewing the other topics, then I'll come back to this, if that's okay. Just put this on hold for a little while, while we pull the other security topics together.

ManasiGandhi commented 4 years ago

@lauracowen Here's a link to the draft: https://draft-openlibertyio.mybluemix.net/docs/ref/general/#securing-cloud-native-microservices.html. It is an initial draft with an outline that I need to check for accuracy.

lauracowen commented 4 years ago

Thanks. I think we have largely the right tech areas covered here, but I think it needs to be shorter and more focused. I know we didn't have the purpose of this topic very clear, so it's good to have this draft to start from. I'll try to describe what the aims are below and then suggest an outline to refocus/restructure the information.

Audience

The audience of this topic is, specifically, application developers. As a developer, when you're writing an application, it's really easy to disregard security until you really have to do it, and then only what you really have to do. The importance of security is generally seen by the operations people (or more senior people in the org), not developers, because it's the operations people who have to keep the app up and running and not have bad people break into the organisation. Unless the developer is also doing the production-time ops for their app, while they may care, they probably don't know a lot about security, and it's not their greatest priority to learn or spend time on (there are other things that they need to spend time on).

Aim/purpose of this topic

This topic needs to help the developer know what they must do to secure their app without them having to take loads of time learning everything there is to know about security. The aim is not to be an overview of all the security topics we have. I don't know if you've seen the draft of the navigation for the OL docs? https://antora.mybluemix.net/docs/latest/overview.html You'll see there's a Development section and a Security section. Most of the security information is in the Security section. However, this topic will be moved to the Development section when it's written. This will probably be the only security-related topic in the Development section, though it will have links to the other security topics for if the developer wants to know more. However, this topic needs to be sufficient for most developers to know what they need to do in order to secure their app, even if they need to look elsewhere for the specific details of some parts of that process. Think about presenting it so that it's useful and practical, rather than a wall of text, so that it leads the developer easily through the considerations they need to make but without overwhelming them with information. Avoid duplicating info that's elsewhere. Just keep it brief here.

Outline

lauracowen commented 4 years ago

Can you delete the additional "Securing cloud-native microservices" topic from the draft website? I think it's the old version but it has a different file name so it's there as well.

lauracowen commented 4 years ago

This is a reasonable start. I like the structure of separating out development from production. But the text itself is very sparse and really just a list of links in paragraph form once you get to the production section. Don't focus on providing links to every topic (that's not the purpose of this topic); focus instead on providing useful information (whatever links that requires will be obvious as a consequence of doing that).

I know I said to keep it brief but it needs to be more helpful and to speak to the developer as if we understand their situation. Be wordy and helpful for now - don't worry about being brief - I wrote the outline above for a reason - you don't need to just extract the bare, dry facts from it - explain things in a way the developer can relate to. We can edit it down later if it gets a bit long. Explain things like you would if you were talking to someone in person.

ManasiGandhi commented 4 years ago

@lauracowen I worked on your comments. I've pasted an initial diagram for your reference.

[image: initial diagram]

lauracowen commented 4 years ago
ManasiGandhi commented 4 years ago

@lauracowen I worked on your review. Here is the link to the draft: https://draft-openlibertyio.mybluemix.net/docs/20.0.0.10/securing-cloud-native-microservices.html


ManasiGandhi commented 4 years ago

New link to the draft: https://draft-openlibertyio.mybluemix.net/docs/20.0.0.10/securing-cloud-native-microservices.html

ManasiGandhi commented 4 years ago

Updated draft link: https://draft-openlibertyio.mybluemix.net/docs/20.0.0.11/securing-cloud-native-microservices.html

lauracowen commented 4 years ago

Hi Manasi,

I just saw Karen's list of topics that you'd come up with as a team (sorry @chirp1, not sure how I missed that before). I think maybe we can use some of that to give some more depth to this topic, so that it doesn't just become a list of links to other security topics.

Maybe frame the topic as providing best practice on how to design a secure application for a microservices architecture. Always from the developer's perspective (for this topic) though:

I think you'll need solid support from an SME to write this. Not necessarily someone from the security team if you can find someone with some experience at writing secure microservices. It might be worth arranging a chat with YK Chang for a first pass at what he'd consider important to mention. You could then find someone in the security team, maybe, to help write it.

I think the success of writing this topic will hinge largely on finding a good person (SME) to work with. And then ensuring that you can explain it clearly and well (regardless of how the SME expresses the info).

So you'll need to do some background research and self-learning (e.g. try doing the security-related guides, but note that the JWT guide is about to be updated to something easier to read and more usable to follow; Charlotte might know when it's published as she edited it recently). Ideally, get some basic knowledge before talking to the SMEs so that you can put together a list of questions to ask them. The guides will probably explain or demonstrate some concepts relevant to the items on Karen's list above, which might help with both your understanding and what to ask SMEs.

This will be challenging (in a good way, and it will give you a good knowledge basis that will generally be applicable across various IBM projects/products you might work on), so it might be something to work collaboratively on with another writer, at least at the start. It may be that it can provide a doc topic here but also the basis of a blog post or article on IBM Developer too in future.

ManasiGandhi commented 3 years ago

I'm planning to work on this issue later based on a discussion during OL scrum.