Zalando is a publicly traded e-commerce company that does business in 15 European markets and has more than 15 million active customers of very diverse origin. These customers speak various languages, have different tastes for products and styles, use different methods of payment, prefer different ways of having goods shipped, and require nonstop innovation.
Until very recently, Zalando focused on building a unified, comprehensive retail system, built on mutual trust and with the sole purpose of solving our own problems. During the early years of Zalando’s existence, however, identity and access management was neglected, allowing inconsistencies that cannot keep up with the company’s growth. Zalando strives to focus on what its customers truly need. We not only had to rethink the way we build our systems, we also had to change how Identity and Access Management is perceived. Following the motto “You build it, you run it”, autonomous teams are end-to-end responsible for their own applications, which means they are also entrusted with securing them.
In this talk, Christian Kunert (Engineer) and Jan Löffler (Head of Platform Engineering) will take the audience on a journey. A journey of treacherous approaches, ill-considered solutions and dangerous routes. Zalando has embarked on a voyage of epic proportions out of their classical datacenter, and they will share the experience of how microservices enable Zalando’s engineers to move faster, build systems at scale, and keep Zalando’s digital trade routes, as well as everybody on them, secure. They will show how microservices, in conjunction with a cloud infrastructure, support autonomous teams where security is of highest importance. Finally, they will draw upon their experiences to show how this all works in practice, and discuss what is necessary to really make identity matter for each and every Zalando customer, partner, service, and employee.
4. ONE of EUROPE’S LARGEST ONLINE FASHION RETAILERS
15 countries
3 fulfillment centers
15+ million active customers
2.2+ billion € revenue 2014
130+ million visits per month
8.000+ employees
Visit us: tech.zalando.com
15. TOPIC 1: WHERE TO GO
THIS NEEDS TO STOP
“Doing it yourself is not the most sensible thing. Amazon invested already thousands of engineering hours… we must utilize this.” (Eric Bowman)
26. Securing REST APIs - The Candidates
Basic Auth
● Very simple, supported by all tools.
● More or less no transport overhead.
● Stateless.
SAML
● OASIS standard
● Used by AWS to authenticate users
● Assertions can express sophisticated use cases
Kerberos
● There are no passwords on the network
● Flexible lifetime; a ticket must be revalidated after it expires
● Works with Postgres Databases
OAuth 2.0
● Open standard for Authorization
● Provides client applications delegated access on behalf of a resource owner
● Specifies a process for resource owners to authorize access to third party resources
Notariat
● Claim-based approach similar to SAML, using a PKI.
● Authentication can be implemented for different sources (SAML, Kerberos, ... )
● Rotating the signing keys
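To make the Basic Auth and OAuth 2.0 rows concrete, here is an added example, not code from the talk or from Zalando: a small Python request-authentication function that accepts either scheme. The user table, the token table and the `tok-abc123` token are constructed for the demo, and the bearer lookup stands in for the introspection call a real authorization server would answer. It shows what the slide's "very simple" means in practice: the Basic credential is only base64 (anyone on the path can read it, which is why the deck's AWS setup is HTTPS only), while the bearer path carries delegated scopes instead of the resource owner's password, and the password check uses a constant-time compare.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional

# Constructed demo user store: username -> password.
# A real service would hold salted password hashes, never plaintext.
BASIC_USERS = {"deploy-bot": "s3cret"}

# Hypothetical token store: an opaque OAuth 2.0 bearer token -> the
# principal (uid) and the scopes the resource owner delegated to the client.
# In production this lookup is the authorization server's introspection call.
TOKENS = {"tok-abc123": {"uid": "jdoe", "scope": ["read", "write"]}}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client sends for Basic Auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_credential(header_value: str) -> Optional[str]:
    """Show why Basic Auth needs TLS: the credential is base64, not encryption."""
    scheme, _, credential = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(credential.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def check_basic(header_value: str) -> Optional[str]:
    """Verify a Basic credential; returns the user on success, else None."""
    decoded = decode_basic_credential(header_value)
    if decoded is None:
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in BASIC_USERS:
        return None
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(password.encode(), BASIC_USERS[user].encode()):
        return user
    return None


def check_bearer(token: str, required_scope: str) -> Optional[str]:
    """Resolve a bearer token and enforce the scope the endpoint requires."""
    info = TOKENS.get(token)
    if info is None or required_scope not in info["scope"]:
        return None
    return info["uid"]


def authenticate(headers: Dict[str, str], required_scope: str = "read") -> Optional[str]:
    """Return the authenticated principal for a request, or None to reject it."""
    auth = headers.get("Authorization", "")
    scheme, _, credential = auth.partition(" ")
    if scheme.lower() == "basic":
        return check_basic(auth)
    if scheme.lower() == "bearer":
        return check_bearer(credential.strip(), required_scope)
    return None


if __name__ == "__main__":
    print(authenticate({"Authorization": basic_header("deploy-bot", "s3cret")}))
    print(authenticate({"Authorization": "Bearer tok-abc123"}, required_scope="write"))
    print(decode_basic_credential(basic_header("deploy-bot", "s3cret")))
```

The scheme names are matched case-insensitively as HTTP requires, and an unknown scheme, a missing header or a malformed base64 credential all fall through to a rejection rather than an exception.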
32. PROJECT TIMELINE
WE KNOW WHAT - LEAVES THE QUESTION - HOW?
[Timeline from December 2014 to April 2015 (December 2014, January 2015, February 2015, March 2015, April 2015) with the milestones Project Start, Initial TelCo, Hack Week, PoC and First Delivery.]
38. THE VISION
Unified Identity: Being in control of account, data and access regardless of its source
Unified Password: One password only to manage all accounts
Unified Flows: Ability to authenticate and authorize reliably for any identity
Unified cohesive architecture: Know you can trust an identity, without being aware of the protocol
40. THE PROJECT PLAN
Phase I (Tasmania): End of April
Phase II (Victoria): End of July
Phase III (New South Wales): ETA October
Phase IV (Queensland): ETA December
Workstreams shown on the slide: Employee Services API’s, Roles, Partner/Brands, Customer Portal, Provisioning
41. APIs
■ Team Info
■ Service Management
■ Token Retrieval
All written in GOLang, following the 12FactorApp guides. All can be reached via a common domain: https://auth.zalando.com
42. PHYSICAL INFRASTRUCTURE
[Diagram: a GTM in front of four sites - Office Berlin, DC Berlin and DC Gütersloh, each behind an F5 Load-Balancer, and AWS behind an Elastic Load-Balancer. Each site runs OpenAM, a Service API, a Team API, a config-store, a session store, an sae store, an employee store and a brands store; AD appears at three of the four sites, and OpenIDM sits alongside.]
44. TOOL OVERVIEW
• Mai: Get AWS tokens via SAML/OAuth
• Piu: Request SSH access to a server
• Senza: Cloud formation based deploy
Fork us on Github: https://github.com/zalando-stups
45. AWS ACCOUNT SETUP
[Diagram: one VPC spanning eu-west-1a, eu-west-1b and eu-west-1c; each zone has a DMZ subnet (ELB, NAT) and an internal subnet (EC2).]
• ELB for inbound traffic
• NAT Instances for outbound
• HTTPS Only
• Internal VPC with own subnet
46. Mai
$ mai create stups
Identity provider: https://aws.zalando.net
Available roles:
1) AWS Account 600231584188 (zalando-hackweek): Shibboleth-PowerUser
2) AWS Account 786011980701 (zalando-stups): Shibboleth-PowerUser
Please select (1-4): 2
‘stups’ profile created.
$ mai login stups # logs in and stores keys for ‘stups’ profile
$ mai Shibboleth-PowerUser
$ mai --set-default stups # define ‘stups’ to be the default
$ mai # login to default (‘stups’ in this case)
$ mai --env stups # instead of storing, print env variables
AWS_ACCESS_KEY_ID=ASIAIA2JMCGTEH64IK2A
AWS_SECRET_KEY=265nbjuqugAMWeZbS9ABhd3m6F2oik/dj37fonyl
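An added example, not part of the Mai tool or the talk, of the two things the session above does with the temporary credentials: print them as environment variables (`--env`), or store them under a named profile (`mai login stups`). Everything in it is constructed: the credential values are placeholders, `stups` is the profile name from the session, and the variable names follow the AWS SDK convention (`AWS_SECRET_ACCESS_KEY` plus `AWS_SESSION_TOKEN`) rather than the `AWS_SECRET_KEY` shown in the output. What it adds to the session is the handling a defender wants around short-lived keys: the profile file is created owner-only (mode 0600, also re-applied to a pre-existing file), and the stored expiration is checked before the profile is reused.

```python
import configparser
import os
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Optional

# Constructed sample of what an STS AssumeRoleWithSAML call returns.
# All values are placeholders, not real keys.
SAMPLE_CREDENTIALS = {
    "AccessKeyId": "ASIAEXAMPLEKEY000001",
    "SecretAccessKey": "EXAMPLE/secret/placeholder",
    "SessionToken": "EXAMPLE-session-token",
    "Expiration": "2015-05-20T12:00:00Z",
}


def _parse_utc(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp format STS uses."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_expired(creds: Dict[str, str], now_iso: Optional[str] = None) -> bool:
    """True once the temporary credentials have reached their expiration."""
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    return now >= _parse_utc(creds["Expiration"])


def render_env(creds: Dict[str, str]) -> str:
    """The --env behaviour: emit variables for the shell instead of storing."""
    return "\n".join([
        f"AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
        f"AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}",
        f"AWS_SESSION_TOKEN={creds['SessionToken']}",
    ])


def write_profile(path: Path, profile: str, creds: Dict[str, str]) -> Path:
    """Store the credentials under a named profile in an owner-only INI file."""
    config = configparser.ConfigParser()
    if path.exists():
        config.read(path)  # keep other profiles intact
    config[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }
    path.parent.mkdir(parents=True, exist_ok=True)
    # Create with 0600 so the secret never exists with wider permissions,
    # then chmod to tighten a file that may already have existed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        config.write(fh)
    os.chmod(path, 0o600)
    return path


def read_profile(path: Path, profile: str) -> Dict[str, str]:
    """Load a stored profile back (keys are lower-cased by configparser)."""
    config = configparser.ConfigParser()
    config.read(path)
    return dict(config[profile])


def file_mode(path: Path) -> int:
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(path.stat().st_mode)


def demo() -> dict:
    """Round-trip the constructed credentials through a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / ".aws" / "credentials"
        write_profile(path, "stups", SAMPLE_CREDENTIALS)
        write_profile(path, "stups", SAMPLE_CREDENTIALS)  # re-login is idempotent
        stored = read_profile(path, "stups")
        return {
            "mode": file_mode(path),
            "profile": stored,
            "env": render_env(SAMPLE_CREDENTIALS),
            "expired": is_expired({"Expiration": stored["expiration"]}),
        }


if __name__ == "__main__":
    print(demo())
```

Because the sample expiration lies in 2015, `demo()` reports the stored profile as expired, which is exactly the check a login wrapper should make before handing a profile to the AWS CLI instead of letting the first API call fail.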
47. Piu
$ piu --even https://even.stups.zalan.do --odd odd-eu-central-1.stups.zalan.do johndoe@172.31.148.155 health debugging # you can specify defaults
ssh -tA johndoe@odd.stups.zalan.do ssh johndoe@172.31.148.155
$ piu defaults https://even.stups.zalan.do odd-eu-central-1.stups.zalan.do johndoe # store all defaults
ssh -tA johndoe@odd.stups.zalan.do ssh johndoe@172.31.148.155
$ piu 172.31.148.155 health debugging # uses all the defaults
ssh -tA johndoe@odd.stups.zalan.do ssh johndoe@172.31.148.155
$ piu --odd odd-eu-west-1.zalan.do 172.31.148.155 fun project restart # overwritable
ssh -tA johndoe@odd.stups.zalan.do ssh johndoe@172.31.148.155
48. Senza
$ senza create kio.yaml b123 DockerImageVersion 0.1.0-SNAPSHOT
$ senza show kio.yaml # shows DNS weights
90% 180 kio-b122
10% 20 kio-b121
? 0 kio-b123
$ senza weight kio.yaml # sets DNS weights
kio-b121:0
kio-b123:10
$ senza delete kio.yaml b121 # deletes a stack
$ senza cf-template kio.yaml b123 DockerImageVersion 0.1.0-SNAPSHOT # prints the effective cf template
… cf json …
$ senza manifest kio.yaml b123 DockerImageVersion 0.1.0-SNAPSHOT # prints the effective manifest
… manifest yaml …