Hands-on SaaS: Constructing multi-tenant solutions with AWS - SVC307 - New York AWS Summit
1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. S U M M I T
Hands-on SaaS: Constructing multi-tenant solutions with AWS
SVC307
Tod Golding, Principal Partner Solutions Architect, AWS
Judah Bernstein, Partner Solutions Architect, AWS
2. Workshop goals
• Introduce SaaS architecture fundamentals
• Build the working elements of a SaaS environment
• Introduce real-world strategies for addressing common multi-tenant practices
• Provide a foundation that can inform the creation of your own SaaS solutions
3. The SaaS motive
Diagram: three customers, each with its own Web tier and App tier, shown side by side as Tenant, Tenant, Tenant.
4. Key concepts
• On-boarding
• Data partitioning
• Application services
• Authentication service
• Tenant isolation
5. Not here, but key to SaaS
• Management and monitoring
• Analytics
• Operations
• Billing
• SaaS DevOps
6. High-level flow
Lab 1: Tenant onboarding
Lab 2: Multi-tenant services
Lab 3: Tenant isolation
7. Architecting SaaS applications on AWS
8. Lab 1: Onboarding
• Configure an identity provider
• Review user management service
• Provision a new user via REST API
• Review tenant management service
• Provision a new tenant via REST API
• Register a tenant via web app
• Authenticate as the new user
• Inspect the JWT token
Stages: Identity management → Tenant management → Tenant registration & authentication
9. Onboarding architecture
Diagram components: Web application → Amazon API Gateway → User manager, Tenant manager, Tenant registration, Authentication manager
10. Configuring Amazon Cognito
Diagram components: User management service (POST /user) → Cognito user pool (validation, attributes, policies); Cognito identity pool
11. Tenant management
Tenant manager
• Generated tenant identifier, e.g. 492c83ba-d565-47a8-a987-634bd01189db
• Status: active / inactive
• Tier: basic, advanced
Users (one tenant : many users), each with:
• UserID
• TenantID
• Name
• Status
• Role
12. Onboarding flow
Diagram: Web application (hosted on Amazon S3) → Register / Authenticate → API Gateway → Tenant registration, Authentication manager
13. Architecting SaaS applications on AWS
14. Lab 2: A multi-tenant progression
Single tenant product manager
• Single tenant table in Amazon DynamoDB
• Use ProductId as partition key
• No awareness of tenant identity
Multi-tenant product manager
• Multi-tenant, pooled table in DynamoDB
• Use TenantId as partition key
• Tenant supplied as REST parameter
Add tenant security context
• Add security token to HTTP headers
• Load products for two tenants
• Verify tenant partitioning in DynamoDB
15. Building application services
Application service
• Identity & tenant context
• Multi-tenant data partitioning
• Tenant-aware logging, metering, and analytics
16. Data partitioning model
Single tenant table
Product ID   Title
ECHO-123     Echo Dot
ECHO-456     Echo Show
ECHO-456     Echo Show
ECHO-910     Echo Spot
Pooled multi-tenant table
Partition Key   Product ID   Title
Tenant-1        ECHO-123     Echo Dot
Tenant-3        ECHO-456     Echo Show
Tenant-1        ECHO-456     Echo Show
Tenant-4        ECHO-910     Echo Spot
Product manager (single tenant) | Product manager (multi-tenant)
/product/id=TenantId/product
17. Injecting tenant context
Diagram: (1) JWT token arrives at the product manager; (2) product manager calls GetTenantId(Token) on the token manager; (3) token manager returns TenantId; (4) unlabelled on the slide.
18. Architecting SaaS applications on AWS
19. Isolating tenant data
Cross tenant access
• Alter the product manager service
• Manually inject a tenant identifier
• Verify cross-tenant access is enabled
Configure policies
• Leverage policies to restrict tenant access
• Edit existing policies
• Introduce leading key conditions
Map role to policies
• Examine roles emitted by provisioning
• Examine Amazon Cognito's role mapping
• View the tenant admin/user mapping
Get scoped credentials
• Deploy the web application
• Register a tenant
• Authenticate the new user
20. Cross tenant access
Diagram: Tenant 1 (Tenant-11943) and Tenant 2 (Tenant-9492) both read the pooled product table, where the tenant identifier is the partition key:
Partition Key   Sort Key
Tenant-9492     14019
Tenant-11943    49104
Tenant-11943    91044
Tenant-9492     85145
21. Tenant-scoped policies
{
  "Sid": "TenantReadOnlyOrderTable",
  "Effect": "Allow",
  "Action": [
    "dynamodb:GetItem",
    "dynamodb:BatchGetItem",
    "dynamodb:Query",
    "dynamodb:DescribeTable"
  ],
  "Resource": [
    "arn:aws:dynamodb:us-east-1:000000000000:table/Order"
  ],
  "Condition": {
    "ForAllValues:StringEquals": {
      "dynamodb:LeadingKeys": [
        "3aecf790-7dfd-4aef-a95a-b63fc413bdc9"
      ]
    }
  }
}
22. Mapping tenant roles to policies
Diagram: Amazon Cognito role mapping links the tenant admin role and the tenant user role to IAM policies.
23. Temporary credentials (the payoff)
Diagram: the application service calls getCredentialsForIdentity(idToken) on Cognito; Cognito matches the role claim in the ID token to the IAM role policies and returns role-scoped credentials.
Cognito ID token (JWT) claims:
{
  "custom:tenantId": "8391-9393-9933",
  "custom:role": "TenantAdmin"
}
Returned credentials:
"Credentials": {
  "SecretKey": "2gZ8QJQqkAHBzebQmghavFAfgmYpKWRqexample",
  "AccessKeyId": "ASIAJIOA37R6EXAMPLE"
}
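An added example (not the workshop's own code) that ties slides 17, 21 and 23 together: it reads the tenant claims out of a Cognito ID token, builds the LeadingKeys statement for that tenant, and evaluates it the way IAM does against the cross-tenant request from slide 20. The sample token is constructed and unsigned, the helper names are this example's own, and signature verification is assumed to happen upstream.

```python
import base64
import json

# Added example, not the workshop's code. Table ARN is the one on slide 21.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:000000000000:table/Order"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def tenant_context(id_token: str) -> dict:
    """Read custom:tenantId / custom:role from a Cognito ID token (step 2 on
    slide 17). Assumes the signature was verified upstream, e.g. by the API
    Gateway Cognito authorizer; claims from an unverified token must never
    select a tenant partition."""
    claims = json.loads(_b64url_decode(id_token.split(".")[1]))
    return {"tenant_id": claims["custom:tenantId"], "role": claims["custom:role"]}


def tenant_scoped_statement(tenant_id: str, table_arn: str = TABLE_ARN) -> dict:
    """Build the slide-21 read-only statement for one tenant's leading keys."""
    return {
        "Sid": "TenantReadOnlyOrderTable",
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem",
                   "dynamodb:Query", "dynamodb:DescribeTable"],
        "Resource": [table_arn],
        "Condition": {"ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [tenant_id]}},
    }


def leading_keys_permit(statement: dict, action: str, leading_keys: list) -> bool:
    """Mimic IAM's check: the action must be listed, and under ForAllValues
    every partition key in the request must be in the allowed set (an empty
    request key set passes, as it does in IAM)."""
    if action not in statement["Action"]:
        return False
    allowed = statement["Condition"]["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"]
    return all(key in allowed for key in leading_keys)


# Constructed, unsigned sample token carrying claims shaped like slide 23's.
_claims = {"custom:tenantId": "Tenant-11943", "custom:role": "TenantAdmin"}
SAMPLE_ID_TOKEN = ".".join([_b64url_encode(b'{"alg":"none"}'),
                            _b64url_encode(json.dumps(_claims).encode()), ""])
```

With the statement scoped to Tenant-11943, a Query on Tenant-9492's partition, or a BatchGetItem mixing both tenants' keys, is refused, which is exactly what the manually injected identifier in Lab 3 is meant to test.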
25. Thank you!