Service Fabric application and service security

A microservices architecture can bring many benefits. Managing the security of microservices, however, is a challenge and differs from managing the security of a traditional monolithic application.

With a monolith, the application typically runs on one or more servers within a network, and it is easier to identify the exposed ports, APIs, and IP addresses. There is often one perimeter or boundary and one database to protect. If that system is compromised by a breach or attack, everything within it is likely available to the attacker. With microservices, the system is more complex. Services are decentralized, distributed across many hosts, and migrate from host to host. With proper security, you limit the privileges an attacker gains and the amount of data exposed when a single attack breaches one service. Communication is not internal but happens over a network, with many exposed ports and many interactions between services. Knowing what these service interactions are and when they happen is crucial to the security of your application.

This article is not a guide to microservices security; many such resources are available online. Instead, it describes how different aspects of security can be accomplished in Service Fabric.

Authentication and authorization

It is often necessary to limit the resources and APIs exposed by a service to certain trusted users or clients. Authentication is the process of reliably ascertaining a user's identity. Authorization is the process that makes APIs or services available to some authenticated users but not others.

Authentication

The first step to making API-level trust decisions is authentication. Authentication is the process of reliably ascertaining a user's identity. In microservice scenarios, authentication is typically handled centrally. If you are using an API gateway, you can offload authentication to the gateway. If you take this approach, make sure that the individual services cannot be reached directly (bypassing the API gateway) unless additional security is in place to authenticate messages regardless of whether they come from the gateway. A gateway that authenticates callers protects nothing if the back-end service ports are also reachable from the client network.

If services can be accessed directly, an authentication service such as Azure Active Directory, or a dedicated authentication microservice acting as a security token service (STS), can be used to authenticate users. Trust decisions are shared between services with security tokens or cookies.

For ASP.NET Core, the primary mechanism for authenticating users is the ASP.NET Core Identity membership system. ASP.NET Core Identity stores user information (including sign-in information, roles, and claims) in a data store configured by the developer. ASP.NET Core Identity supports two-factor authentication. External authentication providers are also supported, so users can sign in using existing authentication processes from providers such as Microsoft.

Authorization

After authentication, services need to authorize user access, that is, determine what a user is able to do. This process allows a service to make APIs available to some authenticated users, but not to all. Authorization is orthogonal to and independent from authentication, which is the process of ascertaining who a user is. Authentication may create one or more identities for the current user.

ASP.NET Core authorization can be based on users' roles or on custom policies, which might include inspecting claims or other heuristics.

Restrict and secure access using an API gateway

Cloud applications typically need a front-end gateway to provide a single point of ingress for users, devices, or other applications. An API gateway sits between clients and services and is the entry point to all the services that your application provides. It acts as a reverse proxy, routing requests from clients to services. It may also perform cross-cutting tasks such as authentication and authorization, TLS termination, and rate limiting. If you don't deploy a gateway, clients must send requests directly to front-end services.

In Service Fabric, a gateway can be any stateless service, such as an ASP.NET Core application, or another service designed for traffic ingress, such as Traefik, Event Hubs, IoT Hub, or Azure API Management.

API Management integrates directly with Service Fabric, allowing you to publish APIs with a rich set of routing rules to your back-end Service Fabric services. You can secure access to back-end services, mitigate DoS attacks by throttling, and verify API keys, JWT tokens, certificates, and other credentials. To learn more, read the Service Fabric with Azure API Management overview.

Manage application secrets

Secrets can be any sensitive information, such as storage connection strings, passwords, or other values that should not be handled in plain text. This article uses Azure Key Vault to manage keys and secrets. However, the way secrets are used in an application is cloud platform-agnostic, so applications can be deployed to a cluster hosted anywhere.

The recommended way to manage service configuration settings is through service configuration packages. Configuration packages are versioned and updatable through managed rolling upgrades with health validation and automatic rollback. This is preferred to global configuration because it reduces the chance of a global service outage. Encrypted secrets are no exception. Service Fabric has built-in features for encrypting and decrypting values in a configuration package's Settings.xml file using certificate encryption.

The following diagram illustrates the basic flow for secret management in a Service Fabric application:

(Diagram: overview of secret management)

There are four main steps in this flow:

  1. Obtain a data encipherment certificate.
  2. Install the certificate in your cluster.
  3. Encrypt secret values with the certificate when deploying an application and inject them into the service's Settings.xml configuration file.
  4. Read the encrypted values out of Settings.xml by decrypting them with the same encipherment certificate.

Azure Key Vault is used here as a safe storage location for certificates and as the way to get certificates installed on Service Fabric clusters in Azure. If you are not deploying to Azure, you do not need to use Key Vault to manage secrets in Service Fabric applications.

For an example, see Manage application secrets.
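The four steps above come together in the application manifest. The following ApplicationManifest.xml fragment is an added example, not code from the original page or from Service Fabric itself: it declares the encipherment certificate (step 2) and overrides a configuration parameter with an encrypted value supplied at deploy time (step 3). The application, service and section names, the parameter names and the placeholder thumbprint are assumed for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original page): ApplicationManifest.xml fragment that
     declares the data encipherment certificate and injects an encrypted setting.
     MySecretsAppType, MyServicePkg, ConnectionStrings/Storage and the parameter
     names are assumed for illustration. -->
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     ApplicationTypeName="MySecretsAppType"
                     ApplicationTypeVersion="1.0.0"
                     xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Parameters>
    <!-- Supplied per environment at deploy time. The value is the ciphertext
         produced by Invoke-ServiceFabricEncryptText, never the plain-text secret,
         so the parameter file can be checked in without leaking anything. -->
    <Parameter Name="StorageConnectionString" DefaultValue="" />
    <Parameter Name="SecretsCertThumbprint" DefaultValue="" />
  </Parameters>

  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="MyServicePkg" ServiceManifestVersion="1.0.0" />
    <ConfigOverrides>
      <ConfigOverride Name="Config">
        <Settings>
          <Section Name="ConnectionStrings">
            <!-- IsEncrypted="true" marks the value as ciphertext. The service must
                 call DecryptValue() on it; reading .Value returns the ciphertext. -->
            <Parameter Name="Storage" IsEncrypted="true" Value="[StorageConnectionString]" />
          </Section>
        </Settings>
      </ConfigOverride>
    </ConfigOverrides>
  </ServiceManifestImport>

  <DefaultServices>
    <Service Name="MyService">
      <StatelessService ServiceTypeName="MyServiceType" InstanceCount="-1">
        <SingletonPartition />
      </StatelessService>
    </Service>
  </DefaultServices>

  <Certificates>
    <!-- The encipherment certificate installed on every node (step 2). Declaring it
         here lets Service Fabric grant the service's run-as account read access to
         the private key, so decryption works without running as an administrator. -->
    <SecretsCertificate X509FindValue="[SecretsCertThumbprint]" />
  </Certificates>
</ApplicationManifest>
```

The service's own Settings.xml in the Config package must declare the same section and parameter (with IsEncrypted="true" and an empty value) for the override to apply. The ciphertext is produced with `Invoke-ServiceFabricEncryptText -CertStore -CertThumbprint <thumbprint> -Text '<secret>' -StoreLocation LocalMachine -StoreName My` and passed as the StorageConnectionString parameter; inside the service, `GetConfigurationPackageObject("Config").Settings.Sections["ConnectionStrings"].Parameters["Storage"].DecryptValue()` returns the plain text as a SecureString. Because the ciphertext is bound to that certificate, rotating the certificate means re-encrypting every value and redeploying through the normal rolling upgrade.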

Secure the hosting environment

By using Azure Service Fabric, you can secure applications that are running in the cluster under different user accounts. Service Fabric also helps secure the resources that applications use at deployment time under those user accounts, for example files, directories, and certificates. This makes applications, even in a shared hosting environment, more secure from one another.

The application manifest declares the security principals (users and groups) required to run the service(s) and secure resources. These principals are referenced in policies, for example run-as, endpoint binding, package sharing, or security access policies. Policies are then applied to service resources in the ServiceManifestImport section of the application manifest.

When declaring principals, you can also define and create user groups so that one or more users can be added to each group and managed together. This is useful when there are multiple users for different service entry points that need certain common privileges available at the group level.

By default, Service Fabric applications run under the account that the Fabric.exe process runs under, which means a compromised service inherits the privileges of the Service Fabric runtime itself. Service Fabric also provides the capability to run applications under a local user account or local system account specified in the application manifest; a dedicated, unprivileged local user is the least-privilege choice for the main entry point. For more information, see Run a service as a local user account or local system account. You can also run a service startup script as a local user or system account.

When you're running Service Fabric on a Windows standalone cluster, you can run a service under Active Directory domain accounts or group managed service accounts.
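The principals and run-as policies described above look like the following in an application manifest. This is an added example, not code from the original page or from Service Fabric: it gives the one-off setup entry point administrative rights through a group, runs the long-running main entry point as an unprivileged local user, and sets a default so no code package silently inherits the Fabric.exe account. The application, package, user and group names are assumed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original page): ApplicationManifest.xml fragment that
     declares local principals and applies least-privilege run-as policies.
     MyHostedAppType, MyServicePkg, ServiceUser, SetupUser and LocalAdminGroup are
     assumed names. -->
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     ApplicationTypeName="MyHostedAppType"
                     ApplicationTypeVersion="1.0.0"
                     xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="MyServicePkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <!-- The SetupEntryPoint runs once before the service starts and is the only place
           that needs admin rights (for example to register a URL ACL). The main
           EntryPoint, which handles untrusted input, runs as the unprivileged user. -->
      <RunAsPolicy CodePackageRef="Code" UserRef="SetupUser" EntryPointType="Setup" />
      <RunAsPolicy CodePackageRef="Code" UserRef="ServiceUser" EntryPointType="Main" />
    </Policies>
  </ServiceManifestImport>

  <DefaultServices>
    <Service Name="MyService">
      <StatelessService ServiceTypeName="MyServiceType" InstanceCount="-1">
        <SingletonPartition />
      </StatelessService>
    </Service>
  </DefaultServices>

  <Principals>
    <Groups>
      <!-- Group-level privileges shared by every principal that needs them. -->
      <Group Name="LocalAdminGroup">
        <Membership>
          <SystemGroup Name="Administrators" />
        </Membership>
      </Group>
    </Groups>
    <Users>
      <!-- AccountType="LocalUser": Service Fabric creates and manages the account on
           each node; the service code never handles a password. No MemberOf means
           no extra group rights beyond an ordinary local user. -->
      <User Name="ServiceUser" AccountType="LocalUser" />
      <!-- Administrative rights only for the setup step. -->
      <User Name="SetupUser" AccountType="LocalUser">
        <MemberOf>
          <Group NameRef="LocalAdminGroup" />
        </MemberOf>
      </User>
    </Users>
  </Principals>

  <Policies>
    <!-- Fallback for any code package that has no explicit RunAsPolicy. -->
    <DefaultRunAsPolicy UserRef="ServiceUser" />
  </Policies>
</ApplicationManifest>
```

Files, directories and certificates that Service Fabric sets up for the application are ACLed to these accounts, so a service running as ServiceUser cannot read another application's package contents on the same node. If the main entry point must listen on an HTTP port as a non-admin user, register the URL ACL in the setup entry point rather than promoting the service account.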

Secure containers

Service Fabric provides a mechanism for services inside a container to access a certificate installed on the nodes of a Windows or Linux cluster (version 5.7 or later). This PFX certificate can be used to authenticate the application or service, or to secure communication with other services. For more information, see Import a certificate into a container.

In addition, Service Fabric supports gMSA (group Managed Service Accounts) for Windows containers. For more information, see Set up gMSA for Windows containers.
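Both container features are configured through the ContainerHostPolicies element of the application manifest. The following fragment is an added example, not code from the original page or from Service Fabric, showing one certificate made available to the container and a gMSA credential spec applied to it. The package, certificate and credential spec file names are assumed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original page): ServiceManifestImport fragment for a
     containerized service. MyContainerPkg, ClientCert, the thumbprint parameter and
     the credential spec file name are assumed. -->
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     ApplicationTypeName="MyContainerAppType"
                     ApplicationTypeVersion="1.0.0"
                     xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Parameters>
    <Parameter Name="ClientCertThumbprint" DefaultValue="" />
  </Parameters>

  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="MyContainerPkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <ContainerHostPolicies CodePackageRef="Code">
        <!-- Service Fabric exports the node-installed certificate (with its private
             key) into the container and tells the service where it is through
             environment variables. Anything running in the container can read the
             key, so keep the image free of untrusted processes. -->
        <CertificateRef Name="ClientCert" X509StoreName="My" X509FindValue="[ClientCertThumbprint]" />
        <!-- Windows containers only: run under a group managed service account using
             the credential spec file installed on every node (assumed file name). -->
        <SecurityOption Value="credentialspec=file://MyContainerApp.json" />
      </ContainerHostPolicies>
    </Policies>
  </ServiceManifestImport>

  <DefaultServices>
    <Service Name="MyContainerService">
      <StatelessService ServiceTypeName="MyContainerServiceType" InstanceCount="-1">
        <SingletonPartition />
      </StatelessService>
    </Service>
  </DefaultServices>
</ApplicationManifest>
```

The certificate must already be installed on every node that can host the container, with the thumbprint passed in at deploy time. Because the exported certificate lives inside the container's file system, rotate it by redeploying with a new thumbprint rather than by copying files into running containers.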

Secure service communication

In Service Fabric, a service runs somewhere in a Service Fabric cluster, typically distributed across multiple VMs. Service Fabric provides several options for securing your service communications.

You can enable HTTPS endpoints in your ASP.NET Core or Java web services.
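Enabling an HTTPS endpoint means declaring the endpoint with Protocol="https" in the service manifest and binding a certificate to it in the application manifest. The fragment below is an added example, not code from the original page or from Service Fabric, showing the application manifest side; the endpoint name must match the Endpoint resource in the service manifest. The application and package names, certificate name and thumbprint parameter are assumed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original page): ApplicationManifest.xml fragment that
     binds a service's HTTPS endpoint to a node-installed certificate. MyWebAppType,
     MyWebPkg, WebCert and WebCertThumbprint are assumed names. The service manifest is
     assumed to declare:
       <Endpoint Name="ServiceEndpoint" Protocol="https" Type="Input" Port="443" /> -->
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     ApplicationTypeName="MyWebAppType"
                     ApplicationTypeVersion="1.0.0"
                     xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Parameters>
    <!-- Thumbprint of the TLS server certificate, different per environment. -->
    <Parameter Name="WebCertThumbprint" DefaultValue="" />
  </Parameters>

  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="MyWebPkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <!-- Service Fabric grants the service's run-as account access to the
           certificate's private key and, on Windows, configures the port's
           certificate binding, so the service does not need admin rights. -->
      <EndpointBindingPolicy EndpointRef="ServiceEndpoint" CertificateRef="WebCert" />
    </Policies>
  </ServiceManifestImport>

  <DefaultServices>
    <Service Name="MyWebService">
      <StatelessService ServiceTypeName="MyWebServiceType" InstanceCount="-1">
        <SingletonPartition />
      </StatelessService>
    </Service>
  </DefaultServices>

  <Certificates>
    <EndpointCertificate X509FindValue="[WebCertThumbprint]" Name="WebCert" />
  </Certificates>
</ApplicationManifest>
```

A Kestrel-based ASP.NET Core service still has to load the certificate itself when it configures its listener (for example by looking it up by the same thumbprint in the LocalMachine\My store); the binding policy is what makes that private key readable by the unprivileged service account.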

You can establish a secure connection between the reverse proxy and services, enabling an end-to-end secure channel. Connecting to secure services is supported only when the reverse proxy is itself configured to listen on HTTPS. For information on configuring the reverse proxy, read Reverse proxy in Azure Service Fabric. Connect to a secure service describes how to establish a secure connection between the reverse proxy and services.

The Reliable Services application framework provides a few prebuilt communication stacks and tools that you can use to improve security. Learn how to improve security when you're using service remoting (in C# or Java) or using WCF.

Encrypt application data at rest

Each node type in a Service Fabric cluster running in Azure is backed by a virtual machine scale set. Using an Azure Resource Manager template, you can attach data disks to the scale set(s) that make up the Service Fabric cluster. If your services save data to an attached data disk, you can encrypt those data disks to protect your application data.

Next steps