GET The experience of using the cloud in managing database access control in a software project / Sudo Null IT News FREE
We are very appreciative for the preparation of the article to Nikolai Sinitsin, senior software engineer at Aplan , for his help in writing this article. The rest of our Lazuline related articles can be found on the azureweek tag .
Hello!
Once in one of the projects we go down a undertaking, the conditions of which were to ensure that the software needed to access various databases with get at control - literally, whoever has a license should give access, otherwise block access. In addition, it was necessary to be able to change the connection to another database, and then that the software knew that the address had changed. Several ways were found to do this, but in the end they came up with the option of using Azure cloud services - virtually how the decision was made and wherefore and how we used the cloud - read under the Caterpillar.
At foremost we thought process of taking the obvious path — there are databases, users WHO have "licenses" are set up on each database. They resolved the accession problem, simply, as you probably realise, it's very awkward to carry off such a system of rules - add, delete users. In order to solve the problem of changing servers, IT would exist necessary to write some conditional service, which would also store users WHO experience access. And everyone would know the address where the database server is located.
This method has single disadvantages:
- Penury to write a help;
- There is no single user repository with memory access to the organisation;
- It is intractable to observe the relevance of user data along individual databases.
Get's go done the minuses.
Minus:
You need to pen a inspection and repair.
"What service did we need," you ask. A service for managing access hold in to databases for software products deployed along various machines. Writing services is bang-up. Only, when IT is necessary to indite a service from scratch, IT is possible to catch assorted errors, including the most complex are human. This is especially true when you write an access control and role distribution service. One mistake - and instead of giving one user the right to a imagination, combined English hawthorn encounter that the rights are given to a large number. The cost of the wrongdoing is same high.
Minus:
Thither is no single deposit of users with access to the organisation.
In addition to the fact that thither should be a service that allows you to provide different access, you need a single user database and a management manager that will well allow you to manage this database. To indite yourself from the very beginning = spend much of time.
Minus:
It is difficult to maintain the relevance of user data on various databases.
If we use the option in which users are logged on to each database, we have the job of synchronizing several databases with each separate.
Due to the fact that thither are described problems, it was distinct to look at cloud services that leave solve the tasks and denigrate or completely get rid of the above disadvantages + there was the possibility of a transition to a cloud database and site deployment in the cloud up.
Let's occupy a brief look at the cloud services that were analyzed and used to solve the problem:
Azure Active Directory ( AAD operating theater Azure AD )- Multi-substance abuser cloud directory and identity management servicing. It is replaceable to working with the Active directory, which comes with Windows Server. However, AAD is not intended for users to crop in the local substructure of the company, but when working with cloud applications (for representative, Azure Key Vault). Using this service, we solve the problems of "there is no single user repository with approach to the organization" and "it is difficult to maintain the relevance of user information on various databases. " New it was announced that AAD will sustenanc the ability to deploy domains.
Azure Of import Overleap - HMS as a Service ( Computer hardware security module ). HMS is dedicated hardware that allowsstore, negociate keys / secrets and encrypt / decrypt, put / verify signatures in the safest way and degenerate sufficiency (specific hardware sharpened for encryption, according to the statements, works quickly, just how much OR what measurements were taken, there is no information). KV was antecedently celebrated as BYOK (bring-your-own-key). ( Link to the clause ). Exploitation this divine service, you can store secrets indirect to access to a particular database (login, password, address, typewrite of database, etc.) Thus, users approved using AAD receive Token with the avail of which they gain access code to the secret. And the program, based on this data, connects to the coveted database.
Using Azure Active Directory and Azure Key Vault
The diagram above shows that access see, a single user depository and management manager are transferred to the side of cloud services such as AAD and Azure Key Burial vault. The interaction scheme is rattling simple. Each software program user knows the username and password that the service administrator gave him. With it, the program logs into AAD and receives an say-so minimum, through which the software product gets access to the Azure Key Burial vault service in which secrets are stored. Further using secrets, the computer software establishes a connection to the database.
If you need to remove access to the database, you can remove the substance abuser from AAD and generate a new countersign to the database. The remainder of the systems, having lost the connection, leave request a secret again and lay down a association.
If we change the address or location of the database, we only need to change the information on the QT and the arrangement will automatically connect to other database that comes in the information from Key Burial vault.
The advantages of this draw close:
- Uses a single entry point and get at operate . This plus allows you to easily manage the uncastrated organization of interaction with the database. There is No pauperism to write and check the services for errors, this is every last done for us by the Microsoft employees and the user community using these services.
- Ease of expansion , since we can switch between databases easily without dynamic anything. We can change from a database deployed connected our host to a database in the cloud.
- Commodious access control interface . There is No need to pass clock and money writing an memory access control interface. Everything is done and premeditated out by time.
Among the minuses, extraordinary can be distinguished - in this implementation, after deleting the user, we need to modification the watchword to the database. And this is non very secure, since the system is already organism used.
That was the feel for of using the cloud to work out a specialized problem. Thanks for tending!
DOWNLOAD HERE
GET The experience of using the cloud in managing database access control in a software project / Sudo Null IT News FREE
Posted by: gordoncomanny.blogspot.com
0 Response to "GET The experience of using the cloud in managing database access control in a software project / Sudo Null IT News FREE"
Post a Comment