Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS
Seth Fox
Solutions Architecture Manager, AWS SaaS Factory
Amazon Web Services
ARC327
Bootcamp goals
• Introduce SaaS architecture fundamentals
• Build the working elements of a SaaS environment
• Introduce real-world strategies for addressing common multi-tenant practices
• Provide a foundation that can inform the creation of your own SaaS solutions
The SaaS motive
(Diagram: three separate Web/App stacks, one per Customer, versus a single shared Web/App stack serving Tenant, Tenant, Tenant.)
Key concepts
• Onboarding
• Data partitioning
• Application services
• Authentication service
• Tenant isolation
Not here, but key to SaaS
• Management and monitoring
• Analytics
• Operations
• Billing
• SaaS DevOps
High level flow
Lab one: Tenant onboarding
Lab two: Multi-tenant services
Lab three: Tenant isolation
Lab one: Tenant onboarding
Architecting SaaS applications on AWS
Lab one: Onboarding
• Configure an identity provider
• Review user management service
• Provision a new user via REST API
• Review tenant management service
• Provision a new tenant via REST API
• Register a tenant via web app
• Authenticate as the new user
• Inspect the JWT (the Cognito ID token)
Stages: identity management, tenant management, tenant registration & authentication
Onboarding architecture
(Diagram: the web application calls, through API Gateway, the user manager, tenant manager, tenant registration, and authentication manager services.)
Configuring Amazon Cognito
• User pool: validation, attributes, policies
• User management: POST /user
• Identity pool
Tenant management
• Tenant manager
• Generated tenant identifier: 492c83ba-d565-47a8-a987-634bd01189db
• Status: Active/Inactive
• Tier: Basic, Advanced
• User attributes: UserId, TenantId, Name, Status, Role
• Tenant to users: 1:Many
Onboarding flow
(Diagram: the web application, hosted on Amazon S3, calls the tenant registration service to register and the authentication manager to authenticate, both through API Gateway.)
Lab two: Building multi-tenant microservices
Architecting SaaS applications on AWS
Lab two: A multi-tenant progression
Single tenant product manager
• Single tenant table in Amazon DynamoDB
• Use ProductId as partition key
• No awareness of tenant identity
Multi-tenant product manager
• Multi-tenant, pooled table in DynamoDB
• Use TenantId as partition key
• Tenant supplied as REST parameter
Add tenant security context
• Add security token to HTTP headers
• Load products for two tenants
• Verify tenant partitioning in DynamoDB
Building application services
• Application service
• Identity & tenant context
• Multi-tenant data partitioning
• Tenant-aware logging, metering, and analytics
Data partitioning model
Pooled multi-tenant table (product manager):
Partition Key   Product ID   Title
Tenant-1        ECHO-123     Echo Dot
Tenant-3        ECHO-456     Echo Show
Tenant-1        ECHO-456     Echo Show
Tenant-4        ECHO-910     Echo Spot

Single tenant table (product manager):
Product ID   Title
ECHO-123     Echo Dot
ECHO-456     Echo Show
ECHO-456     Echo Show
ECHO-910     Echo Spot

/product/id=TenantId/product
Injecting tenant context
(Diagram, numbered 1 to 4: the product manager receives a JWT token, passes it to the token manager via GetTenantId(Token), and gets back the TenantId it uses to scope its data access.)
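The token-manager step above, written out as an added Python example that is not part of the bootcamp's code: the tenant identifier is read from a verified JWT and becomes the DynamoDB partition key, while the REST tenant parameter from the intermediate lab-two design is only checked for agreement with the token, never trusted on its own. The HS256 shared secret, the PRODUCT_TABLE sample rows, and the function names are assumptions made for this example. Cognito ID tokens are RS256-signed and are verified against the user pool's JWKS; the same checks apply there with the public key in place of the shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the Cognito signing key. Cognito ID tokens are
# RS256-signed and verified against the user pool's JWKS; an HS256 shared
# secret is used here only so the example runs offline.
SIGNING_KEY = b"constructed-example-key-do-not-use"

# Constructed sample rows for the pooled product table: TenantId is the
# partition key, ProductId the sort key.
PRODUCT_TABLE = [
    {"TenantId": "Tenant-1", "ProductId": "ECHO-123", "Title": "Echo Dot"},
    {"TenantId": "Tenant-3", "ProductId": "ECHO-456", "Title": "Echo Show"},
    {"TenantId": "Tenant-1", "ProductId": "ECHO-456", "Title": "Echo Show"},
    {"TenantId": "Tenant-4", "ProductId": "ECHO-910", "Title": "Echo Spot"},
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tenant_id: str, role: str, ttl: int = 3600) -> str:
    """Mint an HS256 JWT carrying the custom:tenantId / custom:role claims
    shown on the slides. Stands in for the Cognito ID token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"custom:tenantId": tenant_id, "custom:role": role,
              "exp": int(time.time()) + ttl}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def get_tenant_id(token: str) -> str:
    """Token manager: verify signature and expiry, then return the tenant
    claim. The claims are not trusted until the signature checks out."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":  # reject alg=none and algorithm confusion
        raise PermissionError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, (header_b64 + "." + claims_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) < time.time():
        raise PermissionError("token expired")
    tenant_id = claims.get("custom:tenantId")
    if not tenant_id:
        raise PermissionError("no tenant claim")
    return tenant_id


def build_query(tenant_id: str) -> dict:
    """Parameters for a DynamoDB Query against the pooled table. The
    partition key value comes from the verified token, so the caller
    cannot steer the query at another tenant's partition."""
    return {
        "TableName": "Product",
        "KeyConditionExpression": "TenantId = :t",
        "ExpressionAttributeValues": {":t": {"S": tenant_id}},
    }


def get_products(authorization_header: str, requested_tenant=None) -> list:
    """Product manager handler. `requested_tenant` is the REST parameter of
    the intermediate design; it may agree with the token but never override it."""
    token = authorization_header
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    tenant_id = get_tenant_id(token.strip())
    if requested_tenant is not None and requested_tenant != tenant_id:
        raise PermissionError("tenant in request does not match token")
    query = build_query(tenant_id)
    key = query["ExpressionAttributeValues"][":t"]["S"]
    # Stand-in for dynamodb.query(**query): filter the sample rows by partition key.
    return [item for item in PRODUCT_TABLE if item["TenantId"] == key]
```

With a token minted for Tenant-1, get_products returns only the two Tenant-1 rows; a request that names Tenant-3 in the path while carrying a Tenant-1 token is refused, and a token whose claims segment was swapped for another tenant's fails the signature check before its tenant claim is ever read.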
Lab three: Tenant isolation
Architecting SaaS applications on AWS
Isolating tenant data
Cross tenant access
• Alter the product manager service
• Manually inject a tenant identifier
• Verify that cross-tenant access is possible
Configure policies
• Leverage policies to restrict tenant access
• Edit existing policies
• Introduce leading key conditions
Map role to policies
• Examine roles emitted by provisioning
• Examine Amazon Cognito role mapping
• View the tenant admin/user mapping
Get scoped credentials
• Deploy the web application
• Register a tenant
• Authenticate the new user
Cross tenant access
(Diagram: Tenant One (Tenant-11943) and Tenant Two (Tenant-9492) both reach the Product table, whose partition key is the tenant identifier.)
Product table:
Partition Key   Sort Key
Tenant-9492     14019
Tenant-11943    49104
Tenant-11943    91044
Tenant-9492     85145
Tenant-scoped policies
{
  "Sid": "TenantReadOnlyOrderTable",
  "Effect": "Allow",
  "Action": [
    "dynamodb:GetItem",
    "dynamodb:BatchGetItem",
    "dynamodb:Query",
    "dynamodb:DescribeTable"
  ],
  "Resource": [
    "arn:aws:dynamodb:us-east-1:000000000000:table/Order"
  ],
  "Condition": {
    "ForAllValues:StringEquals": {
      "dynamodb:LeadingKeys": [
        "3aecf790-7dfd-4aef-a95a-b63fc413bdc9"
      ]
    }
  }
}
Mapping tenant roles to policies
(Diagram: Amazon Cognito role mapping assigns the tenant admin role and the tenant user role to IAM policies.)
Temporary credentials (the payoff)
(Diagram: the application service calls getCredentialsForIdentity(idToken) on Amazon Cognito, which matches the role from the token's claims and returns role-scoped credentials backed by the IAM role's policies.)
Cognito ID token (JWT) claims:
{
  "custom:tenantId": "8391-9393-9933",
  "custom:role": "TenantAdmin"
}
Returned credentials:
"Credentials": {
  "SecretKey": "2gZ8QJQqkAHBzebQmghavFAfgmYpKWRqexample",
  "AccessKeyId": "ASIAJIOA37R6EXAMPLE"
}
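The tenant-scoped policy statement and the role-to-credentials mapping above, as one added Python example that is not part of the workshop material: map_role stands in for the identity pool's claim-based role selection, tenant_scoped_policy emits a statement in the shape of the slide's LeadingKeys policy, and is_allowed evaluates that single Allow statement the way IAM evaluates ForAllValues:StringEquals against dynamodb:LeadingKeys. The role names, the table ARN, the extra write actions granted to the admin role, and the claim values are assumptions; real IAM evaluation also weighs every other attached statement, explicit Deny statements, and the session policy, none of which is modelled here.

```python
# Constructed values standing in for the lab's account, region, and table.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:000000000000:table/Order"

# Actions granted by the slide's read-only policy. The write actions for the
# admin role are an assumption made for this example.
READ_ACTIONS = ["dynamodb:GetItem", "dynamodb:BatchGetItem",
                "dynamodb:Query", "dynamodb:DescribeTable"]
WRITE_ACTIONS = ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"]


def map_role(claims: dict) -> str:
    """Stand-in for the Cognito identity pool's claim-to-role mapping:
    the custom:role claim selects which IAM role's credentials are issued.
    Role names are assumptions."""
    role = claims.get("custom:role")
    if role == "TenantAdmin":
        return "TenantAdminRole"
    if role == "TenantUser":
        return "TenantUserRole"
    raise PermissionError("no role mapping for claims")


def tenant_scoped_policy(role_name: str, tenant_id: str) -> dict:
    """Statement in the shape shown on the slide: allow the role's DynamoDB
    actions on the Order table only for items whose partition key is the
    tenant identifier baked into the role at provisioning time."""
    actions = list(READ_ACTIONS)
    if role_name == "TenantAdminRole":
        actions += WRITE_ACTIONS
    return {
        "Sid": "TenantScopedOrderTable",
        "Effect": "Allow",
        "Action": actions,
        "Resource": [TABLE_ARN],
        "Condition": {
            "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [tenant_id]}
        },
    }


def is_allowed(statement: dict, action: str, resource: str, leading_keys: list) -> bool:
    """Evaluate one Allow statement as IAM does for dynamodb:LeadingKeys.
    `leading_keys` holds every partition-key value the request touches
    (all of them for BatchGetItem). ForAllValues passes when each request
    value is in the policy list, and also when the request carries no key
    values at all, which is what lets DescribeTable through."""
    if action not in statement["Action"] or resource not in statement["Resource"]:
        return False
    cond = statement.get("Condition", {}).get("ForAllValues:StringEquals", {})
    allowed = cond.get("dynamodb:LeadingKeys")
    if allowed is None:
        return True
    return all(key in allowed for key in leading_keys)


def scoped_request(claims: dict, action: str, leading_keys: list) -> bool:
    """Full path from verified ID-token claims to an access decision:
    claims -> role -> tenant-scoped policy -> evaluate the request."""
    role_name = map_role(claims)
    policy = tenant_scoped_policy(role_name, claims["custom:tenantId"])
    return is_allowed(policy, action, TABLE_ARN, leading_keys)
```

A Query or GetItem on the caller's own partition passes, a Query on another tenant's partition fails, and a BatchGetItem that mixes the caller's keys with another tenant's fails as a whole, because ForAllValues requires every key in the request to match. DescribeTable carries no key values and is therefore allowed by the same condition, which is why it can sit in the slide's action list without widening data access.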
AWS Accounts
By engaging in this workshop, you acknowledge that the AWS account used
for ARC327 may be used only for this workshop.
All accounts used during the workshop will be closed immediately at the
conclusion of the workshop.
Any content in this AWS account will not be retrievable by you or any other
workshop participants after the workshop has finished.
Session repeats
Friday, Nov. 30
ARC 327 – Hands-On SaaS: Constructing a Multi-Tenant Solution on AWS
9:15 a.m. – 11:15 a.m. | Mirage, Mirage Event Center C2
Additional SaaS breakouts
Monday, 11/26
ARC324 - Architecting Next Generation Serverless SaaS Solutions on AWS
6:15 p.m. | Venetian, Level 2, Venetian Theater
Tuesday, 11/27
ARC324 - Architecting Next Generation Serverless SaaS Solutions on AWS (Repeat)
4:00 p.m. | Venetian, Level 2, Titian 2204
Wednesday, 11/28
ARC418 Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS
12:15 p.m. | Mirage, Mirage Event Center B
Thursday, 11/29
ARC418 Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (Repeat)
4:00 p.m. | Aria, Aria West, Level 3, Ironwood 5
SaaS chalk talks
Monday, 11/26
ARC216 - SaaS Operations: The Foundation of SaaS Agility
11:30 a.m. – 12:30 p.m. | Venetian, Level 2, Veronese 2406
Tuesday, 11/27
ARC210 - SaaS Jumpstart: A Primer for Launching Your SaaS Journey
9:15 a.m. – 10:15 a.m. | Venetian, Level 4, Lando 4304
Wednesday, 11/28
ARC419 – Optimizing Your SaaS Solutions on AWS
1:00 p.m. – 2:00 p.m. | Venetian, Level 3, Murano 3202
ARC326 - Migrating Single-Tenant Applications to Multi-Tenant SaaS
4:00 p.m. – 5:00 p.m. | Aria West, Level 3, Starvine 7
ARC210 - SaaS Jumpstart: A Primer for Launching Your SaaS Journey
1:45 p.m. – 2:45 p.m. | Aria West, Level 3, Ironwood 8
SaaS chalk talks
Thursday, 11/29
ARC210 - SaaS Jumpstart: A Primer for Launching Your SaaS Journey
1:45 p.m. – 2:45 p.m. | MGM, Level 1, South Concourse 105
Friday, 11/30
ARC326 – Migrating Single-Tenant Applications to Multi-Tenant SaaS
10:00 a.m. – 11:00 a.m. | MGM, Level 1, South Concourse 105
ARC419 – Optimizing Your SaaS Architecture on AWS
1:00 p.m. – 2:00 p.m. | Venetian, Level 3, Murano 3202
Thank you!
Seth Fox
foseth@amazon.com