Reuni Server
Reuni Server is a core in reuni system, this server created following REST API standards. We created the server to handle every business logic and process, and also provide a security system. The server is coded in Golang and created to be stateless and disposable server.
Functionality:
Provide Authentication
Provide Authorization max at Service Level using User-Group Access Control
Provide a CRUD for services, namespaces and configurations
Provide a Agent-sync handler
Authentication
To support statelessness in reuni server, we decided to use JWT as our token-based authentication with RS256 (RSA + SHA256) digital signature algorithm. The token will be saved by user and look like this:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwibmFtZSI6Iktlbm5ldGggSGFsaW0iLCJ1c2VybmFtZSI6ImthbmlzaXVza2VubmV0aCIsImVtYWlsIjoia2VubmV0aEBnby1zcXVhZHMuY29tIiwiaWF0IjoxNTMzMTExNTg5NTUzfQ.F1SUGY85lZhsK4lIFcceecjsRsagiqEiI3joRMNCP8aswvpDTwJ9wSaEyf59r6CO7AwEeW-5ZlwCev8O9NIFAg
And the RSA Key used in our system need to follow PEM format and look like this:
-----BEGIN RSA PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMuMh/1/Qpi2ORGiCG6TLi4kULPU5qkh FQ20hK/77UY8mmpgsntFM/UVc54DvhkrNACjYUjEJUF6pgqdTXORFV8CAwEAAQ==
-----END RSA PUBLIC KEY-----
Authorization
Authorization will check for every service accessed by both user and agent. We authorize user with the user-group that he/she become a part of, basically we use a modified Role-Based Access Control (RBAC). For the agent we authorize it using authorization token which is a random byte stream encoded with base64 that can be copied by user and paste it in reuni agent environment.
Versioning
In our system, configuration that saved are immutable, and to change it the user need to create new version of the configuration. Current versioning method is by using serial number as its identifier that always increment by 1. User cannot rolled back the configuration to specific version, the only way to achieve roll-back is by create new version with the exact same configuration. This are chosen for better accountability and audit trailing.
Audit Trail
Audit trailing supported along with versioning, each configuration version created, we will save who create it to provide better accountability.
Secret Handling
Handling secret are the hardest thing we can think of, we haven't decided yet how to handle secret. Probably the best way is to use Hashicorp Vault to save encryption key.
API Specification
Authentication Middleware
Every user endpoints are guarded by authentication middleware which fetch user token from HTTP Header:
Get Services List
GET reuni-server/services
Create Services
POST reuni-server/services
Request body should be formatted as JSON
Request Body
name
string
The service name
Delete Services
DELETE reuni-server/services/{service_name}
Get Namespaces List
GET reuni-server/services/{service_name}/namespaces
Path Parameters
string
Create Namespace
POST reuni-server/services/namespaces
Request body should be formatted as JSON
Request Body
configurations
object
The version 1 configuration for the namespaces contain list of key value in JSON format
namespace
string
Namespace name
Get Namespaces Latest Version
GET reuni-server/services/{service_name}/{namespace}/latest
Get Namespace Version for Agent
GET reuni-host/services/{service_name}/{namespace}/agent
This method response exactly the same with above, but the authentication skipped and instead to verification to agent token authorization
Get Configuration List
GET reuni-host/services/{service_name}/{namespace}/{version}
Response with list of configuration that are set
Get Configuration List
GET reuni-host/services/{service_name}/{namespace}/{version}/agent
Same as above, but designed for agent
Create new version for the namespace
POST reuni-server/services/{service_name}/{namespace}
Path Parameters
configuration
object
Configuration should contain list of key-value in JSON format
Last updated