Reuni Server
Last updated
Last updated
Reuni Server is a core in reuni system, this server created following REST API standards. We created the server to handle every business logic and process, and also provide a security system. The server is coded in Golang and created to be stateless and disposable server.
Provide Authentication
Provide Authorization max at Service Level using User-Group Access Control
Provide a CRUD for services, namespaces and configurations
Provide a Agent-sync handler
To support statelessness in reuni server, we decided to use as our token-based authentication with RS256 (RSA + SHA256) digital signature algorithm. The token will be saved by user and look like this:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwibmFtZSI6Iktlbm5ldGggSGFsaW0iLCJ1c2VybmFtZSI6ImthbmlzaXVza2VubmV0aCIsImVtYWlsIjoia2VubmV0aEBnby1zcXVhZHMuY29tIiwiaWF0IjoxNTMzMTExNTg5NTUzfQ.F1SUGY85lZhsK4lIFcceecjsRsagiqEiI3joRMNCP8aswvpDTwJ9wSaEyf59r6CO7AwEeW-5ZlwCev8O9NIFAg
And the RSA Key used in our system need to follow PEM format and look like this:
-----BEGIN RSA PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMuMh/1/Qpi2ORGiCG6TLi4kULPU5qkh FQ20hK/77UY8mmpgsntFM/UVc54DvhkrNACjYUjEJUF6pgqdTXORFV8CAwEAAQ==
-----END RSA PUBLIC KEY-----
Authorization will check for every service accessed by both user and agent. We authorize user with the user-group that he/she become a part of, basically we use a modified Role-Based Access Control (RBAC). For the agent we authorize it using authorization token which is a random byte stream encoded with base64 that can be copied by user and paste it in reuni agent environment.
In our system, configuration that saved are immutable, and to change it the user need to create new version of the configuration. Current versioning method is by using serial number as its identifier that always increment by 1. User cannot rolled back the configuration to specific version, the only way to achieve roll-back is by create new version with the exact same configuration. This are chosen for better accountability and audit trailing.
Audit trailing supported along with versioning, each configuration version created, we will save who create it to provide better accountability.
Handling secret are the hardest thing we can think of, we haven't decided yet how to handle secret. Probably the best way is to use Hashicorp Vault to save encryption key.
Every user endpoints are guarded by authentication middleware which fetch user token from HTTP Header:
GET reuni-server/services
POST reuni-server/services
Request body should be formatted as JSON
name
string
The service name
DELETE reuni-server/services/{service_name}
GET reuni-server/services/{service_name}/namespaces
string
POST reuni-server/services/namespaces
Request body should be formatted as JSON
configurations
object
The version 1 configuration for the namespaces contain list of key value in JSON format
namespace
string
Namespace name
GET reuni-server/services/{service_name}/{namespace}/latest
GET reuni-host/services/{service_name}/{namespace}/agent
This method response exactly the same with above, but the authentication skipped and instead to verification to agent token authorization
GET reuni-host/services/{service_name}/{namespace}/{version}
Response with list of configuration that are set
GET reuni-host/services/{service_name}/{namespace}/{version}/agent
Same as above, but designed for agent
POST reuni-server/services/{service_name}/{namespace}
configuration
object
Configuration should contain list of key-value in JSON format