[DRAFT] joola.io workshop - System and Security

Technology

Published on March 8, 2014

Author: itayweinberger

Source: slideshare.net

Description

This workshop focuses on system and security aspects of the joola.io framework.

For a complete breakdown of the Workshop itself, refer to the project's wiki @ http://github.com/joola/joola.io/wiki/workshops

joola.io Workshops: System and Security Workshop
Details and Instructions

About the workshop
- For system and security engineers
- This is a hands-on workshop
- Lab materials are available for this workshop
- This workshop and its materials are available on our GitHub repo

Workshop Goals
- Understand joola.io and all of its components
- Deploy and configure joola.io
- Control and monitor joola.io
- Define workspaces, roles and users
- Monitor security violations

Lab Details
During this workshop we'll be accessing an online lab. Please SSH with the following:

$ ssh workshop@lab-sec.joola.io
Password: password

* Access to the above lab is whitelisted.

Understanding joola.io

What is joola.io?

$ npm install joola.io

- Data Analytics and Visualization Framework
- Scalable to deal with high volumes of data and queries
- Secure and multi-tenant
- Embed and integrate data visualizations into existing sites
- Open Source

Scalability and Availability
- Written in Node.JS
- Uses Redis and MongoDB (by default) as underlying stores
- Masterless node/grid based approach
- Easily scripted using Puppet or Chef for VM deployments

$ node joola.io

A Secure System
- Multi-tenancy
- All actions are executed within a context
- Role based permissions
- Cascading security filters
- Granular permissions on content and data

$ joola.io.cli -e "joolaio.users.list()"

Role Based Permissions
- Roles are mapped to permissions
- Canvases, dimensions and metrics are mapped to roles
- Users are mapped to roles
- Roles can have filters
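The two slides above describe the model (users hold roles, roles hold permissions and optionally a filter, filters cascade). The following is an added example, not joola.io's own code, that implements that model in plain JavaScript so the consequences can be seen on sample data: permissions are the union over a user's roles, while filters are the conjunction, so holding an extra role can widen what a user may do but only narrow what data they see. The role and user names, the `authorize`/`effectiveFilter`/`fetchDocs` functions, the filter operators and the sample documents are assumptions for illustration; only the permission strings are taken from later slides.

```javascript
// Added example, not joola.io's own code: a minimal model of the
// role/permission/filter relationship described on the slide.
// Role and user names, the functions below and the sample documents are
// assumptions for illustration; the permission strings come from later slides.

// Roles map to permissions, and may carry a filter (a data fence).
const roles = {
  beacon: { permissions: ['access_system', 'collections_stats', 'beacon_insert'], filter: [] },
  reader: { permissions: ['access_system', 'query_fetch'], filter: [['tag', 'eq', 'public']] },
  // hypothetical regional role: same rights as reader, fenced to one region
  'reader-eu': { permissions: ['access_system', 'query_fetch'], filter: [['region', 'eq', 'eu']] },
};

// Users map to roles; they never hold permissions directly.
const users = {
  beacon: { _roles: ['beacon'] },
  reader: { _roles: ['reader'] },
  analyst: { _roles: ['reader', 'reader-eu'] },
  nobody: { _roles: [] },
};

// Effective permissions are the union over the user's roles.
function effectivePermissions(username) {
  const perms = new Set();
  const user = users[username];
  if (!user) return perms;
  for (const name of user._roles) {
    const role = roles[name];
    if (!role) continue; // an unknown role grants nothing
    role.permissions.forEach((p) => perms.add(p));
  }
  return perms;
}

// Filters cascade: every filter of every held role applies, so holding an
// additional role can only narrow the data a user sees, never widen it.
function effectiveFilter(username) {
  const user = users[username];
  if (!user) return [];
  return user._roles.flatMap((name) => (roles[name] ? roles[name].filter : []));
}

// Deny by default: allowed only if some held role grants the permission.
function authorize(username, permission) {
  return effectivePermissions(username).has(permission);
}

// A document passes only if it satisfies every filter clause; a document
// that lacks a fenced field fails closed.
function matchesFilter(doc, filter) {
  return filter.every(([field, op, value]) => {
    if (!(field in doc)) return false;
    if (op === 'eq') return doc[field] === value;
    if (op === 'ne') return doc[field] !== value;
    throw new Error('unsupported filter operator: ' + op);
  });
}

// Query path: permission check first, then the cascaded filter.
function fetchDocs(username, docs) {
  if (!authorize(username, 'query_fetch')) {
    throw new Error('query_fetch denied for ' + username);
  }
  const filter = effectiveFilter(username);
  return docs.filter((d) => matchesFilter(d, filter));
}

// Constructed sample documents.
const sampleDocs = [
  { tag: 'public', region: 'eu', value: 1 },
  { tag: 'public', region: 'us', value: 2 },
  { tag: 'private', region: 'eu', value: 3 },
  { region: 'eu', value: 4 }, // no tag field at all
];
```

Running `fetchDocs('reader', sampleDocs)` returns the two public documents, `fetchDocs('analyst', sampleDocs)` only the public EU one, and `fetchDocs('beacon', sampleDocs)` throws, because the beacon role was never granted `query_fetch`. The fail-closed branch in `matchesFilter` is the part worth keeping in mind: a record that simply lacks the fenced field must not leak through a fence.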

Data Integration
- Data is pushed using the REST API
- Multiple data store types are supported
- Pushing is role and permissions based
- Once data is pushed in, it's immediately available
- Guaranteed write operation
- Scalable to support an increase in write ops

Website Integration
- Bundled JavaScript SDK
- Copy-paste visualizations
- Rich documentation and examples
- All API actions are supported by the SDK (the CLI uses the SDK)
- Role and permissions based

Deploy and Configure

Install and Run joola.io
Before installing you need to have node, MongoDB and Redis installed.

$ npm install joola.io -g

To run joola.io:

$ node joola.io

joola.io is now running and available on https://localhost:8080

Connect to joola.io
Connect to joola.io either using the web interface @ https://localhost:8080 or use the CLI:

$ npm install joola.io.cli -g
$ joola.io.cli

The Grid
- joola.io is grid based, each node is part of the hive
- Master-less
- Actions are carried over the grid
- Nothing is committed locally to a single node
- Connect to a single node and you're connected to the entire grid

$ joola.io.cli
joola.io # admin@localhost:8080 > joolaio.system.listnodes();

Configuration
- Base configuration stored at config/baseline.json
- Assumes redis is running on localhost

//get config value
joolaio.config.get('store');
//set config value
joolaio.config.set('store:cache:mongo:host', 'mymongoserver');

Override config settings by:

$ joola.io --store:cache:redis:host myredishost
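The slide shows colon-separated paths being used both programmatically (`config.set('store:cache:mongo:host', ...)`) and as command-line overrides (`--store:cache:redis:host myredishost`). The following is an added example, not joola.io's own code, of how such paths are resolved against a baseline object and how command-line overrides are layered on top without mutating the baseline. The baseline contents, the `--path=value` form, the type coercion and the function names are assumptions. The one security-relevant detail is in `configSet`: a setter that walks a caller-supplied key path and creates intermediate objects is a classic prototype-pollution sink, so key names that would reach `Object.prototype` are refused.

```javascript
// Added example, not joola.io's own code: resolving colon-separated config
// paths against a baseline object and applying command-line overrides.
// The baseline contents, the --path=value form, the type coercion and the
// function names are assumptions.

// Constructed stand-in for config/baseline.json.
const baseline = {
  store: {
    cache: {
      redis: { host: 'localhost', port: 6379 },
      mongo: { host: 'localhost', port: 27017 },
    },
  },
  interfaces: { webserver: { port: 8080, secure: true } },
};

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks the path; returns undefined when any segment is missing.
function configGet(cfg, path) {
  return path.split(':').reduce((node, key) => (node == null ? undefined : node[key]), cfg);
}

// Sets a nested value, creating intermediate objects. Key names that would
// reach Object.prototype are refused: paths arrive from the command line or
// the environment, and a setter like this is a prototype-pollution sink.
function configSet(cfg, path, value) {
  const keys = path.split(':');
  if (keys.some((k) => k === '' || FORBIDDEN_KEYS.has(k))) {
    throw new Error('refusing to set config path: ' + path);
  }
  let node = cfg;
  for (const k of keys.slice(0, -1)) {
    if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return cfg;
}

// Keeps numbers and booleans typed so that '--port 9443' does not turn a
// numeric setting into the string '9443'.
function coerce(raw) {
  if (/^-?\d+$/.test(raw)) return Number(raw);
  if (raw === 'true' || raw === 'false') return raw === 'true';
  return raw;
}

// Returns a new config: the baseline with each "--path value" or
// "--path=value" override applied in order.
function applyArgOverrides(cfg, argv) {
  const out = JSON.parse(JSON.stringify(cfg)); // never mutate the baseline
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    let path;
    let raw;
    const eq = arg.indexOf('=');
    if (eq !== -1) {
      path = arg.slice(2, eq);
      raw = arg.slice(eq + 1);
    } else {
      path = arg.slice(2);
      raw = argv[++i];
    }
    if (raw === undefined || raw.startsWith('--')) {
      throw new Error('missing value for --' + path);
    }
    configSet(out, path, coerce(raw));
  }
  return out;
}
```

With `applyArgOverrides(baseline, ['--store:cache:redis:host', 'myredishost'])` the returned config points Redis at `myredishost` while `baseline` is untouched; an argument such as `--__proto__:polluted yes` is rejected rather than silently written onto every object in the process.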

Authentication

Security Context
- Built-in authentication store or Single Sign On (SSO)
- Supports username/password and/or API tokens
- Each request is validated for permissions
- Content endpoints validate content permissions
- Dispatched messages contain the security context

Authentication Methods

//using APIToken
joolaio.init({APIToken: 'apitoken'});

//using username/password
joolaio.users.authenticate('workspace', 'user', 'password', function(err, user) {
  if (err) throw err;
  console.log(user);
});

//server-side
joolaio.users.authenticate('workspace', 'user', 'password', function(err, user) {
  if (err) throw err;
  console.log('pass this to client as _token', user.token);
});
//client-side
joolaio.init({token: _token});

Single Sign On
Use the API to generate a security context and token, then pass the generated token to the SDK.

//server-side
var user = {
  username: 'user',
  name: 'Display Name',
  _roles: ['user'],
  _filter: ['tag', 'eq', 'tagvalue']
};
joolaio.users.generateToken('workspace', user, function(err, token) {
  if (err) throw err;
  //pass token._ down to the SDK
});
//client-side
joolaio.init({token: _token});

Control and Monitor

Controlling joola.io

Starting/Stopping:
$ joola.io                                                # start
$ joola.io.cli -e "joolaio.system.terminate('nodeuid')"   # stop a node

Stop Grid:
$ joola.io.cli -e "joolaio.system.shutdown()"

Status Report:
$ joola.io.cli -e "joolaio.system.nodelist()"

Daemonizing (PM2)
- We use PM2 for daemonizing node.js processes
- Comes with a full suite of tools and monitors
- Uses all available cores, allowing vertical scaling

$ npm install -g pm2
$ pm2 start joola.io -i max

This will start joola.io on all available cores.

Logging
Each node has three logging channels: local fs, MongoDB (by default) and an in-memory ring-buffer.
- For node specific logs, use `pm2 logs` on the node machine or review the local fs.
- For a centralized log, use the web interface or the CLI:

$ joola.io.cli -e "joolaio.logger.fetch()"

This will print out the last 1,000 logged events.

Health Monitor
- Done by sampling API endpoints
- Dedicated endpoints for system/node status
- A simple Nagios service definition for checking general health:

define service {
  use                      generic-service
  host_name                host.name.com
  service_description      HTTP
  check_command            check_http!--port=8080
  check_interval           1
  max_check_attempts       3
  first_notification_delay 0
  notifications_enabled    1
}

Workspaces, Roles and Users

Multi-Tenancy
Secure access with data fencing

[workspaces]
|--[root workspace]
|--[custom workspace]
   |--[roles]
   |--[users]
   |--[collections]
   |--[dimensions]
   |--[metrics]
   |--[canvases]
   |--[reports]
   |--[dashboards]
|--[custom2 workspace]

Add a Workspace
The workspace is the top-level entity.

var workspace = {
  id: 'sampleWorkspace',
  name: 'This is a sample workspace'
};
joolaio.workspaces.add(workspace, function(err, result) {
  console.log(result);
});

Now that we have a workspace, we can create roles and users.

Add a Beacon Role & User
The Beacon user will push data into joola.io.

var role = {
  name: 'beacon',
  permissions: ['access_system', 'collections_stats', 'beacon_insert']
};
var user = {
  username: 'beacon',
  _password: 'beacon',
  _roles: ['beacon'],
  workspace: 'sampleWorkspace',
  APIToken: 'apitoken-beacon'
};
joolaio.roles.add('sampleWorkspace', role);
joolaio.users.add('sampleWorkspace', user);

Add a Reader Role and User
The Reader user will query and visualize data.

var role = {
  name: 'reader',
  permissions: ['access_system', 'query_fetch']
};
var user = {
  username: 'reader',
  _password: 'reader',
  _roles: ['reader'],
  workspace: 'sampleWorkspace',
  APIToken: 'apitoken-reader'
};
joolaio.roles.add('sampleWorkspace', role);
joolaio.users.add('sampleWorkspace', user);

The passwords and API tokens in these two slides are workshop samples. Since an API token on its own authenticates a request (see the Authentication Methods slide), a real deployment should assign randomly generated tokens rather than guessable ones like these.

Push Some Data
Switch to the Beacon user and push data:

joolaio.set('APIToken', 'apitoken-beacon');
var doc = {
  timestamp: new Date(),
  machine: {
    hostname: 'myhost',
    os: 'centos 6.5',
    uptime: 123
  },
  open_files: 123,
  no_of_logged_in_users: 1   // value missing on the original slide; 1 is a placeholder
};
joolaio.beacon.insert('sampleCollection', doc);
joolaio.collections.stats('sampleCollection');

Security Alerts and Events

Event Screening
We screen logs for relevant events using the CLI:

$ joola.io.cli -e "joolaio.logger.fetch({category:'security'})"
{
  time: '2014-03-04T19:05:42.605Z',
  msg: 'Token [fFlzoNklT] is valid for user [root].',
  hostname: 'lab01',
  pid: 922,
  level: 20,
  category: 'security',
  req: {
    start_ts: '2014-03-04T19:05:42.590Z',
    remoteaddr: '127.0.0.1',
    params: {
      resource: 'users',
      action: 'verifyAPIToken',
      APIToken: 'apitoken-root'
    },
    url: 'api/users/verifyAPIToken',
    headers: { 'joolaio-apitoken': 'apitoken-root' }
  }
}

Note that the record carries the API token in clear, both in params and in the request headers, so the security log is itself credential material: restrict who can read it, and strip these fields before shipping it to a central log or alerting system.

Security Alerts

$ joola.io.cli -e "joolaio.alerts.add({
  key: 'failed_login',
  endpoint: { type: 'email', target: 'alerts@joo.la' },
  query: {
    timeframe: 'last_minute',
    dimensions: ['username', 'password', 'token', 'APIToken', 'remoteaddr'],
    metrics: ['failed_logins'],
    filter: [['event', 'eq', 'failed_login']]
  }
});"

As written, the alert breaks failed logins down by password, token and APIToken as well as by username and remoteaddr, so the e-mail would carry the credential values that were attempted. Username and remoteaddr are normally enough to triage a failed-login burst; the credential dimensions are better left out of anything delivered over e-mail.
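The two slides above describe the detection: fetch security-category events, filter on `event = failed_login`, count them per source over the last minute, and send an alert. The following is an added example, not joola.io's own code, that runs that logic over a constructed log, raises an alert once a source crosses a threshold, and redacts credential fields from the evidence attached to the alert, which addresses the point made above about password and token values in alert mail. The sample events are constructed to resemble the record shape shown on the Event Screening slide; the `event` field on each record, the `SECRET_FIELDS` list, the threshold of five, the `failedLogin` constructor and the function names are assumptions.

```javascript
// Added example, not joola.io's own code: failed-login screening with
// per-address counting, thresholded alerting and credential redaction.
// The sample events are constructed; the `event` field, the field list,
// the threshold and the function names are assumptions.

const SECRET_FIELDS = new Set([
  'password', '_password', 'token', 'APIToken', 'apitoken', 'joolaio-apitoken', 'authorization',
]);

// Deep copy with every credential-bearing field masked.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_FIELDS.has(k) ? '[REDACTED]' : redact(v);
    }
    return out;
  }
  return value;
}

// True for failed-login security events inside (nowMs - windowMs, nowMs].
function isFailedLoginInWindow(e, nowMs, windowMs) {
  if (e.category !== 'security' || e.event !== 'failed_login') return false;
  const t = Date.parse(e.time);
  return !Number.isNaN(t) && t > nowMs - windowMs && t <= nowMs;
}

// Failed logins per remote address; an event without one is grouped as 'unknown'.
function failedLoginsByAddr(events, nowMs, windowMs = 60 * 1000) {
  const counts = new Map();
  for (const e of events) {
    if (!isFailedLoginInWindow(e, nowMs, windowMs)) continue;
    const addr = (e.req && e.req.remoteaddr) || 'unknown';
    counts.set(addr, (counts.get(addr) || 0) + 1);
  }
  return counts;
}

// One alert per address at or over threshold, carrying only redacted evidence.
function screen(events, nowMs, threshold = 5, windowMs = 60 * 1000) {
  const counts = failedLoginsByAddr(events, nowMs, windowMs);
  const alerts = [];
  for (const [addr, count] of counts) {
    if (count < threshold) continue;
    const evidence = events
      .filter((e) => isFailedLoginInWindow(e, nowMs, windowMs) && e.req && e.req.remoteaddr === addr)
      .map(redact);
    alerts.push({ key: 'failed_login', remoteaddr: addr, count, evidence });
  }
  return alerts;
}

// Constructs one failed-login record in the shape of the log above.
function failedLogin(time, remoteaddr, username, password) {
  return {
    time, msg: 'Authentication failed for user [' + username + '].',
    hostname: 'lab01', pid: 922, level: 40, category: 'security', event: 'failed_login',
    req: { remoteaddr, params: { resource: 'users', action: 'authenticate', username, password },
           url: 'api/users/authenticate', headers: {} },
  };
}

// Constructed sample log: one valid-token event, one stale failure, then a
// burst from 10.0.0.7 and two stray failures from 192.168.1.5.
const sampleEvents = [
  { time: '2014-03-04T19:05:42.605Z', msg: 'Token [abc123] is valid for user [root].', hostname: 'lab01',
    pid: 922, level: 20, category: 'security', event: 'token_valid',
    req: { remoteaddr: '127.0.0.1', params: { resource: 'users', action: 'verifyAPIToken', APIToken: 'apitoken-root' },
           url: 'api/users/verifyAPIToken', headers: { 'joolaio-apitoken': 'apitoken-root' } } },
  failedLogin('2014-03-04T19:04:30.000Z', '10.0.0.7', 'root', 'hunter1'), // outside the window
  failedLogin('2014-03-04T19:05:05.000Z', '10.0.0.7', 'root', 'hunter2'),
  failedLogin('2014-03-04T19:05:15.000Z', '10.0.0.7', 'root', 'hunter3'),
  failedLogin('2014-03-04T19:05:25.000Z', '10.0.0.7', 'admin', 'hunter4'),
  failedLogin('2014-03-04T19:05:35.000Z', '10.0.0.7', 'admin', 'hunter5'),
  failedLogin('2014-03-04T19:05:45.000Z', '10.0.0.7', 'beacon', 'hunter6'),
  failedLogin('2014-03-04T19:05:50.000Z', '192.168.1.5', 'reader', 'raeder'),
  failedLogin('2014-03-04T19:05:55.000Z', '192.168.1.5', 'reader', 'reader1'),
];

// Evaluation time for the sample: one minute after the first in-window failure.
const SAMPLE_NOW = Date.parse('2014-03-04T19:06:00.000Z');
```

`screen(sampleEvents, SAMPLE_NOW)` yields a single alert for 10.0.0.7 with a count of 5 (the 19:04:30 failure falls outside the last-minute window, and the two from 192.168.1.5 stay under threshold); every `password` and `APIToken` value in the attached evidence reads `[REDACTED]`, while `username` and `remoteaddr`, the fields needed for triage, are kept.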
