
User & Device Identity For Microservices @ Netflix Scale - PowerPoint PPT Presentation

User & Device Identity for Microservices @ Netflix Scale. Satyajit Thadeshwar, QCon San Francisco 2019. Opening slide: "Logged out? #$%&!"


  1-2. [Architecture diagram] Request path from left to right: EDGE, ORIGINS, MID-TIER SERVICES (Netflix Microservices).
     - Edge: Zuul, with the Edge Authentication Services (EAS) next to it: Device Auth Service, Cookie Service, MSL Service, Partner Service, Legacy auth service.
     - Origins: API, NodeJS, Signup Flow service.
     - Mid-tier services: subscriber service, Lolomo / Search, Discovery Services, DRM, Playback, other services.
     Slide 2 is the same diagram with the EDGE AUTHENTICATION SERVICES group called out.

  3. [Edge token flow] For about 95% of requests the token Zuul receives is valid and not expired, so identity is resolved at the edge without any EAS call. The remaining ~5% need an EAS call: token renewal, device auth or key exchange (Cookie Service, MSL Service, Partner Service).
  4. Token valid but expired: Zuul makes a renewal call to EAS (Cookie Service).
  5. Token valid but expired, and the renewal call fails.
  6. Because the token is still valid, the identity is resolved anyway and the request proceeds; the renewal call is rescheduled.
  7. The rescheduled renewal call runs later; the Cookie Service returns the "rescheduled cookie", which Zuul sends back to the device.
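The edge flow on slides 3-7, written out as an added example (this is not Zuul or Netflix code, and the token layout, the grace window, the retry back-off and the Cookie Service stub are assumptions made for the demo). The point it shows is the ordering: resolve identity from the token first, call EAS only for the valid-but-expired case, and keep serving the request when that renewal call fails while rescheduling the renewal instead of failing the user.

```python
"""Edge token handling (slides 3-7): a Zuul-style filter that resolves identity
from a cookie token, calls the Cookie Service only when the token is valid but
expired, and keeps serving the request when that renewal call fails.

Added example, not Netflix/Zuul code. The token layout, the grace window, the
retry back-off and the Cookie Service stub are assumptions made for the demo."""
from dataclasses import dataclass, replace
from enum import Enum, auto
from typing import Callable, Optional


@dataclass(frozen=True)
class CookieToken:
    customer_id: int
    esn: str
    expires_at: int      # unix seconds
    signature_ok: bool   # stands in for the token's real integrity check


class Outcome(Enum):
    PASS_THROUGH = auto()       # valid, not expired: no EAS call (the ~95% path)
    RENEWED = auto()            # valid but expired: renewal succeeded, new cookie to set
    RENEWAL_DEFERRED = auto()   # renewal failed or backed off: identity still resolved
    NEEDS_DEVICE_AUTH = auto()  # no usable token: device auth / key exchange path


class RenewalError(Exception):
    """Raised by the Cookie Service when it cannot renew right now."""


class EdgeAuthFilter:
    GRACE = 7 * 24 * 3600   # assumed: how long an expired-but-valid token is still honoured
    BACKOFF = 60            # assumed: seconds before retrying a failed renewal for one device

    def __init__(self, renew: Callable[[CookieToken, int], CookieToken]):
        self.renew = renew                       # the EAS Cookie Service renewal call
        self.retry_after: dict[str, int] = {}    # esn -> earliest time of the next attempt

    def handle(self, token: Optional[CookieToken], now: int):
        """Return (outcome, resolved identity or None, new cookie or None)."""
        if token is None or not token.signature_ok:
            return Outcome.NEEDS_DEVICE_AUTH, None, None
        if now >= token.expires_at + self.GRACE:
            return Outcome.NEEDS_DEVICE_AUTH, None, None   # too stale: "expired" must not mean forever
        identity = {"customer_id": token.customer_id, "esn": token.esn}
        if now < token.expires_at:
            return Outcome.PASS_THROUGH, identity, None
        if now < self.retry_after.get(token.esn, 0):
            return Outcome.RENEWAL_DEFERRED, identity, None  # rescheduled earlier; don't hammer EAS
        try:
            fresh = self.renew(token, now)
        except RenewalError:
            self.retry_after[token.esn] = now + self.BACKOFF  # reschedule, but still serve the request
            return Outcome.RENEWAL_DEFERRED, identity, None
        self.retry_after.pop(token.esn, None)
        return Outcome.RENEWED, identity, fresh


class CookieServiceStub:
    """Constructed stand-in for the EAS Cookie Service; flip `available` to simulate an outage."""
    TTL = 24 * 3600

    def __init__(self):
        self.available = True

    def renew(self, token: CookieToken, now: int) -> CookieToken:
        if not self.available:
            raise RenewalError("cookie service unavailable")
        return replace(token, expires_at=now + self.TTL)


def demo() -> list:
    """Walk one device through the slide sequence; returns the outcome of each request."""
    svc, t0 = CookieServiceStub(), 1_700_000_000
    edge = EdgeAuthFilter(svc.renew)
    tok = CookieToken(2123125603, "LGTV20165-193456G568", expires_at=t0 + 3600, signature_ok=True)
    outcomes = [edge.handle(tok, t0)[0]]                       # slide 3: valid, not expired
    svc.available = False
    outcomes.append(edge.handle(tok, t0 + 7200)[0])            # slide 5: expired, renewal fails
    outcomes.append(edge.handle(tok, t0 + 7210)[0])            # slide 6: still served, renewal rescheduled
    svc.available = True
    outcome, _, fresh = edge.handle(tok, t0 + 7300)            # slide 7: rescheduled renewal succeeds
    outcomes.append(outcome)
    outcomes.append(edge.handle(fresh, t0 + 7300)[0])          # the new cookie passes through
    outcomes.append(edge.handle(replace(tok, signature_ok=False), t0)[0])   # bad token: device auth
    outcomes.append(edge.handle(tok, t0 + 3600 + edge.GRACE)[0])            # past grace: device auth
    return outcomes
```

Two caveats a reviewer would raise on the real thing are built in here: a valid-but-expired token is only honoured inside a bounded grace window, and a failed renewal is not retried on every request for that device, so an outage of the Cookie Service degrades to "serve with the old identity" rather than a thundering herd of renewal calls.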

  8-9. [Architecture diagram from slides 1-2, repeated with the EDGE AUTHENTICATION SERVICES highlighted.]

  10-15. Passport
     - Identity structure created at the edge for each request
     - Contains user & device identity
     - Internal to Netflix ecosystem
     - Integrity protected by HMAC
     - Protobuf format

  16-24. Passport (protobuf definition, assembled from slides 16-24)

       message Passport {
         Header header = 1;
         UserInfo user_info = 2;
         DeviceInfo device_info = 3;
         Integrity user_integrity = 4;
         Integrity device_integrity = 5;
       }

       message Header {
         string originator = 1;
       }

       message UserInfo {
         Source source = 1;
         AuthenticationLevel auth_level = 2;
         Int64Wrapper customer_id = 3;
         Int64Wrapper account_owner_id = 4;
         repeated UserAction actions = 6;   // field number as shown on slide 29
       }

       message DeviceInfo {
         Source source = 1;
         AuthenticationLevel auth_level = 2;
         StringValue esn = 3;
         Int32Value device_type = 4;
         repeated DeviceAction actions = 5;
       }

       enum Source {
         COOKIE = 1;
         MSL = 2;
         PARTNER_TOKEN = 3;
         CTICKET = 4;
       }

       enum AuthenticationLevel {
         LOW = 1;      // untrusted transport
         HIGH = 2;     // secure tokens over TLS
         HIGHEST = 3;  // MSL or user credentials
       }

       message Integrity {
         string key_name = 1;
         bytes hmac = 2;
       }

     The user and device halves carry separate Integrity messages (user_integrity, device_integrity), so each half can be verified on its own, and key_name tells the verifier which HMAC key was used.

  25-27. Passport Introspector
     - Wrapper over passport binary data:

       public interface PassportIntrospector {
         Long getCustomerId();
         Long getAccountOwnerId();
         String getEsn();
         String getPassportAsString();
         ...
       }

     - Consumers create a PassportIntrospector from the binary passport data:

       PassportIntrospector passportIntrospector = factory.createIntrospector(passport);
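An added example of the Passport structure and introspector from slides 16-27 (this is not Netflix's code; the field numbers follow the slides, but the wire encoding is hand-rolled so it runs without the protobuf package, the wrapper types are flattened to scalars, and the key name and secret are made up). It shows what "integrity protected by HMAC" buys a downstream service: the introspector refuses to expose any field until both the user and device HMACs verify, so a forged user section with a reused MAC is rejected.

```python
"""Passport-style identity (slides 16-27): user and device sections in protobuf
wire format, each integrity-protected by its own keyed HMAC (key_name + hmac),
and an introspector that verifies both MACs before exposing any field.
Added example, not Netflix code; wire encoding hand-rolled, wrapper types flattened,
key name/secret made up."""
import hashlib
import hmac
from enum import IntEnum

Source = IntEnum("Source", {"COOKIE": 1, "MSL": 2, "PARTNER_TOKEN": 3, "CTICKET": 4})

class AuthenticationLevel(IntEnum):
    LOW = 1       # untrusted transport
    HIGH = 2      # secure tokens over TLS
    HIGHEST = 3   # MSL or user credentials

# Minimal protobuf wire format: wire type 0 (varint) and 2 (length-delimited).
def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def _read_varint(buf: bytes, i: int):
    val = shift = 0
    while True:
        b, i = buf[i], i + 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, i
        shift += 7

def _fv(num: int, value: int) -> bytes: return _varint(num << 3) + _varint(value)
def _fb(num: int, value: bytes) -> bytes: return _varint(num << 3 | 2) + _varint(len(value)) + value

def _decode(buf: bytes) -> dict:
    fields, i = {}, 0        # field number -> int (wire type 0) or bytes (wire type 2)
    while i < len(buf):
        tag, i = _read_varint(buf, i)
        num, wtype = tag >> 3, tag & 7
        if wtype == 0:
            fields[num], i = _read_varint(buf, i)
        elif wtype == 2:
            ln, i = _read_varint(buf, i)
            fields[num], i = buf[i:i + ln], i + ln
        else:
            raise ValueError(f"unsupported wire type {wtype}")
    return fields

def user_info(source, level, customer_id, account_owner_id) -> bytes:      # UserInfo fields 1-4
    return _fv(1, source) + _fv(2, level) + _fv(3, customer_id) + _fv(4, account_owner_id)

def device_info(source, level, esn: str, device_type: int) -> bytes:       # DeviceInfo fields 1-4
    return _fv(1, source) + _fv(2, level) + _fb(3, esn.encode()) + _fv(4, device_type)

def build_passport(keys: dict, key_name: str, originator: str, user: bytes, device: bytes) -> bytes:
    """Edge side: MAC each section separately; key_name lets verifiers pick the right key."""
    def integrity(section: bytes) -> bytes:                                 # message Integrity
        mac = hmac.new(keys[key_name], section, hashlib.sha256).digest()
        return _fb(1, key_name.encode()) + _fb(2, mac)
    return (_fb(1, _fb(1, originator.encode())) + _fb(2, user) + _fb(3, device)
            + _fb(4, integrity(user)) + _fb(5, integrity(device)))

class PassportIntrospector:
    """Wrapper over the binary passport; raises rather than expose unverified data."""
    def __init__(self, keys: dict, passport: bytes):
        top = _decode(passport)
        self._user = self._verified(keys, top[2], top[4], "user_integrity")
        self._device = self._verified(keys, top[3], top[5], "device_integrity")

    @staticmethod
    def _verified(keys: dict, section: bytes, integrity: bytes, what: str) -> dict:
        integ = _decode(integrity)
        key = keys.get(integ[1].decode())
        if key is None:
            raise ValueError(f"{what}: unknown key_name")
        if not hmac.compare_digest(hmac.new(key, section, hashlib.sha256).digest(), integ[2]):
            raise ValueError(f"{what}: HMAC mismatch")
        return _decode(section)

    def get_customer_id(self) -> int: return self._user[3]
    def get_account_owner_id(self) -> int: return self._user[4]
    def get_esn(self) -> str: return self._device[3].decode()
    def user_auth_level(self) -> AuthenticationLevel: return AuthenticationLevel(self._user[2])

KEYS = {"edge-hmac-2019-11": b"constructed demo secret, not a real key"}    # key_name -> secret

def demo() -> dict:
    user = user_info(Source.COOKIE, AuthenticationLevel.HIGH, 2123125603, 2123125603)
    device = device_info(Source.COOKIE, AuthenticationLevel.HIGH, "LGTV20165-193456G568", 1425)
    pp = build_passport(KEYS, "edge-hmac-2019-11", "zuul", user, device)
    intro = PassportIntrospector(KEYS, pp)
    # Forgery attempt: swap in a same-length user section for another customer, keep the old MAC.
    forged = pp.replace(user, user_info(Source.COOKIE, AuthenticationLevel.HIGH, 2123125604, 2123125603))
    try:
        PassportIntrospector(KEYS, forged)
        rejected = False
    except ValueError as err:
        rejected = "HMAC mismatch" in str(err)
    return {"customer_id": intro.get_customer_id(), "esn": intro.get_esn(),
            "level": intro.user_auth_level().name, "forgery_rejected": rejected}
```

A downstream service that needs an authorization decision can read `user_auth_level()` from the verified introspector instead of re-examining the original cookie or MSL token, which is the "simplified authorization" point made later in the deck.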

  28. Tooling: self-service tool for teams to decrypt a passport.

  29-31. Passport Actions

       message UserInfo {
         repeated UserAction actions = 6;
         ...
       }
       message DeviceInfo {
         repeated DeviceAction actions = 5;
         ...
       }

     - An explicit signal sent by the downstream services when an update to user or device identity has been performed
     - This "signal" is used by EAS to either create or update the corresponding type of token

  32-38. Passport Action: User Login (sequence built up across the slides)
     - The device (ESN: LGTV20165-193456G568) posts the credentials (Email: jsmith@gmail.com, Password: ********) to /login.
     - EDGE: Zuul forwards the request to the ORIGIN (API), which is device bound.
     - MID-TIER SERVICES: the API calls the auth service (Netflix Microservices); the auth service returns success.
     - The API records the "user login" action in the passport, which travels back to the edge with the response.
     - EAS (Cookie Service) acts on the "user login" action and creates the token; Zuul returns it to the device via Set-Cookie.

  39-41. Passport Action: Profile Switch
     - Each profile has its own identity
     - Switched profile tokens sent back to the device
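The action mechanism of slides 29-41, the user login and profile switch flows included, as an added example (not Netflix's code; the UserAction names, the cookie name, the opaque server-side token store and the account/profile data are all assumptions made for the demo). The origin mutates the user identity and appends an action; EAS at the edge consumes the actions, mints or updates the device-bound cookie, and Zuul returns it via Set-Cookie. A later request resolved from that cookie comes back at auth level HIGH, not the HIGHEST the credential login had, matching the AuthenticationLevel comments on slide 23.

```python
"""Passport actions (slides 29-41): a downstream service that changes the user
identity appends an action to the passport; EAS at the edge turns each action
into token work (create/update the cookie) that Zuul returns via Set-Cookie.

Added example, not Netflix code. The UserAction names, the cookie name, the
opaque server-side token store and the account/profile data are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class UserAction(Enum):     # the slides show the list, not its values: names assumed
    USER_LOGIN = auto()
    PROFILE_SWITCH = auto()


@dataclass
class UserInfo:
    source: str = "NONE"
    auth_level: str = "LOW"
    customer_id: Optional[int] = None         # identity of the active profile
    account_owner_id: Optional[int] = None
    actions: list = field(default_factory=list)   # repeated UserAction actions = 6


@dataclass
class Passport:
    esn: str                                  # device identity, reduced to the ESN here
    user_info: UserInfo = field(default_factory=UserInfo)


def _pw_hash(pw: str) -> str:                 # demo only; use a real password KDF in practice
    return hashlib.sha256(pw.encode()).hexdigest()

ACCOUNTS = {"jsmith@gmail.com": {"owner": 2123125603, "pw": _pw_hash("correct horse battery"),
                                  "profiles": {2123125603, 2123125604}}}      # constructed data
PROFILES_OF = {a["owner"]: a["profiles"] for a in ACCOUNTS.values()}
COOKIE_STORE: dict = {}                       # cookie value -> (customer_id, owner_id, esn)


# Origin / mid-tier side: change the identity, then record what changed.
def api_login(pp: Passport, email: str, password: str) -> bool:
    """/login: verify credentials; on success replace the user identity and signal USER_LOGIN."""
    acct = ACCOUNTS.get(email)
    if acct is None or not hmac.compare_digest(acct["pw"], _pw_hash(password)):
        return False
    pp.user_info = UserInfo("CREDENTIALS", "HIGHEST", acct["owner"], acct["owner"],
                            [UserAction.USER_LOGIN])
    return True

def api_profile_switch(pp: Passport, profile_id: int) -> bool:
    """Each profile has its own identity; only profiles of the logged-in account are allowed."""
    owner = pp.user_info.account_owner_id
    if owner is None or profile_id not in PROFILES_OF.get(owner, ()):
        return False
    pp.user_info.customer_id = profile_id
    pp.user_info.actions.append(UserAction.PROFILE_SWITCH)
    return True


# Edge side (EAS Cookie Service behind Zuul): act on the recorded actions.
def eas_process_actions(pp: Passport) -> dict:
    """Create/update the device-bound cookie for each action; return headers for the response."""
    headers = {}
    for action in pp.user_info.actions:
        if action in (UserAction.USER_LOGIN, UserAction.PROFILE_SWITCH):
            value = secrets.token_urlsafe(24)
            COOKIE_STORE[value] = (pp.user_info.customer_id, pp.user_info.account_owner_id, pp.esn)
            headers["Set-Cookie"] = f"nf_session={value}; Secure; HttpOnly; SameSite=Lax"
    pp.user_info.actions.clear()              # consumed: don't mint again on the next hop
    return headers

def eas_resolve(cookie_header: str, esn: str) -> Optional[Passport]:
    """Next request: resolve identity from the Cookie header; a cookie replayed from a
    different ESN resolves to nothing because the token is bound to the device."""
    cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    entry = COOKIE_STORE.get(cookies.get("nf_session", ""))
    if entry is None or entry[2] != esn:
        return None
    return Passport(esn, UserInfo("COOKIE", "HIGH", entry[0], entry[1]))


def demo() -> dict:
    esn = "LGTV20165-193456G568"
    pp = Passport(esn)
    if not api_login(pp, "jsmith@gmail.com", "correct horse battery"):
        raise RuntimeError("login failed")
    login_level = pp.user_info.auth_level                         # HIGHEST: user credentials
    cookie = eas_process_actions(pp)["Set-Cookie"].split(";")[0]  # what the device sends back
    pp2 = eas_resolve(cookie, esn)                                # HIGH: secure token over TLS
    api_profile_switch(pp2, 2123125604)
    cookie2 = eas_process_actions(pp2)["Set-Cookie"].split(";")[0]
    pp3 = eas_resolve(cookie2, esn)
    return {"login_level": login_level, "cookie_level": pp2.user_info.auth_level,
            "switched_profile": pp3.user_info.customer_id,
            "replay_from_other_device": eas_resolve(cookie2, "NFXBOX-0000") is None,
            "bad_password": api_login(Passport(esn), "jsmith@gmail.com", "wrong"),
            "foreign_profile": api_profile_switch(pp3, 999)}
```

Note the separation of concerns the slides claim: the origin never touches cookie formats or key material, it only states what it changed; the edge never re-runs authentication logic, it only reacts to actions. The profile check in `api_profile_switch` matters because a switched-profile token is minted for whatever customer_id the origin put in the passport.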

  42. Passport Actions: separation of concerns, increased visibility.

  43. What we did
     - Moved authentication to the edge
     - Streamlined the identity resolution and mutation path
     - Made consumption of user & device identity efficient, secure & simple

  44. Wins

  45. Token Agnostic Identity: downstream systems don't have to worry about authentication concerns.

  46. Simplified Authorization: downstream services use the authentication level for authorization decisions.

  47. Simplified Authorization. Before:

       long customerId = 2123125603L;
       String ESN = "NFXBOX-235F … ";

  48. Extensible Identity Model: new attributes about the user or device can be added.

  49. Local cache for up-to-date subscriber data

       message UserInfo {
         BytesValue subscriber_account ...   // placeholder for a local cache of subscriber data
       }

  50. Offloaded & Fine Tuned
     - Offloaded token processing, which resulted in significant gains for CPU, request latency, GC and cluster footprint
     - We were able to fine-tune the EAS systems based on the token processing profile
