20th of February, 2022:
I have published a version of this article adapted for Keycloak 17: Keycloak 17.0.0 with TLS in Docker compose behind Envoy proxy.
The 24 hours of Nürburgring race was just red flagged for the remainder of the night due to the fog.
While building a couple of browser based prototypes, I’ve hit an interesting problem. Basically, I am trying to replicate a full remote setup with a reverse proxy and TLS SNI while running everything on localhost. Getting the DNS functioning is pretty easy—I just add the required hosts to the /etc/hosts file and I’m done with it.
Oh boy, 20 years of software engineering definitely makes you tune your BS radar when reading claims about how awesome and mature a relatively new technology is. Every new project claims to solve all the problems for the current itch on hand. Do you know that feeling?
S3, Azure Blob, Google Storage and Minio, they’re all a K/V storage at the core. Yes, of course, they provide much, much more functionality beyond that but—at the core—object storage systems, S3, GCS, Minio and the likes, are K/V stores.
Each one provides an HTTP interface.
I must admit—I struggled understanding Oathkeeper. Looking back, I think the reason was, I compared it one for one to things like Traefik or Envoy. Turns out, Oathkeeper does not necessarily intend to replace a reverse proxy, although many people probably use it as such.
There was an interesting question coming up related to the previous article on RBAC with Ory Keto.
The question was:
how do I list the roles of a user
At the end of the previous article, the solution allowed finding out if the user is allowed to access the resources.
Role-based Access Control is an access control method whereby the entity roles define the level of access. Usually when talking about RBAC, the entity is a person and the object is a resource or a task (function) granted to a person. The usual example goes like this:
Software almost never runs in isolation. Today’s systems integrate with a vast number of external services. Ensuring reliability is difficult because the external dependencies, be it a database or an authentication system, add an element of unpredictability which is difficult to emulate in isolation.
Some two months ago, when I started the Firecracker journey, I set myself a goal to run an etcd cluster in Firecracker microVMs. Many lines of code later, after tackling the problem the hard way, there’s an outcome.
Okay, it’s not etcd but rather HashiCorp Consul.
Permissions management is an interesting topic. Modern applications are often complex beasts. It doesn’t take much time to hit the point where certain functionality must be allowed only to the selected users or access to a resource should be granted only under certain conditions.