Product Version

Quickstart

Time: 15 minutes

Learning objectives

  • Prerequisites, Download, and run Tribestream API Gateway (TAG)

  • Run and secure your first microservice with Authentication and Authorization

Prerequisites

Architectural Diagram

architectual diagram

During this guide we are going to learn how to secure a microservice with authentication and authorization using the Tribestream API Gateway. In the diagram the main actors are:

  • A Client who want’s to consume a REST endpoint to list the movies catalog from the cinema corporation.

  • Tribestream API server who is securing the movie microservice with Authentication and Authorization.

  • A movie microservice that contains the list of available movies in it’s database.

Run the demo Microservices

The following diagrams shows a client who obtain a list of movies form the microservice by executing a request to the movie-api/api/movies endpoint. Notice that at this point all the communication is done without security.

movie endpoint diagram

In order to run our demo microservice we need to open a terminal and execute the following command:

docker run -it -p 9090:9090 --name movie-api  tomitribedev/movie-api

The movie microservice is ready when you see the following message on the log:

> [email protected] start /usr/src/app
> node server.js
Running on http://0.0.0.0:9090

To detach the container log output, type on the terminal: ctrl+p followed by ctrl+q

We can validate that our microservice is up and running by executing the following command:

curl -i http://localhost:9090/movie-api/api/movies

You should be able to see the response obtained from the microservice, a 200 HTTP Code and a payload with the list of movies in JSON Format:

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 907
ETag: W/"38b-nH1wH3YovzhC6d7xYfLwUga8Hf8"
Date: Wed, 04 Jul 2018 17:19:33 GMT
Connection: keep-alive

[{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":2,"title":"John Rambo"},{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":52,"title":"John Rambo"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":1,"title":"The Matrix"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":51,"title":"The Matrix"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":3,"title":"Starship Troopers"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":53,"title":"Starship Troopers"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":4,"title":"Stargate"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":54,"title":"Stargate"}]

Run Tribestream API Gateway (TAG)

The Tribestream API Gateway is going to seat between the Client and the Microservice in order to enforce Basic Auth security to the Microservice. Other TAG features like Advance Security, Routing, Load Balancing and Monitoring are cover later in the Learning Journey.

tag run diagram

On a terminal execute the following command according to your operating system:

For linux:

docker run --net="host" -it -e LICENSE=accept --name tag tomitribe/tribestream-api-gateway

For OSX or Windows:

docker run -it -e LICENSE=accept --name tag -p 8080:8080  tomitribe/tribestream-api-gateway

TAG is ready when you see the following message on the TAG log:

INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-bio-8080"]
INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-bio-8009"]
INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18348 ms

To detach the TAG container log output, type on the terminal: ctrl+p followed by ctrl+q

Open a browser and navigate to: http://localhost:8080/tag

Login into the TAG dashboard using the following credentials:

  • username: admin

  • password: admin

login

Secure your microservice

In order to secure the movie microservice we need to create a TAG Security Profile, for the purpose of demonstration we are going to use the built in Basic Auth Profile but we recommend stronger Authenticator such as OAuth 2 or HTTP Signatures which are shown later in the learning journey. For the authorization we are going to rely on TAG User Roles.

secure your microservice
TAG Account creation

A client who want to access the microservice through the TAG, will require an Account with a User, valid credentials and one or more valid roles. We are going to create this entities right from the TAG UI but you can also use an authorization system like Ldap or Active Directory.

tag users roles

We are going to create two accounts in TAG, Alice is going to have the administrator role and Bob the user role.

tag accounts diagram

To create the two accounts we are going to use to authenticate and authorize the deployed microservices, follow the next steps:

Click on the Accounts option to navigate to Accounts page, click the + button on the upper right side and select Account. Create a new account with the following data and make sure you enable the Create another check box before clicking the Save button. Notice that the administrator role is automatically created and assigned to Alice when you create the account.

create alice account

For the second account use the following data.

Notice that Bob account only needs to have the role user. After filling in the data click Save button and then close the Create Account modal window.

create bob account

You should be able to see the two accounts as part of the list displayed on the Accounts page.

accounts list

Now we are going to assign a basic auth password to both accounts. From the Accounts page, click on Alice account to open the account detail page. Click the ​ button on the upper right side and select Add Password from the menu. In the Add Password modal window, type supersecret as the password and then click the Save button.

add alice password

From Alice account deail page go back to Accounts page by doing a click on the < ACCOUNTS option in the upper left corner and repeat the previous steps to add superpassword as the password for Bob account.

From Bob account detail page, click the Tribestream API Gateway home icon located on the upper left corner of the screen to navigate back to the Dashboard page.

home button
Route Creation

The mechanism used by the Tribestream API Gateway (TAG) to orchestrate and secure the traffic to and from API endpoints is called Route.

We need to create a Route that will expose in TAG a /cinema-corp/movies-catalog endpoint, that will enforce Authentication (Basic Auth) and Authorization (via administrator role) for incoming requests before routing to the actual /movie-api/api/movies endpoint.

general route diagram

From the Dashboard page, click the Route button and then from the Routes page click the + button on the upper right side and select Mod_Rewrite Route.

open create route

Create a new Route with the following data and click Save:

create route window

If you want to know more about the mod_rewrite syntax, we have more guides in the Learning Journey that will explains the syntax with details and examples. But for now we need to emphasize that the route we created is going to provide the endpoint /cinema-corp/movies-catalog in TAG and internally is going to redirect incoming request to the microservice if and only if the Authentication and Authorization is the right one in the incoming request.

Test the secured microservice using curl

test scenario diagram

To successfully test the secured microservice you can use Alice account because it already contains the required administrator role. We are going to use curl command to send a GET request to the TAG endpoint /cinema-corp/movies-catalog we configured on the route and we are going to use basic auth to authenticate and authorize Alice request.

On a terminal the following command.:

curl -i -u alice:supersecret http://localhost:8080/cinema-corp/movies-catalog

You should be able to see the TAG response with a 200 HTTP code and the microservice payload:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, accept, authorization, Etag, if-none-match, x-xsrf-token
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Max-Age: 1209600
Access-Control-Expose-Headers: origin, content-type, accept, authorization, ETag, if-none-match
X-Proxy-Do-Rewrite: 6277575
X-Request-ID: bb629a0c5a4959da
X-Proxy-Received-HTTP-Status: 200
X-Proxy-Elapsed: 534119396
X-Powered-By: Express
ETag: W/"38b-nH1wH3YovzhC6d7xYfLwUga8Hf8"
Content-Type: application/json;charset=utf-8
Transfer-Encoding: chunked
Date: Thu, 02 Aug 2018 18:53:00 GMT
Server: Tomitribe-TAG

[{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":2,"title":"John Rambo"},{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":52,"title":"John Rambo"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":1,"title":"The Matrix"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":51,"title":"The Matrix"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":3,"title":"Starship Troopers"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":53,"title":"Starship Troopers"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":4,"title":"Stargate"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":54,"title":"Stargate"}]

You can now test the secured microservice using Bob account. This time TAG is going to deny access to the microservice because Bob doesn’t have the administrator role. Execute the following command:

curl -i -u bob:superpassword http://localhost:8080/cinema-corp/movies-catalog

You should be able to see the TAG response with at 403 HTTP code:

HTTP/1.1 403 Forbidden
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, accept, authorization, Etag, if-none-match, x-xsrf-token
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Max-Age: 1209600
Access-Control-Expose-Headers: origin, content-type, accept, authorization, ETag, if-none-match
X-Proxy-Do-Rewrite: 5416110
X-Request-ID: 32b385417e7ead74
Content-Type: application/json;charset=ISO-8859-1
Content-Language: en
Content-Length: 64
Date: Thu, 02 Aug 2018 18:54:04 GMT
Server: Tomitribe-TAG

{"error":"Access to the specified resource has been forbidden."}

Test the secured microservice using the Route Test Window

You can also test the TAG routing, authentication and authorization right from the Cinema Corp Route detail page. For this you need to open the Test Routes window by clicking the button at the top right corner and then selecting the Test option.

open test window

In the Test Routes window click the button and select Add Basic Auth. Then add the following information and click the Test button:

  • Resource URL: /cinema-corp/movies-catalog

  • Username: alice

  • Password: supersecreet

You will be able to see the 200 HTTP Response code along with details about the routing applied by TAG for the requests.

alice test window result

In the same Test Routes windows we can now execute a request using Bob account using the following information:

  • Resource URL: /cinema-corp/movies-catalog

  • Username: bob

  • Password: superpassword

This time you will see the 403 HTTP response code along with the details about the routing applied by TAG for the requests.

bob testwindow 403
bob testwindow routing

Stop Tribestream API Gateway

Since both the TAG and the microservice were created with a specific container name, you can now stop both containers. On a terminal execute the following command.

Stopping TAG

docker stop tag

Stopping the microservice

docker stop movie-api

Summary

Congratulations! in this module you learned about:

  • Prerequisites, Download, and run Tribestream API Gateway

  • How to run and secure your first microservice with Authentication and Authorization