This file maps the abstract security roles from 01 — Concepts to the actual components running in this PoC.

Components

Component                   Role
Keycloak                    IdP
Kong                        PEP
OPA                         PDP
banking-api-service         Resource server
identity-bootstrap-service  Demo setup only

Role of Each Component

Keycloak

Keycloak is the IdP for this project.

It:

  • stores demo users (alice, ops-admin)
  • authenticates username and password
  • issues JWT access tokens
  • adds claims such as customer_id and account_ids

Kong

Kong is the PEP for this project.

It:

  • receives every client request at the edge
  • checks that a bearer token exists
  • introspects the token with Keycloak
  • calls OPA for an authorization decision
  • forwards allowed requests to banking-api-service

OPA

OPA is the PDP for this project.

It:

  • receives request context from Kong
  • evaluates the Rego policy in infra/opa/policies/banking_authz.rego
  • returns allow or deny
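To make the PDP step concrete, here is an added illustrative Rego policy (not the project's own infra/opa/policies/banking_authz.rego) that denies by default and allows a GET on an account only when that account appears in the caller's account_ids claim. The input shape (method, path segments, introspected token under input.token) and the /accounts/{id} route are assumptions for this example; customer_id and account_ids are the claims the page describes.

```rego
package banking.authz

import rego.v1

# Deny unless a rule below explicitly allows (fail closed).
default allow := false

# Assumed input document sent by Kong (constructed for this example):
# {
#   "method": "GET",
#   "path": ["accounts", "acc-100", "transactions"],
#   "token": {
#     "active": true,
#     "customer_id": "cust-1",
#     "account_ids": ["acc-100", "acc-101"]
#   }
# }

# Only a token that introspection reported as active can be authorized.
token_active if input.token.active == true

# Account the request is about: /accounts/{id} or /accounts/{id}/...
requested_account := input.path[1] if {
	input.path[0] == "accounts"
	count(input.path) >= 2
}

# A customer may read only accounts listed in their own account_ids claim.
# A missing claim, a path without an account id, or a non-GET method
# leaves every condition unsatisfied and the default deny applies.
allow if {
	token_active
	input.method == "GET"
	requested_account in input.token.account_ids
}

# Audit-friendly reason that Kong can log alongside the decision.
reason := "owner" if allow
reason := "denied" if not allow
```

Evaluate it locally with `opa eval -i input.json -d banking_authz.rego "data.banking.authz.allow"`, where input.json holds a document in the shape shown in the comments.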

banking-api-service

banking-api-service is the resource server for this project.

It:

  • validates the JWT signature, issuer, and audience
  • checks account ownership again as defense in depth
  • returns account and transaction data

identity-bootstrap-service

identity-bootstrap-service exists only to make the PoC repeatable.

It:

  • creates demo users (alice, ops-admin) in Keycloak
  • sets demo claims and roles
  • removes the need for manual Keycloak setup steps

Architecture Diagram

The rendered diagram ("Security Layers") is not reproduced here. It shows the components identity-bootstrap-service, Keycloak, Client, Kong, OPA, and banking-api-service, connected by these numbered steps (endpoints as described in the component sections above):

  0. identity-bootstrap-service → Keycloak: create demo users
  1. Client → Keycloak: login
  2. Keycloak → Client: JWT access token
  3. Client → Kong: API request with JWT
  4. Kong → Keycloak: introspect token
  5. Kong → OPA: policy input
  6. OPA → Kong: allow or deny
  7. Kong → banking-api-service: allowed request

Why This Architecture Makes Sense

The three-role separation keeps concerns isolated:

  • Keycloak owns identity — no other component stores credentials.
  • OPA owns policy logic — changing a rule means editing one Rego file.
  • Kong owns enforcement — services behind Kong do not need to re-implement gateway logic.

Defense in depth is also demonstrated:

  • Kong checks token validity and calls OPA before forwarding.
  • banking-api-service validates the JWT again independently.
  • banking-api-service re-checks account ownership before returning data.

Project File Mapping

Path                                          Purpose
docker-compose.yml                            Defines and wires all runtime containers
infra/keycloak/realm-export.json              Keycloak realm, client, and role configuration
infra/kong/kong.yml                           Kong services, routes, and plugin config
infra/kong/plugins/opa-authz/handler.lua      Kong plugin — calls OPA and enforces the decision
infra/kong/plugins/opa-authz/schema.lua       Kong plugin — declares configuration schema
infra/opa/policies/banking_authz.rego         OPA policy (Rego)
infra/opa/policies/banking_authz_test.rego    OPA policy unit tests
services/banking-api-service/                 Protected banking API (resource server)
services/identity-bootstrap-service/          Demo user provisioning service
scripts/demo.sh                               End-to-end demo script
