- Renamed auth-service to iam-service across various files for consistency.
- Updated Dockerfiles, deployment configurations, and documentation to reflect the service name change.
- Enhanced testing commands in documentation to point to the new iam-service.
- Removed outdated auth-service files and configurations to streamline the project structure.
- Improved bilingual documentation for clarity on the new service structure and usage.
IAM Service Architecture Proposal
This document describes the proposed architecture for the IAM Service (Identity and Access Management Service), an extension of the current auth-service.
Overview: Auth Service → IAM Service
The current Auth Service focuses on:
- Authentication
- Authorization
- Session & Token management
- RBAC/ABAC
The IAM Service adds:
- Identity Management (end-to-end management of identities)
- Access Governance
- Compliance & Reporting
- Lifecycle Management (account lifecycle management)
1. Scope of the IAM Service
1.1 Identity Management
A. User Lifecycle Management
- User CRUD operations
- User provisioning/deprovisioning workflows
- Bulk user operations (import/export)
- User deactivation/reactivation with approval workflow
- Account merging/deduplication
- User archival (soft delete with retention policy)
B. Profile Management
- Extended attributes (custom fields)
- Profile picture upload & management
- Contact information (phone, address)
- Preferences & settings
- Profile versioning/audit trail
C. Identity Verification
- Email verification
- Phone/SMS verification
- Identity document verification (KYC)
- Multi-level verification (verified, pending, rejected)
D. Organizations & Groups
- Organization management (multi-tenant)
- Group/Team management
- Organization hierarchy
- Group-based access control
- Organization-level policies
1.2 Access Management
A. Advanced Access Control
- Just-In-Time (JIT) access provisioning
- Privileged Access Management (PAM)
- Temporary access grants
- Access request/approval workflows
- Delegation & impersonation (admin view)
- Conditional access policies (location, time, device)
B. Access Reviews & Certifications
- Periodic access reviews
- Access certification campaigns
- Access analytics & reporting
- Risk scoring for access decisions
- Anomaly detection (unusual access patterns)
1.3 Governance & Compliance
A. Audit & Logging
- Compliance reporting (GDPR, SOC2, ISO 27001)
- Data retention policies
- Audit log search & analytics
- Export audit logs
B. Policy Governance
- Policy versioning & rollback
- Policy templates library
- Policy testing & validation
- Policy compliance checks
C. Risk Management
- Risk scoring engine
- Risk-based authentication
- Threat detection
- Incident response workflows
- Security posture dashboard
2. Module Architecture
services/iam-service/
├── src/
│   ├── config/              # Configuration files
│   ├── core/
│   │   ├── cache/           # Multi-layer cache
│   │   ├── security/        # Zero-trust, encryption
│   │   ├── events/          # Event sourcing
│   │   └── workflows/       # Workflow engine (NEW)
│   ├── modules/
│   │   ├── auth/            # ✅ Core authentication
│   │   ├── rbac/            # ✅ RBAC system
│   │   ├── social/          # ✅ Social authentication
│   │   ├── oidc/            # ✅ OIDC implementation
│   │   ├── token/           # ✅ JWT & Cookie management
│   │   ├── session/         # ✅ Session management
│   │   ├── mfa/             # ✅ Multi-factor auth
│   │   │
│   │   ├── identity/        # 🆕 Identity Management
│   │   │   ├── user/        # User lifecycle
│   │   │   ├── profile/     # Profile management
│   │   │   ├── verification/ # Identity verification
│   │   │   └── organization/ # Organizations & groups
│   │   │
│   │   ├── access/          # 🆕 Access Management
│   │   │   ├── request/     # Access requests
│   │   │   ├── review/      # Access reviews
│   │   │   ├── pam/         # Privileged access
│   │   │   └── analytics/   # Access analytics
│   │   │
│   │   ├── governance/      # 🆕 Governance & Compliance
│   │   │   ├── compliance/  # Compliance reporting
│   │   │   ├── policy/      # Policy governance
│   │   │   ├── risk/        # Risk management
│   │   │   └── reporting/   # Reporting & dashboards
│   │   │
│   │   └── workflow/        # 🆕 Workflow Engine
│   │       ├── engine/      # Workflow engine
│   │       ├── approval/    # Approval workflows
│   │       └── automation/  # Automated workflows
│   │
│   ├── middlewares/         # Express middlewares
│   ├── repositories/        # Data access layer
│   └── routes/              # Route definitions
└── prisma/
    └── schema.prisma        # Database schema (extended)
3. Extended Database Schema
3.1 Identity Management Models
- Organization: Organization management with hierarchy
- Group: Groups within an organization
- GroupMember: Membership of a group
- GroupPermission: Permissions granted to a group
- UserProfile: Extended profile information for a user
- IdentityVerification: Identity verification records (email, phone, document)
3.2 Access Management Models
- AccessRequest: An access request
- AccessRequestApprover: Approvers assigned to a request
- AccessReview: A periodic access review
- AccessReviewItem: An item within a review
3.3 Governance Models
- ComplianceReport: Compliance reports (GDPR, SOC2, ISO27001)
- PolicyTemplate: Templates for policies
- RiskScore: A user's risk score
4. Extended API Endpoints
4.1 Identity Management APIs
# User Management
GET /api/v1/identity/users
POST /api/v1/identity/users
GET /api/v1/identity/users/:id
PUT /api/v1/identity/users/:id
DELETE /api/v1/identity/users/:id
POST /api/v1/identity/users/bulk-import
GET /api/v1/identity/users/bulk-export
# Profile Management
GET /api/v1/identity/users/:id/profile
PUT /api/v1/identity/users/:id/profile
POST /api/v1/identity/users/:id/profile/avatar
# Identity Verification
POST /api/v1/identity/verification/email/request
POST /api/v1/identity/verification/email/verify
POST /api/v1/identity/verification/phone/request
POST /api/v1/identity/verification/phone/verify
# Organizations & Groups
GET /api/v1/identity/organizations
POST /api/v1/identity/organizations
GET /api/v1/identity/organizations/:id/groups
POST /api/v1/identity/organizations/:id/groups
GET /api/v1/identity/groups/:id/members
POST /api/v1/identity/groups/:id/members
4.2 Access Management APIs
# Access Requests
GET /api/v1/access/requests
POST /api/v1/access/requests
PUT /api/v1/access/requests/:id/approve
PUT /api/v1/access/requests/:id/reject
# Access Reviews
GET /api/v1/access/reviews
POST /api/v1/access/reviews
POST /api/v1/access/reviews/:id/start
POST /api/v1/access/reviews/:id/complete
GET /api/v1/access/reviews/:id/items
# Access Analytics
GET /api/v1/access/analytics/usage
GET /api/v1/access/analytics/permissions
GET /api/v1/access/analytics/risks
4.3 Governance APIs
# Compliance Reports
GET /api/v1/governance/compliance/reports
POST /api/v1/governance/compliance/reports/generate
GET /api/v1/governance/compliance/reports/:id/export
# Policy Governance
GET /api/v1/governance/policies/templates
POST /api/v1/governance/policies/templates
GET /api/v1/governance/policies/:id/versions
POST /api/v1/governance/policies/:id/test
# Risk Management
GET /api/v1/governance/risk/scores
GET /api/v1/governance/risk/scores/:userId
POST /api/v1/governance/risk/calculate
# Reporting
GET /api/v1/governance/reports/access-summary
GET /api/v1/governance/reports/user-activity
GET /api/v1/governance/reports/security-events
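The risk endpoints above (and the risk-based authentication listed under 1.3 C) need a scoring function that turns a login attempt plus the user's history into a score and a decision. The following TypeScript is an added illustration written for this page, not code from the iam-service project; the field names, the factor weights, the ALLOW / step-up / BLOCK thresholds and the constructed sample history are all assumptions.

```typescript
// Added example (not the page's project code): a minimal risk scoring engine of the
// kind POST /api/v1/governance/risk/calculate and risk-based authentication would
// use. Field names, weights, thresholds and the sample history are assumptions.

interface LoginEvent {
  userId: string;
  at: number;        // epoch ms
  country: string;   // country code resolved from the client IP
  deviceId: string;  // stable device fingerprint or device cookie
  success: boolean;  // whether the credential check passed
}

interface UserHistory {
  knownDevices: string[];
  knownCountries: string[];
  recentFailures: number[]; // timestamps of failed attempts
}

type Decision = "ALLOW" | "STEP_UP_MFA" | "BLOCK";

interface RiskResult { score: number; reasons: string[]; decision: Decision; }

const FAILURE_WINDOW_MS = 10 * 60 * 1000; // failures older than this are ignored
const MFA_THRESHOLD = 30;                 // at or above: require a second factor
const BLOCK_THRESHOLD = 70;               // at or above: refuse and raise a security event

function scoreLogin(ev: LoginEvent, history: UserHistory): RiskResult {
  let score = 0;
  const reasons: string[] = [];
  if (history.knownDevices.indexOf(ev.deviceId) === -1) { score += 30; reasons.push("new device"); }
  if (history.knownCountries.indexOf(ev.country) === -1) { score += 40; reasons.push("new country"); }
  const hour = new Date(ev.at).getUTCHours();
  if (hour < 6 || hour >= 22) { score += 10; reasons.push("off-hours login"); }
  // Count failures inside the window preceding this attempt (capped so one burst cannot dominate).
  const recent = history.recentFailures.filter((t) => ev.at - t >= 0 && ev.at - t <= FAILURE_WINDOW_MS).length;
  if (recent > 0) { score += Math.min(recent, 3) * 15; reasons.push(recent + " recent failed attempts"); }
  const decision: Decision = score >= BLOCK_THRESHOLD ? "BLOCK" : score >= MFA_THRESHOLD ? "STEP_UP_MFA" : "ALLOW";
  return { score, reasons, decision };
}

// Only successful logins teach the profile new devices and countries; failures feed the counter.
function learn(ev: LoginEvent, history: UserHistory): void {
  if (ev.success) {
    if (history.knownDevices.indexOf(ev.deviceId) === -1) history.knownDevices.push(ev.deviceId);
    if (history.knownCountries.indexOf(ev.country) === -1) history.knownCountries.push(ev.country);
  } else {
    history.recentFailures.push(ev.at);
  }
}

// Constructed sample history: alice normally signs in from VN on device d-1.
function sampleHistory(): UserHistory {
  return { knownDevices: ["d-1"], knownCountries: ["VN"], recentFailures: [] };
}
```

The reasons array is what the RiskScore model and the security-events report should persist alongside the number: a bare score cannot be explained to an auditor or tuned later, while "new country + two recent failures" can. Learning only from successful logins keeps an attacker's failed attempts from widening the set of trusted devices.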
5. Implementation Roadmap
Phase 1: Foundation (Weeks 1-4)
- ✅ Migrate from auth-service to iam-service
- 🔄 Reorganize modules into the IAM structure
- 🔄 Extend the database schema with identity models
- 🔄 Implement User Profile module
Phase 2: Identity Management (Weeks 5-8)
- 🔄 User lifecycle management
- 🔄 Identity verification (email, phone, document)
- 🔄 Organization & Group management
- 🔄 Profile management with extended attributes
Phase 3: Access Management (Weeks 9-12)
- 🔄 Access request/approval workflows
- 🔄 Access review & certification system
- 🔄 Access analytics
- 🔄 Privileged Access Management (PAM)
Phase 4: Governance (Weeks 13-16)
- 🔄 Compliance reporting engine
- 🔄 Policy governance & versioning
- 🔄 Risk scoring & management
- 🔄 Reporting dashboards
Phase 5: Advanced Features (Weeks 17-20)
- 🔄 Workflow engine
- 🔄 Advanced analytics & ML-based insights
- 🔄 Integration APIs (SCIM, LDAP sync)
- 🔄 Performance optimization & scaling
6. Benefits of the IAM Service
6.1 For the Business
- ✅ Compliance (GDPR, SOC2, ISO 27001)
- ✅ Better security risk management
- ✅ Automated access management workflows
- ✅ Complete reporting and audit trail
- ✅ Multi-tenant/organization support
6.2 For Developers
- ✅ Unified API for identity & access
- ✅ Flexible workflow engine
- ✅ Extensible architecture
- ✅ Comprehensive documentation
- ✅ SDK support
6.3 For End Users
- ✅ Self-service profile management
- ✅ Transparent access requests
- ✅ Better user experience
- ✅ Enhanced security with MFA & verification
7. Migration Strategy
From Auth Service → IAM Service
- Rename Service: services/auth-service → services/iam-service
- Update Package Name: @goodgo/auth-service → @goodgo/iam-service
- Update Routes:
  - Keep backward compatibility with /api/v1/auth/*
  - Add new routes for /api/v1/identity/*, /api/v1/access/*, /api/v1/governance/*
- Database Migration:
  - Add new schema for identity, access, governance
  - Keep the existing tables unchanged (backward compatible)
- Gradual Rollout:
  - Phase 1: Deploy alongside auth-service (dual deployment)
  - Phase 2: Migrate clients gradually
  - Phase 3: Deprecate auth-service once migration is complete
Conclusion
This proposal extends auth-service into an IAM Service with the full feature set:
- Complete Identity Management
- Advanced Access Management
- Comprehensive Governance & Compliance
- Flexible workflow automation
This turns the service from basic authentication/authorization into a comprehensive IAM platform suited to enterprise use.