After a day of learning about the exciting features of Forge, get ready for a peek under the hood to discover how it’s all implemented. Join Forge Architect Patrick Streule as he goes deep on topics such as Forge FaaS infrastructure, the internal workings of tenant isolation, and automatic authentication.
Attendees will also get a glimpse of some features we’re looking at building into the future of Forge, such as a serverless data store for apps and more!
10. MANAGED AUTH
// Call the Jira REST API as the user who triggered the function:
// the response is limited to what that user is allowed to see.
const watchersResponse = await api
  .asUser()
  .requestJira(`/rest/api/3/issue/${issue.key}/watchers`);

// Alternatively, call as the app itself, using the app's own grant
// and permissions rather than the current user's.
const watchersResponse = await api
  .asApp()
  .requestJira(`/rest/api/3/issue/${issue.key}/watchers`);
11. Managed Auth Goals
Better security: long-lived secrets are kept within Atlassian infrastructure, inaccessible from the outside.
Manageable for end users: users can see and revoke all their grants on the Atlassian Account profile page.
Easier to use: no need to deal with OAuth2 flows or secure credential and token storage.
23. REUSING BROWSER TECHNOLOGY
NodeJS: V8
const rest = await api
.asUser()
.requestJira(`/rest…`);
Fetch implementation
Isolates
The technology behind iframes in Chrome
No shared resources
Marshalling of data across isolate boundaries
25. APPLICATION-LEVEL ISOLATION
const doc = await api
.fetch(`https://docs.google.com/document/...`);
const mail = await api
.fetch(`https://mail.google.com/...`);
Fetch
manifest.yml:
https://docs.google.com/**
Egress config: URL patterns of hosts that may be contacted
33. AWS LAMBDA: ISOLATION CONT’D
Layer (with the isolation technology used at that layer):
Your Code
Forge Runtime: Isolates
Sandbox: cgroups, namespaces, seccomp
Guest OS
Hypervisor: Firecracker virtualization
Host OS
Hardware: EC2 Bare Metal
34. AWS LAMBDA: MULTIPLE ACCOUNTS
ManagedAuth…
Forge AWS Accounts
Service AWS Accounts
Deploy
Deploy
Invoke
Deployment Service
Invocation Service
api.atlassian.com: Public API Calls
AWS API Calls (assumeRole)
43. We have devoted significant resources towards ensuring our cloud products are built and designed in accordance with widely accepted standards and certifications.
https://www.atlassian.com/trust/privacy/gdpr
44. Data storage for apps today
Define Data Model: taking multi-tenancy into account
Implement API: for data retrieval and modification
Handle Operations: backups, migration, capacity planning, DB upgrades, …
Trust & Compliance: GDPR, SOC2, Data Residency, Encryption@rest
48. Data follows its parent
Data deletion: data is deleted when its parent chain is deleted.
Data encryption: data is encrypted with the same key as its parent.
Data movement: data moves to another realm, container or organization whenever its parent moves.
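The three rules on this slide all reduce to one idea: every piece of data has a single parent chain, and deletion, key selection and placement are resolved by walking that chain. As an added example (not Forge's storage code, and not the hypothetical design the later slides sketch), here is an in-memory model of those rules; the node ids, keys and realm names are constructed for illustration.

```javascript
// Added example, not Forge's own code: an in-memory model of "data follows its
// parent". Every node points at one parent; realm, encryption key, deletion and
// moves are all resolved by walking that chain. Ids and keys are constructed.
class ParentChainStore {
  constructor() {
    this.nodes = new Map(); // id -> { parent, key, realm }
  }

  add(id, { parent = null, key = null, realm = null } = {}) {
    if (parent !== null && !this.nodes.has(parent)) throw new Error(`unknown parent ${parent}`);
    if (this.nodes.has(id)) throw new Error(`duplicate id ${id}`);
    this.nodes.set(id, { parent, key, realm });
  }

  has(id) { return this.nodes.has(id); }

  // Chain from the node up to its root, nearest first.
  chain(id) {
    if (!this.nodes.has(id)) throw new Error(`unknown node ${id}`);
    const out = [];
    for (let cur = id; cur !== null; cur = this.nodes.get(cur).parent) out.push(cur);
    return out;
  }

  // First value of `field` found walking upward: a node without its own key or
  // realm inherits its parent's (data is encrypted with the same key as its parent).
  inherited(id, field) {
    for (const cur of this.chain(id)) {
      const v = this.nodes.get(cur)[field];
      if (v !== null) return v;
    }
    return null;
  }
  keyFor(id) { return this.inherited(id, 'key'); }
  realmFor(id) { return this.inherited(id, 'realm'); }

  children(id) {
    return [...this.nodes].filter(([, n]) => n.parent === id).map(([cid]) => cid);
  }

  // Deleting a node removes its whole subtree: nothing outlives its parent chain.
  delete(id) {
    for (const c of this.children(id)) this.delete(c);
    return this.nodes.delete(id);
  }

  // Moving re-parents the node; everything beneath it now resolves realm and key
  // through the new chain. A real store would also re-encrypt under the new key
  // when the inherited key changes.
  move(id, newParent) {
    if (!this.nodes.has(id) || !this.nodes.has(newParent)) throw new Error('unknown node');
    if (this.chain(newParent).includes(id)) {
      throw new Error(`moving ${id} under ${newParent} would create a cycle`);
    }
    this.nodes.get(id).parent = newParent;
  }
}

// Constructed sample hierarchy: organization -> site -> container -> records,
// plus a second organization in another realm to move data into.
function buildSample() {
  const s = new ParentChainStore();
  s.add('org-a', { key: 'key-org-a', realm: 'eu' });
  s.add('site-1', { parent: 'org-a' });
  s.add('container-x', { parent: 'site-1', key: 'key-x' });
  s.add('record-1', { parent: 'container-x' });
  s.add('record-2', { parent: 'container-x' });
  s.add('org-b', { key: 'key-org-b', realm: 'us' });
  return s;
}
```

Because realm and key are looked up rather than copied onto each record, moving `container-x` from `org-a` to `org-b` changes the realm of every record beneath it in one step, and deleting `org-b` afterwards takes those records with it while `site-1` and `org-a` are untouched.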
51. What could a possible Forge implementation look like?
HYPOTHETICALLY!