Understanding the Non-Blocking Synchronization Mechanism of Optimistic Locking CAS

In the world of concurrent programming, “thread safety” usually means “locking”. From the synchronized keyword to ReentrantLock, we’ve grown accustomed to ensuring data consistency by exclusively locking resources. However, locks are not a silver bullet. In scenarios pursuing extreme performance, the context switching and waiting costs brought by locks can become system bottlenecks. So, is there a way to safely modify shared variables across multiple threads without suspending (blocking) threads? ...

December 7, 2025 · 6 min

Consistency in Sharded Databases and Tables

Preface: The “Day Two” Challenge After Database and Table Sharding In the architectural evolution of large-scale microservices, database and table sharding is often regarded as the “silver bullet” for solving massive data storage and high-concurrency write challenges. When we excitedly use Apache ShardingSphere to split a monolithic database into 16 sharded databases and 1,024 sharded tables, watching system throughput soar, we often overlook a serious problem that follows closely—operations and consistency. On the “day two” after sharding goes live, development and operations teams typically face the following soul-searching questions: ...

December 6, 2025 · 8 min

Spring Transaction Management Explained

The Spring framework provides developers with a powerful and flexible transaction management mechanism. Whether it’s a complex distributed system or a simple monolithic application, Spring’s transaction abstraction layer allows us to control transaction behavior in a unified and concise way. This article starts with why to use Spring transactions, and then explores in depth its core configuration, working principles, key attributes, and common pitfalls and best practices. Part I: Why Choose Spring’s Transaction Model? In traditional JDBC operations, we need to manually handle the acquisition, commit, and rollback of Connection objects, which is tedious and error-prone. Although JTA (Java Transaction API) provides the capability for cross-resource transactions, its API is relatively complex. ...

November 19, 2025 · 6 min · Xiaobin

Understanding Attribute-Based Access Control (ABAC)

1. Evolution of Access Control (AC) Access Control determines who can access what and perform which operations. The Key Phases: MAC (Mandatory Access Control): Fixed centralized management. High security, low flexibility (e.g., military). DAC (Discretionary Access Control): Owner-based sharing. High flexibility, low consistency (e.g., file systems). RBAC (Role-Based Access Control): Permissions mapped to roles. Simplifies management for enterprise structures. ABAC (Attribute-Based Access Control): Permissions calculated dynamically based on attributes of users, resources, and environment. Trend: Moving from static/coarse-grained to dynamic/fine-grained control. Hybrid RBAC-ABAC is the current industry trend. ...

February 9, 2025 · 2 min

The Main Process of HTTPS Transport Encryption

Overview Modern cryptography handles information in three main forms: Digest: Primarily used for data validation (e.g., storing passwords). A digest is a one-way hash. Hash functions are characterized by their sensitivity (even tiny changes produce totally different results) and irreversibility. Common algorithms include MD5 and SHA-256. Encryption: Used to ensure secure transmission so that only authorized parties can access the real message. Unlike digests, encrypted data can be decrypted back to plaintext. Keys are categorized into symmetric and asymmetric (public/private). Common algorithms include AES and RSA. Signature: Used to ensure the integrity and authenticity of plaintext messages. For example, a JWT contains a signature to guarantee that the payload was not tampered with. Signatures do not guarantee privacy; the message itself is often public. In summary: ...

May 7, 2024 · 3 min

Basic Methods of Information Encryption

Overview In the movie The Imitation Game (based on real events), the scientist Alan Turing led his team to crack the German communications encryption device “Enigma” after two years of intense effort. This feat laid a solid foundation for the victory in World War II. Today, we will discuss the data encryption technology behind such communications. Data confidentiality refers to encryption and decryption. In academic terms: using an algorithm to change the original form of information so that even if an attacker steals the information, they cannot understand it without the corresponding decryption method. Confidentiality can be applied in three stages: ...

April 28, 2024 · 3 min

Comparison of Cookie-Session and JWT Credential Management

Overview In the previous article, we discussed the process of authorization. After the server completes authorization for the client, it issues a corresponding credential. When the client accesses the server with this credential, the server knows who you are and what permissions you have. In this chapter, we will discuss common credential management technologies. In software architecture, there have been two different ideas regarding how credentials are stored and transmitted, reflecting two different architectural approaches: ...

April 24, 2024 · 4 min

Basic Access and Authorization Models: Combining OAuth2 and RBAC

Overview In security systems, Authorization is part of the “4A” framework (Account, Authentication, Authorization, and Audit). To build a reliable security module, it is best to follow industry standards. Authorization involves: Control of the Process: Protocols like OAuth2, SAML2, or CAS. Control of the Outcome: Models like RBAC or ABAC. The mainstream approach for most applications is a combination of OAuth2 + RBAC. RBAC (Role-Based Access Control) RBAC maps permissions to Roles, and then assigns roles to Users. This decouples users from specific permissions, making management much simpler. ...

April 15, 2024 · 2 min

Basic Overview of Biometric Standard Technology

Overview Almost all systems face issues related to security authentication, but security-related problems are quite troublesome. Because they do not generate direct business value and are complex and tedious to handle, they are easily overlooked. Many major security risks that arise later are caused by a lack of attention in the early stages. Fortunately, security issues are universal, and the problems everyone faces are almost identical. Therefore, industry standards can be formulated to regulate handling, and specialized infrastructure (e.g., AD, LDAP, etc.) can even be extracted to specifically solve these common problems. In short, security issues are very complex and troublesome. For 99% of systems, do not try to invent or innovate in the field of security; it’s easy to fall into traps. Moreover, industry-standard solutions are already very mature and have undergone long-term verification. Therefore, in the field of security, down-to-earth adherence to specifications and standards is the best security design. ...

April 7, 2024 · 6 min

Understanding Kubernetes Controller Manager

The Control Loop The Controller Manager is the “brain” of the control plane. It runs various controllers that watch the state of the cluster and make changes to move the actual state toward the desired state. Workflow: Watch: Observe current state via the API Server. Reconcile: Compare actual state (e.g., 2 Pods running) with desired state (e.g., 3 Pods requested). Action: Issue commands to the API Server to reach the target (e.g., create 1 Pod). Key Controllers Deployment Controller: Manages ReplicaSets and ensures the correct number of Pods are running. Node Controller: Monitors node health and handles evictions. Job/CronJob Controllers: Manage one-time or scheduled tasks. Cloud Controller Manager: Integrates with cloud provider APIs to manage storage, load balancers, and network routes. Kubelet and Runtimes Kubelet is the agent running on every node. It receives PodSpecs from the API Server and ensures they are running. ...

December 13, 2023 · 2 min