avoiding speed bumps on the road to microservices · 2019-09-23


TRANSCRIPT

AVOIDING SPEED BUMPS ON THE ROAD TO MICROSERVICES

Scott Shaw, Head of Technology, ThoughtWorks Australia

1

MICROSERVICE ENVY

2

[Chart: GOOGLE TRENDS DATA comparing searches for “service oriented architecture” and “microservices”]

3

THE SPEED BUMPS

DDD  REST  Automation  Cloud  DevOps  Logging  Monitoring

Resilience  Testing with CDCs  Conway  Postel

Data Aggregation

Access Control & Security

Managing Change

4

Aggregating Data

SINGLE DATASTORE PRINCIPLE

5

6

BUT AS A SYSTEM EVOLVES…

JIA YANG’S STORY

8

SIDEBAR: SERVICE COMPOSITION

9

THE MONOLITHIC APPROACH

[Diagram: a single Tax Regime Service answers the question with a JOIN of “Customers in the EC” against “tax regime”]

SIDEBAR: SERVICE COMPOSITION

10

NAIVE SERVICE IMPLEMENTATION

[Diagram: three services, geography, customers and tax; the flows between them are labelled “Countries in the EC” and “Customers in the EC”]

SIDEBAR: SERVICE COMPOSITION

COMPOSED SERVICES

[Diagram: services geography, customers and tax]

Countries in the EC: GET …

Customers in the EC, passing the country list by value: GET …?country_list=UK,NL,SE...

Customers in the EC, passing the country list by reference: GET … ?filter=https://geo/countries?r=ec

AGGREGATING DATA

12

[Diagram: services geography, customers and tax, each holding its own state; data labelled “Customers in the EC” and “Countries in the EC”]

How do we know if these states are consistent?

Events to the rescue! The tax service reacts to event streams:

Changes in customer status

Changes in EC membership

AGGREGATING DATA

13

[Diagram: services geography, customers and tax]

GET https://integration-toolkit.com/customers/events

IMPLEMENTING EVENTS

14

OPTION 1: CHUCK ’EM IN THE DB

IMPLEMENTING EVENTS

15

OPTION 2: HIPSTER BATCH

[Diagram: Geography, Customer and Tax services exchanging data through Shared Storage (S3)]

IMPLEMENTING EVENTS

16

OPTION 3: SPECIAL-PURPOSE EVENT STORE

[Diagram: Customers and Geography services write to an Event Store; consumers receive events by Event Subscription and build “Projections” from them]

17

Delegated Authority & Access Control

DELEGATED ACCESS MANAGEMENT

18

OpenID 2.0  HMAC  SAML v2  OAuth 2.0  OpenID Connect  ADFS  JWT

FENDY’S STORY

19

THE OLD WORLD OF PERIMETER SECURITY

20

[Diagram: End User Application, Web Application and Identity Provider; arrows labelled credentials, token, cookie token and verification; the final build adds further token arrows beyond the Web Application]

stateless?

whose identity?

VARIOUS APPROACHES

21

▫︎ 2-Way SSL/TLS
▫︎ HMAC signing
▫︎ JWT
▫︎ NTLM/WIF/ADFS
▫︎ SAML v2
▫︎ OAUTH 2.0
▫︎ OPENID Connect

Ask these questions ...

• Considered both authentication and authorisation?
• Based on open standards?
• Simple enough to be widely used?
• Supports a modern web integration strategy?
• Has proven implementations?

EXAMPLE OPENID CONNECT FLOW

22

[Diagram: End User App, OpenID Connect Provider, Resource and Another Resource; an access code is exchanged with the provider and an id token is returned to the resources]

id token:

{
  "iss": "op.example.com",
  "c_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
  "email_verified": "true",
  "sub": "10769150350006150715113082367",
  "azp": "another_resource",
  "email": "sshaw@thoughtworks.com",
  "aud": ["resource", "another_resource"],
  "iat": 1353601026,
  "exp": 1353604926
}

BEWARE PKI

23

ssshh! secrets and keys: how to manage and distribute?

Also Need

• CSRF • Nonce • Correct implementation
• Expire • Revoke • Distribute
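The slide lists what an id token consumer still has to get right beyond the token itself: a nonce against replay, expiry, a correct implementation, and CSRF protection on the redirect. The Python below is an added example, not code from Scott Shaw's deck or from ThoughtWorks, that runs those claim checks over a copy of the id token shown on the "Example OpenID Connect flow" slide. It assumes the JWT signature has already been verified against the provider's published keys (not shown); the issuer and client ids are the slide's own, while the nonce, the state value and the clock reading are constructed for the demonstration.

```python
# Added example: claim checks a relying party runs on an OpenID Connect ID token
# once the JWT signature has been verified against the provider's published keys
# (signature verification is assumed to have happened already and is not shown).
import hmac
import json
import secrets
import time

# Payload of the id token shown on the "Example OpenID Connect flow" slide
# (copied from the slide; note that it carries no "nonce" claim).
SLIDE_ID_TOKEN = json.loads("""{
  "iss": "op.example.com",
  "c_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
  "email_verified": "true",
  "sub": "10769150350006150715113082367",
  "azp": "another_resource",
  "email": "sshaw@thoughtworks.com",
  "aud": ["resource", "another_resource"],
  "iat": 1353601026,
  "exp": 1353604926
}""")


def validate_id_token_claims(claims, expected_issuer, client_id,
                             expected_nonce=None, now=None, leeway=60,
                             max_age=None):
    """Return the list of failed checks; an empty list means the claims pass.

    expected_nonce is the nonce this client put in its authentication request
    (None if it sent none); now is injectable so the checks are testable.
    """
    now = time.time() if now is None else now
    failures = []

    # Issuer: the token must come from the provider we redirected the user to.
    if claims.get("iss") != expected_issuer:
        failures.append("iss: unexpected issuer %r" % (claims.get("iss"),))

    # Audience: aud may be a string or a list; our client_id must be in it.
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if client_id not in aud:
        failures.append("aud: token was not issued for this client")

    # Authorized party: with several audiences, azp must name this client, or
    # a token obtained by another relying party could be replayed to us.
    if len(aud) > 1:
        azp = claims.get("azp")
        if azp is None:
            failures.append("azp: required when aud lists several clients")
        elif azp != client_id:
            failures.append("azp: token was requested by %r, not by this client" % (azp,))

    # Expiry and issue time, with a small allowance for clock skew.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        failures.append("exp: missing or not numeric")
    elif now > exp + leeway:
        failures.append("exp: token expired")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)):
        failures.append("iat: missing or not numeric")
    elif iat > now + leeway:
        failures.append("iat: issued in the future")
    elif max_age is not None and now - iat > max_age:
        failures.append("iat: token older than max_age")

    # Nonce: binds the token to this browser session's authentication request.
    if expected_nonce is not None:
        if "nonce" not in claims:
            failures.append("nonce: request carried a nonce but the token has none")
        elif not hmac.compare_digest(str(claims["nonce"]).encode(),
                                     expected_nonce.encode()):
            failures.append("nonce: mismatch (possible replay)")
    return failures


def new_state():
    """Unguessable state value to store in the session before redirecting (CSRF)."""
    return secrets.token_urlsafe(32)


def check_callback_state(stored_state, returned_state):
    """The state echoed back on the redirect must equal the one stored in the session."""
    if not stored_state or not returned_state:
        return False
    return hmac.compare_digest(stored_state.encode(), returned_state.encode())


if __name__ == "__main__":
    # Constructed clock reading inside the slide token's validity window.
    now = 1353601100
    print("another_resource:", validate_id_token_claims(
        SLIDE_ID_TOKEN, "op.example.com", "another_resource", now=now))
    print("resource:", validate_id_token_claims(
        SLIDE_ID_TOKEN, "op.example.com", "resource", now=now))
    print("with nonce expected:", validate_id_token_claims(
        SLIDE_ID_TOKEN, "op.example.com", "another_resource",
        expected_nonce="n-0S6_WzA2Mj", now=now))
```

Run as a script, the slide's token passes for the client it was requested by (`azp` is `another_resource`), fails for `resource` even though `resource` is in `aud`, and fails for any client that sent a nonce, because the token carries none. Whether a client must demand a nonce depends on the flow it uses; the point is that the decision belongs in the consumer, and a token accepted by one relying party must not be accepted as a login by another.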

24

Managing Change

MANAGING CHANGE

25

DOES YOUR SYSTEM LOOK LIKE THIS?

?

MANAGING CHANGE

26

MAYBE IT SHOULD LOOK LIKE THIS INSTEAD

JUICE!

RYAN’S STORY

27

BACK TO THE TAX EXAMPLE …

28

[Diagram: services geography, customers and tax; a new Assignment capability takes some logic from each of them]

But How?

HOW TO MANAGE THE CHANGE

29

1. DO NOTHING: may be better than the chaos of not having clear ownership and accountability

2. ONE BIG VERSION CHANGE: version all your services, test them together, release them together. #fail

MANAGING CHANGE

30

[Diagram: services geo, cust, tax and assignment, with a Temp Team]

MANAGING CHANGE

31

[Diagram: services geo, cust, tax and assignment, marked with a “?”]

Long-term ownership can’t be ambiguous

SUMMARY

32

1. MICROSERVICES: more than a grab-bag of techniques and tools

2. MINDSET SHIFT:
   State → Events
   Perimeter → Endpoints
   Punctuated equilibrium → Continuous evolution

33

THANKS!

http://www.thoughtworks.com/radar sshaw@thoughtworks.com

@scottwshaw
