Lessons from the trenches: building an API-centric architecture
TRANSCRIPT
Last Updated: May 2015
Isabelle Mauny, VP Products, WSO2
Lessons from the trenches: API Management
Friday, May 22, 15
About the speaker...
๏ French native
๏ Living in Madrid
๏ Working mostly in Sri Lanka and Europe
๏ 17 years @ IBM, 5 years in startups
๏ Managing the overall WSO2 portfolio
๏ Worked in services, presales, product marketing, product management
๏ Java, SOA, APIs, Integration
Company results
๏ 280 customers
๏ 66 partners
๏ >60% average yearly growth
๏ 480 employees
๏ 10 locations
๏ 10 years old
Platform
๏ 100% open source, Apache 2
APIs
Architecture Roadmap
1. Decompose your existing business processes, data and capabilities into services
2. Make all services accessible via APIs, externally and internally
3. Put services and APIs under control!
4. Build an ecosystem around your APIs
5. Collect data on your new products and APIs
Creating and Managing Services
Services and APIs
๏ Service deals with implementation
๏ API deals with subscription (consumer)
๏ Two very distinct life cycles!
๏ You don't need the service to create the API...
API Lifecycle
๏ An API can pass through multiple states
๏ For example: CREATED, PUBLISHED, DEPRECATED, RETIRED, BLOCKED
๏ Should integrate with the complete governance lifecycle
Building a Managed API
๏ Creating APIs (interface, docs, samples, etc.)
๏ Advertising APIs
๏ Making APIs subscribe-able by consumers
๏ Associating SLAs
๏ Securing APIs
๏ Monetization and Analytics
API Security
๏ Security is not an afterthought!
๏ APIs are part of a much larger enterprise picture
๏ How will consumers request an access token?
๏ Using a SAML 2.0 assertion?
๏ Using an implicit grant? (The implicit grant hands the token back through the browser front channel and is discouraged by current OAuth 2.0 security guidance; prefer a code-based grant where the client can keep a secret.)
๏ Using userid/password?
๏ Make sure you document thoroughly how developers need to manage tokens:
๏ Tokens are like passwords!
๏ Always use SSL/TLS for token transportation!
๏ Use domain restrictions (WSO2 API Manager)
Fine-grained access to APIs
๏ Leverage OAuth scopes to manage fine-grained access control to APIs.
๏ All users can call GET /catalog/{id}
๏ Only specific users can call PUT /catalog
๏ Additionally, you can leverage XACML (entitlements) to manage authorization decisions that must take multiple attributes into account, for example:
๏ Verb is GET and Resource is Catalog and role is partner and partnershipLevel is Gold.
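The two layers above, as an added example written for this page (it is not code from the slides or from WSO2 API Manager): a scope required per verb and resource, then an entitlement rule that combines verb, resource, role and partnershipLevel. The scope names, the route table, the rules and the token contents are assumptions; the decision is deny-by-default, and the request's own verb and resource are written after the token claims so a claim cannot override them.

```python
"""Scope check plus attribute-based (XACML-style) rule for an API gateway.

Added example, not code from the slides or from WSO2 API Manager. It shows
the two layers the slides describe: first an OAuth scope required per verb
and resource (GET /catalog/{id} open to readers, PUT /catalog only to
writers), then an entitlement rule over several attributes. Scope names,
route table, rules and token contents are assumptions for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Token:
    """What the gateway knows after validating the bearer token (assumed shape)."""
    subject: str
    scopes: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)  # e.g. role, partnershipLevel


# Route table (assumed): (verb, path template) -> OAuth scope required.
ROUTE_SCOPES = {
    ("GET", "/catalog/{id}"): "catalog:read",
    ("PUT", "/catalog"): "catalog:write",
}

# Entitlement rules (assumed). A request is permitted when every attribute of
# at least one rule matches; no matching rule means deny.
ENTITLEMENT_RULES = [
    {"verb": "GET", "resource": "catalog", "role": "partner", "partnershipLevel": "Gold"},
    {"verb": "PUT", "resource": "catalog", "role": "catalog-admin"},
]


def path_matches(template, path):
    """Segment-wise match; a template segment written {name} matches any one segment."""
    t_segs = template.strip("/").split("/")
    p_segs = path.strip("/").split("/")
    if len(t_segs) != len(p_segs):
        return False
    return all((t.startswith("{") and t.endswith("}")) or t == p
               for t, p in zip(t_segs, p_segs))


def required_scope(verb, path):
    """Scope the route demands, or None for a route the table does not know."""
    for (v, template), scope in ROUTE_SCOPES.items():
        if v == verb and path_matches(template, path):
            return scope
    return None


def entitlement_allows(attrs):
    """True when some rule is fully satisfied by the request attributes."""
    return any(all(attrs.get(k) == v for k, v in rule.items())
               for rule in ENTITLEMENT_RULES)


def authorize(token, verb, path):
    """Gateway decision for one request: 'permit' or a 'deny: <reason>' string."""
    scope = required_scope(verb, path)
    if scope is None or scope not in token.scopes:
        return "deny: missing scope"
    # Token claims first, then the request's own verb/resource, so a claim
    # named "verb" or "resource" can never override what was actually requested.
    attrs = dict(token.attributes)
    attrs.update({"verb": verb, "resource": path.strip("/").split("/")[0]})
    if not entitlement_allows(attrs):
        return "deny: entitlement rule not satisfied"
    return "permit"
```

The scope check is cheap and coarse, so it runs first and short-circuits; the attribute rule only runs for requests that already carry the right scope. In a real deployment the rule set would live in a policy decision point (XACML PDP) rather than in the gateway code, but the evaluation order is the same.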
Passing Auth Information to back-end services
๏ Using JSON Web Tokens (JWT)
๏ Lightweight
๏ Can be signed (and the back end must verify that signature before trusting any claim; decoding alone proves nothing)
๏ Easy to parse and consume
๏ Standard (RFC 7519)
Token Format
๏ JWT structure: {header (token info)}.{claims list}.{signature}
๏ Each of the three parts is base64url encoded (not plain Base-64) and they are joined with dots
What are Claims?
๏ Claims are a set of attributes about a user, mapped to the underlying user store.
๏ A set of claims is called a dialect.
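The token format and the verification a back-end service must do, as an added example for this page (not code from the slides or from WSO2 API Manager, which signs its JWTs with the gateway's key pair). It uses HS256 with a shared secret so it runs on the standard library alone; the secret, issuer name and claim values are assumptions. The verifier pins the algorithm, compares the HMAC in constant time, and checks issuer and expiry before returning any claim.

```python
"""Mint and verify a signed JWT (HS256) with only the Python standard library.

Added example, not code from the slides or from WSO2 API Manager. It shows the
three-part structure {header}.{claims}.{signature}, base64url encoding without
padding, and the checks a back-end service does before trusting claims:
pinned algorithm, constant-time signature compare, issuer and expiry. The
secret, issuer and claim names are assumptions made for the example.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add the padding that was stripped before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Gateway side: header.claims signed with HMAC-SHA256 over the encoded parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


class InvalidToken(Exception):
    pass


def verify_jwt(token: str, secret: bytes, expected_issuer: str, now: float = None) -> dict:
    """Back-end side: return the claims only after every check has passed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three parts")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Never let the token pick its own algorithm ("none", or a downgrade):
    # the verifier decides what it accepts.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != expected_issuer:
        raise InvalidToken("unexpected issuer")
    if "exp" not in claims or now >= claims["exp"]:
        raise InvalidToken("token expired or has no exp")
    return claims


def check(token: str, secret: bytes, issuer: str, now: float):
    """Convenience wrapper: the claims on success, else the rejection reason."""
    try:
        return verify_jwt(token, secret, issuer, now)
    except InvalidToken as exc:
        return str(exc)
```

For a gateway handing identity to many back ends, an asymmetric signature (RS256 or ES256) is the better fit, because each back end then holds only a public key and cannot mint tokens itself; the structure and the order of checks are the same as above.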
Deployment
Gateway vs. ESB
๏ Oh, but I already have an ESB! Why do I need a gateway?
๏ Think of ESB as an architecture pattern, not a product!
๏ "NoESB: Don't Ride the Bus If You Don't Know Where It Goes" by Gartner in "Choosing an API and SOA Governance Architecture"
๏ Use a gateway for lightweight interactions and basic integration capabilities
๏ Use an ESB for complex integration requirements (needing adapters, messaging, etc.)
Facade/Gateway Pattern
๏ Pros
๏ No additional hop in the network
๏ Single server to be managed
๏ More suited for internal deployments
๏ Cons
๏ Complexity of integration at the edge of the network
๏ API management layer can't really scale independently
๏ Not appropriate for DMZ deployments (the externally exposed host has direct access to backend services)
Separated Facade & Mediation
๏ API gateway layer acts as a simple reverse proxy, enforcing basic policies
๏ Clear separation of concerns between layers
๏ Mediation layer and API management layer scale independently
๏ Specific security checks/protection at the edge of the network
๏ Provides protocol transformation at the edge of the network
Specific WSO2 Solution
๏ Our API gateway is actually a full-blown ESB under the hood, constrained at the UI level.
๏ You can install the missing ESB features on top of API Manager and combine both architecture layers into a single runtime!
๏ Makes the choice a deployment one.
Typical Deployment
User Stores
๏ Separate admins / corporate users from the developer user store (populated via self sign-up), so self-registered accounts never share a store, or its password policy and privileges, with administrative ones
You can’t manage what you can’t measure.
Why Analytics and API Management are important together
๏ Build confidence in the API model
๏ Understand your customer
๏ Not just the developer but also the end-user
๏ Help manage services and versions
๏ Understand when deprecated services can be retired
๏ Plan better
๏ Monitor the growth of aggregated API traffic
๏ Monitor the growth of specific apps
๏ Even if you're not going to put analytics in place, make sure you capture all events right from the beginning of the project.
Analytics 101: Aggregation
• How to collect data efficiently
• How to store data effectively
• Choose which data to capture
Analytics 101: Analysis
• Data operations
• Defining KPIs and analytics
• Operating on large amounts of historical or current data
• Creating intelligence
Analytics 101: Presentation
• Visualization
• Dashboards
• Reports
Monitor And Analyze
๏ Take decisions in real time through Complex Event Processing
๏ Create dashboards for both technical and business monitoring
Detecting Usage Patterns
๏ My API customer is trying to steal my business: let's block them.
๏ A customer is at 80% of their API plan: let's warn them.
๏ A customer is systematically at 120% of the plan: propose an upgrade to the premium plan.
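The three usage rules above turned into detection logic over gateway events, as an added example for this page (not code from the slides or from WSO2 API Manager's analytics). The events, per-app quotas and thresholds are constructed; "systematically over plan" is taken as three consecutive windows at or above 120%, and "trying to steal my business" is approximated by one assumed heuristic, an app walking /catalog/{id} through a long run of consecutive ids.

```python
"""Evaluate per-app usage against plan quotas over a window of gateway events.

Added example, not WSO2 API Manager's analytics logic. Actions follow the
slides: warn at 80% of plan, propose an upgrade when a customer is at 120%
or more in each of the last three windows, and block an app whose access
pattern looks like bulk extraction of the catalog. Events, quotas,
thresholds and the extraction heuristic are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    window: int   # billing window index (e.g. hour of the day), assumed
    app: str      # application id from the subscription
    path: str     # resource path that was called


# Calls allowed per window, by app (assumed plan data).
PLAN_QUOTA = {"app-gold": 1000, "app-silver": 100, "app-scraper": 1000}
DEFAULT_QUOTA = 100


def usage_per_window(events):
    """{app: {window: call count}}"""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e.app][e.window] += 1
    return counts


def looks_like_bulk_extraction(paths, min_run=50):
    """Heuristic (assumption): a run of consecutive ids under /catalog/{id}
    at least min_run long is treated as an attempt to copy the whole catalog."""
    ids = []
    for p in paths:
        parts = p.strip("/").split("/")
        if len(parts) == 2 and parts[0] == "catalog" and parts[1].isdigit():
            ids.append(int(parts[1]))
    run = best = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best >= min_run


def decide(events):
    """Return {app: action}; action is 'block', 'propose-upgrade', 'warn' or 'ok'.
    Block is checked first so a scraper that stays under quota is still caught."""
    counts = usage_per_window(events)
    paths = defaultdict(list)
    for e in events:
        paths[e.app].append(e.path)
    actions = {}
    for app, per_window in counts.items():
        quota = PLAN_QUOTA.get(app, DEFAULT_QUOTA)
        ratios = [n / quota for _, n in sorted(per_window.items())]
        if looks_like_bulk_extraction(paths[app]):
            actions[app] = "block"
        elif len(ratios) >= 3 and all(r >= 1.2 for r in ratios[-3:]):
            actions[app] = "propose-upgrade"
        elif ratios[-1] >= 0.8:
            actions[app] = "warn"
        else:
            actions[app] = "ok"
    return actions


def sample_events():
    """Constructed gateway events for three apps (not real traffic)."""
    ev = [Event(2, "app-silver", "/catalog/7") for _ in range(85)]       # 85% of 100
    for w in (0, 1, 2):                                                   # 125% x 3 windows
        ev += [Event(w, "app-gold", "/catalog/7") for _ in range(1250)]
    ev += [Event(2, "app-scraper", f"/catalog/{i}") for i in range(1, 61)]  # ids 1..60 in order
    return ev


if __name__ == "__main__":
    for app, action in sorted(decide(sample_events()).items()):
        print(f"{app}: {action}")
```

The ordering of the checks matters: the block rule runs before the quota rules because the scraper in the sample stays at 6% of its plan and would otherwise be reported as "ok". In production the events would be streamed into a CEP engine rather than batched in memory, but the rules are the same.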
References
๏ Building an ecosystem for API Security (White Paper)
๏ http://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/
๏ API Facade Pattern (Webinar)
๏ http://wso2.com/library/webinars/2014/01/implementing-api-facade-using-wso2-api-management-platform/
๏ API Management: missing link for SOA
๏ http://sanjiva.weerawarana.org/2012/08/api-management-missing-link-for-soa.html
๏ Promoting Service Reuse
๏ http://wso2.com/whitepapers/promoting-service-reuse-within-your-enterprise-and-maximizing-soa-success/
Download API Manager today!
๏ http://wso2.com/products/api-manager/
Contact us!