lessons from the trenches: building an api-centric architecture


Upload: wso2

Post on 20-Jul-2015


TRANSCRIPT

Page 1: Lessons from the Trenches: Building an API-Centric Architecture

Last Updated: May 2015

Isabelle Mauny, VP Products, WSO2

Lessons from the trenches: API Management

Friday, May 22, 15

Page 2

About the speaker...

• French native
• Living in Madrid
• Working mostly in Sri Lanka and Europe
• 17 years @ IBM, 5 years in startups
• Managing the overall WSO2 portfolio
• Worked in services, presales, product marketing, product management
• Java, SOA, APIs, Integration

Page 3

Company: 280 customers, 66 partners, 480 employees, 10 locations, 10 years old

Results: >60% average yearly growth

Platform: 1 platform, 100% open source, Apache 2

Page 4

APIs

Page 5

Architecture Roadmap

1. Decompose your existing business processes, data and capabilities into services
2. Make all services accessible via APIs, externally and internally
3. Put services and APIs under control!
4. Build an ecosystem around your APIs
5. Collect data on your new products and APIs

Page 6

Creating and Managing Services

Page 7

Services and APIs

• Service deals with implementation
• API deals with subscription (consumer)
• Two very distinct life cycles!
• You don't need the service to create the API...

Page 8

API Lifecycle

• An API can pass through multiple states
• For example:
  • CREATED
  • PUBLISHED
  • DEPRECATED
  • RETIRED
  • BLOCKED
• Should integrate with the complete governance lifecycle
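One way to make these states operational, as an added example that is not code from the deck or from WSO2: an API artefact with its own lifecycle, a transition table, a governance hook on who may drive each transition, and the gateway admission decision that follows from the state. The deck lists the five states but not the arrows between them, so the transitions, the role mapping, the "existing subscribers keep access while DEPRECATED" behaviour, and the names `ManagedApi`, `can_subscribe` and `gateway_admits` are assumptions made for illustration.

```python
# Added example (not WSO2 code): an API lifecycle state machine plus the
# runtime rule a gateway derives from it. The transitions, the role rule and
# the DEPRECATED grace behaviour are assumptions; the deck names only the states.
from enum import Enum


class State(Enum):
    CREATED = "CREATED"
    PUBLISHED = "PUBLISHED"
    DEPRECATED = "DEPRECATED"
    RETIRED = "RETIRED"
    BLOCKED = "BLOCKED"


# Assumed transitions. RETIRED is terminal; BLOCKED is a reversible emergency
# stop taken from PUBLISHED (for example while a backend is being patched).
TRANSITIONS = {
    State.CREATED: {State.PUBLISHED},
    State.PUBLISHED: {State.DEPRECATED, State.BLOCKED},
    State.BLOCKED: {State.PUBLISHED, State.RETIRED},
    State.DEPRECATED: {State.RETIRED},
    State.RETIRED: set(),
}

# Assumed governance hook: which roles may move an API into each state.
TRANSITION_ROLES = {
    State.PUBLISHED: {"publisher", "admin"},
    State.DEPRECATED: {"publisher", "admin"},
    State.BLOCKED: {"admin"},
    State.RETIRED: {"admin"},
}


class LifecycleError(Exception):
    pass


class ManagedApi:
    """The API artefact, with a lifecycle independent of the backend service
    that implements it (the deck's "two very distinct life cycles")."""

    def __init__(self, name, version):
        self.name = name
        self.version = version
        self.state = State.CREATED
        self.history = [(State.CREATED, "system")]  # audit trail of (state, actor role)

    def transition(self, target, actor_role):
        if target not in TRANSITIONS[self.state]:
            raise LifecycleError(
                f"{self.name} v{self.version}: {self.state.value} -> {target.value} not allowed")
        if actor_role not in TRANSITION_ROLES[target]:
            raise LifecycleError(f"role {actor_role!r} may not move an API to {target.value}")
        self.state = target
        self.history.append((target, actor_role))
        return self.state


def try_transition(api, target, actor_role):
    """None on success, otherwise the reason the transition was refused."""
    try:
        api.transition(target, actor_role)
        return None
    except LifecycleError as err:
        return str(err)


def can_subscribe(api):
    """Store/portal rule: new subscriptions are accepted only while PUBLISHED."""
    return api.state == State.PUBLISHED


def gateway_admits(api, caller_has_subscription):
    """Per-call rule at the gateway (assumed): PUBLISHED and DEPRECATED serve
    existing subscribers; CREATED, BLOCKED and RETIRED serve nobody, whatever
    token the caller presents."""
    return api.state in (State.PUBLISHED, State.DEPRECATED) and caller_has_subscription


if __name__ == "__main__":
    api = ManagedApi("catalog", "1.0")
    api.transition(State.PUBLISHED, "publisher")
    api.transition(State.BLOCKED, "admin")
    print([s.value for s, _ in api.history], gateway_admits(api, True))
```

The point of keeping `gateway_admits` separate from `transition` is that the runtime check is evaluated on every request from the current state, so a BLOCKED API stops serving the moment governance flips it, without touching any token or subscription.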

Page 9

Building a Managed API

• Creating APIs (interface, docs, samples, etc.)
• Advertising APIs
• Making APIs subscribe-able by consumers
• Associating SLAs
• Securing APIs
• Monetization and Analytics

Page 10

API Security

Page 11

API Security

• Security is not an afterthought!
• APIs are part of a much larger enterprise picture
• How will consumers request an access token?
  • Using a SAML 2.0 assertion?
  • Using an implicit grant?
  • Using userid/password?
  (Both the implicit grant and the userid/password grant have since been deprecated by the OAuth 2.0 Security Best Current Practice; for new designs prefer the authorization code grant with PKCE.)
• Make sure you document thoroughly how developers need to manage tokens:
  • Tokens are like passwords!
  • Always use SSL/TLS when transporting tokens!
  • Use domain restrictions (WSO2 API Manager)

Page 12

Fine-grained access to APIs

• Leverage OAuth scopes to manage fine-grained access control to APIs.
  • All users can call GET /catalog/{id}
  • Only specific users can call PUT /catalog
• Additionally, XACML (entitlements) can be leveraged for authorization decisions that must take multiple attributes into account, for example:
  • Verb is GET and Resource is Catalog and role is partner and partnershipLevel is Gold.
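The two layers on this slide, as an added example that is not code from the deck or from WSO2: a scope check keyed on (verb, route template) with default deny, and an XACML-style permit rule over request and subject attributes, evaluated only where the API owner has opted in to entitlements. The scope names `catalog:read` and `catalog:write`, the token and attribute shapes, and the function names are assumptions; the deck gives only the two routes and the one attribute rule.

```python
# Added example (not WSO2 code): OAuth scope enforcement followed by an
# attribute-based (XACML-style) permit rule, as a gateway would apply them.
# Scope names, attribute names and the token shape are assumptions.
import re


# Coarse layer: each (verb, route template) requires one scope.
# Routes not listed here are denied (default deny).
SCOPE_POLICY = {
    ("GET", "/catalog/{id}"): "catalog:read",
    ("PUT", "/catalog"): "catalog:write",
}

# Fine layer: permit rules over attributes. A request is permitted if any
# rule matches on every attribute it names. The first rule is the deck's.
ENTITLEMENT_RULES = [
    {"verb": "GET", "resource": "Catalog", "role": "partner", "partnershipLevel": "Gold"},
]


def template_to_regex(template):
    """'/catalog/{id}' -> ^/catalog/(?P<id>[^/]+)$ ; a placeholder matches
    exactly one non-empty path segment, so /catalog/42/x does not match."""
    pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
    return re.compile("^" + pattern + "$")


def required_scope(verb, path):
    for (v, template), scope in SCOPE_POLICY.items():
        if v == verb.upper() and template_to_regex(template).match(path):
            return scope
    return None


def check_scope(token_scopes, verb, path):
    scope = required_scope(verb, path)
    if scope is None:
        return False, "no policy for route (default deny)"
    if scope not in token_scopes:
        return False, f"token lacks scope {scope}"
    return True, "ok"


def resource_name(path):
    """First path segment, capitalised, as the 'Resource' attribute."""
    return path.strip("/").split("/")[0].capitalize()


def check_entitlement(subject_attrs, verb, path):
    # Request attributes override anything a subject claims about the request.
    request_attrs = dict(subject_attrs, verb=verb.upper(), resource=resource_name(path))
    for rule in ENTITLEMENT_RULES:
        if all(request_attrs.get(k) == v for k, v in rule.items()):
            return True, "ok"
    return False, "no entitlement rule permits this request"


def authorize(token_scopes, subject_attrs, verb, path, entitlements=False):
    """Scope check first (cheap, every route); the attribute check only
    where entitlements are switched on for the API."""
    ok, why = check_scope(token_scopes, verb, path)
    if ok and entitlements:
        ok, why = check_entitlement(subject_attrs, verb, path)
    return ok, why


if __name__ == "__main__":
    gold = {"role": "partner", "partnershipLevel": "Gold"}
    print(authorize({"catalog:read"}, gold, "GET", "/catalog/42", entitlements=True))
    print(authorize({"catalog:read"}, gold, "PUT", "/catalog"))
```

With entitlements switched on, the single rule from the slide permits only the Gold-partner GET; a real policy set would carry one permit rule per (verb, resource, subject class) combination, and everything not matched stays denied, which is the property you want from the fine-grained layer.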

Page 13

Passing Auth Information to back-end services

• Using JSON Web Tokens (JWT)
  • Lightweight
  • Can be signed (so the backend can verify the claims really came from the gateway rather than trusting a forwarded header on faith)
  • Easy to parse and consume
  • Standard

Page 14

Token Format

• JWT structure: {token info (header)}.{claims}.{signature}
• Each of the three parts is Base64url-encoded (URL-safe alphabet, no padding), so header and claims are readable by anyone holding the token: the signature protects integrity, not confidentiality.

Page 15

What are Claims?

• Claims are a set of attributes about a user, mapped to the underlying user store.
• A set of claims is called a dialect
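Pages 13 to 15 together, as an added example that is not code from the deck or from WSO2: a gateway mints the {header}.{claims}.{signature} token carrying the user's claims, and a backend verifies it before trusting anything in it. Only the Python standard library is used. HS256 with a shared secret keeps it runnable offline; a gateway signing for many backends would normally use an asymmetric algorithm so backends hold only a public key. The secret, the claim names, the lifetime and the function names are constructed for the demo.

```python
# Added example (not WSO2 code): mint and verify a signed JWT with the
# standard library. HS256 and the demo secret are assumptions chosen so the
# block runs offline; claim names and lifetimes are constructed.
import base64
import hashlib
import hmac
import json
import time


def b64url(data):
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, secret, lifetime=300, now=None):
    """Gateway side: wrap the user's claims (role, email, ... from the user
    store) with iat/exp and sign header.claims with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + lifetime)
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(body, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class InvalidToken(Exception):
    pass


def verify_jwt(token, secret, now=None):
    """Backend side: nothing in the token is trusted until the signature is
    checked. The algorithm is pinned (the token's own header never chooses
    it, which is what defeats alg=none and key-confusion tricks), the MAC is
    compared in constant time, and exp is mandatory."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.claims.signature")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("malformed encoding")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("malformed claims")
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise InvalidToken("expired or missing exp")
    return claims


def check_jwt(token, secret, now=None):
    """'ok' or the rejection reason, for callers that want a verdict string."""
    try:
        verify_jwt(token, secret, now)
        return "ok"
    except InvalidToken as err:
        return str(err)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    token = mint_jwt({"sub": "alice", "role": "partner"}, secret, lifetime=60)
    print(token)
    print(verify_jwt(token, secret))
```

Note the order inside `verify_jwt`: the algorithm is fixed by the verifier and the signature is checked before the claims are even parsed, so a token that merely decodes cleanly buys an attacker nothing.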

Page 16

Deployment

Page 17

Gateway vs. ESB

• Oh, but I already have an ESB! Why do I need a gateway?
• Think of ESB as an architecture pattern, not a product!
  • "NoESB: Don't Ride the Bus If You Don't Know Where It Goes" by Gartner, in "Choosing an API and SOA Governance Architecture"
• Use a gateway for lightweight interactions and basic integration capabilities
• Use an ESB for complex integration requirements (needing adapters, messaging, etc.)

Page 18

Facade/Gateway Pattern

• Pros
  • No additional hop in the network
  • Single server to be managed
  • More suited for internal deployments
• Cons
  • Complexity of integration at the edge of the network
  • API management layer can't really scale independently
  • Not appropriate for DMZ deployments (direct access to backend services)

Page 19

Separated Facade & Mediation

• API gateway layer acts as a simple reverse proxy, enforcing basic policies
• Clear separation of concern between layers
• Mediation layer and API management layer scale independently
• Specific security checks/protection at the edge of the network
• Provides protocol transformation to the edge of the network

Page 20

Specific WSO2 Solution

• Our API gateway is actually a full-blown ESB under the hood, constrained at the UI level.
• You can install the missing ESB features on top of API Manager and combine both architecture layers into a single runtime!
• Makes the choice a deployment one.

Page 21

Typical Deployment

Page 22

User Store

• Keep the admin/corporate user store separate from the developer user store (accounts created via self-sign-up)

Page 23

You can't manage what you can't measure.

Page 24

Why are Analytics and API Management important together?

• Build confidence in the API model
• Understand your customer
  • Not just the developer but also the end-user
• Help manage services and versions
  • Understand when deprecated services can be retired
• Plan better
  • Monitor the growth of aggregated API traffic
  • Monitor the growth of specific apps
• Even if you're not going to put analytics in place, make sure you capture all events right from the beginning of the project.

Page 25

Analytics 101: Aggregation

• How to collect data efficiently
• How to store data effectively
• Choose which data to capture

Page 26

Analytics 101: Analysis

• Data operations
• Defining KPIs and analytics
• Operating on large amounts of historical or current data
• Creating intelligence

Page 27

Analytics 101: Presentation

• Visualization
• Dashboards
• Reports

Page 28

Monitor and Analyze

• Take decisions in real time through Complex Event Processing
• Create dashboards for both technical and business monitoring

Page 29

Detecting Usage Patterns

• My API customer is trying to steal my business: let's block them.
• A customer is at 80% of their API plan: let's warn them
• A customer is systematically at 120% of the plan: propose an upgrade to the premium plan
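The two quota rules on this slide run over a constructed call log, as an added example that is not code from the deck or from WSO2; it also carries out the per-period aggregation step from page 25 so the rules have something to act on. The plan sizes, the sample counts, the period labels, and the reading of "systematically" as three consecutive periods are assumptions. The first rule ("trying to steal my business") is left out because the deck gives no detection criterion for it.

```python
# Added example (not WSO2 code): aggregate a constructed call log per app and
# per period, then apply the slide's 80% warning and 120% upgrade rules.
# Plan sizes, periods, sample counts and the three-period streak are assumptions.
from collections import Counter

PLANS = {"bronze": 1_000, "silver": 10_000}  # calls per period (assumed)
APP_PLAN = {"app-a": "bronze", "app-b": "bronze", "app-c": "bronze", "app-d": "silver"}
PERIODS = ["2015-03", "2015-04", "2015-05"]  # oldest first


def constructed_events():
    """Constructed call log: one (period, app) tuple per API call."""
    counts = {
        "app-a": [600, 700, 850],        # latest period at 85% of bronze
        "app-b": [1250, 1300, 1210],     # three periods in a row above 120%
        "app-c": [400, 1300, 500],       # one spike, then back to normal
        "app-d": [9000, 12500, 12100],   # two periods above 120%, not yet three
    }
    return [(period, app)
            for app, per_period in counts.items()
            for period, n in zip(PERIODS, per_period)
            for _ in range(n)]


def aggregate(events):
    """Aggregation step: {app: [calls per period, oldest first]}."""
    tally = Counter(events)
    return {app: [tally[(period, app)] for period in PERIODS] for app in APP_PLAN}


def evaluate_app(plan, calls, warn_at=0.8, upgrade_at=1.2, streak=3):
    """The action to take for one app after its latest period.
    Upgrade proposal wins over the warning: an app systematically over plan
    is past the point where a warning helps."""
    quota = PLANS[plan]
    ratios = [c / quota for c in calls]
    if len(ratios) >= streak and all(r >= upgrade_at for r in ratios[-streak:]):
        return "propose_upgrade"
    if ratios[-1] >= warn_at:
        return "warn_quota"
    return "none"


def evaluate_all(usage):
    return {app: evaluate_app(APP_PLAN[app], calls) for app, calls in usage.items()}


if __name__ == "__main__":
    for app, action in evaluate_all(aggregate(constructed_events())).items():
        print(app, action)
```

Because the decision looks at a window of periods rather than the latest count alone, a single spike (app-c) produces no sales action, while an app that is over plan every period (app-b) does; that distinction is what "systematically" buys you over a plain threshold.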

Page 30

References

• Building an ecosystem for API Security (White Paper)
  • http://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/
• API Facade Pattern (Webinar)
  • http://wso2.com/library/webinars/2014/01/implementing-api-facade-using-wso2-api-management-platform/
• API Management: missing link for SOA
  • http://sanjiva.weerawarana.org/2012/08/api-management-missing-link-for-soa.html
• Promoting Service Reuse
  • http://wso2.com/whitepapers/promoting-service-reuse-within-your-enterprise-and-maximizing-soa-success/

Page 31

Download API Manager today!

• http://wso2.com/products/api-manager/