wso2con usa 2017: building an effective api architecture
TRANSCRIPT
WSO2 API Manager: Building an Effective API Architecture
Nuwan Dias, Architect, WSO2
Knowing the Components
[Diagram: the API Manager components (Publisher, Store, Admin, Traffic Manager, Gateway, Key Manager, Analytics), grouped into non-scalable components and scalable components]
Understanding the Storage
Storage Types
• Registry Database - Stores API metadata, tenant key stores, documents, tags
• API Manager Database - Stores API runtime data, application data, token data, etc.
• Permissions Database - Stores role-to-permission and user-to-permission mappings.
• Analytics Summary Database - Stores API/application usage summaries.
Understanding the Storage Contd…

Component         Reads only from                            Writes to
Publisher         Permissions DB, Analytics DB               Registry, APIM DB
Store             Permissions DB, Analytics DB, Registry     APIM DB
Key Manager       Permissions DB, APIM DB, Registry          (the slide does not separate this row into the two columns)
Traffic Manager   Permissions DB
Creating an API
[Diagram: Publisher and Store, backed by the API Manager DB (runtime data) and the Registry DB (metadata)]
Publishing an API (LAN / DMZ)
[Diagram, split into LAN and DMZ: the Publisher publishes to the Gateway Manager, which deploys the API to the Gateway Workers over a secure web service call; the Store]
API: The runnable artifact

    <api name="nuwan--Petstore" context="/petstore/1.0.0" version="1.0.0" version-type="context">
        <resource methods="POST PUT" url-mapping="/pet">
            …
        </resource>
        <resource methods="DELETE PUT GET" uri-template="/user/{username}">
            …
        </resource>
        <handlers>
            <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
            …
        </handlers>
    </api>
API: The handler flow

    <handlers>
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.common.APIMgtLatencyStatsHandler"/>
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
            <property name="apiImplementationType" value="ENDPOINT"/>
        </handler>
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.throttling.ThrottleHandler"/>
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.analytics.APIMgtUsageHandler"/>
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler"/>
    </handlers>

The handlers run in the order listed: latency stats, CORS, authentication, throttling, usage publishing, then the extension handler. Authentication sits before throttling, so a request with no valid token is rejected before it counts against any throttling policy.
API Security
Security Validation
[Diagram: the Application (on behalf of the User) calls the API Gateway, which validates the token with the Key Server]
OAuth 2.0 Grants - Client Credentials
Image credits: Prabath Siriwardena
OAuth 2.0 Grants - Resource Owner Password
Image credits: Prabath Siriwardena
OAuth 2.0 Grants - Authorization Code
Image credits: Prabath Siriwardena
OAuth 2.0 Grants - Implicit
Image credits: Prabath Siriwardena
In the implicit grant the access token is returned in the URL fragment of the redirect, e.g.
http://callback/#access_token=car292msdjtuis92lla
The Role of the Authorization/Key Server

Endpoints:
    POST /register
    GET, PUT, DELETE /register/{client_id}
    POST /introspection
    POST /token
    POST /revoke

[Diagram: API Store, Resource Server (Gateway) and Authorization/Key Server]

Responsibilities: Authentication, Authorization, Client Registration, Client Management, Introspection, Revocation, Token Management, Federation
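The four grants and the key server endpoints above, worked through as an added example (not part of the talk and not WSO2 code): a minimal in-memory key server offering register, token, introspection and revoke, and a gateway that introspects every bearer token before letting a call through. The client name, the `alice` user and password, the `read` scope and the injectable clock are constructed for the example; the implicit leg shows the token landing in the URL fragment, as on the slide.

```python
"""Added example (not WSO2 code): a minimal OAuth 2.0 key server plus a gateway that
validates bearer tokens through introspection. All clients, users and scopes are constructed."""
import hmac
import secrets
import time
from urllib.parse import urlencode


class KeyServer:
    """Plays the Authorization/Key Server: /register, /token, /introspection, /revoke."""

    def __init__(self, token_ttl=3600, clock=time.time):
        self.clients = {}   # client_id -> {secret, redirect_uri, name}
        self.users = {"alice": "correct horse battery staple"}   # constructed resource owner
        self.codes = {}     # authorization code -> (client_id, username)
        self.tokens = {}    # access token -> {client_id, sub, scope, exp}
        self.ttl, self.clock = token_ttl, clock

    def register(self, name, redirect_uri):
        """POST /register: dynamic client registration returns a fresh id/secret pair."""
        client_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri, "name": name}
        return {"client_id": client_id, "client_secret": secret}

    def _client_ok(self, client_id, client_secret):
        client = self.clients.get(client_id)
        # Constant-time comparison so secret checking does not leak timing information.
        return client is not None and hmac.compare_digest(client["secret"], client_secret or "")

    def _issue(self, client_id, subject, scope):
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"client_id": client_id, "sub": subject, "scope": scope,
                              "exp": self.clock() + self.ttl}
        return {"access_token": token, "token_type": "Bearer", "expires_in": self.ttl, "scope": scope}

    def authorize(self, client_id, username, response_type, scope="read"):
        """Browser leg of the authorization code and implicit grants (user already logged in)."""
        client = self.clients[client_id]
        if response_type == "code":
            code = secrets.token_urlsafe(16)
            self.codes[code] = (client_id, username)
            return client["redirect_uri"] + "?" + urlencode({"code": code})
        if response_type == "token":   # implicit: the token itself travels in the URL fragment
            tok = self._issue(client_id, username, scope)
            return client["redirect_uri"] + "#" + urlencode({"access_token": tok["access_token"]})
        raise ValueError("unsupported response_type")

    def token(self, grant_type, client_id, client_secret, scope="read", **params):
        """POST /token for the three grants that go through the token endpoint."""
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        if grant_type == "client_credentials":
            return self._issue(client_id, client_id, scope)          # subject is the app itself
        if grant_type == "password":
            expected = self.users.get(params.get("username"), "")
            if not hmac.compare_digest(expected, params.get("password", "")):
                return {"error": "invalid_grant"}
            return self._issue(client_id, params["username"], scope)
        if grant_type == "authorization_code":
            owner = self.codes.pop(params.get("code"), None)         # single use: pop, never get
            if owner is None or owner[0] != client_id:
                return {"error": "invalid_grant"}
            return self._issue(client_id, owner[1], scope)
        return {"error": "unsupported_grant_type"}

    def introspect(self, token):
        """POST /introspection: the gateway asks whether a token is live and for whom."""
        meta = self.tokens.get(token)
        if meta is None or meta["exp"] <= self.clock():
            return {"active": False}
        return {"active": True, **meta}

    def revoke(self, token):
        """POST /revoke: a revoked token introspects as inactive from then on."""
        self.tokens.pop(token, None)


class Gateway:
    """Plays the Resource Server: validates the bearer token via introspection before proxying."""

    def __init__(self, key_server, required_scope="read"):
        self.ks, self.required_scope = key_server, required_scope

    def handle(self, headers):
        parts = headers.get("Authorization", "").split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "bearer":
            return 401, "missing or malformed bearer token"
        info = self.ks.introspect(parts[1])
        if not info["active"]:
            return 401, "token inactive"
        if self.required_scope not in info["scope"].split():
            return 403, "insufficient scope"
        return 200, "hello " + info["sub"]
```

Two details are the ones worth copying into a real deployment: the authorization code is consumed with `pop`, so replaying it yields `invalid_grant`, and the gateway never trusts the token string itself, only the introspection response, so revocation takes effect on the next call.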
Traffic Management Architecture
[Diagram: Gateway, Gateway Policy Designer and Traffic Manager; the Gateway publishes request events to the Traffic Manager, which applies the throttling policies and publishes throttle events back to the Gateway]
Traffic Manager Scalability
• The Traffic Manager does not scale
• A single Traffic Manager can handle up to 10 Gateways at maximum capacity
• If a deployment consists of more than 10 Gateways, the Gateways should be divided into groups (clusters) of 10 nodes each, with 1 Traffic Manager per group.
Analytics Architecture
[Diagram: the Gateway publishes raw events to Analytics, which keeps them in raw event storage (big data) and produces processed summary data; the Admin, Publisher and Store read the summary data over REST/HTTP]
API: Stages vs Environments - Stages
[Diagram: Dev, Staging and Production stages, each with its own back-end systems, data and runtime]
Use appropriate tooling/processes for the promotion/demotion of artifacts
API: Stages vs Environments - Environments
[Diagram: the Production stage with an External and an Internal environment, each with its own Gateway and Key Manager, and a single Publisher and Store]
API: Stages vs Environments

Stage                                                       Environment
Represents a state of an API                                Represents the execution runtime of an API in a given state
An API may go through modifications when transferring       The API definition is fixed across environments
between stages
Shouldn't share data between stages                         May share data across environments
Ownership of the API/data may change across stages          Ownership of the API/data remains the same across all environments
Regional Gateways - Database Sync Pattern
[Diagram: US-East and US-West behind a load balancer, each region with its own Gateway and Key Manager; the Key Manager databases are kept in sync, syncing tables selectively]
Regional Gateways - Token Prefix Pattern
[Diagram: US-East and US-West behind a load balancer, each region with its own Gateway and Key Manager; the US-East Key Manager creates tokens with prefix "EAST" and the US-East Gateway validates the "EAST" prefix, the US-West Key Manager creates tokens with prefix "WEST" and the US-West Gateway validates the "WEST" prefix]
Regional Gateways - Token Prefix Pattern

    public class CustomTokenGenerator extends OauthTokenIssuerImpl {

        @Override
        public String accessToken(OAuthTokenReqMessageContext tokReqMsgCtx) throws OAuthSystemException {
            // REGION_ID is the name of the system property holding this node's region ("EAST", "WEST", ...).
            String regionID = System.getProperty(REGION_ID);
            if (log.isDebugEnabled()) {
                log.debug("Region ID = " + regionID);
            }
            // The token stays a random UUID; the region is only a prefix the gateways can route on.
            String accessToken = UUID.randomUUID().toString();
            return regionID != null ? regionID + accessToken : accessToken;
        }
    }

Regional Gateways - Token Prefix Pattern

    public class RegionValidator extends AbstractHandler {

        public boolean handleRequest(MessageContext messageContext) {
            String regionId = System.getProperty(REGION_ID);
            if (log.isDebugEnabled()) {
                log.debug("Region ID = " + regionId);
            }
            . . . . . . . . .   // the Authorization header is read into bearerToken here (elided on the slide)
            if (regionId == null || bearerToken == null) {
                // Node not bound to a region, or no bearer token provided: let the
                // APIAuthenticationHandler further down the chain decide (it rejects a missing token).
                return true;
            }
            String[] parts = bearerToken.trim().split("\\s+");
            if (parts.length == 2 && parts[1].startsWith(regionId)) {
                // The provided bearer token is of the expected region. The prefix is only a routing
                // hint; the token itself is still validated by the authentication handler.
                return true;
            }
            handleAuthFailure(messageContext);
            return false;
        }
    }
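The same pattern as the Java excerpt above, re-expressed as an added Python example (not the talk's code) so its edge cases can be run: a token from the other region is rejected, a missing Authorization header is deferred to the authentication handler, a malformed header fails closed, and a token that carries the right prefix but is unknown to the Key Manager still fails, because the prefix is a routing hint and not a credential. The region names and the in-memory token set standing in for the Key Manager's token table are constructed.

```python
"""Added example (not WSO2 code): the regional token prefix pattern written out in plain
Python. Regions and the in-memory token store are constructed for the example."""
import uuid


class RegionalKeyManager:
    """A Key Manager bound to one region; prefixes every token it issues with that region."""

    def __init__(self, region):
        self.region = region
        self.issued = set()   # stand-in for this region's token table in the APIM DB

    def issue(self):
        token = self.region + str(uuid.uuid4())   # same shape as CustomTokenGenerator.accessToken
        self.issued.add(token)
        return token

    def validate(self, token):
        """What the authentication handler ultimately asks: was this exact token issued here?"""
        return token in self.issued


def region_check(region, authorization):
    """The RegionValidator handler. Returns "pass" (continue to the authentication handler),
    "defer" (no token; the authentication handler will reject it) or "reject" (wrong region)."""
    if authorization is None:
        return "defer"
    parts = authorization.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return "reject"   # malformed header: fail closed instead of raising on parts[1]
    return "pass" if parts[1].startswith(region) else "reject"


def gateway(region, key_manager, authorization):
    """Region check first, then full token validation; the prefix alone never grants access."""
    if region_check(region, authorization) != "pass":
        return 401
    token = authorization.split()[1]
    return 200 if key_manager.validate(token) else 401
```

The last case in the test is the one to remember when reviewing this pattern: anyone can put `EAST` in front of a string, so the region handler only decides which key manager a token should be checked against, never whether the caller is authenticated.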
API Manager: Multi-Datacenter Deployment
Types of Data Center Deployments
• Single Master, Active-Active
• Single Master, Active-Passive (Disaster Recovery)
• Multi Master, Active-Active

API Manager: Multi-Datacenter Deployment
[Diagram: two data centers; one is the Master, the other is a Master or a Slave depending on the deployment type]
ThankYou!