Post on 07-Jul-2015
Last Updated: Nov 2014
Lessons from the battlefield
Isabelle Mauny, VP, Product, WSO2
Tuesday, December 9, 14
About the speaker...
• French native
• Living in Madrid
• Working mostly in Sri Lanka and Europe
• 17 years @ IBM, 5 years in startups
• Managing the overall WSO2 portfolio
• Linux command line user...
Who is WSO2?
• Open Source Middleware Platform Provider
• Apache 2.0 License
• Provides Integration, API Management, Security and Mobile enterprise management products
• Main contributor to Apache Stratos PaaS
• Creators of DevOps “AppFactory” cloud solution
Architecture Roadmap
1. Decompose your existing business processes, data and capabilities into services
2. Make all services accessible via APIs, externally and internally
3. Put services and APIs under control!
4. Build an ecosystem around your APIs
5. Collect data on your new products and APIs
Creating and Managing Services
Services and APIs
• Service deals with implementation
• API deals with subscription (consumer)
• Two very distinct life cycles!
• You don’t need the service to create the API...
API Lifecycle
• An API can pass through multiple states
• For example:
  • CREATED
  • PUBLISHED
  • DEPRECATED
  • RETIRED
  • BLOCKED
• Should integrate with complete governance lifecycle
Building a Managed API
• Creating APIs (interface, docs, samples, etc.)
• Advertising APIs
• Making APIs subscribe-able by consumers
• Associating SLAs
• Securing APIs
• Monetization and Analytics
API Security
API Security
• Security is not an afterthought!
• APIs are part of a much larger enterprise picture
• How will consumers request an access token?
  • Using a SAML 2.0 assertion?
  • Using client_credentials?
  • Using userid/password?
• Make sure you document thoroughly how developers need to manage tokens:
  • Tokens are like passwords!
  • Always use SSL for token transportation!
  • Use Domain restrictions (WSO2 API Manager)
Fine-grained access to APIs
• OAuth2 is all about access control: a token is associated to a scope.
• XACML (eXtensible Access Control Markup Language) is the de-facto standard for fine-grained access control.
• OAuth scope can be represented in XACML policies
• Provides fine-grained control over what a user/application can do (i.e. you can call GET but not POST on an API)
Passing Auth Information to back-end services
• Using JSON Web Tokens (JWT)
  • Lightweight
  • Can be signed
  • Easy to parse and consume
  • Standard
Token Format
• JWT Structure: {token info}.{claims list}.{signature}
• Base-64 Encoded
What are Claims?
• Claims are a set of attributes about a user, mapped to the underlying user store.
• A set of claims is called a dialect
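As an added example (not from the slides and not WSO2's own code), the following Python puts the three slides above together: it builds the {token info}.{claims list}.{signature} structure from the Token Format slide, verifies the signature before trusting any claim, and then enforces the "GET but not POST" rule from the Fine-grained access slide using a `scope` claim. Everything specific is an assumption: the shared secret, the HMAC-SHA256 (HS256) signing algorithm (the slides only say a JWT "can be signed"), the `METHOD_SCOPES` policy table and the sample claims are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by the token issuer and the gateway.
# Assumption: HS256 (HMAC-SHA256) signing; the slides only say a JWT "can be signed".
SECRET = b"demo-shared-secret-not-for-production"

# Which OAuth scope each HTTP method needs (constructed policy mirroring the
# slide's "you can call GET but not POST" example).
METHOD_SCOPES = {"GET": "api:read", "POST": "api:write", "PUT": "api:write", "DELETE": "api:write"}


def b64url_encode(data: bytes) -> str:
    """JWT uses URL-safe Base64 without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding stripped by the encoder before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build {token info}.{claims list}.{signature} as on the Token Format slide."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes = SECRET) -> dict:
    """Return the claims only after the signature has been checked; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.claims.signature")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier, not the token, decides which algorithm is acceptable.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg in token header")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check leaks nothing about the expected MAC.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(claims_b64))
    if not isinstance(claims, dict):
        raise ValueError("claims list must be a JSON object")
    return claims


def authorize(token: str, method: str) -> bool:
    """Gateway decision: valid signature AND the scope required for this method."""
    try:
        claims = verify_jwt(token)
    except ValueError:  # covers malformed Base64, bad JSON and failed signature checks
        return False
    granted = set(str(claims.get("scope", "")).split())
    required = METHOD_SCOPES.get(method.upper())
    return required is not None and required in granted


if __name__ == "__main__":
    token = make_jwt({"sub": "alice", "scope": "api:read"})
    print(token)
    print("GET :", authorize(token, "GET"))   # True
    print("POST:", authorize(token, "POST"))  # False
```

The order inside `authorize` is the point: claims are read only after `verify_jwt` has accepted the signature, so a claims segment rewritten to add `api:write` fails the check rather than granting POST. Pinning `alg` on the verifier side keeps the token from choosing how it is validated.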
Deployment
Gateway vs. ESB
• Oh, but I already have an ESB! Why do I need a gateway?
• API Gateway vs. Mediation Layer (ESB)
  • Gateway = light ESB?
• Think ESB as an architecture pattern, not a product!
Generic Facade Pattern
• Pros
  • No additional hop in the network
  • Single Server to be managed
  • More suited for internal deployments
• Cons
  • Complexity of integration at edge of network
  • API Management layer can’t really scale independently
  • Not appropriate for DMZ deployments (direct access to backend services)
Separated Facade & Mediation
• API Gateway Layer acts as simple reverse proxy, enforcing basic policies
• Clear separation of concern between layers
• Mediation layer and API management layer scale independently
• Specific security checks/protection at edge of the network
• Provides protocol transformation to the edge of the network
Specific WSO2 Solution
• Our API gateway is actually a full-blown ESB under the hood, constrained at UI level.
• You can install the missing ESB features on top of API Manager and combine both architecture layers into a single runtime!
• Makes the choice a deployment one.
Typical Deployment
Users Store
• Separate admins / corporate users from the developer users’ store (created via self-sign up)
You can’t manage what you can’t measure.
Why Analytics and API Management are important together?
• Build confidence in the API model
• Understand your customer
  • Not just the developer but also the end-user
• Help manage services and versions
  • Understand when deprecated services can be retired
• Plan better
  • Monitor the growth of aggregated API traffic
  • Monitor the growth of specific apps
• Even if you’re not going to put analytics in place, make sure you capture all events right from the beginning of the project.
Analytics 101: Aggregation
• How to collect data efficiently
• How to store data effectively
• Choose which data to capture
Analytics 101: Analysis
• Data operations
• Defining KPIs and analytics
• Operating on large amounts of historical or current data
• Creating intelligence
Analytics 101: Presentation
• Visualization
• Dashboards
• Reports
Monitor And Analyze
• Take decisions in real time through Complex Event Processing
• Create dashboards for both technical and business monitoring
Detecting Usage Patterns
• My API customer is trying to steal my business: let’s block them.
• A customer is at 80% of API plan: let’s warn them
• A customer is systematically at 120% of the plan: propose an upgrade to the premium plan
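As an added example (not from the slides and not WSO2 API Manager's own analytics), the following Python aggregates gateway call events per application and billing period and applies the two plan rules on this slide: warn at 80% of the plan, and propose an upgrade when an app is at 120% or more in every observed period, which is how "systematically" is read here. The plans, the per-period call counts, the event shape and the threshold constants are all constructed for the demo; the "block them" case is left out because deciding what counts as stealing the business needs context the slide does not give.

```python
from collections import defaultdict

# Thresholds from the slide: warn at 80% of the plan, propose an upgrade when a
# customer is "systematically" (here: in every observed period) at 120% or more.
WARN_RATIO = 0.8
UPGRADE_RATIO = 1.2

# Constructed plans: calls allowed per billing period for each subscribing app.
PLANS = {"mobile-app": 10, "partner-portal": 5, "trial-app": 5}

# Constructed call counts per (period, app), expanded below into one event per call,
# the shape a gateway would emit. Not real WSO2 API Manager output.
CALL_COUNTS = {
    ("2014-10", "mobile-app"): 13,
    ("2014-11", "mobile-app"): 12,
    ("2014-10", "partner-portal"): 2,
    ("2014-11", "partner-portal"): 4,
    ("2014-10", "trial-app"): 1,
    ("2014-11", "trial-app"): 2,
}
EVENTS = [
    {"period": period, "app": app, "api": "orders", "status": 200}
    for (period, app), n in CALL_COUNTS.items()
    for _ in range(n)
]


def usage_ratios(events, plans):
    """Aggregate events into {app: {period: calls / plan quota}}; apps without a plan are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        counts[ev["app"]][ev["period"]] += 1
    return {
        app: {period: n / plans[app] for period, n in periods.items()}
        for app, periods in counts.items()
        if app in plans
    }


def classify(ratios_by_period):
    """Apply the slide's rules to one app's per-period usage ratios."""
    periods = sorted(ratios_by_period)
    latest = ratios_by_period[periods[-1]]
    # Upgrade proposal needs the pattern to hold over more than one period.
    if len(periods) >= 2 and all(ratios_by_period[p] >= UPGRADE_RATIO for p in periods):
        return "propose-upgrade"
    if latest >= WARN_RATIO:
        return "warn"
    return "ok"


def plan_actions(events, plans):
    """Return {app: action} for every app with a plan that appears in the events."""
    return {app: classify(ratios) for app, ratios in usage_ratios(events, plans).items()}


if __name__ == "__main__":
    for app, action in sorted(plan_actions(EVENTS, PLANS).items()):
        print(f"{app:15s} {action}")
```

Keeping the aggregation (`usage_ratios`) separate from the rules (`classify`) is deliberate: the counts are what the slide says to capture from day one, while the thresholds are business decisions that can change later without touching the data path.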
Demo
Demo Setup
References
• Building an ecosystem for API Security (White Paper)
  • http://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/
• API Facade Pattern (Webinar)
  • http://wso2.com/library/webinars/2014/01/implementing-api-facade-using-wso2-api-management-platform/
• API Management: missing link for SOA
  • http://sanjiva.weerawarana.org/2012/08/api-management-missing-link-for-soa.html
• Promoting Service Reuse
  • http://wso2.com/whitepapers/promoting-service-reuse-within-your-enterprise-and-maximizing-soa-success/
Download API Manager today!
• http://wso2.com/products/api-manager/
Contact us!