Tips and Tricks for your Service Oriented Architecture @ CakeFest 2013 in San Francisco

Post on 08-May-2015


A collection of advice on how not to bang your head against the wall like I did while taming service-oriented architectures.

Transcript of Tips and Tricks for your Service Oriented Architecture @ CakeFest 2013 in San Francisco

TIPS AND TRICKS FOR YOUR SERVICE ORIENTED ARCHITECTURE

CakeFest, San Francisco, Sep 2013

WARNING: NO CAKEPHP AHEAD

This talk is for those...

Stuck with the legacy

dealing with CRONs

in need of a solid foundation

rely on web services

need a pluggable software architecture

SOA

Agenda

1. Service Oriented WHAT?!?!

2. Tips, Tricks and lessons learned (the hard way)

3. Conclusion

1. SO(A) WHAT?

A software design based on discrete software components, "services", that collectively provide the functionalities of the larger software application

You typically start with the infamous web application, which does everything on its own.

Then you realize that, to provide a chat system to your users, PHP might not be the best...

And soon you also decide, to improve performance, that your frontend should have its own in-memory persistence, to be faster, and you put it into another service.

Then, as always...

SCALE.

And eventually, your lead architect will come up and tell you that your Java-based chat sucks and should be replaced with...

NODEJS

In human-understandable words, SOA is a software design which embraces splitting a monolithic, totalitarian software architecture into smaller pieces, thus making them independent, loosely coupled and more maintainable

Ok, but in the real world?

A few points...

DATA

each service might have its own data layer, but nothing prevents you from sharing data across the services

reads: abstract the data

WEBSERVICES

Services can request data from other services, usually through web services (WSs)

POX

SOAP

HTTP

REST

Note to self: check the difference between HTTP and REST APIs (HATEOAS)

EVENTS

services notify the architecture that an event has happened

asynchronous messaging queues

2. TIPS AND TRICKS LEARNT THE HARD WAY

2.1 AVOID SOA

DIFFICULT TO TEST

COMPLEX

SOA would be overkill for most of the common scenarios

But if you're handling a product or a monolithic software stack, the added complexity pays off in the long run

2.2 FREE THE DATA

CONSIDER ELIMINATING FK CONSTRAINTS

A service might need to handle data with another DBMS, so FKs are virtually impossible

ABSTRACT THE DATA

You might think in "rows" but the architecture thinks in "resources"

No more FKs, and no more JOINing to retrieve related data

But you choose what perfectly fits each service: your transactions over a RDBMS and your community over a graph DB

2.3 Standardize

Build a vast suite of E2E tests

and give your developers a way to easily test

EVERY DEVELOPER NEEDS THE ENTIRE ARCHITECTURE ON LOCAL

The architecture needs to be installed in ~1 hour

Setting up VMs is a hassle and they are so slow!

go #vagrant

2.4 IDENTIFY WISELY

AUTHENTICATION IS KING

Centralized authentication = identity service

NEVER HANDLE CREDENTIALS IN CLEAR


NEVER.

man in the middle

SSL

tokenize

OAuth

OpenID

JWS
JSON WEB SIGNATURE

JWT
JSON WEB TOKEN

JOSE
JAVASCRIPT OBJECT SIGNING & ENCRYPTION

1. The user enters the credentials once in your frontend (JS APP)

2. The JS app will forward them to your Auth webservice (JS APP -> AUTH SERVICE)

3. The Auth webservice will then generate the encrypted JWS and set a cookie with its value (AUTH SERVICE -> JS APP)

4. The JS app can now just execute calls using that cookie

setcookie($name, $jws, $ttl, $path, $domain, true); // the sixth argument, true, is the "secure" flag: the cookie is only sent over HTTPS

JWS in PHP?

namshi/jose

Issuing the token (Auth webservice):

    use Namshi\JOSE\JWS;

    // RS256: signed with the identity service's private key,
    // verifiable by every other service with the public key only
    $jws = new JWS('RS256');
    $jws->setPayload(array(
        'uid' => $user->getId(),
    ));

    $privateKey = openssl_get_privatekey("file:///path/to/private.key");
    $jws->sign($privateKey);
    setcookie('identity', $jws->getTokenString(), ...); // plus the cookie flags shown above (secure, HTTPS only)

Verifying the token (any other service):

    use Namshi\JOSE\JWS;

    $jws = JWS::load($_COOKIE['identity']);
    // openssl_pkey_get_public() takes PEM content or a file:// URI, not a bare path
    $public_key = openssl_pkey_get_public("file:///path/to/public.key");

    if ($jws->verify($public_key)) {
        echo "EUREKA!"; // the 'uid' claim can now be trusted for this request
    }
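An added, stand-alone illustration of what the identity cookie carries and of what a consuming service has to check before it trusts the uid inside. This is example code written for this transcript, not the talk's PHP or the namshi/jose library: it uses HS256 (HMAC-SHA256) from Python's standard library instead of the RS256 key pair above so that it runs without dependencies, but the compact serialization (base64url header.payload.signature) and the checks are the same ones an RS256 verifier performs. One caveat the slides gloss over: a JWS is signed, not encrypted, so whoever holds the cookie can read the payload; keep it to identifiers such as uid. The secret, the uid value, the cookie domain and the timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. In the architecture from the talk the identity service
# holds the signing key (an RSA private key for RS256) and the other services
# only get what they need to verify.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"


def b64url_encode(data):
    """Base64url without '=' padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(payload, secret, ttl_seconds=3600, now=None):
    """Issue a compact JWS with HS256, adding iat and exp claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = dict(payload, iat=now, exp=now + ttl_seconds)
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jws(token, secret, now=None):
    """Return the claims if the token is authentic and unexpired, else None.

    These are the checks a consuming service must do before trusting 'uid':
    exactly three segments, header alg pinned to the expected value (anything
    else, 'none' included, is refused), constant-time signature comparison,
    and an exp claim that is still in the future.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims


def identity_cookie(token, ttl_seconds, domain):
    """Set-Cookie value matching setcookie(..., secure=true), plus HttpOnly so the
    token is not readable from page scripts."""
    return (
        "identity=" + token
        + "; Max-Age=" + str(ttl_seconds)
        + "; Path=/; Domain=" + domain
        + "; Secure; HttpOnly; SameSite=Lax"
    )


if __name__ == "__main__":
    token = sign_jws({"uid": 42}, DEMO_SECRET)
    print(identity_cookie(token, 3600, "example.com"))
    print(verify_jws(token, DEMO_SECRET))
```

verify_jws() deliberately ignores whatever algorithm the token announces and pins the one the service expects; trusting the header's alg field is what lets a forged token with "alg": "none" or a swapped algorithm slip through. The Secure and HttpOnly attributes in identity_cookie() are the flag the setcookie() call above sets plus the one it should also set.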

I can't simply use the HTTP basic authentication, it was so convenient!

...and flawed.

Modern apps, modern tech.

All my authenticated traffic needs to go through HTTPS: it will be so SLOW!

Only if you don't know about...


WebP

lossless compression

30% smaller than PNG

And if you don't know about...

SPDY

HTTP on steroids

(come to my next talk)

(that one won't suck)

2.5 EMBRACEMESSAGING

Don't wait, notify instead

Different services can intercept an event, separately

If one is down, the others keep working

Who cares about milliseconds for notifications?

The human body is the bottleneck

Email?

SMS?
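The fan-out described above, as an added example that is not part of the original talk: a tiny in-memory stand-in for a broker (constructed, not RabbitMQ) with one durable queue per subscriber. It shows the two properties the slides claim: the publisher only enqueues and never waits on a consumer, and when the SMS notifier is down the email notifier keeps working while the SMS messages wait and are delivered once it is back. Messages are removed from a queue only after the handler succeeds (ack) and stay at the head on failure (nack), so a crash mid-delivery loses nothing. Subscriber names, event shapes and order ids are constructed.

```python
from collections import defaultdict, deque


class Broker:
    """Minimal fan-out broker (constructed demo, not RabbitMQ).

    Each subscriber has its own durable queue. publish() only enqueues, so the
    publisher never waits on, or fails because of, a slow or dead consumer.
    """

    def __init__(self):
        self.queues = defaultdict(deque)
        self.handlers = {}
        self.up = {}

    def subscribe(self, name, handler):
        self.queues[name]  # materialize this subscriber's queue
        self.handlers[name] = handler
        self.up[name] = True

    def publish(self, event):
        """Fan the event out to every subscriber queue; returns the number of copies queued."""
        for q in self.queues.values():
            q.append(event)
        return len(self.queues)

    def set_down(self, name, down=True):
        """Simulate a consumer outage (the daemon crashed and has not been restarted yet)."""
        self.up[name] = not down

    def deliver(self, name):
        """Drain one subscriber's queue. A message leaves the queue only after its
        handler returned (ack); on an exception it stays at the head for redelivery (nack)."""
        if not self.up.get(name):
            return 0
        q = self.queues[name]
        delivered = 0
        while q:
            try:
                self.handlers[name](q[0])
            except Exception:
                break
            q.popleft()
            delivered += 1
        return delivered

    def backlog(self, name):
        return len(self.queues[name])


def run_scenario():
    """Order events published while the SMS notifier is down: email keeps flowing,
    the publisher never blocks, and SMS catches up once it is back."""
    broker = Broker()
    sent_email, sent_sms = [], []
    broker.subscribe("email", lambda ev: sent_email.append(ev["order_id"]))
    broker.subscribe("sms", lambda ev: sent_sms.append(ev["order_id"]))

    broker.set_down("sms")
    for order_id in (101, 102, 103):  # constructed order ids
        broker.publish({"type": "order.created", "order_id": order_id})

    email_first = broker.deliver("email")      # all three go out
    sms_while_down = broker.deliver("sms")     # nothing delivered, nothing lost
    sms_backlog = broker.backlog("sms")        # three waiting

    broker.set_down("sms", down=False)
    sms_after_restart = broker.deliver("sms")  # late, but complete

    return {
        "email_first": email_first,
        "sms_while_down": sms_while_down,
        "sms_backlog": sms_backlog,
        "sms_after_restart": sms_after_restart,
        "email_ids": sent_email,
        "sms_ids": sent_sms,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key + ": " + str(value))
```

The redelivery rule in deliver() is what a real broker gives you with acknowledgements: a consumer that dies after reading a message but before acking it has not lost that message, and "who cares about milliseconds" holds because the backlog simply drains when the daemon is back.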

Be reliable

“Daemons are great”- No PHP developer ever

SUPERVISOR http://supervisord.org/

SUPERVISE http://cr.yp.to/daemontools/supervise.html

use python ;-)

It doesn’t matter...

if you talk الحروف العربیة ("Arabic letters")

Rabbit makes everyone talk the same language

chat

Batch processing

frontend

sync daemons

transcoding

agony

ERP

telcom

But I ♥ PHP

Monogamy is so '90s

"given a hammer, everything becomes a nail"

One size doesn’t fit all

2.5 ALWAYS SUNDAY?

Monitor in real time

and do retrospectives

Talking about retrospectives?

Logs are first-class citizens

Sharpen as much as possible

Assume things will break

All in all...

SOA is complex

A puzzle with more pieces

More things to keep in mind

COMPLEX IS NOT COMPLICATED

Loose coupling

every service is independent, not forced to the constraints of a monolithic block

you have the freedom of changing or replacing services without the hassle of touching an entire system

State-of-the-art defense against outages

Fault tolerance

if one of the services has an outage, the rest of the architecture still works

if a service, listening for messages, is down, the publisher doesn't get stuck

Cleaner architecture

SoC (separation of concerns) happens at the architectural, not the application, level, and you can perform large-scale refactorings without the fear of destroying the entire system

Perfect ground for advanced tooling

...yawn...


Thanks!

Alessandro Nadalin

@_odino_

Namshi | Rocket Internet

VP Technology

odino.org

Image credits

http://www.flickr.com/photos/randystiefer/6998037429/sizes/h/in/photostream/
http://www.flickr.com/photos/55432818@N02/5500963965/
http://www.flickr.com/photos/pamhule/4503305775/
http://www.flickr.com/photos/wili/1427890704/
http://www.flickr.com/photos/nickpiggott/5212959770/sizes/l/in/photostream/
http://www.flickr.com/photos/nomad9491/2549965427/sizes/l/in/photostream/
http://www.flickr.com/photos/amyvdh/95764607/sizes/l/in/photostream/
http://www.flickr.com/photos/matthoult/4524176654/
http://www.flickr.com/photos/kittyeden/2416355396/sizes/l/in/photostream/
http://www.flickr.com/photos/jpverkamp/3078094381/
http://www.flickr.com/photos/madpoet_one/5554416836/
http://www.flickr.com/photos/87792096@N00/2732978107/
http://www.flickr.com/photos/petriv/4787037035/
http://www.flickr.com/photos/51035796522@N01/111091247/sizes/l/in/photostream/
http://www.flickr.com/photos/m-i-k-e/6366787693/sizes/l/in/photostream/
http://www.flickr.com/photos/39065466@N04/9111005211/
http://www.flickr.com/photos/marchorowitz/5449945176/sizes/l/in/photolist-9iAoQ1-8s4ueH-bCWef9-bCWdPh-e48XUm-bu67nh-a7xaEr-8wLiNh-9aYU1k-9F4VUN-dYqzr1-9vosHb-8BtFuw-8P3h2e-9tqc6M-82qpt4-7UgkBJ-dgSnfS-aJiubZ-9Xji2U-9UVpkC-7BSh7Y-8GE54k-91GHtB-8VMHJ2-8wiwvo-aCmPCg-925Tg8-bcBv9T-dGUseY/
http://www.flickr.com/photos/blegg/745322703/sizes/l/in/photostream/
http://www.flickr.com/photos/centralasian/4649550142/sizes/l/in/photostream/
http://www.flickr.com/photos/pennstatelive/4947279459/sizes/l/in/photostream/
http://www.flickr.com/photos/tjblackwell/7819341478/
http://www.flickr.com/photos/brainbitch/6066375386/
http://www.flickr.com/photos/nnova/4215594009/
http://www.flickr.com/photos/publicenergy/2246574379/
http://www.flickr.com/photos/andrewteman/4592833017/sizes/o/in/photostream/
http://www.flickr.com/photos/beautifulrevelry/8548004964/sizes/o/in/photostream/
http://www.flickr.com/photos/denaldo/5066810104/sizes/l/in/photostream/
http://www.flickr.com/photos/picturewendy/8365723674/sizes/l/in/photostream/
http://www.flickr.com/photos/danielygo/6644679037/sizes/l/in/photostream/
http://www.flickr.com/photos/ross/7614352/sizes/l/in/photostream/
http://www.flickr.com/photos/75932013@N02/6874087329/sizes/l/in/photostream/
http://crucifixjel.deviantart.com/art/300-Wallpaper-03-66516887