An introduction to the Azure AppFabric
WebDay, Porto, Feb. 2, 2010
Pedro Félix
(pedrofelix at cc.isel.ipl.pt)
Azure AppFabric
• Set of services
– Service Bus (SB)
– Access Control Service (ACS)
• Running in the cloud
– Based on Windows Azure Platform
• Providing
– SB : Service Connectivity, Addressability and Discoverability
– ACS : Service Access Control
A Motivating Scenario
[Diagram: CloudTrack, a cloud-based, multi-tenant issue-tracker web app; Fabrikam users create/view issues, Contoso users view/manage issues]
• Issue Tracker web app
• Cloud-based
• Multi-tenant
Connectivity challenges
[Diagram: CloudTrack in the cloud; on-premises systems at Fabrikam and Contoso sit behind firewalls and NAT; message flows: create new issue, notify new issue, fetch trace data]
Challenges
• Addressability and discoverability
– Private addresses and Network Address Translation (NAT)
– Dynamic addresses (e.g. ISP)
• Connectivity
– Firewalls (denial of inbound connections)
– Event distribution
– Transient connectivity
Service Bus
[Diagram: outbound connections pass the firewall/NAT, inbound connections do not, and the on-premises service has no address a client can reach]
“All problems in computer science can be solved by another level of indirection”
Butler Lampson
[Diagram: the Service Bus in the cloud as the level of indirection; client and service both reach it with outbound connections]
Connectivity and addressability
• Relay
– Service “listens” on the SB via an outbound connection
– Client “sends” to the SB, addressing the service's public address
– SB relays between client and service
[Diagram: client sends to the public address on the Service Bus; service listens via an outbound connection]
Naming and discovery
• Naming
– Service is exposed via a public name
– Local DNS binds these public names to IP addresses
– Local registry describes available public names
[Diagram: client resolves the public name through DNS and looks it up in the registry, then sends to the Service Bus; service listens via an outbound connection]
Naming and discovery
• Naming
– Public service namespaces
– One Azure project – multiple service namespaces
– {scheme}://{namespace}.servicebus.windows.net/{relpath}
• Registry
– Mapping between URIs and services
– Readable via HTTP+ATOM
Buffering
• Buffering
– One-way messaging
– Temporal decoupling
[Diagram: client sends a one-way message to a public name on the Service Bus; the service listens via an outbound connection and need not be connected at send time]
Eventing (pub-sub)
• Eventing – multicast
– One-way messages
– Multiple listeners
– Message distribution – multicast
[Diagram: one sender, several listeners each connected outbound to the Service Bus; a single message is delivered to every listener]
Security
• Access Control
– Both “listen” and “send” are subject to access control
– Programmable authorization policy, defined in ACS
• Isolation – the SB is the DMZ
[Diagram: sender and listener both connect outbound to the Service Bus and are authorized against ACS; no inbound connection reaches the on-premises networks]
WCF architecture
[Diagram: client channel stack (user code, protocol channels, encoding, transport) and service channel stack (transport, encoding, protocol channels, dispatcher, service implementation); each channel is described by a binding element, and the binding elements compose a binding]
• Channel stack with transport and protocol channels
• Channels described by binding elements
• One binding contains several binding elements
WCF and SB
[Diagram: the same client and service channel stacks, with the transport channel and its binding element replaced by Service Bus relay versions]
• New bindings
– New transport channels and binding elements
• New behaviors
Bindings
• WebHttpRelayBinding
– HTTP (Web programming model)
– Client interoperability
• BasicHttpRelayBinding and WS2007HttpRelayBinding
– SOAP over HTTP (Basic Profile | WS-*)
– Client interoperability
• NetTcpRelayBinding
– Similar to NetTcpBinding (request-response and duplex)
• NetOnewayRelayBinding and NetEventRelayBinding
– One-way, with buffering and multicast
Binding elements
• Http(s)RelayTransportBindingElement
• TcpRelayTransportBindingElement
• RelayedOnewayTransportBindingElement
Demo
http://demos-pfelix.servicebus.windows.net/webday
Access Control Service
• Identity and access control
• Distributed systems
– Decentralized authority
– Heterogeneous technologies
• Claims-based model
• SB integration
Identity and Authorization
[Diagram: Alice authenticates to the webapp (IssueTracker) with her creds; her identity Contoso::Alice and role Contoso::LeadDev have to be mapped to the application roles webapp::IssueView and webapp::IssueMgr]
Centralized Solution
[Diagram: the webapp holds identities and roles itself: MembershipProvider for the credentials, RoleProvider for the Contoso::LeadDev to webapp::IssueMgr mapping, IPrincipal.IsInRole(...) at the enforcement point]
Decentralized Authority
[Diagram: the Contoso Authority (Contoso Identity Provider) authenticates Alice and asserts Contoso::Alice and Contoso::LeadDev; the webapp maps those claims to webapp::IssueView and webapp::IssueMgr]
[Diagram: the identity directory stays at Contoso; the webapp trusts Contoso's assertions instead of keeping its own copy of the identities]
Decision Enforcement
[Diagram: identity information comes from Contoso; the authorization decision (webapp::IssueView for the webapp, webapp::SB.Listen for a service on the Service Bus) is taken by the Access Control Service; authorization enforcement happens at the webapp and at the Service Bus]
Access Control Service
[Diagram: Alice presents creds to the Identity Provider (Contoso) and is asserted Contoso::LeadDev; the Access Control Service takes the authorization decision and issues webapp::IssueView for the webapp and webapp::SB.Listen for the SB; the webapp and the SB enforce]
Access Control Service
• Claims-based Identity and Access Control
• Claims transformer (“claims in, claims out”)
– Consumes claims from federated issuers
– Provides claims to applications and services
• Rule-based issuance policy
– Rule: if the input token carries claim1, then output claim2
• Not an identity provider
– Does not manage users’ identities
Protocols and technologies
• AppFabric 1.0
– OAuth WRAP (Web Resource Authorization Profiles)
– Simple Web Token (SWT)
• Future (and past)?
– WS-Federation – “passive” (browser-based) federation
– WS-Trust – “active” (SOAP-based) federation
– LiveID integration
WRAP
[Diagram: the client obtains a bearer token with authorization claims from the Authorization Server, which relies on the Identity Provider; it then calls the Protected Resource's API presenting that bearer token]
WRAP and SWT
• Simple Web Token (SWT)
– Form-encoded name-value pairs
– HMAC-SHA-256 symmetric signature (key shared between issuer and relying party; computed over the token up to the HMACSHA256 parameter)
• WRAP token request
– HTTP POST
– username+password or authentication assertion (e.g. SAML)
• WRAP protected client call
– HTTP header (Authorization: WRAP access_token="…")
– GET or POST parameter (wrap_access_token="…")
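Building an SWT, verifying it the way a relying party (the Service Bus or the webapp) must, and extracting it from a WRAP Authorization header, as an added example in Python (not code from the talk, ACS or the Service Bus). The signing key and the issuer URI are constructed; the audience reuses the demo URL from the slides; `net.windows.servicebus.action` is the claim type the Service Bus checked for its Listen/Send/Manage actions. The verifier checks the MAC in constant time before reading any field, rejects duplicate parameters, and then checks issuer, audience and expiry, because a bearer token grants access to whoever presents it.

```python
"""Simple Web Token (SWT) issue/verify and WRAP header handling.

Added example, not code from the talk or from ACS/Service Bus. Key and issuer
are constructed; the audience is the demo URL from the slides.
"""
import base64
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qsl, unquote_plus, urlencode

# Constructed 256-bit key. ACS hands each relying party a base64-encoded
# symmetric key; whoever verifies the token must hold the same key.
SIGNING_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
ISSUER = "https://acs.example/"                                  # hypothetical issuer
AUDIENCE = "http://demos-pfelix.servicebus.windows.net/webday"   # demo URL from the slides


class SwtError(ValueError):
    pass


def _mac(key_b64, signed_part):
    key = base64.b64decode(key_b64)
    digest = hmac.new(key, signed_part.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_swt(key_b64, issuer, audience, claims, lifetime_s, now=None):
    """Form-encode Issuer, Audience, ExpiresOn (epoch seconds) and the claims,
    then append HMACSHA256 computed over everything before it."""
    now = int(time.time()) if now is None else now
    pairs = [("Issuer", issuer), ("Audience", audience), ("ExpiresOn", str(now + lifetime_s))]
    pairs += sorted(claims.items())
    signed_part = urlencode(pairs)
    return signed_part + "&" + urlencode({"HMACSHA256": _mac(key_b64, signed_part)})


def verify_swt(key_b64, token, expected_issuer, expected_audience, now=None):
    """Return the claims of a valid token; raise SwtError on any failure."""
    now = int(time.time()) if now is None else now
    marker = "&HMACSHA256="
    idx = token.rfind(marker)
    if idx < 0:
        raise SwtError("no HMACSHA256 parameter")
    signed_part, sig = token[:idx], token[idx + len(marker):]
    if "&" in sig:
        raise SwtError("HMACSHA256 must be the last parameter")
    # Authenticate first: nothing else in the token is trustworthy before this.
    expected = _mac(key_b64, signed_part)
    if not hmac.compare_digest(unquote_plus(sig).encode(), expected.encode()):
        raise SwtError("bad signature")
    try:
        pairs = parse_qsl(signed_part, strict_parsing=True)
    except ValueError as e:
        raise SwtError(f"malformed token: {e}") from None
    claims = {}
    for name, value in pairs:
        if name in claims:  # two values for one name invite parser-differential bugs
            raise SwtError(f"duplicate parameter {name}")
        claims[name] = value
    if claims.get("Issuer") != expected_issuer:
        raise SwtError("unexpected issuer")
    if claims.get("Audience") != expected_audience:
        raise SwtError("token not issued for this relying party")
    try:
        expires_on = int(claims["ExpiresOn"])
    except (KeyError, ValueError):
        raise SwtError("missing or malformed ExpiresOn") from None
    if expires_on <= now:
        raise SwtError("token expired")
    return claims


_WRAP_HEADER = re.compile(r'^WRAP\s+access_token="([^"\s]+)"$')


def token_from_authorization_header(header_value):
    """Pull the bearer token out of the value of `Authorization: WRAP access_token="..."`."""
    m = _WRAP_HEADER.match(header_value.strip())
    if not m:
        raise SwtError("not a WRAP Authorization header")
    return m.group(1)


if __name__ == "__main__":
    now = int(time.time())
    token = build_swt(SIGNING_KEY_B64, ISSUER, AUDIENCE, {"net.windows.servicebus.action": "Listen"}, 600, now)
    presented = token_from_authorization_header(f'WRAP access_token="{token}"')
    print(verify_swt(SIGNING_KEY_B64, presented, ISSUER, AUDIENCE, now))
    try:  # flipping Listen to Manage without the key must fail the MAC check
        verify_swt(SIGNING_KEY_B64, presented.replace("Listen", "Manage"), ISSUER, AUDIENCE, now)
    except SwtError as e:
        print("tampered token rejected:", e)
```

The audience check is what keeps a token minted for the webapp from being replayed against the Service Bus namespace (or the other way round); the expiry check is the only thing that bounds the damage of a leaked bearer token, so the verifier's clock must be trustworthy.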
Demo
[Diagram: Alice (LeadDev) authenticates with username+password to an on-premises identity provider (Membership, WIF) over WS-Trust and receives a SAML token; the SAML token is exchanged at the Access Control Service over WRAP for an SWT; the service (WIF) presents the SWT to the Service Bus to Listen]
Finally …
• Service Bus
– Connectivity
– Addressability and discoverability
– Eventing
– Buffering
• Access Control Service
– Authorization Decision Point
• For the Service Bus
• For other services, either in the cloud or on-premises
– Flexible claims-based policy