AVOIDING SPEED BUMPS ON THE ROAD TO MICROSERVICES
Scott Shaw, Head of Technology, ThoughtWorks Australia

MICROSERVICE ENVY
Google Trends data: "service oriented architecture" versus "microservices"
THE SPEED BUMPS
▫︎ DDD
▫︎ REST
▫︎ Automation
▫︎ Cloud
▫︎ DevOps
▫︎ Logging
▫︎ Monitoring
▫︎ Resilience
▫︎ Testing with CDCs
▫︎ Conway
▫︎ Postel
▫︎ Data Aggregation
▫︎ Access Control & Security
▫︎ Managing Change
Aggregating Data
SINGLE DATASTORE PRINCIPLE
BUT AS A SYSTEM EVOLVES…
JIA YANG'S STORY
SIDEBAR: SERVICE COMPOSITION
The monolithic approach: a single Tax Regime Service, where Customers are JOINed with "in the EC tax regime" inside one database.
Naive service implementation: the tax service asks geography for "Countries in the EC", then asks customers for "customers in the EC".
Composed services: tax fetches the countries in the EC from geography, then queries customers with GET … ?country_list=UK,NL,SE... to get the customers in the EC.
Composed services, by reference: tax queries customers with GET … ?filter=https://geo/countries?r=ec, so the filter points at the geography resource by URL instead of inlining the country list.
AGGREGATING DATA
Services: tax, geography ("Countries in the EC"), customers ("Customers in the EC").
How do we know if these states are consistent?
Event streams to the rescue: tax reacts to events from geography ("Changes in EC membership") and from customers ("Changes in customer status").
AGGREGATING DATA
Services: tax, geography, customers. The customer event stream is exposed as a resource:
GET https://integration-toolkit.com/customers/events
IMPLEMENTING EVENTS
Option 1: Chuck 'em in the DB.
Option 2: Hipster batch: Tax, Geography and Customer exchange event files through shared storage (S3).
Option 3: Special-purpose event store: Customers write to an Event Store, Geography consumes it through an event subscription (JS), and "projections" are built from the stream.
Delegated Authority & Access Control

DELEGATED ACCESS MANAGEMENT
JWT, ADFS, OpenID 2.0, HMAC, OAuth 2.0, SAML v2, OpenID Connect
FENDY'S STORY
THE OLD WORLD OF PERIMETER SECURITY
The End User presents credentials to the Identity Provider and receives a token; the Web Application does token verification and hands the browser a cookie; behind it, the token is passed on to the Application.
Questions this raises: stateless? whose identity? Which token is passed on to each downstream service (token, token)?
VARIOUS APPROACHES
▫︎ 2-Way SSL/TLS
▫︎ HMAC signing
▫︎ JWT
▫︎ NTLM/WIF/ADFS
▫︎ SAML v2
▫︎ OAUTH 2.0
▫︎ OPENID Connect
Ask these questions ...
• Considered both authentication and authorisation?
• Based on open standards?
• Simple enough to be widely used?
• Supports a modern web integration strategy?
• Has proven implementations?
EXAMPLE OPENID CONNECT FLOW
The End User signs in at the OpenID Connect Provider, which returns an access code and an id token to the App; the App forwards the access code and id token to Resource and Another Resource. The id token carries claims such as:
{
  "iss": "op.example.com",
  "c_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
  "email_verified": "true",
  "sub": "10769150350006150715113082367",
  "azp": "another_resource",
  "email": "sshaw@thoughtworks.com",
  "aud": ["resource", "another_resource"],
  "iat": 1353601026,
  "exp": 1353604926
}
BEWARE
PKI secrets (ssshh!): how to manage and distribute keys?
• Expire
• Revoke
• Distribute
Also need:
• CSRF
• Nonce
• Correct implementation
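Claim-level checks for an id token like the one on the flow slide, as an added example (not the presenter's code): it assumes a JWT library has already verified the JWS signature, and takes the relying party's client id and the nonce it generated as parameters, which is where the "nonce" and "correct implementation" items above bite.

```python
import time

# Constructed copy of the ID token claims shown on the "Example OpenID Connect flow" slide.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "op.example.com",
    "c_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
    "email_verified": "true",
    "sub": "10769150350006150715113082367",
    "azp": "another_resource",
    "email": "sshaw@thoughtworks.com",
    "aud": ["resource", "another_resource"],
    "iat": 1353601026,
    "exp": 1353604926,
}


def validate_id_token_claims(claims, expected_issuer, client_id,
                             expected_nonce=None, now=None, leeway=60):
    """Return the list of failed checks; an empty list means the claims are acceptable.

    Assumes the JWS signature was already verified by a JWT library, so the claims
    cannot simply have been rewritten. Only the claim-level checks are shown here.
    """
    problems = []
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not include this client")
    # With several audiences (as on the slide), azp names the party the token was
    # issued to; a token issued to "another_resource" must not be accepted as ours.
    if len(audiences) > 1 and "azp" not in claims:
        problems.append("multiple audiences but no azp")
    if "azp" in claims and claims["azp"] != client_id:
        problems.append("azp is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        problems.append("token expired or exp missing")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + leeway:
        problems.append("iat missing or in the future")
    # The nonce ties the token to the login request that started this flow (replay defence).
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    return problems
```

The sample token was issued in 2012, so the tests below pin `now` to a time inside its validity window; in production leave `now` unset.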
Managing Change

MANAGING CHANGE
Does your system look like this? (a tangle of interdependent services)
Maybe it should look like this instead: JUICE!
RYAN'S STORY
BACK TO THE TAX EXAMPLE …
Services: tax, geography, customers.
Assignment: some logic moves from here (geography) and some logic from here (customers) into tax. But how?
HOW TO MANAGE THE CHANGE
1. DO NOTHING: may be better than the chaos of not having clear ownership and accountability.
2. ONE BIG VERSION CHANGE: version all your services, test them together, release them together.