WSO2Con USA 2017: Building an Effective API Architecture

Posted on 22-Jan-2018


TRANSCRIPT

WSO2 API Manager: Building an Effective API Architecture

Nuwan Dias, Architect, WSO2

Knowing the Components

Diagram: the product's components are Publisher, Store, Admin, Traffic Manager, Gateway, Key Manager and Analytics. The slide groups them into scalable components and non-scalable components.

Understanding the Storage

Storage Types

• Registry Database - Stores API metadata, tenant key stores, documents, tags.

• API Manager Database - Stores API runtime data, application data, token data, etc.

• Permissions Database - Stores role-to-permission and user-to-permission mappings.

• Analytics Summary Database - Stores API/application usage summaries.

Understanding the Storage, contd.

Component       | Reads only from                        | Writes to
Publisher       | Permissions DB, Analytics DB           | Registry, APIM DB
Store           | Permissions DB, Analytics DB, Registry | APIM DB
Key Manager     | Permissions DB, Registry               | APIM DB
Traffic Manager | Permissions DB                         | -

Creating an API

Diagram: the Publisher and the Store share two stores: the API Manager DB (runtime data) and the Registry DB (metadata).

Publishing an API (LAN / DMZ)

Diagram: the Publisher (LAN) pushes the API to the Gateway Manager over a secure web service call; the Gateway Manager distributes it to the Gateway Workers (DMZ). The Store sits alongside the Publisher in the LAN.


API: The runnable artifact

<api name="nuwan--Petstore" context="/petstore/1.0.0" version="1.0.0" version-type="context">
    <resource methods="POST PUT" url-mapping="/pet">
        ...
    <resource methods="DELETE PUT GET" uri-template="/user/{username}">
        ...
    <handlers>
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler">
        ...

API: The handler flow

<handlers>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.common.APIMgtLatencyStatsHandler"/>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
        <property name="apiImplementationType" value="ENDPOINT"/>
    </handler>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.throttling.ThrottleHandler"/>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.analytics.APIMgtUsageHandler"/>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler"/>
</handlers>

The handlers run in the order listed: the authentication handler executes before throttling, usage metering and the extension handler, so a request with an invalid token is rejected before it consumes quota or appears in usage data.

API Security

Security Validation

Diagram: the Application/User presents a token to the API Gateway; the Gateway validates it against the Key Server.

OAuth 2.0 Grants - Client Credentials

OAuth 2.0 Grants - Resource Owner Password

OAuth 2.0 Grants - Authorization Code

OAuth 2.0 Grants - Implicit

Image credits (grant flow diagrams): Prabath Siriwardena

Implicit grant: the access token is returned to the client in the redirect URL fragment, for example:

http://callback/#access_token=car292msdjtuis92lla

The Role of the Authorization/Key Server

Endpoints:

POST /register

GET, PUT, DELETE /register/{client_id}

POST /introspection

POST /token

POST /revoke

Diagram: the API Store (client registration and management) and the Resource Server (Gateway, token introspection) both talk to the Authorization/Key Server.

Responsibilities: Authentication, Authorization, Client Registration, Client Management, Introspection, Revocation, Token Management, Federation.
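The exchange behind the endpoints above, as an added example that is not part of the slides or of WSO2's code: an in-memory key server exposing the equivalents of /register, /token, /introspection and /revoke, and a gateway that validates a bearer token by introspection before enforcing the resource's scope. Only the client-credentials grant is modelled; the client name "petstore-app" and the scopes "pet:read"/"pet:write" are constructed for the demo, and the message shapes follow RFC 6749, RFC 7009 and RFC 7662 rather than any product.

```python
"""Added example (not WSO2 code): in-memory model of the key server endpoints on the
slide and of a gateway that validates bearer tokens by introspection."""
import hmac
import secrets
import time


class KeyServer:
    """Authorization/Key Server: registration, token issuance, introspection, revocation."""

    def __init__(self):
        self.clients = {}  # client_id -> {"name", "secret", "grant_types"}
        self.tokens = {}   # access_token -> {"client_id", "scope", "exp", "active"}

    def register(self, client_name, grant_types):
        """POST /register: dynamic client registration returns fresh credentials."""
        client_id = secrets.token_urlsafe(12)
        client_secret = secrets.token_urlsafe(24)
        self.clients[client_id] = {"name": client_name, "secret": client_secret,
                                   "grant_types": list(grant_types)}
        return {"client_id": client_id, "client_secret": client_secret}

    def token(self, client_id, client_secret, grant_type, scope="", ttl=3600):
        """POST /token: authenticate the client, then issue a random opaque bearer token."""
        client = self.clients.get(client_id)
        # Constant-time secret comparison; same error for unknown id and wrong secret.
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        if grant_type not in client["grant_types"]:
            return {"error": "unauthorized_client"}    # grant not enabled for this client
        if grant_type != "client_credentials":
            return {"error": "unsupported_grant_type"}  # other grants are not modelled here
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "scope": scope,
                                     "exp": time.time() + ttl, "active": True}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": ttl, "scope": scope}

    def introspect(self, token):
        """POST /introspection: {"active": false} for unknown, revoked or expired tokens."""
        rec = self.tokens.get(token)
        if rec is None or not rec["active"] or rec["exp"] <= time.time():
            return {"active": False}
        return {"active": True, "client_id": rec["client_id"],
                "scope": rec["scope"], "exp": int(rec["exp"])}

    def revoke(self, token):
        """POST /revoke: idempotent; revoking an unknown token is not an error (RFC 7009)."""
        rec = self.tokens.get(token)
        if rec is not None:
            rec["active"] = False


class Gateway:
    """Resource server: parse the Authorization header, introspect, enforce scope."""

    def __init__(self, key_server):
        self.key_server = key_server

    def handle(self, headers, required_scope):
        """Return (status, body) as the gateway would answer before proxying the request."""
        parts = headers.get("Authorization", "").split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
            return 401, {"error": "invalid_request"}   # missing or malformed header
        info = self.key_server.introspect(parts[1].strip())
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        if required_scope and required_scope not in info["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"client_id": info["client_id"]}


def demo():
    """Walk one constructed client through the lifecycle; returns the gateway status codes."""
    key_server = KeyServer()
    gateway = Gateway(key_server)
    creds = key_server.register("petstore-app", ["client_credentials"])
    grant = key_server.token(creds["client_id"], creds["client_secret"],
                             "client_credentials", scope="pet:read")
    bearer = {"Authorization": "Bearer " + grant["access_token"]}
    ok, _ = gateway.handle(bearer, "pet:read")            # valid token, scope present
    wrong_scope, _ = gateway.handle(bearer, "pet:write")  # valid token, scope missing
    key_server.revoke(grant["access_token"])
    revoked, _ = gateway.handle(bearer, "pet:read")       # introspection now says inactive
    malformed, _ = gateway.handle({"Authorization": "Bearer"}, "pet:read")
    return ok, wrong_scope, revoked, malformed


if __name__ == "__main__":
    print(demo())  # (200, 403, 401, 401)
```

In a real deployment the introspection endpoint must itself authenticate the gateway (RFC 7662 requires the resource server to be authorized), and a gateway that caches introspection results should bound the cache TTL, because revocation is only as fast as the next uncached lookup.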

Traffic Management Architecture

Diagram: the Gateway publishes Request Events to the Traffic Manager and receives Throttle Events back; the Throttling Policies that the Traffic Manager evaluates are defined in the Policy Designer.

Traffic Manager Scalability

• The Traffic Manager does not scale.

• A single Traffic Manager can handle up to 10 Gateways at maximum capacity.

• If a deployment consists of more than 10 Gateways, the Gateways should be divided into groups (clusters) of 10 nodes each, with one Traffic Manager per group.

Analytics Architecture

Diagram: the Gateway publishes events to Analytics; raw events go to Raw Events Storage (big data), and the Processed Data (summary) is read by the Publisher/Store and the Admin over REST/HTTP.

API: Stages vs Environments - Stages

Stages: Production, Staging, Dev.

Each stage has its own Back-End Systems, Data and Runtime.

Use appropriate tooling/processes for the promotion/demotion of artifacts.

API: Stages vs Environments - Environments

Diagram (Production stage): Gateway (External), Gateway (Internal), Key Manager (External), Key Manager (Internal), Publisher, Store.

API: Stages vs Environments

Stage                                                          | Environment
Represents a state of an API                                   | Represents the execution runtime of an API in a given state
An API may go through modifications when moving between stages | The API definition is fixed across environments
Shouldn't share data between stages                            | May share data across environments
Ownership of the API/data may change across stages             | Ownership of the API/data remains the same across all environments

Regional Gateways - Database Sync Pattern

Diagram: US-East and US-West each have a Load Balancer, a Gateway and a Key Manager. The two regions' databases sync tables selectively, so a token issued in one region is usable in the other only once the token tables have replicated.

Regional Gateways - Token Prefix Pattern

Diagram: US-East and US-West each have a Load Balancer, a Gateway and a Key Manager. The US-East Key Manager creates tokens with the prefix "EAST" and the US-West Key Manager with the prefix "WEST"; each region's Gateway validates that the presented token carries its own region's prefix ("EAST" in US-East, "WEST" in US-West), so no token data needs to be replicated between regions.

Regional Gateways - Token Prefix Pattern

// Key Manager side: prefix every issued token with the region ID.
// REGION_ID (a system property name) and log are declared in parts of the class not shown on the slide.
public class CustomTokenGenerator extends OauthTokenIssuerImpl {

    @Override
    public String accessToken(OAuthTokenReqMessageContext tokReqMsgCtx) throws OAuthSystemException {
        String regionID = System.getProperty(REGION_ID);
        if (log.isDebugEnabled()) {
            log.debug("Region ID = " + regionID);
        }
        String accessToken = UUID.randomUUID().toString();
        // No region configured: fall back to an unprefixed token.
        return regionID != null ? regionID + accessToken : accessToken;
    }
}

// Gateway side: a handler that refuses tokens issued by another region.
public class RegionValidator extends AbstractHandler {

    public boolean handleRequest(MessageContext messageContext) {
        String regionId = System.getProperty(REGION_ID);
        if (log.isDebugEnabled()) {
            log.debug("Region ID = " + regionId);
        }

        . . . . . . . . .   // header lookup elided on the slide; bearerToken holds the Authorization header value

        // Split into scheme and token; a bare "Bearer" header would make the slide's
        // bearerToken.split(" ")[1] throw, so treat it like a missing token instead.
        String[] parts = bearerToken == null ? null : bearerToken.trim().split("\\s+", 2);
        if (parts == null || parts.length != 2 || regionId == null || parts[1].startsWith(regionId)) {
            // No bearer token provided (the authentication handler will reject the request),
            // no region configured, or the provided token is of the expected region.
            return true;
        }
        handleAuthFailure(messageContext);
        return false;
    }
}
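The same pattern as an added, self-contained example (not the slides' or WSO2's code), modelling both halves: issuance with a region prefix on the key manager and the prefix check on the gateway, including the header edge case the slide's split-and-index does not handle. The region IDs "EAST" and "WEST" come from the slide; the function names and the "no region configured disables the check" behaviour are this example's assumptions.

```python
"""Added example (not WSO2 code): model of the token prefix pattern for regional gateways."""
import uuid


def issue_token(region_id):
    """Key manager side: region prefix + random UUID; unprefixed when no region is set."""
    token = str(uuid.uuid4())
    return region_id + token if region_id else token


def bearer_token(authorization):
    """Extract the token from an Authorization header; None if absent or malformed.
    The slide's split(" ")[1] raises on a bare 'Bearer' header; this returns None."""
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def region_check(authorization, region_id):
    """Gateway handler: True to continue the handler chain, False to fail the request.
    As on the slide, a request with no token passes through so that the authentication
    handler later in the chain rejects it; a token from another region is refused here."""
    if not region_id:
        return True  # assumption: no region configured disables the check
    token = bearer_token(authorization)
    if token is None:
        return True
    return token.startswith(region_id)


def demo():
    """Cross-region checks with constructed tokens; returns the handler decisions in order."""
    east_token = issue_token("EAST")
    west_token = issue_token("WEST")
    return (
        region_check("Bearer " + east_token, "EAST"),  # own region: continue
        region_check("Bearer " + west_token, "EAST"),  # other region: refuse
        region_check("Bearer " + east_token, "WEST"),  # other region: refuse
        region_check(None, "EAST"),                    # no token: defer to auth handler
        region_check("Bearer", "EAST"),                # malformed: no exception, defer
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False, True, True)
```

The prefix is a routing hint, not authentication: the token still has to be validated by the authentication handler against the key manager that issued it. Region IDs should also not be prefixes of one another (a region "EA" would accept every "EAST" token), or a delimiter should separate the prefix from the random part.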

API Manager: Multi Datacenter Deployment

Types of Data Center Deployments

• Single Master, Active-Active

• Single Master, Active-Passive (Disaster Recovery)

• Multi Master, Active-Active

Diagram: one data center holds the Master database; the other is Master or Slave depending on the deployment type.

ThankYou!
