An introduction to .Net Services
Pedro Félix (pedrofelix em cc.isel.ipl.pt)
.NET Services
• Set of services
– Service Bus (SB)
– Access Control Service (ACS)
• Running in the cloud
– Based on Windows Azure
• Providing
– SB: Service Addressability, Connectivity and Discoverability
– ACS: Service Access Control

A Motivating Scenario
[Figure: CloudTrack, an issue tracker web app used by two tenants: Fabrikam (create/view issues) and Contoso (view/manage issues)]
• Issue Tracker web app
• Cloud-based
• Multi-tenant

Connectivity challenges
[Figure: CloudTrack exchanging messages with on-premises systems behind firewalls and NAT: "Create new issue", "Notify new issue", "Fetch log data"]

Connectivity Challenges
• Addressability
– Private addresses and Network Address Translation (NAT)
– Dynamic addresses (e.g. ISP)
• Connectivity
– Firewalls
• Discoverability

Service Bus Relay
[Figure: a private service behind firewall/NAT opens an outbound TCP connection to the Relay and registers a Public Name in the Registry; clients query the Registry via HTTP + ATOM and reach the service through the Relay]
• Connectivity: public projection of private endpoints
• Addressability and discoverability

Service Bus
• Naming
– Public namespace
– {scheme}://{solution}.servicebus.windows.net/{relpath}
• Registry
– Mapping between URIs and services
– Readable via HTTP+ATOM
• Connectivity and eventing
– Relaying between public (SB) and private endpoints
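As an added example (not code from the slides or from the .NET Services SDK), the parser below splits a Service Bus public name into the three parts of the naming scheme above and rejects anything outside that shape, so a listener cannot accidentally register under, and a sender cannot be steered to, a host that merely contains the servicebus.windows.net string. The accepted scheme set and the rule that a solution name is a single DNS label are assumptions made here; the demo URI is the one shown on the slides.

```python
import re
from urllib.parse import urlsplit

# Shape of a Service Bus public name, as given on the slide:
#   {scheme}://{solution}.servicebus.windows.net/{relpath}
SERVICE_BUS_HOST_SUFFIX = ".servicebus.windows.net"
# Assumed scheme set: sb for the TCP relay, http/https for request-reply
RELAY_SCHEMES = {"sb", "http", "https"}
# Assumed: a solution name is one DNS label (no dots, no empty name)
SOLUTION_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def parse_service_bus_name(uri):
    """Split a Service Bus public name into (scheme, solution, relpath).

    Raises ValueError for anything outside the documented shape: wrong host
    suffix, dotted or empty solution, userinfo or port, query or fragment.
    """
    parts = urlsplit(uri)
    if parts.scheme not in RELAY_SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if parts.username is not None or parts.port is not None:
        raise ValueError("userinfo and port are not part of a public name")
    host = parts.hostname or ""  # lower-cased, without port or userinfo
    if not host.endswith(SERVICE_BUS_HOST_SUFFIX):
        raise ValueError(f"not a servicebus.windows.net host: {host!r}")
    solution = host[: -len(SERVICE_BUS_HOST_SUFFIX)]
    if not SOLUTION_LABEL.fullmatch(solution):
        raise ValueError(f"bad solution name {solution!r}")
    if parts.query or parts.fragment:
        raise ValueError("query and fragment are not allowed in a public name")
    relpath = parts.path.strip("/")
    return parts.scheme, solution, relpath


def is_service_bus_name(uri):
    """True when the URI parses as a public name in the documented shape."""
    try:
        parse_service_bus_name(uri)
    except ValueError:
        return False
    return True


def same_solution(uri_a, uri_b):
    """True when both names live in the same {solution} namespace, e.g. a
    listener's endpoint and the registry entry a client resolved for it."""
    return parse_service_bus_name(uri_a)[1] == parse_service_bus_name(uri_b)[1]


if __name__ == "__main__":
    demo = "http://felixdemos.servicebus.windows.net/remix09"  # demo URI from the slides
    print(parse_service_bus_name(demo))
    # A look-alike host that only ends in a different domain is rejected
    print(is_service_bus_name("http://felixdemos.servicebus.windows.net.example.org/remix09"))
```

The suffix check is done on the parsed hostname rather than with a substring search on the whole URI, which is what makes the look-alike host in the last line fail.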

Demo
http://felixdemos.servicebus.windows.net/remix09

Service Bus Security
[Figure: Service Bus relay with ACS in front of it; the client on the public side is labelled Send, the service behind firewall/NAT is labelled Listen]
• DMZ externalization
– Public endpoints hosted on the cloud
• Flexible Access Control with ACS
– Claims-based model

Connectivity
[Figure: relay connections labelled TCP on the private and public sides, and HTTP]
• WCF integration via transport binding elements
• Bidirectional (similar to NetTcpBinding)
• Request-reply (similar to *HttpBinding)

Datagram multicast (pub-sub)
[Figure: a sender and several listeners connected to the relay over TCP]
• NetEventRelayBinding (oneway)
– Multiple opened service hosts on the same URI
– Multicast: message delivered to all listeners
– Support for HTTP pooling

Access Control Service
[Figure: CloudTrack scenario]
• Identity and access control
• Distributed systems
– Decentralized authority
– Heterogeneous technologies
• Claims-based model
• SB integration

Identity and Authorization
[Figure: Alice presents creds to webapp (IssueTracker); identity claims Contoso::Alice and Contoso::LeadDev, application claims webapp::IssueView and webapp::IssueMgr]

Centralized Solution
[Figure: the same claims (Contoso::Alice, Contoso::LeadDev, webapp::IssueView, webapp::IssueMgr) handled inside webapp (IssueTracker) by MembershipProvider, RoleProvider and IPrincipal.IsInRole(...)]

Decentralized Authority
[Figure: Contoso Authority (Contoso Identity Provider) on one side, webapp on the other; claims Contoso::Alice, Contoso::LeadDev, webapp::IssueView, webapp::IssueMgr]

Decentralized Authority
[Figure: Identity Directory at Contoso, webapp on the other side; claims Contoso::Alice, Contoso::LeadDev, webapp::IssueView, webapp::IssueMgr]

Decision Enforcement
[Figure: Contoso supplies Identity Information, Access Control Service makes the Authorization Decision, webapp and ServiceBus perform Authorization Enforcement; claims Contoso::Alice, Contoso::LeadDev, webapp::IssueView, webapp::IssueMgr, webapp::SB.Listen]

Access Control Service
[Figure: three columns. Identity Provider: Contoso, creds, Alice, Contoso::LeadDev. Authorization Decision: Access Control Service, webapp::IssueView, webapp::SB.Listen. Authorization Enforcement: webapp, SB]
• Claims-based Identity and Access Control
• Claims transformer (“claims in, claims out”)
– Consumes claims from federated issuers
– Provides claims to applications and services
• Rule based issuance policy
– Rule: If has claim1 then output claim2
• Not an identity provider
– Does not manage user’s identities19
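The following is an added example, not ACS code or the slides' own code, that models the three roles of the Decision Enforcement and Access Control Service slides in one place: a federated issuer (Contoso, Fabrikam) supplies identity claims, a claims transformer applies "if has claim1 then output claim2" rules and outputs application claims, and an enforcement point (webapp or Service Bus) checks for an action claim much as IPrincipal.IsInRole checks a role in the centralized solution. A shared-key HMAC stands in for the token signature, so the enforcement point can tell a claim ACS issued from one a caller asserted about itself; the key, the issuer names, the rules and Alice's claims are all constructed for the example, and the SB.Listen rule assumes the webapp authenticates to ACS as issuer "CloudTrack", which the slides do not specify.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

ACS = "ACS"  # issuer name the transformer puts on every claim it outputs
SIGNING_KEY = b"constructed-demo-key"  # constructed; shared by ACS and enforcement points


@dataclass(frozen=True)
class Claim:
    issuer: str  # who asserted the claim, e.g. "Contoso"
    type: str    # e.g. "name", "group", "action"
    value: str   # e.g. "LeadDev"


@dataclass(frozen=True)
class Rule:
    """One issuance rule: if the input claim is present, output the output claim."""
    in_issuer: str
    in_type: str
    in_value: str
    out_type: str
    out_value: str


@dataclass(frozen=True)
class Token:
    claims: tuple  # output claims, all issued by ACS
    mac: str       # integrity tag over the claims (stand-in for a token signature)


def mac_for(key, claims):
    """Deterministic HMAC over the claim list, computed by issuer and verifier alike."""
    payload = json.dumps([[c.issuer, c.type, c.value] for c in claims],
                         separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class ClaimsTransformer:
    """Models the ACS role on the slides: claims in from federated issuers, claims out
    to applications and services. It holds no user directory, only issuers and rules."""

    def __init__(self, trusted_issuers, rules, key):
        self.trusted_issuers = frozenset(trusted_issuers)
        self.rules = tuple(rules)
        self.key = key

    def issue(self, incoming):
        # Federation trust: claims from unknown issuers, including incoming claims
        # that merely *say* they were issued by ACS, are dropped before any rule runs.
        accepted = {(c.issuer, c.type, c.value)
                    for c in incoming if c.issuer in self.trusted_issuers}
        outputs = {Claim(ACS, r.out_type, r.out_value)
                   for r in self.rules if (r.in_issuer, r.in_type, r.in_value) in accepted}
        claims = tuple(sorted(outputs, key=lambda c: (c.type, c.value)))
        return Token(claims, mac_for(self.key, claims))


def is_permitted(token, action, key=SIGNING_KEY):
    """Enforcement point (webapp or Service Bus): the claims-based counterpart of
    IPrincipal.IsInRole. Only an action claim inside a token ACS really issued counts."""
    if not hmac.compare_digest(token.mac, mac_for(key, token.claims)):
        return False  # forged or tampered token
    return Claim(ACS, "action", action) in token.claims


# Constructed policy for the CloudTrack scenario. The SB.Listen rule assumes the
# webapp authenticates to ACS as issuer "CloudTrack"; the slides do not say how.
CLOUDTRACK_RULES = (
    Rule("Contoso", "group", "LeadDev", "action", "IssueView"),
    Rule("Contoso", "group", "LeadDev", "action", "IssueMgr"),
    Rule("Fabrikam", "group", "Customer", "action", "IssueView"),
    Rule("CloudTrack", "name", "IssueTracker", "action", "SB.Listen"),
)
CLOUDTRACK_ACS = ClaimsTransformer({"Contoso", "Fabrikam", "CloudTrack"},
                                   CLOUDTRACK_RULES, SIGNING_KEY)


def alice_claims():
    """Constructed identity claims for Alice as issued by Contoso's identity provider."""
    return [Claim("Contoso", "name", "Alice"), Claim("Contoso", "group", "LeadDev")]


if __name__ == "__main__":
    token = CLOUDTRACK_ACS.issue(alice_claims())
    print(token.claims)
    print(is_permitted(token, "IssueMgr"), is_permitted(token, "SB.Listen"))
```

Two checks carry the security weight: the transformer filters on issuer before any rule matches, so a LeadDev group claim asserted by an untrusted party produces nothing, and the enforcement point verifies the tag before looking at the claims, so a caller cannot add an action claim to a token after ACS issued it.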

Protocols and technologies
[Figure: CloudTrack (WIF) federating with the Access Control Service; Contoso identities from Active Directory via ADFS v2 and CardSpace, with Alice's LeadDev claim mapped to IssueView; links labelled WS-*, SAMLP and "WS-* ?"]