bk2015 architecture, security and scaling
TRANSCRIPT
Enterprise GIS in practice
• Possible deployment scenarios for ArcGIS for Server
• How to ensure security
• Users, roles, login (authentication and authorisation)
• Scaling mechanisms
• Tools for monitoring status and identifying bottlenecks
Single machine deployment
• Advantages
• Straightforward to install, maintain, and upgrade.
• High performance because local paths are used to access resources; this is ideal for hosting cached map and image services.
• Disadvantages
• May not fit your security requirements, since ArcGIS Server Manager and ArcGIS Server Administrator Directory are exposed through the same port (6080) that everyone else uses to access the services.
• Nonstandard HTTP ports (6080 and 6443 if using HTTPS) are used to expose services to clients.
• Web tier authentication is not available without ArcGIS Web Adaptor.
• Not highly available; the GIS server is a single point of failure.
Configuring users and roles in AGS
• Users and roles are fetched from a user store.
• Authorisation happens in ArcGIS Manager
• Services and folders are made available to Public or to a selection of roles
• Users and roles are also administered in Manager when the built-in user store is used
• Authentication happens in ArcGIS Server or in the Web Tier
• ArcGIS Server authentication
• Built-in users and roles
• Users in Active Directory and roles in either Active Directory or the built-in store
• Users in LDAP and roles in either LDAP or the built-in store
• Users in a custom store and roles in the custom or the built-in store
• Web Tier authentication
• Any user store for which the web server has built-in or extensible support
• For example, if your web server has built-in support for Active Directory, LDAP, and custom identity stores, you may use one of the following configurations:
• Users in Active Directory and roles in either Active Directory or the built-in store
• Users in LDAP and roles in either LDAP or the built-in store
• Users in a custom store and roles in the custom or the built-in store
Single machine with reverse proxy
• Advantages
• Complements the single-machine deployment with an extra level of security.
• Disadvantages
• The use of a reverse proxy server can potentially add an overhead to requests to your ArcGIS Server services. This is especially true when leveraging web tier authentication for very large and complex (nested groups or federated) enterprise identity stores.
• Not highly available; the GIS server and reverse proxy server are single points of failure if either goes offline.
Single-machine high-availability (active-passive)
• Advantages
• The active-passive failover configuration allows you to build a redundant GIS server tier without incurring additional licensing fees. Standby servers can be licensed at no additional cost.
• Upgrades/changes without downtime
• Disadvantages
• Each site must be administered independently and manually kept in sync.
• When switching to the standby site, any active requests in the primary site are lost
Single-machine high-availability (active-active)
• Advantages
• Conceptually straightforward. Minimal interdependencies between GIS servers make it easy to replace stale or faulty machines, apply upgrades, or add and remove machines from the pool of GIS servers as needed without interrupting services or aborting requests.
• If map tiles are stored locally on every machine, this configuration provides significant performance advantages as compared to multiple-machine sites. In fact, this configuration is ideal if your objective is to increase the capacity of cached map services.
• Disadvantages
• It is your responsibility to keep all sites in sync. This adds an administrative overhead that can make this deployment pattern impractical for cases where you have many machines or services/caches that change frequently.
• Requires knowledge of third-party load balancers.
• Asynchronous GP services require sticky sessions in the load balancer
Multiple machine deployment with Web Adaptor
• Advantages
• A single ArcGIS Server site provides the means to easily administer ArcGIS Server and its services across a number of machines.
• Easy to adjust the capacity of your site by adding and removing GIS server machines.
• Load balancing is handled among GIS servers.
• Integrate standard organization authentication by using web tier authentication through ArcGIS Web Adaptor.
• Disadvantages
• Use of server directories and data in shared network locations can negatively affect performance of services under heavy load.
• The config store is a single point of failure (SPOF)
Multiple machine deployment with third party load balancer
• Advantages
• A single ArcGIS Server site provides the means to easily administer ArcGIS Server and its services across a number of machines.
• Easy to adjust the capacity of your site by adding and removing GIS server machines.
• Load balancing is handled among GIS servers.
• Advanced third-party functionality in the reverse proxy can be used, e.g. IP-filtered access to WMS services
• Disadvantages
• Use of ArcGIS Server directories and data in shared network locations can negatively affect performance of services under heavy load.
• Requires understanding of third party load balancers.
• Does not support web tier authentication. Use the previous setup (with Web Adaptor) to support this.
Multiple machine deployment with GIS server clusters
• Advantages
• Integrates with your organization's network load balancer (NLB) and web server through ArcGIS Web Adaptor.
• More secure as administrative URLs to the site can be blocked with ArcGIS Web Adaptor.
• Load balancing is handled at NLB and among GIS servers.
• Single sign on (SSO) can be set up using web-tier authentication on the web server hosting ArcGIS Web Adaptor.
• GIS server machines can be configured to run dedicated subsets of services.
• Disadvantages
• Administrators need to install, set up, and maintain multiple GIS server machines.
• Not ideal for hosting cached map and image services, because the cache is on a shared network directory or duplicated on each machine.
• A cluster can be a single point of failure if it's configured to run on a single GIS server. If the machine goes offline, the services running on the cluster will be unavailable.
• Depending on the number of machines within a site and within a cluster, network bandwidth, and shared network drive performance (where the configuration store and other server directories may be located), this architecture is subject to scalability restrictions. It's recommended that you create single cluster sites (which can have multiple machines) whenever possible.
• Scalability
• A multiple machine site with clusters is subject to scalability restrictions, introduces challenges in isolating issues and troubleshooting, and increases overall network communication. As mentioned above, it's recommended that you create single cluster sites (which can have multiple machines) whenever possible.
Scaling ArcGIS Server
• Scaling service instances
• AGS scales service instances (arcsoc processes) up and down
• Scaling more machines into a site
• Scaling more sites into a load-balanced configuration
Lifecycle of service instances
• Each service in AGS is configured with a minimum and a maximum number of running instances (arcsoc processes)
• At startup, the minimum number of instances is started
• When a request to the service is to be handled:
• An idle, running instance gets the job. If none is idle, and fewer than the maximum number of instances are running, a new instance is started and then gets the job.
• If the maximum number of instances is already running, the request is queued until an instance becomes idle.
• Requests can time out
• Because the instance doing the job takes too long
• Because starting a new instance takes too long
• Because the wait for an idle instance is too long
• If an instance has been idle for a long time, AGS can stop it to save resources
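The lifecycle above as a small simulation, written for this page (it is not Esri code and not how arcsoc scheduling is implemented). The min/max counts, start-up cost, timeout and idle limit are constructed values; real services are tuned per service in Manager.

```python
from dataclasses import dataclass, field

@dataclass
class ServicePool:
    min_instances: int
    max_instances: int
    startup_cost: float  # seconds needed to spawn a new arcsoc process (assumed)
    max_wait: float      # request timeout while waiting for or starting an instance
    idle_limit: float    # idle seconds after which AGS may stop an instance
    busy_until: list = field(default_factory=list)  # one entry per running arcsoc

    def __post_init__(self):
        # At startup AGS launches the configured minimum number of instances.
        self.busy_until = [0.0] * self.min_instances

    def handle(self, now, work):
        """Dispatch a request arriving at `now` needing `work` seconds; return its path."""
        for k, free_at in enumerate(self.busy_until):
            if free_at <= now:                       # an idle instance takes the job
                self.busy_until[k] = now + work
                return "served_by_idle"
        if len(self.busy_until) < self.max_instances:
            # No idle instance but room to grow: spawn one and pay the start-up cost.
            self.busy_until.append(now + self.startup_cost)
            if self.startup_cost > self.max_wait:
                return "timeout_starting"            # instance comes up, but the client gave up
            self.busy_until[-1] += work
            return "served_by_new"
        k = min(range(len(self.busy_until)), key=self.busy_until.__getitem__)
        if self.busy_until[k] - now > self.max_wait:  # queued longer than the timeout
            return "timeout_queued"
        self.busy_until[k] += work                   # queue behind the first to free up
        return "served_after_queue"

    def reap_idle(self, now):
        """Stop instances idle longer than idle_limit, never going below min_instances."""
        recent_first = sorted(self.busy_until, reverse=True)
        keep = [t for t in recent_first if now - t <= self.idle_limit]
        keep += recent_first[len(keep):self.min_instances]
        stopped = len(self.busy_until) - len(keep)
        self.busy_until = keep
        return stopped

def simulate():
    """Constructed burst of requests against a pool with min 1 / max 3 instances."""
    pool = ServicePool(1, 3, startup_cost=2.0, max_wait=5.0, idle_limit=60.0)
    burst = [(0, 10), (1, 10), (2, 10), (3, 10), (8, 1), (20, 1)]  # (arrival, work)
    outcomes = [pool.handle(t, w) for t, w in burst]
    stopped = pool.reap_idle(now=100.0)
    return outcomes, stopped, len(pool.busy_until)
```

Running `simulate()` shows the fourth request of the burst timing out in the queue even though the pool grew to its maximum, which is the capacity-planning signal the statistics tools below expose as queue time and free instances.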
Response time
[Figure: response-time diagram. Components shown: ArcMap/Web client, Network I/O, ArcGIS Server, SQL and Disk I/O, Enterprise Geodatabase, Intra/Internet resources, Cloud resources; response time is measured end to end at the ArcMap/Web client.]
Available tools
• Mxdperfstat
• System Monitor
• ArcGIS for Server statistics
• System Test
• PerfQAnalyzer
• SQL-Trace
mxdperfstat Demo
mxdperfstat -mxd <DocumentName.mxd>
[-scale scale1;scale2;...]
[-xy <x;y>]
[-width <screen width> -height <screen height>]
System Monitor
• A tool for collecting statistics from ArcGIS and the underlying servers
• Requests/sec
• Free instances
• Busy time/request
• CPU/memory
• Database
• +++
ArcGIS for Server statistics
• New in 10.3
• Analyse usage over time
• Response time
• Total number of requests
• Number of instances
System Test
• Tool for testing GIS solutions based on ArcGIS for Server
• Used to
• Create realistic tests
• Run tests
• Collect test results and produce a report
PerfQAnalyzer
• Tool for performance-testing ArcMap-based solutions
• Measures
• Drawing times
• Editing
• Database activity
SQL Trace
• Can log all SQL statements and report
• Execution time
• Number of rows read
• ++++
• SQL Server (SQL Profiler)
• PostgreSQL (postgresql.conf)
• Oracle (dbms_system.set_ev)
SQL Trace
SELECT 1 SHAPE, Element, N5_OSLO_TEKST5000TEKST.OBJECTID,
..
..
FROM
GEONIS.N5_OSLO_TEKST5000TEKST N5_OSLO_TEKST5000TEKST WHERE
SDE.ST_EnvIntersects(N5_OSLO_TEKST5000TEKST.SHAPE,:1,:2,:3,:4) = 1 AND
((NOT Status = 1 OR Status is NULL))
call count cpu elapsed disk query current rows
------- ------ -------- ---------- ---------- ---------- ---------- ----------
Parse 0 0.00 0.00 0 0 0 0
Execute 1 0.00 0.00 0 0 0 0
Fetch 3 0.01 0.07 0 280 0 289
------- ------ -------- ---------- ---------- ---------- ---------- ----------
total 4 0.01 0.08 0 280 0 289
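A small parser for the trace summary block above, added here as an example (not part of the slides or any Esri tool). It embeds the slide's own call/count table as input and derives the figures a tuner looks at first; the `slow_seconds` threshold is an assumed value.

```python
# Trace summary as shown on the slide above (Oracle tkprof-style layout).
TRACE = """\
call     count       cpu    elapsed       disk      query    current        rows
------- ------  -------- ---------- ---------- ---------- ---------- ----------
Parse        0      0.00       0.00          0          0          0          0
Execute      1      0.00       0.00          0          0          0          0
Fetch        3      0.01       0.07          0        280          0        289
------- ------  -------- ---------- ---------- ---------- ---------- ----------
total        4      0.01       0.08          0        280          0        289
"""
COLUMNS = ("count", "cpu", "elapsed", "disk", "query", "current", "rows")


def parse_trace(text):
    """Return {call: {column: value}} for the Parse/Execute/Fetch/total rows."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, the dashed rules and anything that is not a data row.
        if len(parts) != len(COLUMNS) + 1 or parts[0] == "call" or parts[0][0] == "-":
            continue
        rows[parts[0]] = {c: float(v) if "." in v else int(v)
                          for c, v in zip(COLUMNS, parts[1:])}
    return rows


def summarize(rows, slow_seconds=0.05):
    """Derive the figures worth checking first when hunting slow statements."""
    total, fetch = rows["total"], rows.get("Fetch", {})
    logical_reads = total["query"] + total["current"]   # buffer gets, not disk reads
    execs = rows["Execute"]["count"]
    return {
        "elapsed": total["elapsed"],
        "wait": round(total["elapsed"] - total["cpu"], 2),  # time not spent on CPU
        "rows": total["rows"],
        "reads_per_row": round(logical_reads / total["rows"], 2) if total["rows"] else None,
        "rows_per_fetch": round(total["rows"] / fetch["count"], 1) if fetch.get("count") else None,
        "parse_calls_per_exec": round(rows["Parse"]["count"] / execs, 2) if execs else None,
        "slow": total["elapsed"] > slow_seconds,
    }
```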
Where are the tools?
• http://www.arcgis.com/home/item.html?id=a269d03aa1c840638680e2902dadecac (mxdperfstat)
• http://www.arcgis.com/home/item.html?id=848f48b0f88e4de7a036377197453efe (System Monitor)
• http://www.arcgis.com/home/item.html?id=e8bac3559fd64352b799b6adf5721d81 (System Test)
• http://blogs.esri.com/esri/supportcenter/2014/02/03/calibrating-arcgis-performance-with-perfqanalyzer-new-build-available-for-download/ (PerfQAnalyzer)