problems you’ll face in the microservice world: configuration, authentication... - devoxx france...

The problems you run into with microservices: configuration, authentication and other delights. Quentin ADAM - @waxzce

Upload: quentin-adam

Post on 13-Apr-2017


TRANSCRIPT

The problems you run into with microservices: configuration, authentication and other delights


Quentin ADAM - @waxzce

Who am I ?

Quentin ADAM from Clever Cloud. @waxzce on Twitter, GitHub, SoundCloud, Instagram.

My day-to-day work: Clever Cloud, the IT automation company

Keep your apps online. Made with Node.js, Scala, Java, Ruby, PHP, Python, Go

Cloud & on premise

And learn a lot of things about your code, apps, and good/bad design

Give back to the community

NEVER GONNA LET YOU DOWN
clever-cloud.com

The beginning: how did Clever Cloud start? How was the roadmap defined?

Remote Code Execution as a Service

Dog container

We are happy

Multiple stacks

Scaling

Evolution

Team management

Architecture as a playground: Lego FTW

Microservice communication

NO TRUSTED NETWORK

https://www.clever-cloud.com/blog/guests/2015/06/16/the-end-of-the-fortress-metaphor/

Server -> Server:
- Authenticated
- Encrypted
- Auditable/logged

Loosely coupled

Routing is a problem

Message box

Duplicate messages

Analytic and audit

HTTP for all?

Message brokers:
- RabbitMQ (FR: https://www.youtube.com/watch?v=VBUQXM96hpw, EN: https://www.youtube.com/watch?v=15mzY2MfDgM)
- Kafka
- Redis?
- 0MQ?

Warp10 / time series DB

The right size? What are the boundaries of a microservice?

Noisy Microworker army

Beware of (massive) RPC (Remote Procedure Call)

Network is two problems: Fragile and Slow

Microservices are not workload distribution: Akka, Project Avalon, Erlang OTP, Hadoop

One service has to actually provide a service by itself

Fat monoliths

Microservices creating too many libs?

Why are these two functions in the same service? Or can I it?

Do we have a common data store?

Do these features need the same scaling agenda?

Example Clever Cloud


Configuration on multiple spots

Configuration != Code

Zk, etcd, Consul: so many possibilities

Simpler way: never change at runtime

Immutable infrastructure (FR) https://www.youtube.com/watch?v=WrZCbgQsPVU

Agnostic solution: environment variables

Clever Cloud service dependencies

https://www.clever-cloud.com/blog/features/2016/06/23/introducing-service-dependencies/

No over-engineering of configuration: when you need to configure the configuration injector, you have gone too far

Who the hell are you? Distribute Authentication

Distribute Identity and ACL

Common solutions (or not)

Shared data repository

The first idea for many developers is to share access to a database holding the session data (memcached or Redis), plus read access to the ACL database (SQL or something).

Issues with this:
- a change to the data model requires editing all the services
- it imposes heavy connection handling and pooling on the databases, which is an ops problem
- it creates a SPOF
- it imposes a lot of code rewriting in each microservice

Authentication using a proxy

[Diagram labels: Request; Reverse Proxy + Database call + Business code + Authentication; Service A, Service B, Service C; Authenticated request with user identity data]

Good part:
- centralisation of authentication and the code related to it

Issues:
- very complicated to mock on a developer laptop: you need to launch the proxy on the dev computer
- the security vision is optimistic
- the user info added by the proxy isn't requested by the service, so it relies on a standard or convention between proxy and service
- the proxy is a SPOF
- several missions are mixed on the proxy: routing, load balancing, authentication, session hydration

PERFORMANCES


Central API call to authenticate request

[Diagram labels: Request; Via reverse proxy; Service A, Service B, Service C; Serialized request + identity needs; Authentication API; Go/no go + identity data]

Central authentication API called by services

In this architecture, services take requests directly and call an API to authenticate each request, serializing the verb, resources and headers and asking for the extra info they will need (user info). The authentication API responds with the authentication result and the user info requested by the service.

Good parts:
- easy to mock and work with on the developer side, no need to start it on the developer computer
- centralisation of the authentication
- security is better handled and there is less possibility of breaching the system by spoofing requests
- services request the additional info themselves, which is simpler to do

Issues:
- the authentication API is a SPOF
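The exchange described above, sketched as an added example (not code from the talk or from Clever Cloud): a service serializes the request plus its identity needs, and an in-memory stand-in for the authentication API answers go/no-go with only the requested identity data. The Bearer scheme, the ACL check inside the API, and all names and sample data are assumptions made for the illustration.

```python
# Constructed sample data held only by the authentication API (not from the talk).
SESSIONS = {"tok-alice": "alice"}                       # session token -> user id
USERS = {"alice": {"id": "alice", "email": "alice@example.test",
                   "roles": ["billing:read"]}}
ACL = [("GET", "/invoices", "billing:read"),            # verb, resource prefix, role
       ("POST", "/invoices", "billing:write")]
AUTH_HEADERS = ("authorization",)                       # the only headers forwarded


def serialize_request(verb, resource, headers, identity_needs):
    """Service side: serialize verb, resource and headers, plus the identity needs."""
    kept = {k.lower(): v for k, v in headers.items() if k.lower() in AUTH_HEADERS}
    return {"verb": verb.upper(), "resource": resource,
            "headers": kept, "identity_needs": list(identity_needs)}


def authentication_api(query):
    """Auth API side (in-memory stand-in): go/no-go plus the requested identity data."""
    deny = {"go": False, "identity": {}}
    scheme, _, token = query["headers"].get("authorization", "").partition(" ")
    user = USERS.get(SESSIONS.get(token)) if scheme == "Bearer" else None
    if user is None:
        return deny
    allowed = any(verb == query["verb"] and query["resource"].startswith(prefix)
                  and role in user["roles"] for verb, prefix, role in ACL)
    if not allowed:                                     # no matching rule: default deny
        return deny
    wanted = {k: user[k] for k in query["identity_needs"] if k in user}
    return {"go": True, "identity": wanted}


def handle_get_invoices(headers, authenticate=authentication_api):
    """Service A handler; the auth client is injectable so a laptop test can mock it."""
    query = serialize_request("GET", "/invoices", headers, ["id"])
    try:
        answer = authenticate(query)
    except Exception:
        return 503, "authentication unavailable"        # SPOF down: fail closed
    if not answer.get("go"):
        return 401, "unauthorized"
    # Identity comes from the API answer, never from client-supplied headers.
    return 200, "invoices for " + answer["identity"]["id"]
```

A client-supplied header such as `X-User-Id` is dropped by `serialize_request` and never read by the handler, which is the spoofing resistance the slide contrasts with the proxy convention.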


We need more tools

JWT

Signature

Macaroons

Keep a hackable and pluggable playground to enforce innovation

Maintenance

Clean legacy code on a regular basis

Why and how bookkeepers f***d up IT
FR: https://www.youtube.com/watch?v=0ip1FoBsLB4
EN: https://www.youtube.com/watch?v=OngWRJ8txps

Deployment agility

No dogma: a fully developer-happiness-oriented architecture

Thank you

Find me on Twitter: @waxzce

Gift coupon for clever-cloud.com:

microdevoxx