AVOIDING SPEED BUMPS ON THE ROAD TO MICROSERVICESyowconference.com.au/.../Shaw-AvoidingSpeedbumpsMicroservices.pdf · AVOIDING SPEED BUMPS ON THE ROAD TO MICROSERVICES ... stateless?

AVOIDING SPEED BUMPS ON THE ROAD TO MICROSERVICESScott Shaw Head of Technology, ThoughtWorks Australia

1

MICROSERVICE ENVY

2

service oriented architecture

microservices

GOOGLE TRENDS DATA

3

XTHE SPEED BUMPS

3

XTHE SPEED BUMPS

DDD REST Automation Cloud DevOps Logging Monitoring

Resilience Testing with CDCs Conway Postel

3

X

Data Aggregation

THE SPEED BUMPS



3

X

Data Aggregation

Access Control & Security

THE SPEED BUMPS



3

X

Managing Change

Data Aggregation

Access Control & Security

THE SPEED BUMPS



4

Aggregating Data

SINGLE DATASTORE PRINCIPAL

5


5


5

6

BUT AS A SYSTEM EVOLVES…

6


6


6


6


7


7


JIA YANG’S STORY

8

JIA YANG’S STORY

8

SIDEBAR: SERVICE COMPOSITION

9

Customers in the EC

tax regime

JOIN

Tax Regime Service

THE MONOLITHIC APPROACH


10

NAIVE SERVICE IMPLEMENTATION

geography

customers

tax

Countries in the EC

Customersin the EC

Countries in the EC


COMPOSED SERVICES

geography

customers

tax

Customers in the EC

GET …?country_list=UK,NL,SE...

GET

Countries in the EC


COMPOSED SERVICES

geography

customers

tax

Customers in the EC

GET … ?filter=https://geo/countries?r=ec

Customers in the EC

Countries in the EC

AGGREGATING DATA

12

geography

customers

tax

Customers in the EC

Countries in the EC

AGGREGATING DATA

12

geography

customers

tax

How do we knowif these states are consistent?

AGGREGATING DATA

12

geography

customers

tax

How do we knowif these states are consistent?

Events to rescue!Reacts to

event streams

Changes incustomer status

Changes in EC Membership

AGGREGATING DATA

13

geography

customers

tax

AGGREGATING DATA

13

geography

customers

tax

GET https://integration-toolkit.com/customers/events

AGGREGATING DATA

13

geography

customers

tax

GET https://integration-toolkit.com/customers/events

IMPLEMENTING EVENTS

14

OPTION 1: CHUCK ‘EM IN THE DB

IMPLEMENTING EVENTS

15

OPTION 2: HIPSTER BATCH

Shared Storage (S3)

Geography Customer

Tax

IMPLEMENTING EVENTS

16

OPTION 3: SPECIAL-PURPOSE EVENT STORE

Event Store

JSCustomers

Geography

Event Subscription

IMPLEMENTING EVENTS

16

OPTION 3: SPECIAL-PURPOSE EVENT STORE

Event Store

JSCustomers

Geography

Event Subscription“Projections”

17

Delegated Authority & Access Control

OpenID 2.0

DELEGATED ACCESS MANAGEMENT

18

HMAC

SAML v2 OAuth 2.0OpenID Connect

ADFSJWT

OpenID 2.0

DELEGATED ACCESS MANAGEMENT

18

HMAC

SAML v2 OAuth 2.0OpenID Connect

ADFSJWT

FENDY’S STORY

19

FENDY’S STORY

19

THE OLD WORLD OF PERIMETER SECURITY

20

cookietoken

credentials

token

verification

Identity Provider

End User Application

WebApplication


20

cookietoken

credentials

token

verification

Identity Provider


WebApplication

stateless?


20

cookietoken

credentials

token

verification

Identity Provider


WebApplication

stateless?

whose identity?


20

cookietoken

credentials

token

verification

Identity Provider


WebApplication

token

token

VARIOUS APPROACHES

▫︎ 2-Way SSL/TLS

▫︎HMAC signing

▫︎ JWT

▫︎NTLM/WIF/ADFS

▫︎ SAML v2

▫︎OAUTH 2.0

▫︎OPENID Connect

21

VARIOUS APPROACHES


▫︎HMAC signing

▫︎ JWT

▫︎NTLM/WIF/ADFS

▫︎ SAML v2

▫︎OAUTH 2.0


21

Ask these questions ...

VARIOUS APPROACHES


▫︎HMAC signing

▫︎ JWT

▫︎NTLM/WIF/ADFS

▫︎ SAML v2

▫︎OAUTH 2.0


21

Ask these questions ...• Considered both authentication

and authorisation?

VARIOUS APPROACHES


▫︎HMAC signing

▫︎ JWT

▫︎NTLM/WIF/ADFS

▫︎ SAML v2

▫︎OAUTH 2.0


21


and authorisation?

VARIOUS APPROACHES


▫︎HMAC signing

▫︎ JWT

▫︎NTLM/WIF/ADFS

▫︎ SAML v2

▫︎OAUTH 2.0


21


and authorisation?• Based on open standards?

VARIOUS APPROACHES


▫︎HMAC signing

▫︎ JWT

▫︎NTLM/WIF/ADFS

▫︎ SAML v2

▫︎OAUTH 2.0


21


and authorisation?• Based on open standards?

VARIOUS APPROACHES


▫︎HMAC signing

▫︎ JWT

▫︎NTLM/WIF/ADFS

▫︎ SAML v2

▫︎OAUTH 2.0


21


and authorisation?• Based on open standards?• Simple enough to be widely used?

VARIOUS APPROACHES


▫︎HMAC signing

▫︎ JWT

▫︎NTLM/WIF/ADFS

▫︎ SAML v2

▫︎OAUTH 2.0


21


and authorisation?• Based on open standards?• Simple enough to be widely used?• Supports a modern web integration

strategy?

VARIOUS APPROACHES


▫︎HMAC signing

▫︎ JWT

▫︎NTLM/WIF/ADFS

▫︎ SAML v2

▫︎OAUTH 2.0


21



strategy?

VARIOUS APPROACHES


▫︎HMAC signing

▫︎ JWT

▫︎NTLM/WIF/ADFS

▫︎ SAML v2

▫︎OAUTH 2.0


21



strategy?• Has proven implementations?

VARIOUS APPROACHES


▫︎HMAC signing

▫︎ JWT

▫︎NTLM/WIF/ADFS

▫︎ SAML v2

▫︎OAUTH 2.0


21



strategy?• Has proven implementations?

EXAMPLE OPENID CONNECT FLOW

22

access code

OpenID Connect Provider

Resource

access code

Another Resource

id token

{“iss":"op.example.com",! "c_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",! "email_verified":"true",! "sub":"10769150350006150715113082367",! “azp”:”another_resource",! “email":"[email protected]",! “aud”:[”resource”, “another_resource”],! "iat":1353601026,! "exp":1353604926 }

access code

id token

Resource

Another Resource

End User App

BEWARE PKI

23

ssshh!

secrets

How to manage anddistribute?

keys

Also Need

• CSRF • Nonce • Correct implementation

• Expire • Revoke • Distribute

24

Managing Change

MANAGING CHANGE

25

DOES YOUR SYSTEM LOOK LIKE THIS?

?

MANAGING CHANGE

26

MAYBE IT SHOULD LOOK LIKE THIS INSTEAD

MANAGING CHANGE

26

MAYBE IT SHOULD LOOK LIKE THIS INSTEAD

JUICE!

RYAN’S STORY

27

RYAN’S STORY

27

BACK TO THE TAX EXAMPLE …

28

geography customers

tax


28

geography customers

tax


28

geography customers

tax


28

geography customers

tax

Assignment


28

geography customers

tax

Assignment

Some logic from here


And fromhere


28

geography customers

tax

Assignment



And fromhere

But How?

HOW TO MANAGE THE CHANGE

29

1.DO NOTHING May be better than the chaos of not having clear ownership and accountability

2.ONE BIG VERSION CHANGEVersion all your services, test them together, release them together

HOW TO MANAGE THE CHANGE

29

1.DO NOTHING May be better than the chaos of not having clear ownership and accountability

2.ONE BIG VERSION CHANGEVersion all your services, test them together, release them together#fail

MANAGING CHANGE

30

geo cust

tax

assignment

MANAGING CHANGE

30

geo cust

tax

assignment

Temp Team

MANAGING CHANGE

31

geo cust

tax

assignment

?

MANAGING CHANGE

31

geo cust

tax

assignment

Long-term ownershipcan’t be ambiguous

SUMMARY

32

1.MICROSERVICES More than a grab-bag of techniques and tools

2.MINDSET SHIFTState Perimeter Punctuated equilibrium

EventsEndpointsContinuous evolution

SUMMARY

32




SUMMARY

32




SUMMARY

32




33

THANKS!

http://www.thoughtworks.com/radar [email protected]

@scottwshaw

mailto:[email protected]

Documents

AVOIDING SPEED BUMPS ON THE ROAD TO MICROSERVICESyowconference.com.au/.../Shaw-AvoidingSpeedbumpsMicroservices.pdf · AVOIDING SPEED BUMPS ON THE ROAD TO MICROSERVICES ... stateless?