APIStrat Conference Workshop: WSO2 - Best Practices for API Management
Transcript of APIStrat Conference Workshop: WSO2 - Best Practices for API Management
Last Updated: March 2014
Best Practices for API Management
Isabelle Mauny, Director, Product Management, WSO2
Thursday, March 27, 14
About the speaker...
๏ French native
๏ Living in Spain
๏ Works mostly with Sri Lanka
๏ 18 years at IBM, 4 years in startups
๏ Managing the overall WSO2 portfolio
๏ Linux command line user
Who is WSO2 ?
๏ Open Source Middleware Platform Provider
๏ Apache 2.0 License
๏ Provides Integration, API Management and Mobile enterprise management products
๏ Main contributor to Apache Stratos PaaS
๏ Creators of the DevOps "AppFactory" cloud solution
Business Model
Define a Business Model
๏ What are the business goals ?
  ๏ Enable 3rd-party Mobile Apps development ?
  ๏ Increase brand recognition ?
  ๏ Open new revenue channels ?
๏ Define the Monetization model
  ๏ Free ?
  ๏ Pay per usage ?
  ๏ Free APIs, but paid via Ads
Development
Services and APIs
๏ A Service deals with implementation
๏ An API deals with subscription (the consumer side)
๏ Two very distinct life cycles !
๏ You don't need the service to create the API...
Building a Managed API
๏ Creating APIs (interface, docs, samples, etc.)
๏ Advertising APIs
๏ Making APIs subscribe-able by consumers
๏ Associating SLAs
๏ Securing APIs
๏ Monetization and Analytics
API Security
API Security
๏ Security is not an afterthought !
๏ APIs are part of a much larger enterprise picture
๏ How will consumers request an access token ?
  ๏ Using a SAML 2.0 assertion (SAML bearer grant) ?
  ๏ Using client_credentials ?
  ๏ Using userid/password (resource owner password grant) ?
๏ Make sure you document thoroughly how developers need to manage tokens:
  ๏ Tokens are like passwords!
  ๏ Always use SSL/TLS for token transport !
  ๏ Use Domain restrictions (WSO2 API Manager)
Fine-grained access to APIs
๏ OAuth2 is all about access control: a token is associated with a scope.
๏ XACML (eXtensible Access Control Markup Language) is the de-facto standard for fine-grained access control.
๏ OAuth scopes can be represented in XACML policies
๏ This provides fine-grained control over what a user/application can do (e.g. you can call GET but not POST on an API)
Passing Auth Information to back-end services
๏ Using JSON Web Tokens (JWT)
  ๏ Lightweight
  ๏ Can be signed
  ๏ Easy to parse and consume
  ๏ Standard
[Diagram: Internal and External Applications -> (OAuth 2 Access Token) -> API Gateway / API Management Layer -> (JSON Web Token) -> Services Layer]
Token Format
๏ JWT Structure: {header (token info)}.{claims list}.{signature}
๏ Each segment is Base64url encoded; the signature covers the first two segments, so verify it before trusting any claim
What are Claims ?
๏ Claims are a set of attributes about a user, mapped to the underlying user store.
๏ A named set of claims is called a dialect (WSO2 Identity Server terminology)
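The exchange described on the last few slides (an OAuth2 scope deciding which method a caller may use, and a signed JWT carrying the user's claims from the gateway to the backend), as an added Python example that is not code from this talk or from WSO2 API Manager. It assumes HS256 with a secret shared between gateway and backend, illustrative claim names (sub, email, scope) and an assumed scope-to-method mapping; everything else is standard-library code.

```python
# Added example, not code from the talk or from WSO2 API Manager.
# A gateway mints a signed JWT carrying user claims plus the OAuth2 scope;
# the backend verifies it and applies a per-method scope check.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a secret shared between the gateway and the backend (HS256).
SHARED_SECRET = b"example-shared-secret-rotate-me"
# Assumption: the OAuth2 scope each HTTP method on the API requires.
REQUIRED_SCOPE = {"GET": "catalog:read", "POST": "catalog:write"}


def _b64url_encode(raw: bytes) -> str:
    # JWT segments are Base64url without the '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Put the stripped padding back before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def gateway_issue_jwt(claims: dict, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Build header.claims.signature once the OAuth2 access token has been validated."""
    now = int(time.time()) if now is None else now
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + \
        _json_segment(dict(claims, iat=now, exp=now + ttl_seconds))
    mac = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def backend_verify_jwt(token: str, now: Optional[int] = None) -> dict:
    """Return the claims only after algorithm, signature and expiry check out; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never get to choose it ("none", or an RS->HS key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def backend_authorize(token: str, method: str, now: Optional[int] = None) -> bool:
    """Fine-grained check: the scope in a verified token must cover the HTTP method."""
    try:
        claims = backend_verify_jwt(token, now=now)
    except ValueError:
        return False
    granted = set(str(claims.get("scope", "")).split())
    return REQUIRED_SCOPE.get(method) in granted


def forge_scope(token: str, new_scope: str) -> str:
    """What a tampering client would try: rewrite the scope claim but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["scope"] = new_scope
    return header_b64 + "." + _json_segment(claims) + "." + sig_b64


if __name__ == "__main__":
    # Constructed claims, as a gateway might map them from the user store.
    token = gateway_issue_jwt({"sub": "alice", "email": "alice@example.com", "scope": "catalog:read"}, now=1_000_000)
    print("GET  with read scope :", backend_authorize(token, "GET", now=1_000_100))
    print("POST with read scope :", backend_authorize(token, "POST", now=1_000_100))
    print("POST, scope forged   :", backend_authorize(forge_scope(token, "catalog:write"), "POST", now=1_000_100))
    print("GET  after expiry    :", backend_authorize(token, "GET", now=1_000_300))
```

The backend pins the algorithm and checks the signature in constant time before it reads a single claim; the forged-scope case shows why the signature has to cover the claims segment, and the expiry check is why the gateway should keep the JWT's lifetime short.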
Publishing
Choosing an API Management Platform
๏ What the platform must do, at a minimum:
  ๏ User Management (self-sign up, profile management)
  ๏ API Publication / API Store
  ๏ API Security
  ๏ Statistics
  ๏ SLA control
  ๏ Throttling / Rate Limiting
  ๏ API Versioning
  ๏ Monetization/Billing
  ๏ and more !
๏ You could build all of this yourself, but...
Need for API Versioning
๏ Need to support API evolution
๏ While maintaining
  ๏ Backward compatibility -> Functionality
  ๏ Rates/Throttling agreements
๏ Different versioning mechanisms
API Versioning Strategies
๏ Version as a query parameter
  ๏ Netflix - http://api.netflix.com/catalog/titles/series/70023522?v=1.5
  ๏ Google Data API - "GData-Version: X.0" header or "v=X.0" query parameter
๏ Version as part of the URI
  ๏ Salesforce - https://na1.salesforce.com/services/data/v20.0/sobjects/Account/
  ๏ Twitter - https://api.twitter.com/1.1/statuses/mentions_timeline.json
๏ Version as a date in the URI
  ๏ Twilio - /2010-04-01/Accounts/{AccountSid}/Calls
  ๏ http://www.twilio.com/docs/api/rest/making-calls
๏ Version as a header
  ๏ Custom HTTP Header
  ๏ Accept Header
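One resolver that recognises every style on this slide, as an added Python example that is not code from the talk or from any of the APIs quoted. The set of supported versions, the vendor media type in the Accept header (application/vnd.example.v2+json) and the X-API-Version header name are assumptions. It also refuses a request that names two different versions through two mechanisms: an ambiguous request is one a gateway should reject rather than guess about, since the guess decides which policy and which backend apply.

```python
# Added example, not code from the talk or from any of the APIs quoted on the slide.
# One resolver for the versioning styles above; ambiguous or unknown versions are refused.
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

SUPPORTED_VERSIONS = {"1.1", "1.5", "2.0", "20.0", "2010-04-01"}   # assumption: versions still served
DEFAULT_VERSION = "2.0"                                              # assumption: used when nothing is requested
VERSION_HEADERS = ("GData-Version", "X-API-Version")                 # X-API-Version is an assumed custom header
ACCEPT_RE = re.compile(r"application/vnd\.example\.v(\d+(?:\.\d+)?)\+json")   # assumed vendor media type
# A path segment is a version if it is v-prefixed (v20.0), dotted (1.1) or a date (2010-04-01);
# a bare integer such as 70023522 is a resource id, not a version.
SEGMENT_RE = re.compile(r"^(?:v\d+(?:\.\d+)?|\d+\.\d+|\d{4}-\d{2}-\d{2})$")


def _normalize(raw: str) -> str:
    """Strip a leading 'v' and pad 'v2' / '2' to '2.0' so every style compares equal."""
    v = raw[1:] if raw.startswith("v") else raw
    return v + ".0" if re.fullmatch(r"\d+", v) else v


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    for key, value in headers.items():          # header names are case-insensitive
        if key.lower() == name.lower():
            return value
    return None


def find_versions(url: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Every version the request states, keyed by the mechanism that carried it."""
    found: Dict[str, str] = {}
    parts = urlsplit(url)
    for segment in parts.path.split("/"):      # version as part of the URI, or a date in the URI
        if SEGMENT_RE.match(segment):
            found["path"] = _normalize(segment)
            break
    query_v = parse_qs(parts.query).get("v")   # version as a query parameter
    if query_v:
        found["query"] = _normalize(query_v[0])
    for name in VERSION_HEADERS:               # custom header
        value = _header(headers, name)
        if value:
            found["header"] = _normalize(value.strip())
            break
    accept = _header(headers, "Accept")        # Accept header with a versioned media type
    if accept:
        match = ACCEPT_RE.search(accept)
        if match:
            found["accept"] = _normalize(match.group(1))
    return found


def select_version(url: str, headers: Dict[str, str], default: str = DEFAULT_VERSION) -> str:
    """Pick the version to route to, refusing contradictory or unsupported requests."""
    found = find_versions(url, headers)
    distinct = set(found.values())
    if len(distinct) > 1:
        raise ValueError("conflicting versions requested: %s" % found)
    version = distinct.pop() if distinct else default
    if version not in SUPPORTED_VERSIONS:
        raise ValueError("unsupported version %s" % version)
    return version


if __name__ == "__main__":
    for url, headers in [
        ("http://api.netflix.com/catalog/titles/series/70023522?v=1.5", {}),
        ("https://na1.salesforce.com/services/data/v20.0/sobjects/Account/", {}),
        ("https://api.twitter.com/1.1/statuses/mentions_timeline.json", {}),
        ("https://api.example.invalid/2010-04-01/Accounts/AC123/Calls", {}),
        ("https://api.example.invalid/feeds", {"GData-Version": "2.0"}),
        ("https://api.example.invalid/feeds", {"accept": "application/vnd.example.v2+json"}),
    ]:
        print(select_version(url, headers), "<-", url, headers)
```

Whatever mechanism you choose, the retired versions disappear from SUPPORTED_VERSIONS and the resolver starts rejecting them at the edge, which is the point of tying versioning to the lifecycle states on the next slides.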
API Lifecycle
๏ An API can pass through multiple states
๏ For example:
  ๏ CREATED
  ๏ PUBLISHED
  ๏ DEPRECATED
  ๏ RETIRED
  ๏ BLOCKED
๏ Should integrate with the complete governance lifecycle
Show some developer's love :)
๏ Docs, docs and more docs
๏ API Samples, in many languages
๏ Embedded Testing
๏ Provide sandbox and production runtimes
๏ SDK
  ๏ Wraps API access, including security
Deployment
Gateway vs. ESB
๏ Oh, but I already have an ESB ! Why do I need a gateway ?
๏ API Gateway vs. Mediation Layer (ESB)
  ๏ Gateway = light ESB ?
๏ Think of ESB as an architecture pattern, not a product!
Generic Facade Pattern
๏ Pros
  ๏ No additional hop in the network
  ๏ Single server to be managed
  ๏ More suited for internal deployments
๏ Cons
  ๏ Complexity of integration at the edge of the network
  ๏ API Management layer can't really scale independently
  ๏ Not appropriate for DMZ deployments (direct access to backend services)
[Diagram: Internal and External Applications -> API Gateway / API Management Layer -> Services Layer]
Separated Facade & Mediation
๏ The API Gateway layer acts as a simple reverse proxy, enforcing basic policies
๏ Clear separation of concerns between layers
๏ Mediation layer and API management layer scale independently
๏ Specific security checks/protection at the edge of the network
๏ Provides protocol transformation at the edge of the network
[Diagram: Internal and External Applications -> API Gateway / API Management Layer -> Mediation Layer (Services Composition, Services Orchestration) -> Services Layer]
Specific WSO2 Solution
๏ Our API gateway is actually a full-blown ESB under the hood, constrained at the UI level.
๏ You can install the missing ESB features on top of API Manager and combine both architecture layers into a single runtime!
๏ Makes the choice a deployment one.
Typical Deployment
[Diagram: Web Tier (External Web Application, External Mobile Application) -> Load balancer -> API Gateways (External APIs Tier) -> Orchestration Layer (BPS Server, ESB Server) -> Data Access Layer (ESB, BPM, Data Services Server); Identity Server providing Token Validation, Policy Decision Point and User Store Management; Messaging Layer (Message Broker Server); a second Load balancer -> API Gateways (Internal APIs Tier) with its own Identity Server]
User Stores
๏ Separate the admins / corporate users from the developers' user store (accounts created via self-sign up)
You can’t manage what you can’t measure.
Why are Analytics and API Management important together?
๏ Build confidence in the API model
๏ Understand your customer
  ๏ Not just the developer but also the end-user
๏ Help manage services and versions
  ๏ Understand when deprecated services can be retired
๏ Plan better
  ๏ Monitor the growth of aggregated API traffic
  ๏ Monitor the growth of specific apps
๏ Even if you're not going to put analytics in place, make sure you capture all events right from the beginning of the project.
Analytics 101: Aggregation
• How to collect data efficiently
• How to store data effectively
• Choose which data to capture
Analytics 101: Analysis
• Data operations
• Defining KPIs and analytics
• Operating on large amounts of historical or current data
• Creating intelligence
Analytics 101: Presentation
• Visualization
• Dashboards
• Reports
Monitor And Analyze
๏ Take decisions in real time through Complex Event Processing
๏ Create dashboards for both technical and business monitoring
[Diagram components: 3rd party Products (write events) -> Events Collector -> Events Data Store; CEP Engine (feeds events, generates new events); Analytics Engine; Real Time Decision Engine (deploys logic); Analytics Data Store; Report Generator; User Engagement Server]
Detecting Usage Patterns
๏ My API customer is trying to steal my business: let's block them.
๏ A customer is at 80% of their API plan: let's warn them
๏ A customer is systematically at 120% of the plan: propose an upgrade to the premium plan
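The three decisions on this slide computed from a constructed stream of gateway call events, as an added Python example that is not part of the talk or of WSO2 BAM/CEP. The plan quotas, the meaning of "systematically" (three consecutive periods at or above 120%) and the abuse heuristic (an application fetching hundreds of distinct catalogue entries and almost never the same one twice) are assumptions, and the events are synthetic.

```python
# Added example, not code from the talk or from WSO2 BAM/CEP.
# Computes the three decisions on the slide from constructed gateway call events.
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

PLANS = {"app-bronze": 1000, "app-silver": 5000, "app-scraper": 1000}   # assumption: calls per period
WARN_AT = 0.80             # "at 80% of the plan": warn
UPGRADE_AT = 1.20          # "systematically at 120%": propose the premium plan
SYSTEMATIC_PERIODS = 3     # assumption: what "systematically" means
SCRAPE_DISTINCT_MIN = 800  # assumption: touching this many distinct entries in a period...
SCRAPE_REPEAT_MAX = 0.05   # ...while almost never re-reading one looks like a catalogue walk

Stats = Dict[Tuple[str, str], Dict[str, int]]


def aggregate(events: Iterable[dict]) -> Stats:
    """Per (app, period): total calls and the number of distinct resources touched."""
    calls: Dict[Tuple[str, str], int] = defaultdict(int)
    resources: Dict[Tuple[str, str], set] = defaultdict(set)
    for event in events:
        key = (event["app"], event["period"])
        calls[key] += 1
        resources[key].add(event["resource"])
    return {key: {"calls": calls[key], "distinct": len(resources[key])} for key in calls}


def decide(app: str, periods: List[str], stats: Stats, plans: Dict[str, int]) -> List[str]:
    """Actions for the latest period; `periods` is ordered oldest first."""
    quota = plans[app]
    usage = [stats.get((app, p), {"calls": 0, "distinct": 0}) for p in periods]
    latest = usage[-1]
    if latest["calls"]:
        repeat_ratio = 1 - latest["distinct"] / latest["calls"]
        # Scraping the catalogue is not end-user traffic: block before any quota arithmetic.
        if latest["distinct"] >= SCRAPE_DISTINCT_MIN and repeat_ratio <= SCRAPE_REPEAT_MAX:
            return ["block"]
    recent = usage[-SYSTEMATIC_PERIODS:]
    if len(recent) == SYSTEMATIC_PERIODS and all(u["calls"] / quota >= UPGRADE_AT for u in recent):
        return ["propose-upgrade"]
    if latest["calls"] / quota >= WARN_AT:
        return ["warn"]
    return []


def constructed_events() -> Tuple[List[str], List[dict]]:
    """Synthetic gateway events for three apps over three periods (constructed, not real traffic)."""
    periods = ["2014-01", "2014-02", "2014-03"]
    events: List[dict] = []
    for period in periods:
        # app-bronze: 850 calls over 50 entries -> 85% of a 1000-call plan
        events += [{"app": "app-bronze", "period": period, "resource": "/catalog/titles/%d" % (i % 50)} for i in range(850)]
        # app-silver: 6000 calls over 200 entries -> 120% of a 5000-call plan, every period
        events += [{"app": "app-silver", "period": period, "resource": "/catalog/titles/%d" % (i % 200)} for i in range(6000)]
    # app-scraper: latest period only, 950 calls that each fetch a different entry
    events += [{"app": "app-scraper", "period": "2014-03", "resource": "/catalog/titles/%d" % i} for i in range(950)]
    return periods, events


def run(plans: Dict[str, int] = PLANS) -> Dict[str, List[str]]:
    periods, events = constructed_events()
    stats = aggregate(events)
    return {app: decide(app, periods, stats, plans) for app in plans}


if __name__ == "__main__":
    for app, actions in run().items():
        print(app, "->", actions or ["ok"])
```

None of this is possible unless the gateway emitted the per-call events (app, period, resource) from day one, which is the point of the earlier slide about capturing all events from the beginning of the project.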
Demo
Demo Setup
[Diagram: External Web Application (Web Tier) -> API Gateway (APIs tier) -> ESB Server (Mediation Layer) -> Application Server (Services Layer); Identity Server providing Token Validation, Policy Decision Point, Identity Provider and User Store Manager; Message Broker Server (Messaging Layer); BAM and CEP for Reporting, Logging, Operational Analysis]
References
๏ Building an ecosystem for API Security (White Paper)
  ๏ http://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/
๏ API Facade Pattern (Webinar)
  ๏ http://wso2.com/library/webinars/2014/01/implementing-api-facade-using-wso2-api-management-platform/
๏ API Management: missing link for SOA
  ๏ http://sanjiva.weerawarana.org/2012/08/api-management-missing-link-for-soa.html
๏ Promoting Service Reuse
  ๏ http://wso2.com/whitepapers/promoting-service-reuse-within-your-enterprise-and-maximizing-soa-success/
Download API Manager today!
๏ http://wso2.com/products/api-manager/
Contact us !