AVOIDING SPEED BUMPS ON THE ROAD TO MICROSERVICES · 2019-09-23
Transcript of the slide deck
Scott Shaw, Head of Technology, ThoughtWorks Australia
MICROSERVICE ENVY
[Chart: Google Trends data comparing "service oriented architecture" with "microservices"]
THE SPEED BUMPS
The usual list (crossed out on the slide): DDD, REST, Automation, Cloud, DevOps, Logging, Monitoring, Resilience, Testing with CDCs, Conway, Postel
The three speed bumps this talk covers: Data Aggregation, Access Control & Security, Managing Change
AGGREGATING DATA
SINGLE DATASTORE PRINCIPLE
BUT AS A SYSTEM EVOLVES…
JIA YANG’S STORY
SIDEBAR: SERVICE COMPOSITION
THE MONOLITHIC APPROACH: "Customers in the EC tax regime" is a JOIN across customers and the tax regime inside one Tax Regime Service.
NAIVE SERVICE IMPLEMENTATION: three services, geography, customers and tax. To answer "Customers in the EC", tax first asks geography for "Countries in the EC" and then asks customers for the customers in those countries.
COMPOSED SERVICES (variant 1): tax fetches "Countries in the EC" from geography, then calls customers with GET …?country_list=UK,NL,SE...
COMPOSED SERVICES (variant 2): tax calls customers with GET … ?filter=https://geo/countries?r=ec, and customers resolves "Countries in the EC" from geography itself.
AGGREGATING DATA
Services: geography, customers, tax. tax needs "Customers in the EC", which depends on "Countries in the EC".
How do we know if these states are consistent?
Events to the rescue! tax reacts to event streams: changes in customer status and changes in EC membership.
Example event feed endpoint: GET https://integration-toolkit.com/customers/events
IMPLEMENTING EVENTS
OPTION 1: CHUCK ‘EM IN THE DB
OPTION 2: HIPSTER BATCH (Geography, Customer and Tax exchange event files through shared storage such as S3)
OPTION 3: SPECIAL-PURPOSE EVENT STORE (Customers and Geography publish to an Event Store; consumers use an Event Subscription and build “Projections”)
DELEGATED AUTHORITY & ACCESS CONTROL
DELEGATED ACCESS MANAGEMENT
[Word cloud: OpenID 2.0, HMAC, SAML v2, OAuth 2.0, OpenID Connect, ADFS, JWT]
FENDY’S STORY
THE OLD WORLD OF PERIMETER SECURITY
[Diagram: the End User Application presents credentials to the Web Application; the Web Application gets token verification from the Identity Provider and hands the user a cookie/token]
Questions raised on the slide: stateless? whose identity? (the token then gets passed along from service to service)
VARIOUS APPROACHES
▫︎ 2-Way SSL/TLS
▫︎ HMAC signing
▫︎ JWT
▫︎ NTLM/WIF/ADFS
▫︎ SAML v2
▫︎ OAUTH 2.0
▫︎ OPENID Connect
Ask these questions ...
• Considered both authentication and authorisation?
• Based on open standards?
• Simple enough to be widely used?
• Supports a modern web integration strategy?
• Has proven implementations?
EXAMPLE OPENID CONNECT FLOW
[Diagram: the End User App obtains an access code from the OpenID Connect Provider and presents it to Resource and to Another Resource; each gets back an id token]
Example id token claims:
{
  "iss": "op.example.com",
  "c_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
  "email_verified": "true",
  "sub": "10769150350006150715113082367",
  "azp": "another_resource",
  "email": "[email protected]",
  "aud": ["resource", "another_resource"],
  "iat": 1353601026,
  "exp": 1353604926
}
BEWARE PKI
ssshh! Secrets and keys: how to manage and distribute them?
Also need:
• CSRF • Nonce • Correct implementation
• Expire • Revoke • Distribute
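An added example, not from the talk, of the claim checks a relying party runs on an id token like the one in the OpenID Connect slide before trusting it: issuer, audience and azp, expiry, plus the nonce and c_hash that the "Also need" list points at. It assumes the JWS signature has already been verified; the claim values are constructed to resemble the slide's token.

```python
import base64
import hashlib
import time

# Constructed claims modelled on the slide's id token (values are assumptions).
SAMPLE_CODE = "SplxlOBeZQQYbYS6WxSbIA"
SAMPLE_NONCE = "n-0S6_WzA2Mj"


def b64url_no_pad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compute_c_hash(code: str) -> str:
    """c_hash for a token signed with a SHA-256 alg: left half of SHA-256(code)."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url_no_pad(digest[: len(digest) // 2])


SAMPLE_CLAIMS = {
    "iss": "op.example.com",
    "sub": "10769150350006150715113082367",
    "azp": "another_resource",
    "aud": ["resource", "another_resource"],
    "iat": 1353601026,
    "exp": 1353604926,
    "nonce": SAMPLE_NONCE,
    "c_hash": compute_c_hash(SAMPLE_CODE),
}


def validate_id_token_claims(claims, *, expected_iss, client_id, expected_nonce=None,
                             code=None, now=None, leeway=60):
    """Return rejection reasons (empty list = acceptable). Signature must be checked first."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in auds:
        problems.append("aud does not include this client")
    if len(auds) > 1 and claims.get("azp") != client_id:  # azp is required with many auds
        problems.append("multiple audiences but azp is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        problems.append("token expired or exp missing")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        problems.append("iat missing or in the future")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (replay / CSRF check failed)")
    if code is not None and claims.get("c_hash") != compute_c_hash(code):
        problems.append("c_hash does not match the authorization code")
    return problems
```

The nonce check only helps if the client stored the value it sent in the authorization request; a token that is "valid" for a different client id is rejected by the audience and azp checks, not by the signature.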
MANAGING CHANGE
DOES YOUR SYSTEM LOOK LIKE THIS?
MAYBE IT SHOULD LOOK LIKE THIS INSTEAD
RYAN’S STORY
BACK TO THE TAX EXAMPLE …
Services: geography, customers, tax. A new service, Assignment, is introduced and needs some logic from geography, some logic from customers, and some from tax.
But how?
HOW TO MANAGE THE CHANGE
1. DO NOTHING: may be better than the chaos of not having clear ownership and accountability
2. ONE BIG VERSION CHANGE: version all your services, test them together, release them together (#fail)
MANAGING CHANGE
[Diagram: geo, cust, tax and the new assignment service; a Temp Team builds assignment, then who owns it?]
Long-term ownership can’t be ambiguous
SUMMARY
1. MICROSERVICES: more than a grab-bag of techniques and tools
2. MINDSET SHIFT: from State to Events; from Perimeter to Endpoints; from Punctuated equilibrium to Continuous evolution