An introduction to Azure AppFabric



  1. ARC204. Pedro Félix, CCISEL (pedrofelix@cc.isel.ipl.pt). An introduction to Azure AppFabric

  2. Azure AppFabric
     • Set of services
       • Service Bus (SB)
       • Access Control Service (ACS)
     • Running in the cloud
       • Based on Windows Azure Platform
     • Providing
       • SB: Service Connectivity, Addressability and Discoverability
       • ACS: Service Access Control

  3. Service Bus

  4. A Scenario
     • Issue Tracker web app
       • Cloud-based
       • Multi-tenant
     [Diagram: CloudTrack serving two tenants, Contoso and Fabrikam; create/view issues, view/manage issues]

  5. Connectivity challenges
     [Diagram: CloudTrack and the tenant networks separated by firewalls and NAT ("FW, NAT, …"); flows shown: notify new issue, create new issue, fetch trace data]

  6. Challenges
     • Addressability and discoverability
       • Private addresses and Network Address Translation (NAT)
       • Dynamic addresses (e.g. ISP)
     • Connectivity
       • Firewalls (denial of inbound connections)
     • Event distribution
     • Transient connectivity

  7. Service Bus
     [Diagram: outbound vs. inbound connections; "address?"]

  8. Service Bus
     “All problems in computer science can be solved by another level of indirection” (Butler Lampson)
     [Diagram: Service Bus as the extra level of indirection; outbound and inbound connections]

  9. Connectivity and addressability
     • Relay
       • Service “listens” on the SB via outbound connection
       • Client “sends” to the SB
       • SB relays between client and service
     [Diagram: client sends to a public address on the Service Bus; service listens through an outbound connection]

  10. Naming and discovery
     • Naming
       • Service is exposed via a public name
       • Local DNS binds these public names to IP addresses
       • Local registry describes available public names
     [Diagram: DNS and Registry; client sends to a public name, service listens; both reach the Service Bus through outbound connections]

  11. Naming and discovery
     • Naming
       • Public service namespaces
       • One Azure project – multiple service namespaces
       • {scheme}://{namespace}.servicebus.windows.net/{relpath}
     • Registry
       • Mapping between URIs and services
       • Readable via HTTP+ATOM

  12. Demo: REST-like Services (http://demos-pfelix.servicebus.windows.net/techdays)

  13. Buffering
     • Buffering
       • One-way messaging
       • Temporal decoupling
     [Diagram: client sends to a public name, service listens; both through outbound connections]

  14. Eventing (pub-sub)
     • Eventing – multicast
       • One-way messages
       • Multiple listeners
       • Message distribution – multicast
     [Diagram: one sender and several listeners, all connected outbound to the Service Bus]

  15. Demo: Publish-Subscribe (http://demos-pfelix.servicebus.windows.net/techdays)

  16. Security
     • Access Control
       • Both “listen” and “send” subject to access control
       • Programmable authorization policy, defined by ACS
     • Isolation – SB is the DMZ
     [Diagram: ACS next to the Service Bus; sends and listens both through outbound connections]

  17. WCF architecture
     • Channel stack with transport and protocol channels
     • Channels described by binding elements
     • One binding contains several binding elements
     [Diagram: user code (Service Impl. / Client) above the Dispatcher; a Binding made of binding elements, each yielding a channel: Protocol, Protocol, Encoding, Transport]

  18. WCF and SB
     • New bindings
     • New transport channels and binding elements
     • New behaviors
     [Diagram: the same channel stack as slide 17, with the Service Bus behind the Transport binding element and channel]

  19. Bindings
     • WebHttpRelayBinding
       • HTTP (Web programming model)
       • Client interoperability
     • BasicHttpRelayBinding and WS2007HttpRelayBinding
       • SOAP over HTTP (basic profile | WS-*)
       • Client interoperability
     • NetTcpRelayBinding
       • Similar to NetTcpBinding (request-response and duplex)
     • NetOnewayRelayBinding and NetEventRelayBinding
       • One-way with buffering and multicast

  20. Binding elements
     • Http(s)RelayTransportBindingElement
     • TcpRelayTransportBindingElement
     • RelayedOnewayTransportBindingElement

  21. Access Control Service

  22. Access Control Service
     • Identity and access control
       • Distributed systems
       • Decentralized authority
       • Heterogeneous technologies
     • Claims-based model
     • Service Bus integration

  23. Identity and Authorization
     [Diagram: creds; Contoso::Alice, Contoso::LeadDev; webapp::IssueMgr, webapp::IssueView]

  24. Centralized Solution
     [Diagram: webapp (IssueTracker) handles creds and all of Contoso::Alice, Contoso::LeadDev, webapp::IssueMgr, webapp::IssueView itself, through a Membership Provider and a Role Provider; checks via IPrincipal.IsInRole(...)]

  25. Decentralized Authority
     [Diagram: webapp (IssueTracker); creds; Contoso::Alice, Contoso::LeadDev; webapp::IssueMgr, webapp::IssueView; a separate Contoso Authority]

  26. Decentralized Authority
     [Diagram: Contoso Identity Provider backed by an Identity Directory; webapp; creds; Contoso::Alice, Contoso::LeadDev; webapp::IssueMgr, webapp::IssueView]

  27. Decision vs. Enforcement
     [Diagram: Identity Information (Contoso), Authorization Decision, Authorization Enforcement (webapp, Service Bus); creds; Contoso::Alice, Contoso::LeadDev; webapp::IssueMgr, webapp::IssueView, webapp::SB.Listen]

  28. Access Control Service
     [Diagram: Identity Provider (Contoso) → Authorization Decision (Access Control Service) → Authorization Enforcement (webapp, SB); creds; Contoso::LeadDev, Alice; webapp::IssueView, webapp::SB.Listen]

  29. Demo: Access Control Service
     [Diagram: Alice (LeadDev) with username + password; Membership, WIF, WS-Trust, SAML; WRAP, SWT; Listen on the Service Bus with WIF]

  30. Access Control Service
     • Claims-based Identity and Access Control
     • Claims transformer (“claims in, claims out”)
       • Consumes claims from federated issuers
       • Provides claims to applications and services
     • Rule based issuance policy
       • Rule: If has claim1 then output claim2
     • Not an identity provider
       • Does not manage users’ identities

  31. Protocols and technologies
     • AppFabric 1.0
       • OAuth WRAP (Web Resource Authorization Protocol)
       • Simple Web Token
     • Future (and past)?
       • WS-Federation – “passive” (browser based) federation
       • WS-Trust – “active” (SOAP based) federation
       • LiveID integration

  32. WRAP
     [Diagram: Identity Provider, Authorization Server, Client, API (Protected Resource); identity as username + shared secret, SWT token or SAML token; a bearer token with authorization claims goes from the Authorization Server to the Client and from the Client to the Protected Resource]

  33. WRAP and SWT
     • Simple Web Token (SWT)
       • Form encoded name-value pairs
       • HMAC-SHA-256 symmetric signature
     • WRAP token request
       • HTTP POST
       • username+password or authentication assertion (e.g. SAML)
     • WRAP protected client call
       • HTTP header (Authorization: WRAP access_token=“…”)
       • GET or POST parameter (wrap_access_token=“…”)
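Added example (not from the slides or from the AppFabric SDK) tying slide 30's rule-based issuance ("if has claim1 then output claim2") to the token format of slide 33: a small claims transformer, an SWT minter, and the check a relying party such as a Service Bus listener should run before trusting the claims. The claim type names, the issuer and audience URIs and the signing key are constructed for the example; the Issuer, Audience, ExpiresOn and HMACSHA256 parameter names are those of the SWT format.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed values for the example; in ACS the key is the namespace's token-signing key.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "https://contoso-ns.accesscontrol.windows.net/"    # assumed issuer name
AUDIENCE = "http://demos-pfelix.servicebus.windows.net/"    # relying party: the SB namespace
RESERVED = ("Issuer", "Audience", "ExpiresOn", "HMACSHA256")

# Slide 30 rules, "if has claim1 then output claim2"; claim type names are assumed.
RULES = [
    (("role", "LeadDev"), ("net.windows.servicebus.action", "Listen")),
    (("role", "LeadDev"), ("net.windows.servicebus.action", "Send")),
]

def apply_rules(input_claims, rules=RULES):
    """Claims transformer: emit only the output claims that some rule grants."""
    output = {}
    for (in_type, in_value), (out_type, out_value) in rules:
        if in_value in input_claims.get(in_type, []):
            values = output.setdefault(out_type, [])
            if out_value not in values:
                values.append(out_value)
    return output

def _sign(body, key):
    return base64.b64encode(hmac.new(key, body.encode(), hashlib.sha256).digest()).decode()

def mint_swt(claims, expires_on, key=SIGNING_KEY, issuer=ISSUER, audience=AUDIENCE):
    """SWT: form-encoded pairs (multi-valued claims comma-joined), then HMACSHA256 over the bytes before '&HMACSHA256='."""
    pairs = {k: ",".join(v) for k, v in claims.items() if k not in RESERVED}
    pairs.update(Issuer=issuer, Audience=audience, ExpiresOn=str(int(expires_on)))
    body = urlencode(pairs)
    return body + "&HMACSHA256=" + quote(_sign(body, key), safe="")

def validate_swt(token, key=SIGNING_KEY, issuer=ISSUER, audience=AUDIENCE, now=None):
    """Relying-party check: signature first, then issuer, audience and expiry; returns the claims."""
    now = int(time.time()) if now is None else now
    body, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token is not signed")
    if not hmac.compare_digest(unquote(sig).encode(), _sign(body, key).encode()):
        raise ValueError("bad signature")
    pairs = dict(parse_qsl(body, keep_blank_values=True))
    if pairs.get("Issuer") != issuer or pairs.get("Audience") != audience:
        raise ValueError("wrong issuer or audience")
    if int(pairs.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")
    return {k: v.split(",") for k, v in pairs.items() if k not in RESERVED}
```

The returned token is what a client would carry in the `Authorization: WRAP access_token="…"` header of slide 33; the relying party only acts on claims that survive `validate_swt`.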

  34. Finally …
     • Service Bus
       • Connectivity
       • Addressability and discoverability
       • Eventing
       • Buffering
     • Access Control Service
       • Authorization Decision Point
       • For Service Bus
       • For other services, cloud or on-premises
       • Flexible claims-based policy
