Uma introdução ao Azure AppFabric
Azure AppFabric
• Set of services
• Service Bus (SB)
• Access Control Service (ACS)
• Running in the cloud
• Based on Windows Azure Platform
• Providing
• SB : Service Connectivity, Addressability and Discoverability
• ACS : Service Access Control
4
Service Bus
A Scenario
CloudTrack
.
View/manage issues
Contoso
• Issue Tracker web app.
• Cloud-based
• Multi-tenant
Create/view issues
Fabrikam
6
Connectivity challenges
CloudTrack
.
Notify new issue
Create new issue
Fetch trace data
FW, NAT, …
FW, NAT, …
7
Challenges
• Addressability and discoverability
• Private addresses and Network Address Translation (NAT)
• Dynamic addresses (e.g. ISP)
• Connectivity
• Firewalls (denial of inbound connections)
• Event distribution
• Transient connectivity
8
Service Bus
address?
outbound
inbound
9
Service Bus
“All problems in computer science can be solved by another level of indirection”
Butler Lampson
outbound
Service Bus
inbound
10
Connectivity and addressability
• Relay
• Service “listens” on the SB via outbound connection
• Client “sends” to the SB
• SB relays between client and service
sends
public
address
listens
Service Bus
outbound
11
Naming and discovery
• Naming
• Service is exposed via a public name
• Local DNS binds these public names to IP addresses
• Local registry describes available public names
DNS
Registry
sends
outbound
public
name
listens
Service Bus
outbound
12
Naming and discovery
• Naming
• Public service namespaces
• One Azure project – multiple service namespaces
• {scheme}://{namespace}.servicebus.windows.net/{relpath}
• Registry
• Mapping between URIs and services
• Readable via HTTP+ATOM
13
Demo
http://demos-pfelix.servicebus.windows.net/techdays
REST-like Services
14
Buffering
• Buffering
• One-way messaging
• Temporal decoupling
sends
outbound
public
name
listens
outbound
15
Eventing (pub-sub)
• Eventing – multicast
• One-way messages
• Multiple listeners
• Message distribution - multicast
listens
sends
outbound
outbound
listens
Service Bus
outbound
16
Demo
http://demos-pfelix.servicebus.windows.net/techdays
Publish-Subscribe
17
Security
• Access Control
• Both “listen” and “send” subject to access control
• Programmable authorization policy, defined by ACS
• Isolation – SB is the DMZ
ACS
sends
outbound
listens
Service Bus
outbound
18
WCF architecture
• Channel stack with transport and protocol channels
• Channels described by binding elements
• One binding contains several binding elements
Binding element
Binding element
Binding element
Binding element
Binding
User code
Service Impl.
Client
Protocol
Protocol
Encoding
Transport
Dispatcher
Protocol
Protocol
Encoding
Transport
19
WCF and SB
• New bindings
• New transport channels and binding elements
• New behaviors
Binding element
Binding element
Binding element
Binding element
Binding
User code
Service Impl.
Client
Protocol
Protocol
Encoding
Transport
Dispatcher
Protocol
Protocol
Encoding
Transport
Service
Bus
20
Bindings
• WebHttpRelayBinding
• HTTP (Web programming model)
• Client interoperability
• BasicHttpRelayBinding e WS2007HttpRelayBinding
• SOAP over HTTP (basic profile | WS-*)
• Client interoperability
• NetTcpRelayBinding
• Similar to NetTcpBinding (request-response and duplex)
• NetOnewayRelayBinding e NetEventRelayBinding
• One- way w/buffering and multicast
21
Binding elements
• Http(s)RelayTransportBindingElement
• TcpRelayTransportBindingElement
• RelayedOnewayTransportBindingElement
22
Access Control Service
Access Control Service
• Identity and access control
• Distributed systems
• Decentralized authority
• Heterogeneous technologies
• Claims-based model
• Service Bus integration
24
Identity and Authorization
creds
Contoso::
Alice
Contoso::
LeadDev
webapp::
IssueMgr
webapp::
IssueView
25
Centralized Solution
webapp (IssueTracker)
creds
Contoso::
Alice
Membership
Provider
Contoso::
LeadDev
webapp::
IssueMgr
Role
Provider
webapp::
IssueView
IPrincipal.IsInRole(...)
26
Decentralized Authority
webapp (IssueTracker)
creds
Contoso::
Alice
Contoso::
LeadDev
webapp::
IssueMgr
webapp::
IssueView
Contoso Authority
27
Decentralized Authority
Contoso Identity Provider
creds
Contoso::
Alice
webapp
Contoso::
LeadDev
webapp::
IssueMgr
webapp::
IssueView
Identity
Directory
28
Decision Enforcement
creds
Contoso
Identity
Contoso::
Information
Alice
Contoso::
LeadDev
webapp
Authorization
webapp::
Decision
IssueMgr
webapp::
SB.Listen
webapp::
IssueView
Service
Authorization
Bus
Enforcement
29
Access Control Service
Identity Provider
Authorization Decision
Contoso
Access Control Service
creds
Contoso::
LeadDev
Alice
Authorization
Enforcement
webapp
webapp::
IssueView
SB
webapp::
SB.Listen
30
Demo
WRAP
Membership
Access Control
Service
WIF
WS-Trust
LeadDev
Alice
username
+
password
SAML
Listen
SWT
Service Bus
WIF
31
Access Control Service
• Claims-based Identity and Access Control
• Claims transformer (“claims in, claims out”)
• Consumes claims from federated issuers
• Provides claims to applications and services
• Rule based issuance policy
• Rule: If has claim1 then output claim2
• Not an identity provider
• Does not manage user’s identities
32
Protocols and technologies
• AppFabric 1.0
• OAuth WRAP (Web Resource Authorization Protocol)
• Simple Web Token
• Future (and past)?
• WS-Federation – “passive” (browser based) federation
• WS-Trust – “active” (SOAP based) federation
• LiveID integration
33
WRAP
Identity
Provider
Client
Authorization
Server
Bearer Token with
authorization claims
API
Protected
Resource
34
WRAP and SWT
• Simple Web Token (SWT)
• Form encoded name-value pairs
• HMAC-SHA-256 symmetric signature
• WRAP token request
• HTTP POST
• username+password or authentication assertion (e.g. SAML)
• WRAP protected client call
• HTTP header (Authorization: WRAP access_token = “…”)
• GET or POST parameter (wrap_access_token = “…”)
35
Finally …
• Service Bus
•
•
•
•
Connectivity
Addressability and discoverability
Eventing
Buffering
• Access Control Service
• Authorization Decision Point
• For Service Bus
• For other services, both cloud or on-premises
• Flexible claims based policy
36
Q&A
A sua opinião é importante!
Complete o questionário de avaliação e devolva-o à saida.
Download
