An introduction to Azure AppFabric

Azure AppFabric
• Set of services
  • Service Bus (SB)
  • Access Control Service (ACS)
• Running in the cloud
  • Based on the Windows Azure Platform
• Providing
  • SB: service connectivity, addressability and discoverability
  • ACS: service access control

Service Bus

A Scenario
• CloudTrack: issue tracker web app
  • Cloud-based
  • Multi-tenant
[Diagram: Contoso views/manages issues in CloudTrack; Fabrikam creates/views issues]

Connectivity challenges
[Diagram: CloudTrack must notify new issues to, and create new issues / fetch trace data from, systems that sit behind firewalls and NAT on both sides]

Challenges
• Addressability and discoverability
  • Private addresses and Network Address Translation (NAT)
  • Dynamic addresses (e.g. ISP-assigned)
• Connectivity
  • Firewalls (inbound connections denied)
• Event distribution
• Transient connectivity

Service Bus
[Diagram: the client can only connect outbound, the service can only accept inbound; which address should the client target?]
"All problems in computer science can be solved by another level of indirection" (Butler Lampson)
[Diagram: the Service Bus placed between the two endpoints as that extra level of indirection]

Connectivity and addressability
• Relay
  • The service "listens" on the SB over an outbound connection
  • The client "sends" to the SB
  • The SB relays between client and service
[Diagram: the client sends to a public address on the Service Bus; the service listens through an outbound connection]

Naming and discovery (local analogy)
• Naming
  • A service is exposed via a public name
  • Local DNS binds these public names to IP addresses
  • A local registry describes the available public names
[Diagram: DNS and registry in front of the Service Bus; client sends to a public name, service listens via an outbound connection]

Naming and discovery (Service Bus)
• Naming
  • Public service namespaces
  • One Azure project, multiple service namespaces
  • {scheme}://{namespace}.servicebus.windows.net/{relpath}
• Registry
  • Mapping between URIs and services
  • Readable via HTTP + ATOM

Demo: REST-like services
http://demos-pfelix.servicebus.windows.net/techdays

Buffering
• One-way messaging
• Temporal decoupling (sender and listener need not be connected at the same time)
[Diagram: client sends to a public name; the message is buffered until the listener's outbound connection picks it up]

Eventing (pub-sub)
• Eventing: multicast
  • One-way messages
  • Multiple listeners
  • Message distribution by multicast
[Diagram: one sender, several listeners, all connected outbound to the Service Bus]

Demo: Publish-Subscribe
http://demos-pfelix.servicebus.windows.net/techdays

Security
• Access control
  • Both "listen" and "send" are subject to access control
  • Programmable authorization policy, defined by ACS
• Isolation: the SB is the DMZ (the service only opens outbound connections, so nothing on the Internet reaches it directly; all traffic is mediated by the SB)
[Diagram: ACS issues the policy; the Service Bus enforces it on both the sending and the listening side]

WCF architecture
• Channel stack with transport and protocol channels
• Channels are described by binding elements
• One binding contains several binding elements
[Diagram: a binding is a stack of binding elements; on the client and on the service side (through the dispatcher) user code sits above a channel stack of protocol, encoding and transport channels]

WCF and SB
• New bindings
• New transport channels and binding elements
• New behaviors
[Diagram: the same channel stack, with the transport channels of both sides going through the Service Bus]

Bindings
• WebHttpRelayBinding
  • HTTP (web programming model)
  • Client interoperability
• BasicHttpRelayBinding and WS2007HttpRelayBinding
  • SOAP over HTTP (basic profile | WS-*)
  • Client interoperability
• NetTcpRelayBinding
  • Similar to NetTcpBinding (request-response and duplex)
• NetOnewayRelayBinding and NetEventRelayBinding
  • One-way with buffering and multicast

Binding elements
• Http(s)RelayTransportBindingElement
• TcpRelayTransportBindingElement
• RelayedOnewayTransportBindingElement

Access Control Service

Access Control Service
• Identity and access control for
  • Distributed systems
  • Decentralized authority
  • Heterogeneous technologies
• Claims-based model
• Service Bus integration

Identity and Authorization
[Diagram: credentials identify Contoso::Alice; Alice is a Contoso::LeadDev; that role maps to webapp::IssueMgr, which in turn includes webapp::IssueView]

Centralized Solution
[Diagram: the web app (IssueTracker) holds everything: a Membership Provider validates the credentials and yields Contoso::Alice, a Role Provider maps her to Contoso::LeadDev, webapp::IssueMgr and webapp::IssueView, and the app checks IPrincipal.IsInRole(...)]
Decentralized Authority
[Diagram: the web app (IssueTracker) still receives the credentials, but the facts Contoso::Alice and Contoso::LeadDev now come from a separate Contoso authority; only webapp::IssueMgr and webapp::IssueView remain the app's own]

Decentralized Authority
[Diagram: a Contoso Identity Provider, backed by Contoso's identity directory, validates the credentials and asserts Contoso::Alice and Contoso::LeadDev; the web app maps those to webapp::IssueMgr and webapp::IssueView]

Decision Enforcement
[Diagram: three stages: Contoso identity information (Contoso::Alice, Contoso::LeadDev) feeds an authorization decision in the web app (webapp::IssueMgr, webapp::IssueView, webapp::SB.Listen); the Service Bus is the authorization enforcement point]

Access Control Service
[Diagram: Contoso acts as Identity Provider (credentials in, Contoso::LeadDev out); the Access Control Service makes the authorization decision (webapp::IssueView, webapp::SB.Listen); the web app and the Service Bus enforce it]

Demo
[Diagram: Alice (LeadDev) authenticates to ACS either with username + password over WRAP against a Membership store, or with a SAML token over WS-Trust via WIF; ACS issues an SWT that the client presents to the Service Bus to Listen; the service side uses WIF]

Access Control Service
• Claims-based identity and access control
• Claims transformer ("claims in, claims out")
  • Consumes claims from federated issuers
  • Provides claims to applications and services
• Rule-based issuance policy
  • Rule: if the input has claim1 then output claim2
• Not an identity provider
  • Does not manage users' identities

Protocols and technologies
• AppFabric 1.0
  • OAuth WRAP (Web Resource Authorization Protocol)
  • Simple Web Token (SWT)
• Future (and past)?
  • WS-Federation: "passive" (browser-based) federation
  • WS-Trust: "active" (SOAP-based) federation
  • LiveID integration

WRAP
[Diagram: the client authenticates to the Authorization Server (which relies on an Identity Provider) and receives a bearer token carrying authorization claims; it presents that token to the API of the Protected Resource]
• A bearer token is usable by whoever holds it, so both legs of the exchange must run over TLS

WRAP and SWT
• Simple Web Token (SWT)
  • Form-encoded name-value pairs
  • HMAC-SHA-256 "signature" with a symmetric key (any party that can verify the token can also mint one, so the key is shared only between the issuer and the relying service)
• WRAP token request
  • HTTP POST
  • Username + password, or an authentication assertion (e.g. SAML)
• WRAP protected client call
  • HTTP header: Authorization: WRAP access_token="…"
  • GET or POST parameter: wrap_access_token="…"

Finally …
• Service Bus
  • Connectivity
  • Addressability and discoverability
  • Eventing
  • Buffering
• Access Control Service
  • Authorization decision point
    • For the Service Bus
    • For other services, in the cloud or on-premises
  • Flexible claims-based policy

Q&A
Your opinion matters! Please complete the evaluation form and hand it in on your way out.
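The ACS and WRAP/SWT slides above describe one pipeline: Contoso's claims go into rule-based transformation ("if has claim1 then output claim2"), ACS issues a Simple Web Token, the client presents it in a WRAP Authorization header, and the Service Bus verifies it before allowing Listen. The Python below is an added example that models that whole pipeline offline; it is not code from the slides, from ACS or from the Service Bus SDK. The SWT layout (form-encoded pairs, Issuer/Audience/ExpiresOn, a trailing HMACSHA256 parameter computed over everything before it) follows the SWT draft as I understand it; the shared key, the issuer name, the rule set, the claim names (including the `net.windows.servicebus.action` claim the bus is assumed to evaluate) and Alice's incoming claims are all constructed for the example. Only the demo namespace URL comes from the page.

```python
"""ACS-style claims transformation + SWT issue/verify + WRAP header (added example)."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# --- Constructed setup (assumptions, not values from the slides) -------------
SB_KEY = b"contoso-sb-demo-key-do-not-use-in-production"   # symmetric key shared by ACS and the SB namespace
ISSUER = "https://contoso-demo.accesscontrol.windows.net/"  # hypothetical ACS issuer name
AUDIENCE = "http://demos-pfelix.servicebus.windows.net/techdays"  # demo namespace/relpath from the deck
ACTION_CLAIM = "net.windows.servicebus.action"              # assumed name of the claim the bus checks

# ACS-style rules: (input type, input value, output type, output value); "*" matches any input value.
RULES = [
    ("role", "LeadDev", ACTION_CLAIM, "Listen"),
    ("role", "LeadDev", ACTION_CLAIM, "Send"),
    ("role", "*",       ACTION_CLAIM, "Send"),        # every Contoso role may send
    ("role", "LeadDev", "webapp_role", "IssueMgr"),
]


def transform_claims(input_claims, rules=RULES):
    """'Claims in, claims out': apply every matching rule and group output values by claim type.
    SWT carries a multi-valued claim as one comma-separated value."""
    out = {}
    for in_type, in_value in input_claims:
        for r_type, r_value, o_type, o_value in rules:
            if r_type == in_type and r_value in ("*", in_value):
                values = out.setdefault(o_type, [])
                if o_value not in values:
                    values.append(o_value)
    return {t: ",".join(v) for t, v in out.items()}


def _sign(body, key):
    """Base64 of HMAC-SHA-256 over the UTF-8 token text that precedes '&HMACSHA256='."""
    return base64.b64encode(hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()).decode("ascii")


def issue_swt(claims, key=SB_KEY, issuer=ISSUER, audience=AUDIENCE, ttl=600, now=None):
    """Authorization-server side: form-encode the claims and append the HMACSHA256 parameter last."""
    now = int(time.time()) if now is None else now
    pairs = list(claims.items()) + [("Issuer", issuer), ("Audience", audience), ("ExpiresOn", str(now + ttl))]
    body = urlencode(pairs)
    return body + "&HMACSHA256=" + quote(_sign(body, key), safe="")


def verify_swt(token, key=SB_KEY, audience=AUDIENCE, now=None):
    """Relying-party side: check the MAC in constant time, then audience and expiry.
    Raises ValueError on any failure; returns the claims dict on success."""
    now = int(time.time()) if now is None else now
    body, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token carries no HMACSHA256 parameter")
    if not hmac.compare_digest(unquote(sig).encode("utf-8"), _sign(body, key).encode("ascii")):
        raise ValueError("MAC mismatch: token tampered with or minted under another key")
    claims = dict(parse_qsl(body, keep_blank_values=True))
    if claims.get("Audience") != audience:
        raise ValueError("token issued for a different audience")
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")
    return claims


def wrap_authorization_header(token):
    """Client side: the header form of a WRAP protected call."""
    return 'WRAP access_token="%s"' % token


def token_from_wrap_header(header):
    scheme, _, rest = header.partition(" ")
    if scheme != "WRAP" or not rest.startswith('access_token="') or not rest.endswith('"'):
        raise ValueError("not a WRAP Authorization header")
    return rest[len('access_token="'):-1]


def service_bus_authorize(auth_header, action, now=None):
    """Enforcement point: does the presented token grant `action` (Listen/Send/...) on this namespace?"""
    claims = verify_swt(token_from_wrap_header(auth_header), now=now)
    return action in claims.get(ACTION_CLAIM, "").split(",")


if __name__ == "__main__":
    alice = [("name", "Alice"), ("role", "LeadDev")]      # constructed claims from Contoso's identity provider
    header = wrap_authorization_header(issue_swt(transform_claims(alice)))
    print(header)
    print("Listen allowed:", service_bus_authorize(header, "Listen"))
    print("Manage allowed:", service_bus_authorize(header, "Manage"))
    try:  # a bearer token is not secret from its holder, but the MAC stops the holder from upgrading it
        service_bus_authorize(header.replace("Listen", "Manage"), "Manage")
    except ValueError as e:
        print("tampered token rejected:", e)
```

Three checks in `verify_swt` carry the security weight: the MAC comparison is constant-time and runs before anything in the token is trusted; the Audience check stops a token minted for one namespace from being replayed against another that happens to share the key; and ExpiresOn bounds the window in which a stolen bearer token is useful. Because the key is symmetric, the Service Bus itself could mint tokens, which is why ACS and the bus are the only two holders of it.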