TRESOR – the modular cloud
Building a domain specific cloud
platform with OSGi
OSGi Community Event
Ludwigsburg
Eclipsecon...
About myself
Alexander
Grzesik

Head of Development
medisite Systemhaus

Working 15 years in
software
development

alexand...
Cloud – the future ?

By David Fletcher
Eclipsecon 2013

Building a domain specific cloud
platform with OSGi
TRESOR Partners
Trusted Ecosystem for Standardized and Open cloud-based
Resources

TRESOR is funded within the Trusted Clo...
TRESOR Cloud Ecosystem
Search, Maintain, Match

Marketplace

Authentication

IDM
(i.e. Active Directory)

Authorization

T...
TRESOR Goals
Extensible

Data Security

OSGi based

Encrypted Data

Use of Standards

Secure Communication

Development to...
TRESOR PaaS at a glance
Open
Platform

Strong
Encryption

Domain
specific
API
Eclipsecon 2013

6dfg4854
5454sff5
179hg45g
...
Domain specific API
Application

Glassfish Application Server
TRESOR Proxy
Server

Healthcare Applications and Services
Ap...
Cooking in the Cloud with OSGi

Eclipsecon 2013

Building a domain specific cloud
platform with OSGi
The Challenges
Component
Management

Provisioning

Dependencies

Architecture

Java
Enterprise
Integration

Security

Conf...
Bundle Structure
Application
Bundle

Service Bundle
Depends on
API

Impl

Straightforward
Tightly coupled API to Implement...
Better: Bundle Separation
Application
Bundle

Depends on

Service API
Bundle

Depends on

API

Separate API from Implement...
Managing with Blueprint
• Spring-style dependency injection
<bean id=“bmiServiceBean"
class="medisite.eclipsecon.bmi.impl....
Managing Dependencies

Eclipsecon 2013

Building a domain specific cloud
platform with OSGi
Manage Dependencies
• Maven allows managing dependencies
and versions
• Maven Bundle Plugin creates your
bundles
<plugin>
...
Non OSGi dependencies
• Problem:
A dependency is not an OSGi Bundle
• Option 1: Wrap bundle
<goals>
<goal>wrap</goal>
</go...
Java Enterprise Integration

Eclipsecon 2013

Building a domain specific cloud
platform with OSGi
Persistence
• JPA Persistence Units as OSGi Bundles
• Create Persistence.xml and include in bundle:
<Meta-Persistence>
MET...
Embeded Persitence Unit
Application
Bundle

Depends on

Service API
Bundle

Depends on

API

Eclipsecon 2013

Building a d...
Persistence Service
Application
Bundle

Service API
Bundle
API

Service Impl
Bundle

Impl

Persistence
Bundle

DAO
Eclipse...
Persistence Service via Blueprint
• Managed by Blueprint container (Aries)
• Declarative Transaction Management
<bean id=“...
Web Application Bundle
• Deploy a war as OSGi bundle (wab)
<instructions>
<Web-ContextPath>/bmi</Web-ContextPath>
<_wab>sr...
Configuration

Eclipsecon 2013

Building a domain specific cloud
platform with OSGi
Configuration Administration Service
• Blueprint integration from Apache Aries
<cm:property-placeholder id="property-place...
Security

Eclipsecon 2013

Building a domain specific cloud
platform with OSGi
ConditionalPermissionAdmin
• Control Permissions
ConditionalPermissionAdmin cpa = getConditionalPermissionAdmin(context);
...
Policy File Reader
ACCEPT {
[org.osgi.service.condpermadmin.BundleSignerCondition
"CN=tresor,O=medisite Systemhaus GmbH,C=...
More thoughts on Security
• Make sure PolicyManager starts before
custom bundles
• Restrict access to
ConditionalPermissio...
Provisioning

Eclipsecon 2013

Building a domain specific cloud
platform with OSGi
Cloud Provisioning
Repository Cloud Application Manager

Application

Application

Application

Application
Putting it all together
Blueprint
Configuration
Admin
Configure

Application
Bundle

Service API
Bundle

Service Impl
Bund...
Lessons learned
• Steep learning curve
• Detailed information is often missing
• From jar hell to bundle hell
– Managing d...
Benefits of OSGi for Architecture
•
•
•
•
•
•

Separation of components
Loose coupling
Detect dependencies
Encapsulation
V...
Think about your architecture

Eclipsecon 2013

Building a domain specific cloud
platform with OSGi
Useful Resources
• The OSGi Standard
• OSGi Books
– OSGi in Action
– OSGi in Depth
– Enterprise OSGi in Action

• IBM Webs...
Questions ?

Eclipsecon 2013

Building a domain specific cloud
platform with OSGi
Upcoming SlideShare
Loading in...5
×

TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik

1,171

Published on

OSGi Community Event 2013 (http://www.osgi.org/CommunityEvent2013/Schedule)

ABSTRACT
The usage of cloud technologies for data exchange as well as the capability of services to run in the cloud brought this internet-based technology a gain of importance in the last years covering the private customer as well as the industry. This talk will give a practical introduction to an OSGi based architecture for cloud applications and gives an overview to the usage of OSGi Enterprise and Blueprint specifications. It will show some best practices, we established to develop with OSGi in an enterprise cloud environment.

With sight on the healthcare sector, the cloud is challenged with special requirements on data security during storage and transfer. Thus leading to the need to address customer concerns respecting privacy in much more detail than in other areas. To advance the research on the usage of cloud technologies in the healthcare sector as well as to enrich discussions on this theme, the German Federal Ministry of Economics and Technology funds 14 research projects as part of the Trusted Cloud initiative [1]. The TRESOR - Trusted Ecosystem for Standardized and Open cloud-based Resources – project as one of these projects has the aim to provide an open platform for cloud applications for the health care sector [2]. In this project, we combine modern cloud technologies and the OSGi service framework to build a modular and scalable PaaS (Platform as a Service) to provide flexible domain specific services for healthcare.

Topics covered:

Introduction to the TRESOR project
Why we decided to use OSGi
OSGi based architecture, benefits and pitfalls
OSGi Enterprise and Blueprint, What they provide and what is lacking
Some Best Practices
OSGi & Maven
From jar-hell to bundle hell ?
Fine grained control with Bundle Security
OSGi Bundles & JPA Persistence
Transaction management with Blueprint
OSGi in the cloud
References

[1] Trusted Cloud Project, BMWi

[2] TRESOR Homepage, BMWi

SPEAKER BIO
Current employment: Head of development of medisite Systemhaus GmbH responsible for the development of the Patient Data Management System (PDMS) m.life and Software architect for the TRESOR Project. 15 years of work experience in medical Software development, 10 of this as Team leader and Software architect. Expert for Software Architecture, OSGi, Java and Java EE

Published in: Technology, Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,171
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
26
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik

  1. 1. TRESOR – the modular cloud Building a domain specific cloud platform with OSGi OSGi Community Event Ludwigsburg Eclipsecon 2013
  2. 2. About myself Alexander Grzesik Head of Development medisite Systemhaus Working 15 years in software development alexander.grzesik@medisite.de Java Software Architecture Medical Software Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  3. 3. Cloud – the future ? By David Fletcher Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  4. 4. TRESOR Partners Trusted Ecosystem for Standardized and Open cloud-based Resources TRESOR is funded within the Trusted Cloud project by the Federal Ministry of Economy on basis of a resolution passed by the German Bundestag Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  5. 5. TRESOR Cloud Ecosystem Search, Maintain, Match Marketplace Authentication IDM (i.e. Active Directory) Authorization TRESOR Proxy (Client) Service Profile Repository SLA Monitoring TRESOR User Manage TRESOR Proxy (Client) Client Profile Repository Billing TRESOR Broker TRESOR Ecosystem TRESOR Billing Service use TRESOR Proxy (Client) Clients TRESOR Proxy (Trusted 3rd Party) TRESOR PaaS TRESOR Service Provider Service use IaaS-Provider MMV PAI TRESOR Proxy (Service) Eclipsecon 2013 ... Building a domain specific cloud platform with OSGi Dynamic Services
  6. 6. TRESOR Goals Extensible Data Security OSGi based Encrypted Data Use of Standards Secure Communication Development tools Open Secure Flexible Cloud Scalable Fast Time-to-Market Reliable No Vendor Lock-In High Availability Flexible deployment Eclipsecon 2013 Certified Powered by OpenShift Building a domain specific cloud platform with OSGi
  7. 7. TRESOR PaaS at a glance Open Platform Strong Encryption Domain specific API Eclipsecon 2013 6dfg4854 5454sff5 179hg45g 584551gh 2152fgh5 78dfd15d 98dfgh2d fgf72548 44485ddf 658g54d1 11fghf15 14925fg1 7654fghd 874dfg6d Polyglot Persistence 151fd545 151538fd 15414gfg 154215jh 15325sgd 897fg21d 3544sdfg Modular Architecture Building a domain specific cloud platform with OSGi Powered by OpenShift
  8. 8. Domain specific API Application Glassfish Application Server TRESOR Proxy Server Healthcare Applications and Services Applications & Services Plugin Build Service Vaadin Web Framework UI Components UI Module Management Plugin repository Laboratory Diagnostic Theraphy Planning Radiology Diagnostic Document Management Elastic Search Management & Monitoring Patient Adminstration Patient Timeline Clinical Documentation Order Entry Encryption Engine Terminology Reporting Encryption Business Rules Object Mapping User Management Configuration Search and Index Security Process Engine Persistence Notification Apache Felix OSGi Aries Blueprint Enterprise OSGi Java EE JPA/Eclipse Link 3rd Party Bundles OpenAM Eclipsecon 2013 Building a domain specific cloud platform with OSGi Integration Engine
  9. 9. Cooking in the Cloud with OSGi Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  10. 10. The Challenges Component Management Provisioning Dependencies Architecture Java Enterprise Integration Security Configuration Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  11. 11. Bundle Structure Application Bundle Service Bundle Depends on API Impl Straightforward Tightly coupled API to Implementation Replacing Implementation with high overhead Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  12. 12. Better: Bundle Separation Application Bundle Depends on Service API Bundle Depends on API Separate API from Implementation Application only depends on API Implementation may be changed transparently Eclipsecon 2013 Building a domain specific cloud platform with OSGi Service Impl Bundle Impl
  13. 13. Managing with Blueprint • Spring-style dependency injection <bean id=“bmiServiceBean" class="medisite.eclipsecon.bmi.impl.BmiServiceImpl"> <property name=“calculatorBean" ref="bmiCalculatorBean"/> </bean> • Keeps code clean of OSGi dependencies <service id=“bmiService" ref=“bmiServiceBean" interface="medisite.eclipsecon.bmi.BmiService“ /> • Handles Service Lifecycle <reference id=“importedService" interface=" medisite.eclipsecon.bmi.BmiService" availability="mandatory”/> • Enterprise Extensions Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  14. 14. Managing Dependencies Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  15. 15. Manage Dependencies • Maven allows managing dependencies and versions • Maven Bundle Plugin creates your bundles <plugin> <groupId>org.apache.felix</groupId> <artifactId>maven-bundle-plugin</artifactId> <configuration> <instructions> <Export-Package>medisite.eclipsecon.bmi.*</Export-Package> <Import-Package> org.slf4j;provider=paxlogging, * </Import-Package> </instructions></configuration></plugin> Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  16. 16. Non OSGi dependencies • Problem: A dependency is not an OSGi Bundle • Option 1: Wrap bundle <goals> <goal>wrap</goal> </goals> <configuration> <wrapImportPackage>;</wrapImportPackage> </configuration> • Option 2: Embed dependency <Embed-Dependency> *;scope=compile|runtime;type=!pom;inline=false </Embed-Dependency> <Embed-Transitive>false</Embed-Transitive> <Import-Package>*;resolution:=optional</Import-Package> Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  17. 17. Java Enterprise Integration Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  18. 18. Persistence • JPA Persistence Units as OSGi Bundles • Create Persistence.xml and include in bundle: <Meta-Persistence> META-INF/persistence.xml </Meta-Persistence> <Include-Resource> META-INF/persistence.xml=src/main/resources/METAINF/persistence.xml </Include-Resource> <JPA-PersistenceUnits> persistence-test </JPA-PersistenceUnits> Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  19. 19. Embeded Persitence Unit Application Bundle Depends on Service API Bundle Depends on API Eclipsecon 2013 Building a domain specific cloud platform with OSGi Service Impl Bundle Impl Persist ence
  20. 20. Persistence Service Application Bundle Service API Bundle API Service Impl Bundle Impl Persistence Bundle DAO Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  21. 21. Persistence Service via Blueprint • Managed by Blueprint container (Aries) • Declarative Transaction Management <bean id=“bmiDAO" class="medisite.eclipsecon.persistence.impl.BmiDAO" init-method="init"> <jpa:context property="entityManager" unitname="persistence-test" /> <tx:transaction method="*" value="Requires" /> </bean> Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  22. 22. Web Application Bundle • Deploy a war as OSGi bundle (wab) <instructions> <Web-ContextPath>/bmi</Web-ContextPath> <_wab>src/main/resources</_wab> </instructions> • Interact with OSGi Services from Servlet BundleContext ctxt = (BundleContext) servletContext.getAttribute(“osgi-bundlecontext”); • JNDI Integration InitialContext ic = new InitialContext(); IBmiService calculator = (IBmiService) ic.lookup("osgi:service/" + IBmiService.class.getName()); Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  23. 23. Configuration Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  24. 24. Configuration Administration Service • Blueprint integration from Apache Aries <cm:property-placeholder id="property-placeholder" persistentid=“frameworkConfig" update-strategy="reload"> <cm:default-properties> <cm:property name=“selfTest" value="false"/> </cm:default-properties> </cm:property-placeholder> <bean id=“testerBean" class="medisite.eclipsecon.bmi.impl.BundleTest> <property name="selfTest" value="${selfTest}"/> </bean> • Managed Properties <bean id=“bmiService" class="medisite.eclipsecon.impl.BmiServiceImpl"> <cm:managed-properties persistent-id=“bmiServiceConfig" update-strategy="container-managed"/> </bean> Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  25. 25. Security Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  26. 26. ConditionalPermissionAdmin • Control Permissions ConditionalPermissionAdmin cpa = getConditionalPermissionAdmin(context); ConditionalPermissionUpdate u = cpa.newConditionalPermissionUpdate(); List infos = u.getConditionalPermissionInfos(); infos.clear(); for (String encodedInfo : encodedInfos) { infos.add(cpa.newConditionalPermissionInfo(encodedInfo)); } if (!u.commit()) throw new ConcurrentModificationException("Permissions changed during update"); Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  27. 27. Policy File Reader ACCEPT { [org.osgi.service.condpermadmin.BundleSignerCondition "CN=tresor,O=medisite Systemhaus GmbH,C=de"] ( java.security.AllPermission "*" "*") } DENY { (org.osgi.framework.PackagePermission “medisite.eclipsecon.*" "IMPORT") } ALLOW { (org.osgi.framework.PackagePermission “*" "IMPORT") } Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  28. 28. More thoughts on Security • Make sure PolicyManager starts before custom bundles • Restrict access to ConditionalPermissionAdmin • Application Permissions with blueprint interceptor (Aries) Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  29. 29. Provisioning Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  30. 30. Cloud Provisioning Repository Cloud Application Manager Application Application Application Application
  31. 31. Putting it all together Blueprint Configuration Admin Configure Application Bundle Service API Bundle Service Impl Bundle API Impl Protect Security Manager Eclipsecon 2013 Building a domain specific cloud platform with OSGi Persistence Bundle DAO
  32. 32. Lessons learned • Steep learning curve • Detailed information is often missing • From jar hell to bundle hell – Managing dependencies is challenging – Not all libraries support OSGi • Difficult to migrate non-OSGi application to OSGi Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  33. 33. Benefits of OSGi for Architecture • • • • • • Separation of components Loose coupling Detect dependencies Encapsulation Versioning Integrating Java EE Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  34. 34. Think about your architecture Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  35. 35. Useful Resources • The OSGi Standard • OSGi Books – OSGi in Action – OSGi in Depth – Enterprise OSGi in Action • IBM Websphere Documentation • Pax OSGi Projects Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  36. 36. Questions ? Eclipsecon 2013 Building a domain specific cloud platform with OSGi
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×