Duco Dokter - Plone for the enterprise market: technical musing on caching, Clustering and Single Sign-On

  • 2,192 views
Uploaded on

This technical presentation will cover many aspects of what one might encounter when a plone site is to be deployed in a highly demanding environment. And for what it's worth, these are not only …

This technical presentation will cover many aspects of what one might encounter when a plone site is to be deployed in a highly demanding environment. And for what it's worth, these are not only theoretical examples, but they have also been proven to work in real life. The following items will be presented: * High Availability architecture * Clustering with ZEO * Synchronizing Data.fs * Load Balancing * Sticky Sessions * Caching * Single Sign-On

More in: Business , Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
2,192
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
56
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Enterprise Plone: (Rather) Complex Infrastructures October 11, 2007, Plone Conference, Napoli Duco Dokter dokter@goldmund-wyldebeast-wunderliebe.com 1
  • 2. Contents • Existential affairs; • High Availability; • More existentialism; • Single Sign-On; • Load-balancing; • Caching... GOTO [other talks]. Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 2
  • 3. A not so complex setup Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 3
  • 4. You wanted it more fancy? Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 4
  • 5. The enterprise market • Usually highly demanding in terms of availability; • not necessarily because they actually need it though...; • mission critical applications; • complex existing infrastructure; • lots of (web)services, legacy. Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 5
  • 6. What is High Availability? The myth of the (five) nine’s (99.999) Your system is delivering its service to the user 99.999% of the time it is needed. (Myth: so the downtime of your actual ‘service’ is negligable...) Does anyone know how much time that leaves for breakdowns? Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 6
  • 7. About this much uptime downtime/yr downtime/mnth downtime/wk 99.99% 52.6 min 4.32 min 1.01 min 99.999% 5.26 min 25.9 sec 6.05 sec So one broken disk in your data center: • that takes 5 minutes to replace: 1 year used; • sadly the data center is ten minutes away by bike: three years worth; • and you have no spare disk and need to go to the shop first: 12 years gone; • ... but the shop needs to order that at Fujitsu... Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 7
  • 8. How? • assert risk for components, both hardware and software; • remove ’single-point-of-failure’ spots, id; • calculate possibility of system failure; • avoid complexity! Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 8
  • 9. HA Cluster setup • throw in more machines; • throw in more Zope instances (servers); • use heartbeat; floating IP, and other services can be transported across nodes connect over two interfaces: i.e. serial and ethernet Syncing: drbd, syncpozo, zeoraid, fs solutions Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 9
  • 10. New setup, as HA cluster Do we still have a problem? Yep: no global redundancy Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 10
  • 11. Why leave your slave whithering away? Adding LB and ZEO. Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 11
  • 12. And what about caching? Are we happy yet? Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 12
  • 13. Single Sign-On Single Sign-On is: • authentication process where a user presents credentials once and gets authenticated for more than one application; • a ‘meta’ session is created. Web SSO: the same story, but only for web applications Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 13
  • 14. Why Single Sign-On? • user experience; • less user separate user accounts; • focal point in security administration. Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 14
  • 15. How? • One trusted source; • a trust relationship between the source and ‘clients’; • a trusted & clear protocol for authentication. Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 15
  • 16. Plone SSO • More plone sites within same user session; • Plone as front-end for other apps; • other (non-Plone) web apps in same session; • non-web apps in same session; • Plone login based on machine login (not in scope, but think NTLM). Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 16
  • 17. CAS • SSO server built at Yale university; • Java Servlet/JSP technology; • (reasonably) well documented; • source code available; • free licence; • open and clear protocol. Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 17
  • 18. Plone & CAS Prerequisites: • CAS4PAS; • PlonePAS. Optional: PloneCASLogin Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 18
  • 19. Steps: Session 1 1. http request to Plone site A; 2. inlog link kiezen naar CAS server of authenticatie redirect (CAS4PAS) over HTTPS; 3. login on CAS server; 4. CAS sets cookie; 5. redirect back to callback service with ticket; 6. validation ticket to CAS server; 7. CAS server removes ticket and gives ’ok’ + netID; 8. response (with Plone cookie). Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 19
  • 20. Why the validate step? Because of redirect to service: might not be secured. So: a token is given, and Plone uses this to actually validate. CAS generates this token, and receives it to give back the user id. Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 20
  • 21. Steps: Session 2 1. http request to Plone site B; 2. click on login link to CAS server or receive authenticatie redirect (CAS4PAS); 3. CAS service recognizes existing session (based on cookie); 4. redirect back to service with new ticket; 5. validation with ticket; 6. CAS removes ticket, and says ’ok’ + Net ID; 7. response. Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 21
  • 22. Architectuur Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 22
  • 23. Back end • LDAP • SQL ... but fully pluggable. Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 23
  • 24. So... • more Plone sites, 1 account; • Plone site as front end for other sites; • Mix of Plone and other web systems; • Mix of Plone and non web systems. Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 24
  • 25. The final result What was that again on complexity? Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 25
  • 26. Issues • Loosing sessions: sticky sessions? • We haven’t really finished: monitoring. Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 26
  • 27. Ceterum censeo MicroSoftem esse delendam Duco Dokter, Goldmund, Wyldebeast & Wunderliebe, 11 october 2007 27