Best Practices for API Management
Successful development and deployment best practices of WSO2 customers to secure, monitor, and manage APIs
Presentation Transcript

  • Best Practices for API Management
    Isabelle Mauny, Director, Product Management, WSO2
    Last Updated: March 2014
    Thursday, March 27, 14
  • About the speaker...
    ๏ French native
    ๏ Living in Spain
    ๏ Works mostly with Sri Lanka
    ๏ 18 years at IBM, 4 years in startups
    ๏ Managing the overall WSO2 portfolio
    ๏ Linux command line user
  • Who is WSO2?
    ๏ Open Source Middleware Platform Provider
    ๏ Apache 2.0 License
    ๏ Provides Integration, API Management and Mobile enterprise management products
    ๏ Main contributor to Apache Stratos PaaS
    ๏ Creators of the DevOps "AppFactory" cloud solution
  • Business Model
  • Define a Business Model
    ๏ What are the business goals?
      ๏ Enable 3rd-party mobile app development?
      ๏ Increase brand recognition?
      ๏ Open new revenue channels?
    ๏ Define the monetization model
      ๏ Free?
      ๏ Pay per usage?
      ๏ Free APIs, but paid via ads
  • Development
  • Services and APIs
    ๏ The service deals with implementation
    ๏ The API deals with subscription (consumer)
    ๏ Two very distinct life cycles!
    ๏ You don't need the service to create the API...
  • Building a Managed API
    ๏ Creating APIs (interface, docs, samples, etc.)
    ๏ Advertising APIs
    ๏ Making APIs subscribe-able by consumers
    ๏ Associating SLAs
    ๏ Securing APIs
    ๏ Monetization and Analytics
  • API Security
  • API Security
    ๏ Security is not an afterthought!
    ๏ APIs are part of a much larger enterprise picture
    ๏ How will consumers request an access token?
      ๏ Using a SAML 2.0 assertion?
      ๏ Using client_credentials?
      ๏ Using userid/password?
    ๏ Make sure you document thoroughly how developers need to manage tokens:
      ๏ Tokens are like passwords!
      ๏ Always use SSL for token transportation!
      ๏ Use domain restrictions (WSO2 API Manager)
  • Fine-grained access to APIs
    ๏ OAuth2 is all about access control: a token is associated with a scope.
    ๏ XACML (eXtensible Access Control Markup Language) is the de-facto standard for fine-grained access control.
    ๏ OAuth scopes can be represented in XACML policies
    ๏ Provides fine-grained control over what a user/application can do (e.g. you can call GET but not POST on an API)
  • Passing Auth Information to back-end services
    ๏ Using JSON Web Tokens (JWT)
      ๏ Lightweight
      ๏ Can be signed
      ๏ Easy to parse and consume
      ๏ Standard
    [Diagram: Internal and External Applications send an OAuth 2 Access Token to the API Gateway (API Management Layer); the gateway passes a JSON Web Token on to the Services Layer]
  • Token Format
    ๏ JWT Structure: {token info}.{claims list}.{signature}
    ๏ Base-64 Encoded
  • What are Claims?
    ๏ Claims are a set of attributes about a user, mapped to the underlying user store.
    ๏ A set of claims is called a dialect
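The three slides above describe the JWT that the gateway hands to back-end services and the scope-per-method check from the fine-grained access slide. The following is an added example, not WSO2 code: it mints and verifies a {token info}.{claims list}.{signature} token with HMAC-SHA256, then authorizes an HTTP method against the token's scope claim. The shared key, the `catalog:read` / `catalog:write` scope names and the claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key shared by gateway and backend; a real deployment keeps it in a key store.
SECRET = b"demo-shared-secret-not-for-production"

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding every JWT segment uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build {token info}.{claims list}.{signature}, signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
            + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url(sig)

def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Return the claims only if algorithm, signature and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    head_b64, claims_b64, sig_b64 = parts
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # reject alg=none or a swapped algorithm outright
    expected = hmac.new(secret, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")    # tampered claims or signature
    claims = json.loads(b64url_decode(claims_b64))
    current = now if now is not None else int(time.time())
    if int(claims.get("exp", 0)) <= current:
        raise ValueError("token expired")
    return claims

# Hypothetical scope names: reading the catalog needs one scope, changing it another.
METHOD_SCOPE = {"GET": "catalog:read", "POST": "catalog:write"}

def authorize(token: str, method: str, now: Optional[int] = None) -> bool:
    """Gateway-side check: a valid JWT whose scope claim covers the HTTP method used."""
    granted = set(verify_jwt(token, now=now).get("scope", "").split())
    return METHOD_SCOPE.get(method) in granted
```

The back-end service runs the same `verify_jwt` before trusting any claim, so a token that is replayed after expiry or altered in transit is rejected at both hops.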
  • Publishing
  • Choosing an API Management Platform
    ๏ What the platform must do, at a minimum:
      ๏ User Management (self-sign up, profile management)
      ๏ API Publication / API Store
      ๏ API Security
      ๏ Statistics
      ๏ SLA control
      ๏ Throttling / Rate Limiting
      ๏ API Versioning
      ๏ Monetization/Billing
      ๏ and more!
    ๏ You could build all of this yourself, but...
  • Need for API Versioning
    ๏ Need to support API evolution
    ๏ While maintaining
      ๏ Backward compatibility -> Functionality
      ๏ Rates/Throttling agreements
    ๏ Different versioning mechanisms
  • API Versioning Strategies
    ๏ Version as a query parameter
      ๏ Netflix - http://api.netflix.com/catalog/titles/series/70023522?v=1.5
      ๏ Google Data API - "GData-Version: X.0" or "v=X.0"
    ๏ Version as part of the URI
      ๏ Salesforce - https://na1.salesforce.com/services/data/v20.0/sobjects/Account/
      ๏ Twitter - https://api.twitter.com/1.1/statuses/mentions_timeline.json
    ๏ Version as a date in the URI
      ๏ Twilio - /2010-04-01/Accounts/{AccountSid}/Calls
      ๏ http://www.twilio.com/docs/api/rest/making-calls
    ๏ Version as a
      ๏ Custom HTTP Header
      ๏ Accept Header
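A gateway has to resolve the requested version before it can apply the right backward-compatibility rules and the throttling agreement attached to that version. This added example (not WSO2 code) recognizes every strategy listed on the slide using the cited public URL shapes; the `version=` Accept parameter and the `vnd.*.vN+json` media type are assumed conventions, and versions are taken from the first path segment only so that numeric resource ids deeper in the path are not mistaken for a version.

```python
import re
from typing import Mapping, Optional
from urllib.parse import parse_qs, urlsplit

def extract_version(url: str, headers: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return the version a request asks for, trying each strategy from the slide in turn:
    query parameter, URI segment (plain or v-prefixed), date in URI, custom header, Accept."""
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]

    # 1. Version as a query parameter (Netflix-style ?v=1.5, Google Data ?v=X.0)
    query = parse_qs(parts.query)
    if "v" in query:
        return query["v"][0]

    # 2. Version as part of the URI: a leading numeric segment (Twitter-style /1.1/) ...
    if segments and re.fullmatch(r"\d+(\.\d+)?", segments[0]):
        return segments[0]
    for seg in segments:
        # ... or a v-prefixed segment anywhere in the path (Salesforce-style /v20.0/)
        if re.fullmatch(r"v\d+(\.\d+)?", seg):
            return seg[1:]
        # 3. Version as a date in the URI (Twilio-style /2010-04-01/)
        if re.fullmatch(r"\d{4}-\d{2}-\d{2}", seg):
            return seg

    # 4. Custom HTTP header (Google Data's GData-Version)
    if "gdata-version" in hdrs:
        return hdrs["gdata-version"]

    # 5. Accept header: vendor media type (.v3+json) or an assumed version= parameter
    m = re.search(r"\.v(\d+(?:\.\d+)?)\+|version=([\w.]+)", hdrs.get("accept", ""))
    if m:
        return m.group(1) or m.group(2)
    return None
```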
  • API Lifecycle
    ๏ An API can pass through multiple states
    ๏ For example:
      ๏ CREATED
      ๏ PUBLISHED
      ๏ DEPRECATED
      ๏ RETIRED
      ๏ BLOCKED
    ๏ Should integrate with the complete governance lifecycle
  • Show some developer's love :)
    ๏ Docs, docs and more docs
    ๏ API samples, in many languages
    ๏ Embedded testing
    ๏ Provide sandbox and production runtimes
    ๏ SDK
      ๏ Wraps API access, including security
  • Deployment
  • Gateway vs. ESB
    ๏ Oh, but I already have an ESB! Why do I need a gateway?
    ๏ API Gateway vs. Mediation Layer (ESB)
    ๏ Gateway = light ESB?
    ๏ Think of ESB as an architecture pattern, not a product!
  • Generic Facade Pattern
    ๏ Pros
      ๏ No additional hop in the network
      ๏ Single server to be managed
      ๏ More suited for internal deployments
    ๏ Cons
      ๏ Complexity of integration at the edge of the network
      ๏ API Management layer can't really scale independently
      ๏ Not appropriate for DMZ deployments (direct access to backend services)
    [Diagram: Internal and External Applications -> API Gateway (API Management Layer) -> Services Layer]
  • Separated Facade & Mediation
    ๏ API Gateway Layer acts as a simple reverse proxy, enforcing basic policies
    ๏ Clear separation of concerns between layers
    ๏ Mediation layer and API management layer scale independently
    ๏ Specific security checks/protection at the edge of the network
    ๏ Provides protocol transformation at the edge of the network
    [Diagram: Internal and External Applications -> API Gateway (API Management Layer) -> Mediation Layer (Services Composition, Services Orchestration) -> Services Layer]
  • Specific WSO2 Solution
    ๏ Our API gateway is actually a full-blown ESB under the hood, constrained at the UI level.
    ๏ You can install the missing ESB features on top of API Manager and combine both architecture layers into a single runtime!
    ๏ Makes the choice a deployment one.
  • Typical Deployment
    [Diagram: Web Tier (External Web Application, External Mobile Application); External APIs Tier (Load balancer, API Gateways); Orchestration Layer (BPS Server, BPM); Identity Server for Token Validation, Policy Decision Point, Users Store Management; ESB Server; Data Access Layer (Data Services Server); Messaging Layer (Message Broker Server); Internal APIs Tier (Load balancer, API Gateways, Identity Server)]
  • Users Store
    ๏ Separate admins / corporate users from the developers' user store (created via self-sign up)
  • You can't manage what you can't measure.
  • Why are Analytics and API Management important together?
    ๏ Build confidence in the API model
    ๏ Understand your customer
      ๏ Not just the developer but also the end-user
    ๏ Help manage services and versions
      ๏ Understand when deprecated services can be retired
    ๏ Plan better
      ๏ Monitor the growth of aggregated API traffic
      ๏ Monitor the growth of specific apps
    ๏ Even if you're not going to put analytics in place, make sure you capture all events right from the beginning of the project.
  • Analytics 101: Aggregation
    • How to collect data efficiently
    • How to store data effectively
    • Choose which data to capture
  • Analytics 101: Analysis
    • Data operations
    • Defining KPIs and analytics
    • Operating on large amounts of historical or current data
    • Creating intelligence
  • Analytics 101: Presentation
    • Visualization
    • Dashboards
    • Reports
  • Monitor And Analyze
    ๏ Take decisions in real time through Complex Event Processing
    ๏ Create dashboards for both technical and business monitoring
    [Diagram: Events Collector and 3rd-party products write events to the Events Datastore; the CEP Engine feeds events and generates new events; the Analytics Engine and Report Generator fill the Analytics Datastore; the Real Time Decision Engine deploys logic; User Engagement Server]
  • Detecting Usage Patterns
    ๏ My API customer is trying to steal my business: let's block them.
    ๏ A customer is at 80% of their API plan: let's warn them
    ๏ A customer is systematically at 120% of the plan: propose an upgrade to the premium plan
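The 80% and 120% rules above are the kind of decision the analytics layer makes once gateway events are aggregated per application and per billing period. This added example (not WSO2 code) runs those two rules over constructed monthly call counts; "systematically" is assumed to mean three consecutive months at or above the threshold, and the plan quotas and application names are made up for the demo.

```python
from typing import Dict, List

# Constructed sample data (not real WSO2 output): monthly API calls per application,
# oldest month first, and each application's plan quota in calls per month.
PLANS = {"app-bronze": 10_000, "app-silver": 50_000, "app-gold": 200_000}
USAGE = {
    "app-bronze": [12_500, 13_000, 12_100],   # three months running at 120% or more
    "app-silver": [30_000, 38_000, 41_000],   # latest month at 82% of plan
    "app-gold":   [90_000, 95_000, 88_000],   # comfortably inside the plan
}

def plan_ratio(calls: int, quota: int) -> float:
    """Fraction of the monthly quota consumed (1.0 == exactly at plan)."""
    return calls / quota

def classify(history: List[int], quota: int, warn_at: float = 0.8,
             upgrade_at: float = 1.2, streak: int = 3) -> str:
    """Map a usage history to an action: 'propose-upgrade' when the last `streak` months
    are all at or above upgrade_at, 'warn' when the latest month is at or above warn_at."""
    if not history:
        return "ok"
    ratios = [plan_ratio(c, quota) for c in history]
    recent = ratios[-streak:]
    if len(recent) == streak and all(r >= upgrade_at for r in recent):
        return "propose-upgrade"
    if ratios[-1] >= warn_at:
        return "warn"
    return "ok"

def review_customers(usage: Dict[str, List[int]] = USAGE,
                     plans: Dict[str, int] = PLANS) -> Dict[str, str]:
    """Run the classification over every application that has a plan."""
    return {app: classify(hist, plans[app]) for app, hist in usage.items() if app in plans}
```

A single month at 125% is only a warning, not an upgrade proposal, which keeps a one-off traffic spike from triggering a sales action.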
  • Demo
  • Demo Setup
    [Diagram: Web Tier (External Web Application); APIs Tier (API Gateway); Mediation Layer (ESB Server); Services Layer (Application Server); Messaging Layer (Message Broker Server); Identity Server for Token Validation, Policy Decision Point, Identity Provider, Users Store Manager; Reporting, Logging, Operational Analysis (BAM, CEP)]
  • References
    ๏ Building an Ecosystem for API Security (White Paper)
      ๏ http://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/
    ๏ API Facade Pattern (Webinar)
      ๏ http://wso2.com/library/webinars/2014/01/implementing-api-facade-using-wso2-api-management-platform/
    ๏ API Management: Missing Link for SOA
      ๏ http://sanjiva.weerawarana.org/2012/08/api-management-missing-link-for-soa.html
    ๏ Promoting Service Reuse
      ๏ http://wso2.com/whitepapers/promoting-service-reuse-within-your-enterprise-and-maximizing-soa-success/
  • Download API Manager today!
    ๏ http://wso2.com/products/api-manager/
  • Contact us!