At Adobe, APIs are powering the next generation of Creative applications.
Mesos makes it easy and fun to deploy and run robust and scalable microservices in the cloud. Today's technologies offer simple solutions to create RESTful services, while Mesos brings them to life faster.
As the number of microservices increases and the communication between them becomes more complicated, we soon realize we have new questions awaiting answers: How do microservices authenticate? How do we monitor who's using the APIs they expose? How do we protect them from attacks? How do we set throttling and rate limiting rules across a cluster of microservices? How do we control which service allows public access and which one we want to keep private? How about Mesos APIs and its frameworks? Can they benefit from these features as well?
Come and learn a scalable architecture to manage microservices in Mesos by integrating an API Management layer inside your Mesos clusters. This presentation will show you what an API Management layer is, what it's composed of and how it can help you expose microservices in a secure, managed and highly available way, even in multi-Mesos cluster setups.
During this session you will also have the opportunity to learn how Adobe's API Platform solved this problem, where it is today and what it envisions to do with Mesos further.
If you're working with microservices already or you're creating new ones, then this presentation is for you. Come and learn how Mesos together with an API management layer will make you a microservices hero in your organisation.
MesosCon - Be a microservices hero
1. Be a Microservices Hero | MesosCon’16
Dragos Dascalita Haut | Project Lead | Adobe I/O
2. Adobe I/O provides the definitive destination for Developers looking to
learn about, engage with and integrate Adobe cloud, mobile, and web
technologies.
20. Fill the API Management gap in Apache Mesos
by sharing the technology behind Adobe I/O
and develop it further with the community.
21. GOAL
§ Make it simple and consistent for developers to consume APIs
§ … and straightforward to publish APIs
22. API GATEWAY : The Adobe I/O Engine
• OPEN SOURCE:
• https://github.com/adobe-apiplatform/apigateway
• FEATURES:
• API Façade - to build a unified API from multiple microservices
• Controls Access by validating requests
• Prevents Attacks through Throttling and Rate Limiting rules
• Provides Analytics based on usage data
• OOTB Service Discovery using Marathon and Mesos
• With hooks for other service discovery implementations
23. API GATEWAY : The Adobe I/O Engine
• FEATURES THE API GATEWAY SHOULD AVOID:
• Payload transformation
• Any other business logic particular to the domain of an API
25. OPENRESTY
• Nginx Lua Module
• Nginx Redis
• Headers more
• Set misc
• LuaJIT
• ….
API Gateway Modules
• Request Validation
• Throttling & Rate Limiting
• HTTP Logger
NGINX
• Upstream
• HTTP Proxy
• PCRE
• SSL
• ….
API GATEWAY : "… TAKE ONE OF THE MOST POPULAR WEB SERVERS AND ADD API GATEWAY CAPABILITIES TO IT …"
28. API GATEWAY : Simple Service Definition to validate requests
server {
    listen 80;
    server_name hello-world.gw.mesosconference.org;
    location / {
        # -------------------------------------------------
        # Specify what to validate for this location
        # -------------------------------------------------
        set $validate_api_key on;
        set $validate_oauth_token on;
        set $validate_user_profile on;
        set $validate_service_plan on;
        ...
        access_by_lua "ngx.apiGateway.validation.validateRequest()";
        # -------------------------------------------------
        # Proxy the request to the actual microservice
        # -------------------------------------------------
        proxy_pass http://hello-world;
    }
}
29. API GATEWAY : Routing is done based on Service Discovery
server {
    listen 80;
    server_name hello-world.api.mesoscon.org;
    location / {
        # -------------------------------------------------
        # Specify what to validate for this location
        # -------------------------------------------------
        set $validate_api_key on;
        set $validate_oauth_token on;
        set $validate_user_profile on;
        set $validate_service_plan on;
        ...
        access_by_lua "ngx.apiGateway.validation.validateRequest()";
        # -------------------------------------------------
        # Proxy the request to the actual microservice
        # -------------------------------------------------
        proxy_pass http://hello-world;
    }
}
...
upstream hello-world {
    # --------------------------------
    # Specify the list of backends
    # where hello-world microservice
    # is running
    # --------------------------------
    server 10.0.0.7:13780;
    server 10.0.0.8:11900;
    ...
}
30. SERVICE DEFINITION vs SERVICE DISCOVERY
server {
    listen 80;
    server_name hello-world.api.mesoscon.org;
    location / {
        # -------------------------------------------------
        # Specify what to validate for this location
        # -------------------------------------------------
        set $validate_api_key on;
        set $validate_oauth_token on;
        set $validate_user_profile on;
        set $validate_service_plan on;
        ...
        access_by_lua "ngx.apiGateway.validation.validateRequest()";
        # -------------------------------------------------
        # Proxy the request to the actual microservice
        # -------------------------------------------------
        proxy_pass http://hello-world;
    }
}
...
upstream hello-world {
    # --------------------------------
    # Specify the list of backends
    # where hello-world microservice
    # is running
    # --------------------------------
    server 10.0.0.7:13780;
    server 10.0.0.8:11900;
    ...
}
36. API GATEWAY : API KEY Management with Redis
Protecting a service with API-KEY Validation
Create a new Vhost for server_name ~hello-world.api.(?<domain>.+);
set $marathon_app_name hello-world;
location / {
    …
    # identify the service
    set $service_id $marathon_app_name;
    # READ THE API KEY
    # either from the query string or from the "X-Api-Key" header
    set $api_key $arg_api_key;
    set_if_empty $api_key $http_x_api_key;
    # add the api-key validator
    set $validate_api_key on;
    # validate request
    access_by_lua "ngx.apiGateway.validation.validateRequest()";
    proxy_pass http://$marathon_app_name;
}
37. API GATEWAY : API KEY Management with Redis
Create a new API-KEY and save it into Redis cache
# ADD an API-KEY for the HELLO-WORLD service
# NOTE: this API SHOULD NOT be exposed publicly
curl -X POST "http://api-gateway.${API_DOMAIN}/cache/api_key?key=key-1&app_name=demo-app&service_id=hello-world&service_name=hello-world&consumer_org_name=demo-consumer"
# update hello-world microservice to require an API-KEY
curl "http://hello-world.${API_DOMAIN}/hello"
# {"error_code":"403000","message":"Api Key is required"}
# make another call including the api-key
curl "http://hello-world.${API_DOMAIN}/hello" -H "X-Api-Key:key-1"
40. API GATEWAY : Adding a new throttling policy
curl -i -X POST "http://cell-os_gateway-tracking-service.<domain>/api/policies/throttling" \
  -H "Content-Type:application/json" -H "X-AMS-Policy-Type:THROTTLING_POLICY" --data '
[{
  "id": "2",
  "softLimit": 3,
  "maxDelayPeriod": 4,
  "hardLimit": 5,
  "timeUnit": "SECONDS",
  "span": 30,
  "lastModified": 1438019079000,
  "domain": {
    "$api_key": "key-1"
  }
}]'
softLimit: A Low Water Mark after which the Gateway DELAYS requests
hardLimit: A High Water Mark after which the Gateway BLOCKS requests
span: Limits are enforced on a 30s time window
domain: This policy is enforced only on requests with api_key=key-1
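An added example, not part of the original slides or the apigateway project: a Python model of how the policy above would classify a burst of requests. It assumes a fixed 30-second window counted per api_key, that a limit triggers once the count exceeds it, and that maxDelayPeriod is the upper bound on the added delay; ThrottleModel, replay and BURST are hypothetical names.

```python
import json

# Policy body from the slide (the curl --data payload).
POLICY = json.loads("""[{
  "id": "2", "softLimit": 3, "maxDelayPeriod": 4, "hardLimit": 5,
  "timeUnit": "SECONDS", "span": 30, "lastModified": 1438019079000,
  "domain": {"$api_key": "key-1"}
}]""")[0]


class ThrottleModel:
    """Fixed-window counter per domain match (assumed model, not the gateway's code)."""

    def __init__(self, policy):
        self.policy = policy
        self.windows = {}  # (domain values, window index) -> request count

    def matches(self, request_vars):
        # The policy applies only when every variable in "domain" matches.
        return all(request_vars.get(k) == v
                   for k, v in self.policy["domain"].items())

    def decide(self, request_vars, now):
        """Return (action, max_delay_seconds) for a request arriving at `now`."""
        if not self.matches(request_vars):
            return ("ALLOW", 0)
        p = self.policy
        # Assumption: "span" is expressed in "timeUnit" (seconds here).
        slot = (tuple(request_vars[k] for k in p["domain"]), int(now // p["span"]))
        self.windows[slot] = count = self.windows.get(slot, 0) + 1
        if count > p["hardLimit"]:      # above the high water mark
            return ("BLOCK", 0)
        if count > p["softLimit"]:      # between low and high water marks
            # Assumption: maxDelayPeriod caps the delay the gateway may add.
            return ("DELAY", p["maxDelayPeriod"])
        return ("ALLOW", 0)


def replay(events):
    """Run constructed (time, api_key) events through a fresh model."""
    model = ThrottleModel(POLICY)
    return [model.decide({"$api_key": key}, t)[0] for t, key in events]


# Constructed traffic: 7 requests from key-1 inside one window, one request in
# the next window, and one request from a key the policy's domain does not cover.
BURST = [(t, "key-1") for t in range(7)] + [(31, "key-1"), (2, "key-2")]

if __name__ == "__main__":
    for event, action in zip(BURST, replay(BURST)):
        print(event, action)
```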
45. Key Takeaways
1. Think holistically about microservices
2. "Less is more." "Does my microservice really need to care about ..."
• Identity Provider, Access Control, Throttling
3. Think about integrating a microservice API Gateway into your Mesos clusters
• Consider using a proven solution used by Adobe I/O
https://github.com/adobe-apiplatform/apigateway