TIPS AND TRICKS FOR YOUR
SERVICE ORIENTED
ARCHITECTURE
CakeFest, San Francisco, Sep 2013

WARNING

NO
CAKEPHP
AHEAD

This talk is for those...

Stuck with the legacy

dealing with CRONs

in the need of a solid foundation

rely on web services

need a pluggable software architecture

SOA

Agenda
1. Service Oriented WHAT?!?!
2. Tips, Tricks and lessons learned (the hard way)
3. Conclusion

1

SO(A) WHAT?

A software design based on discrete software
components, "services", that collectively
provide the functionalities of the larger
software application

You typically start with the
infamous web application
which does everything on its own

Then you realize that to provide
a chat system to your users
PHP might not be the best...

And soon you also decide,
to improve performances,
that your frontend should have its own
in-memory persistence, to be faster
and you put it into another service

Then, as always...

SCALE.

And eventually, your lead architect
will come up and tell you
that your Java-based chat
sucks and should be
replaced with...

NODEJS

In human-understandable words, SOA is a software design which
embraces splitting a monolithic, totalitarian software
architecture into smaller pieces, thus making them independent,
loosely coupled and more maintainable

Ok, but in the real world?

A few points...

DATA

each service might have its own data-layer, but nothing
prevents you from sharing data across the services

reads: abstract the data

WEBSERVICES

Services can request data to other services,
usually through WSs

POX

SOAP

HTTP

REST

Note to self:
check the difference
between HTTP and
REST APIs

Note to self:
check the difference
between HTTP and
REST APIs
(HATEOAS)

Note to self:
check the difference
between HTTP and
REST APIs
(HATEOAS)

EVENTS

services notify the architecture that an event has happened

asynchronous messaging queues

2

TIPS AND
TRICKS

LEARNT THE
HARD WAY

2.1 AVOID SOA

DIFFICULT TO TEST

COMPLEX

SOA would be
overkill for most
of the common
scenarios

But if you're handling
a product or a
monolithic software
stack, the added
complexity pays off
on the long run

2.2 FREE
THE DATA

CONSIDER ELIMINATING FK CONSTRAINTS

A service might need to handle data with
another DBMS, so FKs are virtually impossible

ABSTRACT THE DATA

You might think in "rows" but the architecture
thinks in "resources"

No more FKs and
the ability of
JOINing to retrieve
some related data

But you choose
what perfectly fits
each service:
your transactions
over a RDBMS and
your community
over a graph DB

2.3 Standardize

Build a vast suite of E2E tests

and give your developer a way to easily test

EVERY DEVELOPER NEEDS
THE ENTIRE ARCHITECTURE ON LOCAL

The architecture needs
to be installed in
~1 hour

Setting up VMs
is an hassle and
they are so slow!

go #vagrant

2.4 IDENTIFY
WISELY

AUTHENTICATION IS KING

Centralized authentication = identity service

NEVER HANDLE CREDENTIALS IN CLEAR

NEVER.
man in the middle

NEVER.
man in the middle
SSL

NEVER.
man in the middle
SSL
tokenize

OAuth

OpenID

JWS

JSON WEB SIGNATURE

JSON WEB TOKEN

JSON WEB SIGNATURE

JAVASCRIPT OBJECT
SIGNING & ENCRYPTION

JOSE
http://www.thread-safe.com/2012/03/json-object-signing-and-encryption-jose.html

1. The user enters the
credentials once in your
frontend
JS APP
AUTH
SERVICE
2. The JS app will forward them
to your Auth webservice
3. The Auth webservice will
then generate the encrypted
JWS and set a cookie with
its value
JS APP
4. The JS app can now just
execute calls using
that cookie

1. The user enters the credentials
once in your frontend
JS APP

AUTH
SERVICE
2. The JS app will forward them
to your Auth webservice
JS APP

AUTH
SERVICE
3. The Auth webservice will then generate the
encrypted JWS and set a cookie with its value

JS APP
AUTH
SERVICE
4. The JS app can now just execute
calls using that cookie

1. The user enters the
credentials once in your
frontend
JS APP
AUTH
SERVICE
2. The JS app will forward them
to your Auth webservice
3. The Auth webservice will
then generate the encrypted
JWS and set a cookie with
its value
JS APP
4. The JS app can now just
execute calls using
that cookie

setcookie($name, $jws,$ttl, $path, $domain, true);

setcookie($name, $jws,$ttl, $path, $domain, true);
HTTPS

JWS in PHP?

namshi/jose

use NamshiJOSEJWS;
$jws = new JWS('RS256');
$jws->setPayload(array(
'uid' => $user->getid(),
));
$privateKey = openssl_get_privatekey("file://path/to/private.
key");
$jws->sign($privateKey);
setcookie('identity', $jws->getTokenString());
use NamshiJOSEJWS;
$jws = JWS::load($_COOKIE['identity']);
$public_key = openssl_pkey_get_public("/path/to/public.key");
if ($jws->verify($public_key)) {
echo "EUREKA!;
}

use NamshiJOSEJWS;
$jws = new JWS('RS256');
$jws->setPayload(array(
'uid' => $user->getid(),
));
$privateKey = openssl_get_privatekey("file://path/to/private.
key");
$jws->sign($privateKey);
setcookie('identity', $jws->getTokenString());
use NamshiJOSEJWS;
$jws = JWS::load($_COOKIE['identity']);
$public_key = openssl_pkey_get_public("/path/to/public.key");
if ($jws->verify($public_key)) {
echo "EUREKA!;
}

use NamshiJOSEJWS;
$jws = new JWS('RS256');
$jws->setPayload(array(
'uid' => $user->getid(),
));
$privateKey = openssl_get_privatekey("file://path/to/private.
key");
$jws->sign($privateKey);
setcookie('identity', $jws->getTokenString());
use NamshiJOSEJWS;
$jws = JWS::load($_COOKIE['identity']);
$public_key = openssl_pkey_get_public("/path/to/public.key");
if ($jws->verify($public_key)) {
echo "EUREKA!;
}

use NamshiJOSEJWS;
$jws = new JWS('RS256');
$jws->setPayload(array(
'uid' => $user->getid(),
));
$privateKey = openssl_get_privatekey("file://path/to/private.
key");
$jws->sign($privateKey);
setcookie('identity', $jws->getTokenString(), ...);
use NamshiJOSEJWS;
$jws = JWS::load($_COOKIE['identity']);
$public_key = openssl_pkey_get_public("/path/to/public.key");
if ($jws->verify($public_key)) {
echo "EUREKA!;
}

use NamshiJOSEJWS;
$jws = new JWS('RS256');
$jws->setPayload(array(
'uid' => $user->getid(),
));
$privateKey = openssl_get_privatekey("file://path/to/private.
key");
$jws->sign($privateKey);
setcookie('identity', $jws->getTokenString());
use NamshiJOSEJWS;
$jws = JWS::load($_COOKIE['identity']);
$public_key = openssl_pkey_get_public("/path/to/public.key");
if ($jws->verify($public_key)) {
echo "EUREKA!;
}

use NamshiJOSEJWS;
$jws = new JWS('RS256');
$jws->setPayload(array(
'uid' => $user->getid(),
));
$privateKey = openssl_get_privatekey("file://path/to/private.
key");
$jws->sign($privateKey);
setcookie('identity', $jws->getTokenString());
use NamshiJOSEJWS;
$jws = JWS::load($_COOKIE['identity']);
$public_key = openssl_pkey_get_public("/path/to/public.key");
if ($jws->verify($public_key)) {
echo "EUREKA!;
}

I can't simply
use the HTTP
basic authentication,
it was so
convenient!

...and flawed.
Modern apps,
modern tech.

All my
authenticated
traffic needs to go
through HTTPS:
it will be so
SLOW!

Only if you
don't know
about...

WebP

WebP
lossless compression

WebP
lossless compression
30% smaller than PNG

And if you don't
know about...

SPDY

HTTP on steroids

(come to my next talk)

(that one won't suck)

2.5 EMBRACE
MESSAGING

Don't wait, notify instead

Different services can intercept an even, separately

If one is down, the others keep working

Who cares about milliseconds for notifications?

The human body is the bottleneck

Email?

SMS?

Be reliable

“Daemons are great”

“Daemons are great”
- No PHP developer ever

SUPERVISOR
http://supervisord.org/

SUPERVISE
http://cr.yp.to/daemontools/supervise.html

use python ;-)

It doesn’t matter...

if you talk ‫اﻟﻌﺮﺑﯿﺔ‬ ‫اﻟﺤﺮوف‬

Rabbit makes everyone talk the same language

chat
Batch processing
frontend
sync daemons
transcoding
agony
ERP
telcom

But I PHP

Monogamy
is so ‘90
“given a hammer,
everything
becomes a nail”

One size doesn’t fit all

2.5 ALWAYS
SUNDAY?

Monitor in real time

and do retrospectives

Talking about retrospectives?

Logs are first-class citizens

Sharpen as
much as possible

Assume things
will break

All in all...

SOA is complex

A puzzle with more pieces

More things to keep in mind

COMPLEX
IS NOT
COMPLICATED

Loose coupling

every service is independent, not forced to the
constraints of a monolithic block

you have the freedom of changing or replacing services
without the hassle of touching an entire system

State-of-the-art defense against outages

Fault tolerance

if one of the services has an outage, the rest
of the architecture still works

if a service, listening for messages, is down,
the publisher doesn't get stuck

Cleaner architecture

SoC happens at architectural, not application, level and you can perform large-scale
refactorings without the fear of destroying the entire system

Perfect ground for advanced tooling

...yawn...

Alessandro Nadalin

Alessandro Nadalin
@_odino_

Alessandro Nadalin
@_odino_
Namshi | Rocket Internet

Alessandro Nadalin
@_odino_
Namshi | Rocket Internet
VP Technology

Alessandro Nadalin
@_odino_
Namshi | Rocket Internet
VP Technology
odino.org

Thanks!
Alessandro Nadalin
@_odino_
Namshi | Rocket Internet
VP Technology
odino.org

Image credits
http://www.flickr.com/photos/randystiefer/6998037429/sizes/h/in/photostream/
http://www.flickr.com/photos/55432818@N02/5500963965/
http://www.flickr.com/photos/pamhule/4503305775/
http://www.flickr.com/photos/wili/1427890704/
http://www.flickr.com/photos/nickpiggott/5212959770/sizes/l/in/photostream/
http://www.flickr.com/photos/nomad9491/2549965427/sizes/l/in/photostream/
http://www.flickr.com/photos/amyvdh/95764607/sizes/l/in/photostream/
http://www.flickr.com/photos/matthoult/4524176654/
http://www.flickr.com/photos/kittyeden/2416355396/sizes/l/in/photostream/
http://www.flickr.com/photos/jpverkamp/3078094381/
http://www.flickr.com/photos/madpoet_one/5554416836/
http://www.flickr.com/photos/87792096@N00/2732978107/
http://www.flickr.com/photos/petriv/4787037035/
http://www.flickr.com/photos/51035796522@N01/111091247/sizes/l/in/photostream/
http://www.flickr.com/photos/m-i-k-e/6366787693/sizes/l/in/photostream/
http://www.flickr.com/photos/39065466@N04/9111005211/
http://www.flickr.com/photos/marchorowitz/5449945176/sizes/l/in/photolist-9iAoQ1-8s4ueH-bCWef9-bCWdPh-e48XUm-
bu67nh-a7xaEr-8wLiNh-9aYU1k-9F4VUN-dYqzr1-9vosHb-8BtFuw-8P3h2e-9tqc6M-82qpt4-7UgkBJ-dgSnfS-aJiubZ-9Xji2U-9UVpkC-
7BSh7Y-8GE54k-91GHtB-8VMHJ2-8wiwvo-aCmPCg-925Tg8-bcBv9T-dGUseY/
http://www.flickr.com/photos/blegg/745322703/sizes/l/in/photostream/
http://www.flickr.com/photos/centralasian/4649550142/sizes/l/in/photostream/
http://www.flickr.com/photos/pennstatelive/4947279459/sizes/l/in/photostream/
http://www.flickr.com/photos/tjblackwell/7819341478/
http://www.flickr.com/photos/brainbitch/6066375386/
http://www.flickr.com/photos/nnova/4215594009/
http://www.flickr.com/photos/publicenergy/2246574379/
http://www.flickr.com/photos/andrewteman/4592833017/sizes/o/in/photostream/
http://www.flickr.com/photos/beautifulrevelry/8548004964/sizes/o/in/photostream/
http://www.flickr.com/photos/denaldo/5066810104/sizes/l/in/photostream/
http://www.flickr.com/photos/picturewendy/8365723674/sizes/l/in/photostream/
http://www.flickr.com/photos/danielygo/6644679037/sizes/l/in/photostream/
http://www.flickr.com/photos/ross/7614352/sizes/l/in/photostream/
http://www.flickr.com/photos/75932013@N02/6874087329/sizes/l/in/photostream/
http://crucifixjel.deviantart.com/art/300-Wallpaper-03-66516887