
Escape the defaults - Configure Sling like AEM as a Cloud Service




AEM as a Cloud Service is using the same battle-tested core of Sling, Felix and Jackrabbit Oak that you are used to. Many of the large-scale architectural changes, such as container-based deployments, separation of code and content, horizontal and vertical scaling, etc., are made possible by a host of reimplementations of APIs exposed by the open-source projects that serve as the foundation of AEM.

In this talk we will explore a number of such extensions and their implications, such as Oak's principal-based authorization, getting up and running with the composite node store, or indexing in a separation of content and apps scenario.

After this talk participants will have a better understanding of various under-the-hood changes present in AEM as a Cloud Service and their practical implications for AEM development. They will also be able to set up their own tweaked Sling instance so they can experiment with such a setup.





  1. 1. EUROPE'S LEADING AEM DEVELOPER CONFERENCE 28th - 30th SEPTEMBER 2020 Escape the defaults Configuring Sling to behave like AEM as a Cloud Service Robert Munteanu, Adobe Slides revision: 20200827-b88ebd4 1
  2. 2. About me 2
  3. 3. Outline Why change the defaults? Separation of content and apps Principal-based authentication Pre-authenticating system users Removing the OSGi installer Demo 3
  4. 4. Why change the defaults? 4
  5. 5. One size does not fit all Sling does not prescribe how to deploy configurations Sling does not prescribe how to deploy code Sling does not enforce separation of content and code Sling does not choose a persistence mechanism for you 5
  6. 6. CRX DE Lite is a development tool Ask it... What ACEs are defined for this node? What is the content structure of the repository? But not... What revision of the code am I running? Do I have the same code version on all instances? How can I deploy a quick fix in production? 6
  7. 7. Better ways of asking ... $ kubectl describe deployment sling-starter Containers: main: Image: apache/sling-starter:1.0-cafebafe $ kubectl apply -f deployments/sling-starter.yaml $ rpm -q sling-starter sling-starter-1.0_cafebabe-1.noarch $ rpm -Uvh sling-start-1.1_sodadude-1.noarch $ curl http://sling-starter.example.org/version 1.0-cafebabe 7
  8. 8. Prevent mistakes 8
  9. 9. Separation of content and apps 9
  10. 10. The composite node store Clear separation of code from content Enforces read-only status of code and (mostly) configuration Allows swapping in a separate node store (with restart) 10
  11. 11. Generating /libs and /apps Must be a NodeStore Must reflect the state of the deployment: Nodes Principals Indexes Access Control entries Coming from: Repoinit Content Packages Sling Content Loader Java code - Bundle Activator, Install Hooks, ... 11
  12. 12. Generating /libs and /apps Start Sling Wait for it to be (System) Ready Stop Sling Save the repository 12
  13. 13. Principal-based authentication 13
  14. 14. Resource-based authentication 14
  15. 15. Principal-based authentication 15
  16. 16. Benefits Easy to inspect access control entries for a given principal Access control entries independent of the existence of their target Much simpler packaging story in content packages 16
  17. 17. Usage FileVault rep:PrincipalBasedMixin rep:PrincipalPolicy rep:PrincipalEntry Repoinit create service user sling-readall with path system/sling set principal ACL for sling-readall allow jcr:read on / end 17
  18. 18. Pre-authenticating system users 18
  19. 19. Reminder: loginAdministrative 19
  20. 20. Reminder: service user mappings // uses bundle name, no subservice, default workspace slingRepository.loginService(null, null); // uses bundle name, 'scripts' subservice, default workspace slingRepository.loginService("scripts", null); "o.a.s.....ServiceUserMapperImpl.amended~i18n":{ "user.mapping":[ "org.apache.sling.i18n=sling-i18n" ] }, "o.a.s.....ServiceUserMapperImpl.amended~servletsresolver":{ "user.mapping":[ "o.a.s.servlets.resolver:console=sling-readall", "o.a.s.servlets.resolver:scripts=sling-scripting" ] } 20
  21. 21. Duplicated system user privileges set ACL for sling-mapping allow jcr:read on / end set ACL for sling-i18n allow jcr:read on / end set ACL for sling-jcr-install allow jcr:read on / allow rep:write on /apps/sling/install end 21
  22. 22. Pre-authenticated login Supply all principals at login time Faster by skipping authentication Allows mapping a service to multiple users 22
  23. 23. Pre-authenticated system users create service user sling-readall set ACL for sling-readall allow jcr:read on / end create service user sling-jcr-install set ACL for sling-jcr-install allow rep:write on /apps/sling/install end "o.a.s.....ServiceUserMapperImpl.amended~i18n":{ "user.mapping":[ "org.apache.sling.i18n=[sling-readall]" ] }, "o.a.s.....ServiceUserMapperImpl.amended~jcr-install":{ "user.mapping":[ "o.a.s.installer.provider.jcr=[sling-jcr-install,sling-readall]" ] } 23
  24. 24. Removing the OSGi installer 24
  25. 25. The OSGi installer... installs bundles configurations content packages from filesystem launchpad JCR repository 25
  26. 26. The OSGi installer... is a dynamic component reconciles application state from multiple sources is not needed in a statically defined/immutable application ... we are building immutable applications 26
  27. 27. FM: Installing bundles { "bundles":[ { "id":"org.apache.aries:org.apache.aries.util:1.1.3", "start-order":"1" } ] } 27
  28. 28. FM: Installing configurations { "configurations": { "o.a.s.jcr.davex.impl.servlets.SlingDavExServlet":{ "alias":"/server" } } } 28
  29. 29. FM: Installing content packages content packages are by default forwarded to the OSGi installer { "content-packages:ARTIFACTS|true": [ "o.a.s:sling-slingshot-apps-pkg:zip:1.0-SNAPSHOT", "o.a.s:sling-slingshot-content-pkg:zip:1.0-SNAPSHOT" ] } <workspaceFilter version="1.0"> <filter root="/libs/slingshot/config"/> <filter root="/apps/bundles/install/bundle.jar"/> </workspaceFilter> 29
  30. 30. Content Package to Feature Model Handles nested artifacts inside content packages OSGi bundles OSGi configurations Other content packages Converts access control configurations System Users Access control entries (resource-based) No support for principal-based access control entries 30
  31. 31. Conversion result { "id":"o.a.s:sling-slingshot-apps-pkg:slingosgifeature:1.0", "bundles":[ "o.a.s:o.a.s.sample.slingshot:0.9.1" ], "configurations": { "o.a.s....ServiceUserMapperImpl.amended~slingshot": { "o.a.s.sample.slingshot=[slingshot-service]" } }, "content-packages:ARTIFACTS|true":[ "o.a.s:sling-slingshot-apps-pkg:zip:cp2fm-converted:1.0" ], "repoinit:TEXT|true":[ "create service user slingshot-service" ] } 31
  32. 32. Alternative Package Registry o.a.j.vault....FSPackageRegistry Stores packages in the filesystem Can be assembled without a JCR repository Relies on an existing execution plan Plan prepared by the Sling Content Deployment Extension 32
  33. 33. Demo 33
  34. 34. Demo recap Sling Docker image using the feature model the composite node store Docker updates done with a simple restart preserving the 'content' part of the repository Removing the OSGi installer using the content-package converter 34
  35. 35. Resources (Sling) Content Package to Feature Model Converter (Sling) Content Deployment Extension (Oak) Composite Node Store (Oak) Principal-Based Authentication (Oak) Pre-Authenticated Login 35
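
An added example, not taken from the slides or from the Sling project: a small least-privilege audit for the pre-authenticated setup on slides 21 to 23, which resolves each `user.mapping` entry to the union of grants of its principals and flags mappings that still use the single-user form. The function names and the `org.example.legacy` mapping are hypothetical, and the parser covers only the repoinit subset shown on the slides (one principal per `set ACL` / `set principal ACL` block, one path per `allow`/`deny` line).

```python
import re

REPOINIT = """# constructed sample, modelled on the repoinit slides
create service user sling-readall
set ACL for sling-readall
    allow jcr:read on /
end
create service user sling-jcr-install
set ACL for sling-jcr-install
    allow rep:write on /apps/sling/install
end
"""
MAPPINGS = [  # constructed sample; entries follow the slides' user.mapping format
    "org.apache.sling.i18n=[sling-readall]",
    "org.apache.sling.installer.provider.jcr=[sling-jcr-install,sling-readall]",
    "org.example.legacy:scripts=sling-scripting",  # hypothetical single-user form
]

def parse_repoinit(text):
    """Return (service users, {principal: {(action, privileges, path)}})."""
    users, grants, current = set(), {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"create service user (\S+)", line):
            users.add(m.group(1))
        elif m := re.match(r"set (?:principal )?ACL for (\S+)", line):
            current = m.group(1)
        elif line == "end":
            current = None
        elif current and (m := re.match(r"(allow|deny) (\S+) on (\S+)", line)):
            grants.setdefault(current, set()).add(m.groups())
    return users, grants

def parse_mapping(entry):
    """Split 'service[:subservice]=target' into (service, principals, preauth)."""
    service, target = entry.split("=", 1)
    preauth = target.startswith("[") and target.endswith("]")
    return service, [n.strip() for n in target.strip("[]").split(",")], preauth

def audit(repoinit, mappings):
    """Effective grants per service plus findings for a reviewer."""
    users, grants = parse_repoinit(repoinit)
    effective, findings = {}, []
    for entry in mappings:
        service, principals, preauth = parse_mapping(entry)
        if not preauth:
            findings.append(f"{service}: single-user mapping, not pre-authenticated")
        findings += [f"{service}: unknown principal {p}" for p in principals if p not in users]
        effective[service] = set().union(*(grants.get(p, set()) for p in principals))
    return effective, findings
```

Calling `audit(REPOINIT, MAPPINGS)` returns the effective grants per service and the list of findings, so the output can be diffed between deployments to spot a service that gained a principal.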
