Problems you'll face in the microservice world: configuration, authentication and other joys - Devoxx France 2017
Posted on 13-Apr-2017
The problems you run into with microservices: configuration, authentication and other joys
Quentin ADAM - @waxzce
Who am I?
Quentin ADAM from Clever Cloud, @waxzce on Twitter, GitHub, SoundCloud and Instagram.
My day-to-day work: Clever Cloud, the IT automation company
Keep your apps online, whether they are made with Node.js, Scala, Java, Ruby, PHP, Python or Go
Cloud & on premise
And learn a lot about your code, your apps, and good/bad design
Give back to the community
NEVER GONNA LET YOU DOWN - clever-cloud.com
The beginning: how did Clever Cloud start? How was the roadmap defined?
Remote Code Execution as a Service
Dog container
We are happy
Multiple stacks
Scaling
Evolution
Team management
Architecture as a playground: Lego FTW
Microservice communication
NO TRUSTED NETWORK
https://www.clever-cloud.com/blog/guests/2015/06/16/the-end-of-the-fortress-metaphor/
Server -> Server:
- Authenticated
- Encrypted
- Auditable/logged
Loosely coupled
Routing is a problem
Message box
Duplicate messages
Analytic and audit
HTTP for all?
Message brokers: RabbitMQ (FR: https://www.youtube.com/watch?v=VBUQXM96hpw, EN: https://www.youtube.com/watch?v=15mzY2MfDgM), Kafka, Redis? 0MQ?
Warp10 / time series DB
The right size? What are the boundaries of a microservice?
Noisy Microworker army
Beware of (massive) RPC (Remote Procedure Call)
Network is two problems: Fragile and Slow
Microservices are not workload distribution (Akka, project avalon, Erlang OTP, Hadoop)
One service has to actually provide a service by itself
Fat monoliths
Are microservices creating too many libs?
Why are these two functions in the same service? Or can I split it?
Do we have a common data store?
Do these features need the same scaling agenda?
Example: Clever Cloud
Configuration on multiple spots
Configuration != Code
ZooKeeper, etcd, Consul: so many possibilities
Simpler way: never change configuration at runtime
Immutable infrastructure (FR) https://www.youtube.com/watch?v=WrZCbgQsPVU
Agnostic solution: environment variables
Clever Cloud service dependencies
https://www.clever-cloud.com/blog/features/2016/06/23/introducing-service-dependencies/
No over-engineering on configuration: when you need to configure the configuration injector, you have gone too far
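What "configuration from environment variables, read once, never changed at runtime" looks like in practice, as an added example (not Clever Cloud's code): the variable names, the frozen config object and the sample environment are assumptions. The process fails fast at start-up on a missing or malformed value instead of discovering it mid-request, and the only thing it ever logs is a redacted view so that credentials embedded in connection URLs (the usual shape of injected service dependencies) do not end up in log files.

```python
"""Configuration read once from environment variables, validated, then frozen.
Added example; not Clever Cloud code. Variable names are assumptions."""
import os
from dataclasses import dataclass
from urllib.parse import urlparse

REQUIRED = ("PORT", "DATABASE_URL", "BROKER_URL")   # assumed names, like injected dependencies
LOG_LEVELS = {"DEBUG", "INFO", "WARNING", "ERROR"}


class ConfigError(Exception):
    """Raised at start-up; the process should exit rather than run half-configured."""


@dataclass(frozen=True)          # frozen: nothing mutates configuration at runtime
class Config:
    port: int
    database_url: str
    broker_url: str
    log_level: str = "INFO"

    def redacted(self) -> dict:
        """View that is safe to log: the password part of any URL is masked."""
        def mask(url: str) -> str:
            u = urlparse(url)
            if not u.password:
                return url
            netloc = f"{u.username}:***@{u.hostname}" + (f":{u.port}" if u.port else "")
            return u._replace(netloc=netloc).geturl()
        return {"port": self.port, "database_url": mask(self.database_url),
                "broker_url": mask(self.broker_url), "log_level": self.log_level}


def load_config(env=os.environ) -> Config:
    """Validate everything up front; every problem is reported with the variable name."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ConfigError(f"missing environment variables: {', '.join(missing)}")
    try:
        port = int(env["PORT"])
    except ValueError:
        raise ConfigError(f"PORT must be an integer, got {env['PORT']!r}") from None
    if not 0 < port < 65536:
        raise ConfigError(f"PORT out of range: {port}")
    for key in ("DATABASE_URL", "BROKER_URL"):
        if not urlparse(env[key]).scheme:
            raise ConfigError(f"{key} is not a URL: {env[key]!r}")
    level = env.get("LOG_LEVEL", "INFO").upper()
    if level not in LOG_LEVELS:
        raise ConfigError(f"LOG_LEVEL unknown: {level}")
    return Config(port=port, database_url=env["DATABASE_URL"],
                  broker_url=env["BROKER_URL"], log_level=level)


# Constructed environment, shaped like what a platform injects from declared dependencies.
SAMPLE_ENV = {
    "PORT": "8080",
    "DATABASE_URL": "postgresql://app:s3cret@db.internal:5432/orders",
    "BROKER_URL": "amqp://svc:hunter2@mq.internal:5672/",
    "LOG_LEVEL": "debug",
}

if __name__ == "__main__":
    cfg = load_config(SAMPLE_ENV)
    print(cfg.redacted())
```

Because the object is frozen and built once, "reload the config" is not an operation the service offers; changing a value means deploying a new instance with a new environment, which is the immutable-infrastructure stance the slides take.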
Who the hell are you? Distributed authentication
Distributed identity and ACL
Common solutions (or not)
Shared data repository
The first idea of many developers is to share access to the database holding the session data (memcached or Redis) and read access to the ACL database (SQL or something). Issues with this:
- a change to the data model requires editing all the services
- it imposes heavy connection and pooling load on the databases, which is an ops problem
- it creates a SPOF
- it imposes lots of code rewriting in each microservice
Authentication using a proxy
[Diagram: Request -> Reverse proxy (database call + business code + authentication) -> Service A / Service B / Service C, forwarded as an authenticated request carrying user identity data]
Good part:
- centralisation of authentication and of the code related to it
Issues:
- very complicated to mock on a developer laptop: you need to launch the proxy on the dev computer
- the security vision is optimistic
- the user info added by the proxy isn't requested by the service, so it is a standard or convention between proxy and service
- the proxy is a SPOF
- several missions are mixed on the proxy: routing, load balancing, authentication, session hydration
Performance
Central API call to authenticate request
[Diagram: Request (via reverse proxy) -> Service A / Service B / Service C; each service sends the serialized request + identity needs to the Authentication API and gets back go/no-go + identity data]
Central authentication API called by services
In this architecture, the service takes the request directly and calls an API to authenticate it, serializing verb, resource and headers and asking for the extra info it will need (user info); the authentication API responds with the authentication verdict and the user info the service requested.
Good parts:
- easy to mock and to work with on the developer side, nothing extra to start on the developer's computer
- centralisation of the authentication
- security is better handled and there is less possibility to breach the system by spoofing requests
- services request the additional info they need, which is simpler to do
Issues:
- the authentication API is a SPOF
We need more tools
JWT
Signature
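A JWT with an HMAC signature lets a service check "who is this?" locally, without a round trip to the central API on every request. As an added example (not the talk's code) here is HS256 minting and verification built on the standard library only; the key, the claims and the fixed clock values are constructed. Two checks matter more than the rest: the verifier pins the algorithm instead of reading it from the token (so `alg: none` and key-confusion tokens are rejected before anything else is looked at), and the claims are only parsed after the signature has been verified with a constant-time comparison.

```python
"""Minimal JWT (HS256) signing and verification with the standard library.
Added example, not from the talk. Key, claims and clock values are constructed."""
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key-do-not-use"   # assumption: in production this comes from config


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class InvalidToken(Exception):
    pass


def sign_jwt(claims: dict, key: bytes) -> str:
    """header.payload.signature, with signature = HMAC-SHA256(key, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(unb64url(h64))
        # Pin the algorithm: the token does not get to choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise InvalidToken("unexpected alg")
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(s64)):
            raise InvalidToken("bad signature")
        claims = json.loads(unb64url(p64))       # parsed only after the signature is good
    except ValueError:                            # covers malformed base64 and JSON
        raise InvalidToken("malformed") from None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        raise InvalidToken("missing exp")
    now = time.time() if now is None else now
    if now >= exp:
        raise InvalidToken("expired")
    return claims


if __name__ == "__main__":
    tok = sign_jwt({"sub": "alice", "exp": int(time.time()) + 300}, KEY)
    print(tok)
    print(verify_jwt(tok, KEY))
```

The trade-off against the central API is revocation: a signed token is valid until `exp` no matter what the auth service thinks in between, so keep lifetimes short or keep a server-side denylist.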
Macaroons
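Macaroons differ from JWTs in that whoever holds one can attenuate it (add restrictions) without holding the signing key, but can never remove a restriction, because each caveat re-keys the HMAC chain. As an added example (not the talk's code) the following is a deliberately simplified macaroon with first-party caveats only, no serialization and no third-party discharges; the root key, caveat syntax and checker are constructed. It shows the auth service minting a macaroon for a user, a downstream service narrowing it to read-only with a deadline, and the verifier rejecting a macaroon whose last caveat was stripped.

```python
"""Minimal macaroons: HMAC chain over caveats, attenuation without the root key, verification.
Added example; simplified format (first-party caveats only), not the talk's code."""
import hashlib
import hmac

ROOT_KEY = b"constructed-root-key"   # assumption: held only by the authentication service


def chain(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


class Macaroon:
    def __init__(self, location: str, identifier: str, caveats: list, signature: bytes):
        self.location, self.identifier = location, identifier
        self.caveats, self.signature = list(caveats), signature

    @classmethod
    def mint(cls, root_key: bytes, location: str, identifier: str) -> "Macaroon":
        """Only the holder of root_key can mint; identifier names the key, it is not the secret."""
        return cls(location, identifier, [], chain(root_key, identifier))

    def add_caveat(self, predicate: str) -> "Macaroon":
        """Anyone holding the macaroon can restrict it further without root_key: the new
        signature is HMAC(old signature, caveat), so caveats can be added but never removed."""
        return Macaroon(self.location, self.identifier, self.caveats + [predicate],
                        chain(self.signature, predicate))


def verify(m: Macaroon, root_key: bytes, check) -> bool:
    """Recompute the chain from root_key; every caveat must hold and the final MAC must match."""
    sig = chain(root_key, m.identifier)
    all_ok = True
    for caveat in m.caveats:
        all_ok = check(caveat) and all_ok
        sig = chain(sig, caveat)
    return hmac.compare_digest(sig, m.signature) and all_ok


def make_checker(context: dict):
    """Evaluate caveats of the form '<key> = <value>' or '<key> < <number>' against context.
    Anything the verifier does not understand fails closed."""
    def check(caveat: str) -> bool:
        parts = caveat.split(" ", 2)
        if len(parts) != 3 or parts[0] not in context:
            return False
        key, op, value = parts
        if op == "=":
            return str(context[key]) == value
        if op == "<":
            try:
                return int(context[key]) < int(value)
            except ValueError:
                return False
        return False
    return check


if __name__ == "__main__":
    # Auth service mints for alice; a downstream service, without ROOT_KEY, narrows it.
    m = Macaroon.mint(ROOT_KEY, "https://api.example.test", "key-2017-04")
    m = m.add_caveat("user = alice").add_caveat("action = read").add_caveat("time < 1700000300")
    ctx = {"user": "alice", "action": "read", "time": 1700000000}
    print(verify(m, ROOT_KEY, make_checker(ctx)))                       # True
    print(verify(m, ROOT_KEY, make_checker(dict(ctx, action="delete"))))  # False
```

The verifier still needs the root key, so verification is centralised in the service that minted the macaroon (or in services it shares the key with); what is decentralised is the ability to hand out narrower capabilities to other services.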
Keep hackable and pluggable playground to enforce innovations
Maintenance
Clean legacy code on a regular basis. Why and how bookkeepers f***d up IT: FR https://www.youtube.com/watch?v=0ip1FoBsLB4 EN https://www.youtube.com/watch?v=OngWRJ8txps
Deployment agility
No dogma: a fully developer-happiness oriented architecture
Thank you
find me on twitter @waxzce
Gift coupon for clever-cloud.com:
microdevoxx