tresor: the modular cloud - building a domain specific cloud platform with osgi - alexander grzesik
DESCRIPTION
OSGi Community Event 2013 (http://www.osgi.org/CommunityEvent2013/Schedule) ABSTRACT The usage of cloud technologies for data exchange as well as the capability of services to run in the cloud brought this internet-based technology a gain of importance in the last years covering the private customer as well as the industry. This talk will give a practical introduction to an OSGi based architecture for cloud applications and gives an overview to the usage of OSGi Enterprise and Blueprint specifications. It will show some best practices, we established to develop with OSGi in an enterprise cloud environment. With sight on the healthcare sector, the cloud is challenged with special requirements on data security during storage and transfer. Thus leading to the need to address customer concerns respecting privacy in much more detail than in other areas. To advance the research on the usage of cloud technologies in the healthcare sector as well as to enrich discussions on this theme, the German Federal Ministry of Economics and Technology funds 14 research projects as part of the Trusted Cloud initiative [1]. The TRESOR - Trusted Ecosystem for Standardized and Open cloud-based Resources – project as one of these projects has the aim to provide an open platform for cloud applications for the health care sector [2]. In this project, we combine modern cloud technologies and the OSGi service framework to build a modular and scalable PaaS (Platform as a Service) to provide flexible domain specific services for healthcare. Topics covered: Introduction to the TRESOR project Why we decided to use OSGi OSGi based architecture, benefits and pitfalls OSGi Enterprise and Blueprint, What they provide and what is lacking Some Best Practices OSGi & Maven From jar-hell to bundle hell ? Fine grained control with Bundle Security OSGi Bundles & JPA Persistence Transaction management with Blueprint OSGi in the cloud References [1] Trusted Cloud Project, BMWi [2] TRESOR Homepage, BMWi SPEAKER BIO Current employment: Head of development of medisite Systemhaus GmbH responsible for the development of the Patient Data Management System (PDMS) m.life and Software architect for the TRESOR Project. 15 years of work experience in medical Software development, 10 of this as Team leader and Software architect. Expert for Software Architecture, OSGi, Java and Java EETRANSCRIPT
TRESOR – the modular cloud
Building a domain specific cloud
platform with OSGi
OSGi Community Event
Ludwigsburg
Eclipsecon 2013
About myself
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Alexander
GrzesikHead of Development
medisite Systemhaus
Working 15 years in
software
development
Java
Software Architecture
Medical Software
Cloud – the future ?
By David Fletcher
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
TRESOR Partners
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
TRESOR is funded within the Trusted Cloud project by the Federal Ministry of
Economy on basis of a resolution passed by the German Bundestag
Trusted Ecosystem for Standardized and Open cloud-based
Resources
TRESOR Cloud Ecosystem
TRESOR PaaS
TRESOR UserTRESOR
Ecosystem
TRESOR Service Provider IaaS-Provider
TRESOR Proxy(Client)
TRESOR Proxy(Client)
IDM(i.e. Active Directory)
ClientsTRESOR Proxy
(Client)
Authentication
Service use
Authorization
Marketplace
TRESOR Proxy(Trusted 3rd Party)
TRESOR Billing
TRESOR Broker
Service Profile Repository
Client Profile Repository
TRESOR Proxy(Service)
Search, Maintain, Match
Billing
SLA M
on
itorin
g
MMV
PAI
...
Service use
DynamicServices
Man
age
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
TRESOR Goals
CloudFlexible
SecureOpen
Extensible
OSGi based
Use of Standards
Development tools
Data Security
Encrypted Data
Secure Communication
Certified
Scalable
Reliable
High Availability
Powered by OpenShift
Fast Time-to-Market
No Vendor Lock-In
Flexible deployment
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
TRESOR PaaS at a glance
Strong
Encryption
Powered
by
OpenShift
Open
Platform
Polyglot
Persistence
Modular
Architecture
6dfg4854 fgf72548 151fd545
5454sff5 44485ddf 151538fd
179hg45g 658g54d1 15414gfg
584551gh 11fghf15 154215jh
2152fgh5 14925fg1 15325sgd
78dfd15d 7654fghd 897fg21d
98dfgh2d 874dfg6d 3544sdfg
Domain
specific
API
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Domain specific API
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Application
Glassfish Application Server
Plugin repository
Plugin Build Service
TRESOR ProxyServer
Management &Monitoring
Security
JPA/Eclipse LinkApache Felix OSGi Java EE 3rd Party Bundles
Applications & Services
Elastic Search
Integration Engine
Encryption Engine
Enterprise OSGi
Encryption
PersistenceSearch and Index
Terminology
Configuration
Reporting
Process Engine
Business Rules Object MappingUser
Management
OpenAM
Notification
Aries Blueprint
Patient Adminstration
Patient TimelineClinical
DocumentationOrder Entry
Document Management
Radiology Diagnostic
Theraphy Planning
Laboratory Diagnostic
UI Module ManagementVaadin Web Framework UI Components
Healthcare Applications and Services
Cooking in the Cloud with OSGi
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
The Challenges
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Architecture
ComponentManagement
Dependencies
Java Enterprise Integration
Configuration
Security
Provisioning
Bundle Structure
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Application
Bundle
Service Bundle
API Impl
Depends on
Straightforward
Tightly coupled API to Implementation
Replacing Implementation with high overhead
Service Impl
Bundle
Better: Bundle Separation
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Application
Bundle
Service API
Bundle
APIImpl
Depends on Depends on
Separate API from Implementation
Application only depends on API
Implementation may be changed transparently
Managing with Blueprint
• Keeps code clean of OSGi dependencies
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
• Spring-style dependency injection
• Handles Service Lifecycle
• Enterprise Extensions
<service id=“bmiService" ref=“bmiServiceBean"
interface="medisite.eclipsecon.bmi.BmiService“ />
<bean id=“bmiServiceBean"
class="medisite.eclipsecon.bmi.impl.BmiServiceImpl">
<property name=“calculatorBean" ref="bmiCalculatorBean"/>
</bean>
<reference id=“importedService"
interface=" medisite.eclipsecon.bmi.BmiService"
availability="mandatory”/>
Managing Dependencies
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Manage Dependencies• Maven allows managing dependencies
and versions
• Maven Bundle Plugin creates your
bundles
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
<plugin>
<groupId>org.apache.felix</groupId>
<artifactId>maven-bundle-plugin</artifactId>
<configuration>
<instructions>
<Export-Package>medisite.eclipsecon.bmi.*</Export-Package>
<Import-Package>
org.slf4j;provider=paxlogging,
*
</Import-Package>
</instructions></configuration></plugin>
Non OSGi dependencies• Problem:
A dependency is not an OSGi Bundle
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
• Option 2: Embed dependency
<goals>
<goal>wrap</goal>
</goals>
<configuration>
<wrapImportPackage>;</wrapImportPackage>
</configuration>
• Option 1: Wrap bundle
<Embed-Dependency>
*;scope=compile|runtime;type=!pom;inline=false
</Embed-Dependency>
<Embed-Transitive>false</Embed-Transitive>
<Import-Package>*;resolution:=optional</Import-Package>
Java Enterprise Integration
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Persistence
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
• JPA Persistence Units as OSGi Bundles
• Create Persistence.xml and include in bundle:
<Meta-Persistence>
META-INF/persistence.xml
</Meta-Persistence>
<Include-Resource>
META-INF/persistence.xml=src/main/resources/META-
INF/persistence.xml
</Include-Resource>
<JPA-PersistenceUnits>
persistence-test
</JPA-PersistenceUnits>
Service Impl
Bundle
Embeded Persitence Unit
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Application
Bundle
Service API
Bundle
APIImpl
Depends on Depends on
Persist
ence
Service Impl
Bundle
Persistence Service
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Application
Bundle
Service API
Bundle
Persistence
Bundle
APIImpl
DAO
Persistence Service via Blueprint
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
<bean id=“bmiDAO" class="medisite.eclipsecon.persistence.impl.BmiDAO"
init-method="init">
<jpa:context property="entityManager" unitname="persistence-test" />
<tx:transaction method="*" value="Requires" />
</bean>
• Managed by Blueprint container (Aries)
• Declarative Transaction Management
Web Application Bundle
• Deploy a war as OSGi bundle (wab)
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
BundleContext ctxt = (BundleContext)
servletContext.getAttribute(“osgi-bundlecontext”);
• JNDI IntegrationInitialContext ic = new InitialContext();
IBmiService calculator = (IBmiService)
ic.lookup("osgi:service/" + IBmiService.class.getName());
• Interact with OSGi Services from Servlet
<instructions>
<Web-ContextPath>/bmi</Web-ContextPath>
<_wab>src/main/resources</_wab>
</instructions>
Configuration
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Configuration Administration Service
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
<cm:property-placeholder id="property-placeholder" persistent-
id=“frameworkConfig" update-strategy="reload">
<cm:default-properties>
<cm:property name=“selfTest" value="false"/>
</cm:default-properties>
</cm:property-placeholder>
<bean id=“testerBean" class="medisite.eclipsecon.bmi.impl.BundleTest>
<property name="selfTest" value="${selfTest}"/>
</bean>
• Managed Properties
• Blueprint integration from Apache Aries
<bean id=“bmiService" class="medisite.eclipsecon.impl.BmiServiceImpl">
<cm:managed-properties persistent-id=“bmiServiceConfig"
update-strategy="container-managed"/>
</bean>
Security
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
ConditionalPermissionAdmin
• Control Permissions
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
ConditionalPermissionAdmin cpa = getConditionalPermissionAdmin(context);
ConditionalPermissionUpdate u = cpa.newConditionalPermissionUpdate();
List infos = u.getConditionalPermissionInfos();
infos.clear();
for (String encodedInfo : encodedInfos)
{
infos.add(cpa.newConditionalPermissionInfo(encodedInfo));
}
if (!u.commit())
throw new ConcurrentModificationException("Permissions changed during
update");
Policy File Reader
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
ACCEPT {
[org.osgi.service.condpermadmin.BundleSignerCondition
"CN=tresor,O=medisite Systemhaus GmbH,C=de"]
( java.security.AllPermission "*" "*")
}
DENY
{
(org.osgi.framework.PackagePermission “medisite.eclipsecon.*" "IMPORT")
}
ALLOW
{
(org.osgi.framework.PackagePermission “*" "IMPORT")
}
More thoughts on Security
• Make sure PolicyManager starts before
custom bundles
• Restrict access to
ConditionalPermissionAdmin
• Application Permissions with blueprint
interceptor (Aries)
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Provisioning
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Cloud Provisioning
Application Application Application Application
Cloud Application ManagerRepository
Service Impl
Bundle
Putting it all together
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Application
Bundle
Service API
Bundle
Persistence
Bundle
APIImpl
DAO
Blueprint
Security
Manager
Protect
Configuration
Admin
Configure
Lessons learned
• Steep learning curve
• Detailed information is often missing
• From jar hell to bundle hell
– Managing dependencies is challenging
– Not all libraries support OSGi
• Difficult to migrate non-OSGi application to
OSGi
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Benefits of OSGi for Architecture
• Separation of components
• Loose coupling
• Detect dependencies
• Encapsulation
• Versioning
• Integrating Java EE
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Think about your architecture
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Useful Resources
• The OSGi Standard
• OSGi Books
– OSGi in Action
– OSGi in Depth
– Enterprise OSGi in Action
• IBM Websphere Documentation
• Pax OSGi Projects
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Questions ?
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi