Uma introdução ao Azure AppFabric

ARC204

Pedro FélixCCISELpedrofelix@cc.isel.ipl.pt

4

Azure AppFabric

• Set of services• Service Bus (SB)• Access Control Service (ACS)

• Running in the cloud• Based on Windows Azure Platform

• Providing• SB : Service Connectivity, Addressability and Discoverability• ACS : Service Access Control

Service Bus

6

A Scenario

CloudTrack.

FabrikamContoso

Create/view issuesView/manage issues

• Issue Tracker web app.• Cloud-based• Multi-tenant

7

Connectivity challenges

CloudTrack.Notify new issue

Fetch trace data

FW, NAT, …FW, NAT, …

Create new issue

8

Challenges

• Addressability and discoverability• Private addresses and Network Address Translation (NAT)• Dynamic addresses (e.g. ISP)

• Connectivity• Firewalls (denial of inbound connections)• Event distribution• Transient connectivity

9

Service Bus

outbound inbound

address?

10

Service Bus“All problems in computer science can be solved by another level of indirection”

Butler Lampson

inboundService Busoutbound

11

Connectivity and addressability

outboundService Bus

• Relay• Service “listens” on the SB via outbound connection• Client “sends” to the SB• SB relays between client and service

sendspublic address

listens

12

Naming and discovery

outboundService Bus

• Naming• Service is exposed via a public name• Local DNS binds these public names to IP addresses• Local registry describes available public names

outboundpublic name

RegistryDNS

sends listens

13

Naming and discovery• Naming

• Public service namespaces• One Azure project – multiple service namespaces• {scheme}://{namespace}.servicebus.windows.net/{relpath}

• Registry• Mapping between URIs and services• Readable via HTTP+ATOM

14

Demo

http://demos-pfelix.servicebus.windows.net/techdays

REST-like Services

15

Buffering

outbound

• Buffering• One-way messaging• Temporal decoupling

outboundpublic name

sends listens

16

Eventing (pub-sub)

outboundService Bus

• Eventing – multicast• One-way messages• Multiple listeners• Message distribution - multicast

outbound

outbound

sends listens

listens

17

Demo

http://demos-pfelix.servicebus.windows.net/techdays

Publish-Subscribe

18

Security

outboundService Bus

• Access Control• Both “listen” and “send” subject to access control• Programmable authorization policy, defined by ACS

• Isolation – SB is the DMZ

outbound

ACSsends listens

19

WCF architecture

Transport

Client

User code

EncodingProtocolProtocol

Transport

Dispatcher

Service Impl.

EncodingProtocolProtocol

Binding element

Binding element

Binding element

Binding element

Binding

• Channel stack with transport and protocol channels• Channels described by binding elements• One binding contains several binding elements

20

WCF and SB

Transport

Client

User code

EncodingProtocolProtocol

Transport

Dispatcher

Service Impl.

EncodingProtocolProtocol

Binding element

Binding element

Binding element

Binding element

Binding

ServiceBus

• New bindings• New transport channels and binding elements

• New behaviors

21

Bindings

• WebHttpRelayBinding• HTTP (Web programming model)• Client interoperability

• BasicHttpRelayBinding e WS2007HttpRelayBinding• SOAP over HTTP (basic profile | WS-*)• Client interoperability

• NetTcpRelayBinding• Similar to NetTcpBinding (request-response and duplex)

• NetOnewayRelayBinding e NetEventRelayBinding• One- way w/buffering and multicast

22

Binding elements

• Http(s)RelayTransportBindingElement

• TcpRelayTransportBindingElement

• RelayedOnewayTransportBindingElement

Access Control Service

24

Access Control Service

• Identity and access control• Distributed systems• Decentralized authority• Heterogeneous technologies

• Claims-based model• Service Bus integration

25

Identity and Authorization

creds Contoso::Alice

webapp::IssueView

Contoso::LeadDev

webapp::IssueMgr

26

webapp (IssueTracker)

Centralized Solution

creds Contoso::Alice

webapp::IssueView

Contoso::LeadDev

webapp::IssueMgr

MembershipProvider

RoleProvider IPrincipal.IsInRole(...)

27

webapp (IssueTracker)

Decentralized Authority

creds Contoso::Alice

webapp::IssueView

Contoso::LeadDev

webapp::IssueMgr

Contoso Authority

28

Contoso Identity Provider webapp

Decentralized Authority

creds Contoso::Alice

webapp::IssueView

Contoso::LeadDev

webapp::IssueMgr

Identity Directory

29

Contoso webapp

Decision Enforcement

creds Contoso::Alice

webapp::IssueView

Contoso::LeadDev

webapp::IssueMgr

ServiceBus

webapp::SB.Listen

AuthorizationDecision

AuthorizationEnforcement

IdentityInformation

30

webappAccess Control ServiceContoso

Access Control Service

credsContoso::LeadDev

Alice

webapp::IssueView

SBwebapp::SB.Listen

Identity Provider Authorization DecisionAuthorization Enforcement

31

Demo

MembershipAccess Control

Service

WIF

LeadDevAlice

Listen

WIF

WS-Trust

WRAP

Service Bus

SAML

SWT

username+

password

32

Access Control Service

• Claims-based Identity and Access Control• Claims transformer (“claims in, claims out”)

• Consumes claims from federated issuers• Provides claims to applications and services

• Rule based issuance policy• Rule: If has claim1 then output claim2

• Not an identity provider• Does not manage user’s identities

33

Protocols and technologies

• AppFabric 1.0• OAuth WRAP (Web Resource Authorization Protocol)• Simple Web Token

• Future (and past)?• WS-Federation – “passive” (browser based) federation• WS-Trust – “active” (SOAP based) federation• LiveID integration

34

WRAP

Client Protected Resource

IdentityProvider

Bearer Token with authorization claims API

Authorization Server

Bearer Token with

authorization claims

Identity :

username + shared secret

SWT token

SAML token

35

WRAP and SWT• Simple Web Token (SWT)

• Form encoded name-value pairs• HMAC-SHA-256 symmetric signature

• WRAP token request• HTTP POST• username+password or authentication assertion (e.g. SAML)

• WRAP protected client call• HTTP header (Authorization: WRAP access_token = “…”)• GET or POST parameter (wrap_access_token = “…”)

36

Finally …

• Service Bus• Connectivity• Addressability and discoverability• Eventing• Buffering

• Access Control Service• Authorization Decision Point

• For Service Bus• For other services, both cloud or on-premises

• Flexible claims based policy

Q & A

A sua opinião é importante!Complete o questionário de avaliação e devolva-o à saida.