Embed Size (px)
Citation preview
4
Azure AppFabric
• Set of services• Service Bus (SB)• Access Control Service (ACS)
• Running in the cloud• Based on Windows Azure Platform
• Providing• SB : Service Connectivity, Addressability and Discoverability• ACS : Service Access Control
Service Bus
6
A Scenario
CloudTrack.
FabrikamContoso
Create/view issuesView/manage issues
• Issue Tracker web app.• Cloud-based• Multi-tenant
7
Connectivity challenges
CloudTrack.Notify new issue
Fetch trace data
FW, NAT, …FW, NAT, …
Create new issue
8
Challenges
• Addressability and discoverability• Private addresses and Network Address Translation (NAT)• Dynamic addresses (e.g. ISP)
• Connectivity• Firewalls (denial of inbound connections)• Event distribution• Transient connectivity
9
Service Bus
outbound inbound
address?
10
Service Bus“All problems in computer science can be solved by another level of indirection”
Butler Lampson
inboundService Busoutbound
11
Connectivity and addressability
outboundService Bus
• Relay• Service “listens” on the SB via outbound connection• Client “sends” to the SB• SB relays between client and service
sendspublic address
listens
12
Naming and discovery
outboundService Bus
• Naming• Service is exposed via a public name• Local DNS binds these public names to IP addresses• Local registry describes available public names
outboundpublic name
RegistryDNS
sends listens
13
Naming and discovery• Naming
• Public service namespaces• One Azure project – multiple service namespaces• {scheme}://{namespace}.servicebus.windows.net/{relpath}
• Registry• Mapping between URIs and services• Readable via HTTP+ATOM
14
Demo
http://demos-pfelix.servicebus.windows.net/techdays
REST-like Services
15
Buffering
outbound
• Buffering• One-way messaging• Temporal decoupling
outboundpublic name
sends listens
16
Eventing (pub-sub)
outboundService Bus
• Eventing – multicast• One-way messages• Multiple listeners• Message distribution - multicast
outbound
outbound
sends listens
listens
17
Demo
http://demos-pfelix.servicebus.windows.net/techdays
Publish-Subscribe
18
Security
outboundService Bus
• Access Control• Both “listen” and “send” subject to access control• Programmable authorization policy, defined by ACS
• Isolation – SB is the DMZ
outbound
ACSsends listens
19
WCF architecture
Transport
Client
User code
EncodingProtocolProtocol
Transport
Dispatcher
Service Impl.
EncodingProtocolProtocol
Binding element
Binding element
Binding element
Binding element
Binding
• Channel stack with transport and protocol channels• Channels described by binding elements• One binding contains several binding elements
20
WCF and SB
Transport
Client
User code
EncodingProtocolProtocol
Transport
Dispatcher
Service Impl.
EncodingProtocolProtocol
Binding element
Binding element
Binding element
Binding element
Binding
ServiceBus
• New bindings• New transport channels and binding elements
• New behaviors
21
Bindings
• WebHttpRelayBinding• HTTP (Web programming model)• Client interoperability
• BasicHttpRelayBinding e WS2007HttpRelayBinding• SOAP over HTTP (basic profile | WS-*)• Client interoperability
• NetTcpRelayBinding• Similar to NetTcpBinding (request-response and duplex)
• NetOnewayRelayBinding e NetEventRelayBinding• One- way w/buffering and multicast
22
Binding elements
• Http(s)RelayTransportBindingElement
• TcpRelayTransportBindingElement
• RelayedOnewayTransportBindingElement
Access Control Service
24
Access Control Service
• Identity and access control• Distributed systems• Decentralized authority• Heterogeneous technologies
• Claims-based model• Service Bus integration
25
Identity and Authorization
creds Contoso::Alice
webapp::IssueView
Contoso::LeadDev
webapp::IssueMgr
26
webapp (IssueTracker)
Centralized Solution
creds Contoso::Alice
webapp::IssueView
Contoso::LeadDev
webapp::IssueMgr
MembershipProvider
RoleProvider IPrincipal.IsInRole(...)
27
webapp (IssueTracker)
Decentralized Authority
creds Contoso::Alice
webapp::IssueView
Contoso::LeadDev
webapp::IssueMgr
Contoso Authority
28
Contoso Identity Provider webapp
Decentralized Authority
creds Contoso::Alice
webapp::IssueView
Contoso::LeadDev
webapp::IssueMgr
Identity Directory
29
Contoso webapp
Decision Enforcement
creds Contoso::Alice
webapp::IssueView
Contoso::LeadDev
webapp::IssueMgr
ServiceBus
webapp::SB.Listen
AuthorizationDecision
AuthorizationEnforcement
IdentityInformation
30
webappAccess Control ServiceContoso
Access Control Service
credsContoso::LeadDev
Alice
webapp::IssueView
SBwebapp::SB.Listen
Identity Provider Authorization DecisionAuthorization Enforcement
31
Demo
MembershipAccess Control
Service
WIF
LeadDevAlice
Listen
WIF
WS-Trust
WRAP
Service Bus
SAML
SWT
username+
password
32
Access Control Service
• Claims-based Identity and Access Control• Claims transformer (“claims in, claims out”)
• Consumes claims from federated issuers• Provides claims to applications and services
• Rule based issuance policy• Rule: If has claim1 then output claim2
• Not an identity provider• Does not manage user’s identities
33
Protocols and technologies
• AppFabric 1.0• OAuth WRAP (Web Resource Authorization Protocol)• Simple Web Token
• Future (and past)?• WS-Federation – “passive” (browser based) federation• WS-Trust – “active” (SOAP based) federation• LiveID integration
34
WRAP
Client Protected Resource
IdentityProvider
Bearer Token with authorization claims API
Authorization Server
Bearer Token with
authorization claims
Identity :
username + shared secret
SWT token
SAML token
35
WRAP and SWT• Simple Web Token (SWT)
• Form encoded name-value pairs• HMAC-SHA-256 symmetric signature
• WRAP token request• HTTP POST• username+password or authentication assertion (e.g. SAML)
• WRAP protected client call• HTTP header (Authorization: WRAP access_token = “…”)• GET or POST parameter (wrap_access_token = “…”)
36
Finally …
• Service Bus• Connectivity• Addressability and discoverability• Eventing• Buffering
• Access Control Service• Authorization Decision Point
• For Service Bus• For other services, both cloud or on-premises
• Flexible claims based policy
Q & A
A sua opinião é importante!Complete o questionário de avaliação e devolva-o à saida.
