Azure AppFabric, WebDay, Porto, Feb. 2, 2010, Pedro Félix (pedrofelix) (PowerPoint presentation)



SLIDE 1

An introduction to the

Azure AppFabric

WebDay, Porto, Feb. 2, 2010

Pedro Félix (pedrofelix em cc.isel.ipl.pt)

SLIDE 2

Azure AppFabric

  • Set of services
    – Service Bus (SB)
    – Access Control Service (ACS)
  • Running in the cloud
    – Based on Windows Azure Platform
  • Providing
    – SB: Service Connectivity, Addressability and Discoverability
    – ACS: Service Access Control

SLIDE 3

A Motivating Scenario

[Diagram: CloudTrack issue tracker running in the cloud; Fabrikam users create/view issues, Contoso users view/manage issues]

  • Issue Tracker web app.
  • Cloud-based
  • Multi-tenant
SLIDE 4

Connectivity challenges

[Diagram: CloudTrack exchanging “Notify new issue”, “Fetch trace data” and “Create new issue” messages with on-premises parties that sit behind FW, NAT, …]
SLIDE 5

Challenges

  • Addressability and discoverability
    – Private addresses and Network Address Translation (NAT)
    – Dynamic addresses (e.g. ISP)
  • Connectivity
    – Firewalls (denial of inbound connections)
    – Event distribution
    – Transient connectivity

SLIDE 6

Service Bus

[Diagram: the service can only open outbound connections, so what is its inbound address?]
SLIDE 7

Service Bus

“All problems in computer science can be solved by another level of indirection” Butler Lampson

[Diagram: inbound traffic is addressed to the Service Bus; the service reaches the Service Bus through an outbound connection]
SLIDE 8

Connectivity and addressability

  • Relay
    – Service “listens” on the SB via outbound connection
    – Client “sends” to the SB
    – SB relays between client and service

[Diagram: the client sends to the public address on the Service Bus; the service listens through an outbound connection; the Service Bus relays between them]
SLIDE 9

Naming and discovery

  • Naming
    – Service is exposed via a public name
    – Local DNS binds these public names to IP addresses
    – Local registry describes available public names

[Diagram: the client resolves the public name through the Registry and DNS, then sends to the Service Bus; the service listens through an outbound connection]
SLIDE 10

Naming and discovery

  • Naming
    – Public service namespaces
    – One Azure project, multiple service namespaces
    – {scheme}://{namespace}.servicebus.windows.net/{relpath}
  • Registry
    – Mapping between URIs and services
    – Readable via HTTP+ATOM

SLIDE 11

Buffering

  • Buffering
    – One-way messaging
    – Temporal decoupling

[Diagram: sender and listener both connect outbound to the public name on the Service Bus; messages are buffered between send and listen]
SLIDE 12

Eventing (pub-sub)

  • Eventing: multicast
    – One-way messages
    – Multiple listeners
    – Message distribution: multicast

[Diagram: one sender and several listeners, all connected outbound to the Service Bus, which multicasts each message]
SLIDE 13

Security

  • Access Control
    – Both “listen” and “send” subject to access control
    – Programmable authorization policy, defined by ACS
  • Isolation: SB is the DMZ

[Diagram: sender and listener connect outbound to the Service Bus; the ACS supplies the policy that the Service Bus enforces on both operations]
SLIDE 14

WCF architecture

[Diagram: client-side channel stack (User code, Protocol, Protocol, Encoding, Transport) and service-side channel stack (Transport, Encoding, Protocol, Protocol, Dispatcher, Service Impl.); each channel is described by a binding element, and the binding elements together form the binding]

  • Channel stack with transport and protocol channels
  • Channels described by binding elements
  • One binding contains several binding elements
SLIDE 15

WCF and SB

[Diagram: the same client and service channel stacks, with the Service Bus sitting between the two transport channels]

  • New bindings
    – New transport channels and binding elements
  • New behaviors
SLIDE 16

Bindings

  • WebHttpRelayBinding
    – HTTP (Web programming model)
    – Client interoperability
  • BasicHttpRelayBinding and WS2007HttpRelayBinding
    – SOAP over HTTP (basic profile | WS-*)
    – Client interoperability
  • NetTcpRelayBinding
    – Similar to NetTcpBinding (request-response and duplex)
  • NetOnewayRelayBinding and NetEventRelayBinding
    – One-way w/ buffering and multicast
SLIDE 17

Binding elements

  • Http(s)RelayTransportBindingElement
  • TcpRelayTransportBindingElement
  • RelayedOnewayTransportBindingElement

SLIDE 18

Demo

http://demos-pfelix.servicebus.windows.net/webday

SLIDE 19

Access Control Service

  • Identity and access control
  • Distributed systems

    – Decentralized authority
    – Heterogeneous technologies

  • Claims-based model
  • SB integration

SLIDE 20

Identity and Authorization

[Diagram: a user presents creds; the identity Contoso::Alice maps to webapp::IssueView and Contoso::LeadDev maps to webapp::IssueMgr]
SLIDE 21

Centralized Solution

[Diagram: the webapp (IssueTracker) itself holds the creds and the mappings Contoso::Alice → webapp::IssueView and Contoso::LeadDev → webapp::IssueMgr, implemented with a Membership Provider, a Role Provider and IPrincipal.IsInRole(...)]
SLIDE 22

Decentralized Authority

[Diagram: the chain creds → Contoso::Alice → webapp::IssueView, Contoso::LeadDev → webapp::IssueMgr, now split between a Contoso Authority and the webapp (IssueTracker)]
SLIDE 23

Decentralized Authority

[Diagram: the Contoso Identity Provider, backed by an Identity Directory, authenticates the creds and asserts Contoso::Alice and Contoso::LeadDev; the webapp maps them to webapp::IssueView and webapp::IssueMgr]
SLIDE 24

Decision and Enforcement

[Diagram: Contoso supplies the Identity Information; the Authorization Decision yields webapp::IssueView / webapp::IssueMgr for the webapp and webapp::SB.Listen for the Service on the Service Bus; Authorization Enforcement takes place at the webapp and at the Service Bus]
SLIDE 25

Access Control Service

[Diagram: the Contoso Identity Provider authenticates the creds and asserts Contoso::LeadDev for Alice; the Access Control Service makes the Authorization Decision, issuing webapp::IssueView for the webapp and webapp::SB.Listen for the SB; Authorization Enforcement stays at the webapp and at the SB]
SLIDE 26

Access Control Service

  • Claims-based Identity and Access Control
  • Claims transformer (“claims in, claims out”)
    – Consumes claims from federated issuers
    – Provides claims to applications and services
  • Rule based issuance policy
    – Rule: If has claim1 then output claim2
  • Not an identity provider
    – Does not manage user’s identities
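The “claims in, claims out” rule engine sketched above, as an added example that is not code from the deck or from ACS itself: input claims are kept only if they come from a federated issuer, each rule of the form “if has claim1 then output claim2” emits one output claim, and the enforcement point trusts only what the transformer issued. Issuer, claim type and rule names are constructed for the slides’ Contoso/webapp scenario.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Claim:
    issuer: str   # party that asserted the claim: an identity provider, or the transformer
    type: str
    value: str

@dataclass(frozen=True)
class Rule:
    """If the input claim (in_issuer, in_type, in_value) is present, output (out_type, out_value)."""
    in_issuer: str
    in_type: str
    in_value: str
    out_type: str
    out_value: str

ACS = "acs"  # constructed issuer name for the transformer's own output

def transform(input_claims, rules, trusted_issuers):
    """Claims in, claims out: only claims from federated (trusted) issuers are
    considered, and only what a rule produces is emitted; nothing passes through."""
    trusted = {c for c in input_claims if c.issuer in trusted_issuers}
    return {Claim(ACS, r.out_type, r.out_value)
            for r in rules
            if Claim(r.in_issuer, r.in_type, r.in_value) in trusted}

def is_in_role(output_claims, role):
    """Enforcement at the relying party: accept only roles issued by the transformer."""
    return Claim(ACS, "role", role) in output_claims

# Constructed issuance policy for the slides' scenario (names are illustrative).
RULES = [
    Rule("Contoso", "name", "Alice", "role", "IssueView"),    # Contoso::Alice   -> webapp::IssueView
    Rule("Contoso", "group", "LeadDev", "role", "IssueMgr"),  # Contoso::LeadDev -> webapp::IssueMgr
]
TRUSTED = {"Contoso"}

def alice_roles():
    claims = {Claim("Contoso", "name", "Alice"), Claim("Contoso", "group", "LeadDev")}
    return transform(claims, RULES, TRUSTED)

def untrusted_roles():
    # The same group claim asserted by an issuer ACS does not federate with,
    # plus a self-asserted role: neither may turn into a webapp role.
    claims = {Claim("Unknown", "group", "LeadDev"), Claim("Unknown", "role", "IssueMgr")}
    return transform(claims, RULES, TRUSTED)
```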

SLIDE 27

Protocols and technologies

  • AppFabric 1.0
    – OAuth WRAP (Web Resource Authorization Protocol)
    – Simple Web Token
  • Future (and past)?
    – WS-Federation: “passive” (browser based) federation
    – WS-Trust: “active” (SOAP based) federation
    – LiveID integration

SLIDE 28

WRAP

[Diagram: the Client obtains a Bearer Token with authorization claims from the Authorization Server, which relies on the Identity Provider, and presents it to the Protected Resource’s API]
SLIDE 29

WRAP and SWT

  • Simple Web Token (SWT)
    – Form encoded name-value pairs
    – HMAC-SHA-256 symmetric signature
  • WRAP token request
    – HTTP POST
    – username+password or authentication assertion (e.g. SAML)
  • WRAP protected client call
    – HTTP header (Authorization: WRAP access_token = “…”)
    – GET or POST parameter (wrap_access_token = “…”)
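The SWT format and the WRAP header from this slide, as an added example that is not code from the deck or from ACS: the token is a form-encoded string of name=value pairs, an HMAC-SHA-256 over that string with the shared key is appended as the last pair, and the relying party checks the signature before trusting issuer, audience and expiry. The parameter names Issuer, Audience, ExpiresOn and HMACSHA256 follow the SWT draft; the key, issuer and audience values are constructed.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote, urlencode

def build_swt(claims, key, issuer, audience, lifetime_s=600, now=None):
    """Issue a Simple Web Token: form-encoded pairs, then an HMAC-SHA-256 over the
    unsigned string (base64, URL-encoded) appended as the HMACSHA256 pair."""
    now = int(time.time()) if now is None else now
    pairs = dict(claims, Issuer=issuer, Audience=audience, ExpiresOn=str(now + lifetime_s))
    unsigned = urlencode(pairs)
    mac = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    return unsigned + "&HMACSHA256=" + quote(base64.b64encode(mac).decode("ascii"), safe="")

def wrap_header(token):
    """Authorization header value for a WRAP-protected call."""
    return 'WRAP access_token="%s"' % token

def token_from_header(header):
    scheme, _, rest = header.partition(" ")
    if scheme != "WRAP" or not rest.startswith('access_token="') or not rest.endswith('"'):
        raise ValueError("not a WRAP authorization header")
    return rest[len('access_token="'):-1]

def verify_swt(token, key, issuer, audience, now=None):
    """Relying-party check: signature first (constant-time compare), then issuer,
    audience and expiry. Returns the claims on success, raises ValueError otherwise."""
    now = int(time.time()) if now is None else now
    unsigned, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token carries no signature")
    expected = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(unquote(sig))):
        raise ValueError("bad signature")
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("Audience") != audience:
        raise ValueError("token is for another audience")
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")
    return claims
```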

SLIDE 30

Demo

[Diagram: demo components: Membership (username + password), WIF (WS-Trust, SAML), Access Control Service (WRAP, SWT), Service Bus (Listen); claims LeadDev and Alice]
SLIDE 31

Finally …

  • Service Bus
    – Connectivity
    – Addressability and discoverability
    – Eventing
    – Buffering
  • Access Control Service
    – Authorization Decision Point
      • For Service Bus
      • For other services, both cloud or on-premises
    – Flexible claims based policy
