Published by Isabelly Seda. Modified more than 9 years ago.
1
An introduction to Azure AppFabric (ARC204)
Pedro Félix, CCISEL, pedrofelix@cc.isel.ipl.pt
2
An introduction to Azure AppFabric
The Windows Azure platform AppFabric is a set of infrastructure services for distributed applications, running on-premises or in clouds. This set of services, hosted on the Azure platform, currently consists of the Service Bus and the Access Control Service. The Service Bus aims to simplify exposing and communicating with services over the Internet, providing functionality for connectivity, naming and isolation. The Access Control Service aims to simplify access control in systems with decentralized identity management. This session gives a brief introduction to these services, characterizing their functionality, presenting usage scenarios and demonstrating ways of using them, namely through the Windows Communication Foundation (WCF).
3
Pedro Félix, Centro de Cálculo do ISEL (CCISEL)
Pedro Félix is a lecturer at the Instituto Superior de Engenharia de Lisboa (ISEL), where he is responsible for courses in the areas of computer security and programming. He is also a member of the ISEL Computing Centre (CCISEL), where he carries out development, consulting and advanced training for companies. In 2008 and 2009 he was awarded the title of MVP - Connected Systems Developer by Microsoft.
4
Azure AppFabric
Set of services: Service Bus (SB) and Access Control Service (ACS)
Running in the cloud, based on the Windows Azure Platform
Providing:
SB: service connectivity, addressability and discoverability
ACS: service access control
5
Service Bus
6
A scenario: CloudTrack
Issue Tracker web app, cloud-based and multi-tenant
Tenants Fabrikam and Contoso: users create/view issues and view/manage issues
7
Connectivity challenges (CloudTrack)
Create new issue
Notify new issue
Fetch trace data
Obstacles: FW, NAT, …
8
Challenges
Addressability and discoverability: private addresses and Network Address Translation (NAT); dynamic addresses (e.g. ISP)
Connectivity: firewalls (denial of inbound connections)
Event distribution
Transient connectivity
9
Service Bus
(diagram: the service can only open outbound connections; the client needs an inbound path. Which address should it use?)
10
Service Bus
“All problems in computer science can be solved by another level of indirection” – Butler Lampson
(diagram: client inbound → Service Bus ← service outbound)
11
Connectivity and addressability (Service Bus Relay)
Service “listens” on the SB via an outbound connection
Client “sends” to the SB, using its public address
SB relays between client and service
12
Naming and discovery (Service Bus Naming)
Service is exposed via a public name
Local DNS binds these public names to IP addresses
Local registry describes the available public names
13
Naming and discovery
Naming: public service namespaces; one Azure project – multiple service namespaces
{scheme}://{namespace}.servicebus.windows.net/{relpath}
Registry: mapping between URIs and services, readable via HTTP+ATOM
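The relay pattern of slides 10-13 (service listens over an outbound connection, client sends to a public name, the relay forwards in both directions) as a small constructed simulation. This is added illustration code, not Service Bus or presentation code: the relay's listening socket stands in for the public address, an in-memory dict for the registry, and the public name "demos-pfelix/techdays" is borrowed from the demo URL; the wire protocol ("LISTEN name" / "SEND name payload") is invented for the example.

```python
import socket
import threading

# Constructed illustration of the relay pattern (not Service Bus code). Real
# public names look like {scheme}://{namespace}.servicebus.windows.net/{relpath};
# here a plain string plays that role.


def _readline(sock):
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode().strip()


def _writeline(sock, text):
    sock.sendall((text + "\n").encode())


class Relay:
    """Rendezvous point reachable by everyone; nobody has to reach anyone else."""

    def __init__(self, host="127.0.0.1"):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, 0))            # ephemeral port: the "public address"
        self._sock.listen()
        self.address = self._sock.getsockname()
        self._registry = {}                   # public name -> listener socket
        self._lock = threading.Lock()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self._sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        verb, _, rest = _readline(conn).partition(" ")
        if verb == "LISTEN":
            # The service opened this connection outbound; keep it open and
            # record it under its public name (the registry entry).
            with self._lock:
                self._registry[rest] = conn
            _writeline(conn, "OK")
            return
        if verb == "SEND":
            name, _, payload = rest.partition(" ")
            with self._lock:                  # one relayed exchange at a time
                listener = self._registry.get(name)
                if listener is None:
                    reply = "ERROR no listener for " + name
                else:
                    _writeline(listener, payload)   # relay the request to the service
                    reply = _readline(listener)     # ... and its answer back
            _writeline(conn, reply)
        conn.close()


def run_service(relay_address, public_name, handler):
    """Service side: one OUTBOUND connection to the relay, so no inbound port
    has to be opened through the firewall or NAT. Returns the socket."""
    sock = socket.create_connection(relay_address)
    _writeline(sock, "LISTEN " + public_name)
    if _readline(sock) != "OK":
        raise RuntimeError("registration failed")

    def loop():
        while True:
            try:
                request = _readline(sock)
            except OSError:                   # socket closed by the service
                break
            if not request:
                break
            _writeline(sock, handler(request))

    threading.Thread(target=loop, daemon=True).start()
    return sock


def send(relay_address, public_name, payload):
    """Client side: knows only the relay's public address and the public name."""
    with socket.create_connection(relay_address) as sock:
        _writeline(sock, "SEND " + public_name + " " + payload)
        return _readline(sock)


def demo():
    relay = Relay()
    service = run_service(relay.address, "demos-pfelix/techdays",
                          lambda req: "issue created: " + req.upper())
    answered = send(relay.address, "demos-pfelix/techdays", "fetch trace data")
    unknown = send(relay.address, "nobody/home", "hello")
    service.close()
    return answered, unknown


if __name__ == "__main__":
    print(demo())
```

The security-relevant property is visible in `run_service`: the on-premises service never accepts a connection, it only dials out, which is why the firewall and NAT in the earlier slides stop being obstacles. The relay becomes the single place where both "listen" and "send" can be subjected to access control, which is what the later Security slide relies on.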
14
Demo: REST-like services
http://demos-pfelix.servicebus.windows.net/techdays
15
Buffering
One-way messaging
Temporal decoupling between sender and listener (public name)
16
Eventing (pub-sub)
Service Bus Eventing – multicast
One-way messages
Multiple listeners
Message distribution: multicast
17
Demo: publish-subscribe
http://demos-pfelix.servicebus.windows.net/techdays
18
Security (Service Bus Access Control)
Both “listen” and “send” are subject to access control
Programmable authorization policy, defined by ACS
Isolation – the SB is the DMZ
19
WCF architecture
Channel stack with transport and protocol channels (client: user code → protocol → encoding → transport; service: transport → encoding → protocol → dispatcher → service impl.)
Channels are described by binding elements
One binding contains several binding elements
20
WCF and SB
The Service Bus plugs into the same channel stack through:
New bindings
New transport channels and binding elements
New behaviors
21
Bindings
WebHttpRelayBinding: HTTP (Web programming model); client interoperability
BasicHttpRelayBinding and WS2007HttpRelayBinding: SOAP over HTTP (basic profile | WS-*); client interoperability
NetTcpRelayBinding: similar to NetTcpBinding (request-response and duplex)
NetOnewayRelayBinding and NetEventRelayBinding: one-way with buffering and multicast
22
Binding elements
Http(s)RelayTransportBindingElement
TcpRelayTransportBindingElement
RelayedOnewayTransportBindingElement
23
Access Control Service
24
Identity and access control
Distributed systems
Decentralized authority
Heterogeneous technologies
Claims-based model
Service Bus integration
25
Identity and authorization
(diagram: credentials → identity (Contoso::Alice, Contoso::LeadDev) → application permissions (webapp::IssueView, webapp::IssueMgr))
26
Centralized solution (webapp: IssueTracker)
Credentials are validated and identities (Contoso::Alice, Contoso::LeadDev) established by a Membership Provider inside the web app
Permissions (webapp::IssueView, webapp::IssueMgr) come from a Role Provider and are checked with IPrincipal.IsInRole(...)
27
Decentralized authority (webapp: IssueTracker)
Contoso becomes the authority for its own identities (Contoso::Alice, Contoso::LeadDev); the web app still owns the permissions (webapp::IssueView, webapp::IssueMgr)
28
Decentralized authority
The Contoso Identity Provider, backed by Contoso's Identity Directory, validates the credentials and asserts Contoso::Alice and Contoso::LeadDev
The web app maps those identities to webapp::IssueView and webapp::IssueMgr
29
Decision and enforcement
Identity information comes from Contoso
Authorization decision: Contoso::Alice → webapp::IssueView; Contoso::LeadDev → webapp::IssueMgr and webapp::SB.Listen
Authorization enforcement happens at the web app and at the Service Bus
30
Access Control Service
Contoso is the Identity Provider; the Access Control Service makes the authorization decision (Contoso::Alice → webapp::IssueView; Contoso::LeadDev → webapp::IssueMgr, webapp::SB.Listen)
The web app and the Service Bus enforce that decision
31
Demo
(diagram: username + password validated by Membership; WIF obtains a SAML token via WS-Trust; the Access Control Service issues an SWT via WRAP; Alice and LeadDev reach the web app (WIF) and the Service Bus (Listen))
32
Access Control Service
Claims-based identity and access control
Claims transformer (“claims in, claims out”): consumes claims from federated issuers; provides claims to applications and services
Rule-based issuance policy. Rule: if has claim1 then output claim2
Not an identity provider: does not manage users' identities
33
Protocols and technologies
AppFabric 1.0: OAuth WRAP (Web Resource Authorization Protocol), Simple Web Token
Future (and past)? WS-Federation – “passive” (browser-based) federation; WS-Trust – “active” (SOAP-based) federation; LiveID integration
34
WRAP
(diagram) Roles: Client, Authorization Server, Protected Resource (API), Identity Provider
The client presents its identity to the Authorization Server (username + shared secret, or a SAML token from the Identity Provider) and receives a bearer token with authorization claims (SWT)
The client then presents that bearer token to the Protected Resource
35
WRAP and SWT
Simple Web Token (SWT): form-encoded name-value pairs; HMAC-SHA-256 symmetric signature
WRAP token request: HTTP POST with username+password or an authentication assertion (e.g. SAML)
WRAP protected client call: HTTP header (Authorization: WRAP access_token="…") or GET/POST parameter (wrap_access_token="…")
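The two sides of slides 32 and 35 worked through end to end: an ACS-style rule engine (claims in, claims out, scoped to trusted issuers) whose output is serialised as a Simple Web Token and then verified by the protected resource from a WRAP Authorization header. This is added example code, not the Access Control Service or the presentation's demo; the SWT layout (form-encoded pairs with Issuer, Audience, ExpiresOn and a trailing HMACSHA256 over the preceding text, multi-valued claim types comma-joined) follows my understanding of the SWT format and should be treated as an assumption, and the shared key, audience URL and claim types such as "webapp"/"SB" are constructed from the scenario on the slides.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple
from urllib.parse import parse_qsl, urlencode

Claim = Tuple[str, str]                      # (claim type, value)
RESERVED = {"Issuer", "Audience", "ExpiresOn", "HMACSHA256"}


@dataclass(frozen=True)
class Rule:
    """Issuance rule scoped to one trusted issuer: if the input has if_claim, emit then_claim."""
    issuer: str
    if_claim: Claim
    then_claim: Claim


@dataclass
class ClaimsTransformer:
    """'Claims in, claims out': evaluates rules, stores no identities."""
    trusted_issuers: FrozenSet[str]
    rules: List[Rule] = field(default_factory=list)

    def issue(self, issuer: str, input_claims) -> Set[Claim]:
        if issuer not in self.trusted_issuers:
            raise PermissionError("untrusted issuer: " + issuer)
        inputs = set(input_claims)
        # Only matched rules produce output; input claims are never passed through.
        return {r.then_claim for r in self.rules
                if r.issuer == issuer and r.if_claim in inputs}


def issue_swt(claims, issuer, audience, key: bytes, lifetime=600, now=None) -> str:
    """Serialise claims as a Simple Web Token (assumed layout): form-encoded pairs
    plus an HMAC-SHA-256, under a key shared by token issuer and resource, over
    everything before the HMACSHA256 pair."""
    now = int(time.time()) if now is None else now
    pairs = [("Issuer", issuer), ("Audience", audience), ("ExpiresOn", str(now + lifetime))]
    by_type = {}
    for ctype, value in sorted(claims):
        by_type.setdefault(ctype, []).append(value)   # multi-valued types are comma-joined
    pairs += [(ctype, ",".join(values)) for ctype, values in by_type.items()]
    unsigned = urlencode(pairs)
    mac = hmac.new(key, unsigned.encode(), hashlib.sha256).digest()
    return unsigned + "&" + urlencode({"HMACSHA256": base64.b64encode(mac).decode()})


def verify_swt(token: str, audience: str, key: bytes, now=None) -> Set[Claim]:
    """Resource side: check the signature first, then audience and expiry; return claims."""
    now = int(time.time()) if now is None else now
    body, marker, _ = token.rpartition("&HMACSHA256=")
    if not marker:
        raise ValueError("token is not signed")
    fields = dict(parse_qsl(token, keep_blank_values=True))
    given = base64.b64decode(fields["HMACSHA256"])
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):      # constant-time comparison
        raise ValueError("invalid signature")
    if fields.get("Audience") != audience:            # token minted for someone else
        raise ValueError("token issued for another audience")
    if int(fields.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")
    return {(ctype, value) for ctype, joined in fields.items()
            if ctype not in RESERVED for value in joined.split(",")}


def token_from_wrap_header(header: str) -> str:
    """Extract the token from 'Authorization: WRAP access_token="..."'."""
    scheme, _, rest = header.strip().partition(" ")
    rest = rest.strip()
    if scheme != "WRAP" or not rest.startswith('access_token="') or not rest.endswith('"'):
        raise ValueError("not a WRAP authorization header")
    return rest[len('access_token="'):-1]


KEY = b"constructed-demo-secret-shared-by-acs-and-webapp"   # constructed, not a real key
AUDIENCE = "http://issuetracker.example/"                    # constructed resource URL

# Issuance policy for the CloudTrack scenario: Contoso is the only trusted issuer.
ACS = ClaimsTransformer(
    trusted_issuers=frozenset({"Contoso"}),
    rules=[
        Rule("Contoso", ("name", "Alice"), ("webapp", "IssueView")),
        Rule("Contoso", ("role", "LeadDev"), ("webapp", "IssueMgr")),
        Rule("Contoso", ("role", "LeadDev"), ("SB", "Listen")),
    ],
)


def demo(now=1_000_000):
    """Alice (a LeadDev at Contoso) gets an SWT, presents it in a WRAP header,
    and the web app verifies it and recovers the authorization claims."""
    out = ACS.issue("Contoso", [("name", "Alice"), ("role", "LeadDev")])
    token = issue_swt(out, "acs", AUDIENCE, KEY, now=now)
    header = 'WRAP access_token="%s"' % token
    return verify_swt(token_from_wrap_header(header), AUDIENCE, KEY, now=now + 60)


if __name__ == "__main__":
    print(sorted(demo()))
```

Two points worth noticing for a resource that consumes such tokens: the signature is checked before any field is trusted (and with a constant-time compare, since the HMAC is symmetric and the resource holds the same key as the issuer), and the audience check stops a token minted for one relying party from being replayed against another. The bearer nature of the token, which the slides mention, is also visible: whoever holds the string in the header can use it until ExpiresOn, so the expiry window and transport protection matter.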
36
Finally …
Service Bus: connectivity; addressability and discoverability; eventing; buffering
Access Control Service: authorization decision point for the Service Bus and for other services, both cloud and on-premises; flexible claims-based policy
37
Q & A
38
Your opinion matters! Please complete the evaluation questionnaire and hand it in on your way out.