
APIStrat Conference Workshop: WSO2 - Best Practices for API Management

Date post: 22-Nov-2014
Upload: isamauny
Description: Workshop given at the APIStrat conference in Amsterdam on March 26th. Gathers in one place many of the lessons learned for API Management, both at a technical and not so technical level.
Transcript
Page 1: APIStrat Conference Workshop: WSO2 - Best Practices for API Management

Last Updated: March 2014

Isabelle Mauny, Director, Product Management, WSO2

Best Practices for API Management

Thursday, March 27, 14

About the speaker...

๏ French native
๏ Living in Spain
๏ Works mostly with Sri Lanka
๏ 18 years of IBM, 4 years in startups
๏ Managing the overall WSO2 portfolio
๏ Linux command line user

Who is WSO2?

๏ Open Source Middleware Platform Provider
๏ Apache 2.0 License
๏ Provides Integration, API Management and Mobile enterprise management products
๏ Main contributor to Apache Stratos PaaS
๏ Creators of DevOps "AppFactory" cloud solution

Business Model

Define a Business Model

๏ What are the business goals?
    ๏ Enable 3rd-party Mobile Apps development?
    ๏ Increase brand recognition?
    ๏ Open new revenue channels?
๏ Define Monetization model
    ๏ Free?
    ๏ Pay per usage?
    ๏ Free APIs, but paid via Ads

Development

Services and APIs

๏ Service deals with implementation
๏ API deals with subscription (consumer)
๏ Two very distinct life cycles!
๏ You don't need the service to create the API...

Building a Managed API

๏ Creating APIs (interface, docs, samples, etc.)
๏ Advertising APIs
๏ Making APIs subscribe-able by consumers
๏ Associating SLAs
๏ Securing APIs
๏ Monetization and Analytics

API Security

API Security

๏ Security is not an afterthought!
๏ APIs are part of a much larger enterprise picture
๏ How will consumers request an access token?
    ๏ Using a SAML 2.0 assertion?
    ๏ Using client_credentials?
    ๏ Using userid/password?
๏ Make sure you document thoroughly how developers need to manage tokens:
    ๏ Tokens are like passwords!
    ๏ Always use SSL/TLS for token transport!
    ๏ Use Domain restrictions (WSO2 API Manager)
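The three ways of requesting a token listed above, plus the "tokens are like passwords" and "always use SSL" rules, as client-side code. This is an added example written for this page, not WSO2 API Manager code and not from the talk: it builds the RFC 6749 (client_credentials, password) and RFC 7522 (SAML 2.0 bearer) token-endpoint requests with the standard library, refuses a plain-http token endpoint, and redacts secrets before they can reach a log line. The endpoint URL, client id and client secret are made up.

```python
"""Client-side token handling for the grant types on the slide.

Added example, standard library only; not WSO2 API Manager code. It builds
the RFC 6749 (client_credentials, password) and RFC 7522 (SAML 2.0 bearer)
token-endpoint requests, refuses a non-TLS endpoint, and redacts secrets
before anything is logged. Endpoint URL, client id and secret are made up.
"""
import base64
import re
from urllib.parse import urlencode, urlparse

TOKEN_ENDPOINT = "https://api.example.com/oauth2/token"   # hypothetical
CLIENT_ID = "app-123"                                     # hypothetical
CLIENT_SECRET = "s3cr3t"                                  # hypothetical


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication (RFC 6749 section 2.3.1), which keeps
    the client secret out of the form body."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def token_request(grant: str, endpoint: str = TOKEN_ENDPOINT, **params) -> dict:
    """Return {"url", "headers", "body"} for a token request.

    grant is 'client_credentials', 'password' (user id/password) or 'saml2'
    (a SAML 2.0 assertion exchanged for an access token). The access token
    comes back in the response, so a plain-http endpoint is refused.
    """
    if urlparse(endpoint).scheme != "https":
        raise ValueError("token endpoint must be https: the token would travel in clear")
    if grant == "client_credentials":
        body = {"grant_type": "client_credentials"}
    elif grant == "password":
        body = {"grant_type": "password",
                "username": params["username"], "password": params["password"]}
    elif grant == "saml2":
        # RFC 7522: the assertion XML is base64url-encoded, without padding.
        xml = params["assertion_xml"].encode()
        body = {"grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
                "assertion": base64.urlsafe_b64encode(xml).decode().rstrip("=")}
    else:
        raise ValueError(f"unknown grant {grant!r}")
    if "scope" in params:
        body["scope"] = params["scope"]
    return {
        "url": endpoint,
        "headers": {"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


# Fields that must never reach a log line, plus the Authorization header value.
_SECRET_FIELDS = re.compile(r"\b(password|assertion|access_token|refresh_token|client_secret)=[^&\s]+")
_AUTH_HEADER = re.compile(r"\b(Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+")


def redact(text: str) -> str:
    """Tokens are like passwords: scrub them from anything about to be logged."""
    text = _SECRET_FIELDS.sub(r"\1=<redacted>", text)
    return _AUTH_HEADER.sub(r"\1 <redacted>", text)


if __name__ == "__main__":
    req = token_request("password", username="alice", password="hunter2", scope="orders:read")
    print(redact(f"POST {req['url']} {req['headers']['Authorization']} {req['body']}"))
```

The https check is deliberately on the client side as well as the server side: a developer who copies a sample with the wrong scheme should fail early, not leak a bearer token on the wire. The same redaction belongs in the gateway's own access logs, where the Authorization header is the usual culprit.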

Fine-grained access to APIs

๏ OAuth2 is all about access control: an access token is associated with one or more scopes.
๏ XACML (eXtensible Access Control Markup Language) is the OASIS standard for fine-grained, attribute-based access control.
๏ OAuth scopes can be represented in XACML policies
๏ Provides fine-grained control over what a user/application can do (i.e. you can call GET but not POST on an API)
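The "GET but not POST" decision above, worked through in the XACML evaluation model. This is an added example, not WSO2 Identity Server code and not XACML XML: a small Python stand-in for a Policy Decision Point in which the request context carries the subject's OAuth scopes, the resource (API path) and the action (HTTP method), every rule has a target, a condition and an effect, and the deny-unless-permit combining algorithm turns anything not explicitly permitted into Deny. The policy id, scope names and paths are made up.

```python
"""Scope-to-method access control in the XACML evaluation model.

Added example: a small Python stand-in for a XACML Policy Decision Point,
not WSO2 Identity Server code and not XACML XML. The request context carries
the subject's OAuth scopes, the resource (API path) and the action (HTTP
method); every rule has a target, a condition and an effect; the
deny-unless-permit combining algorithm turns anything not explicitly
permitted into Deny. Policy id, scope names and paths are made up.
"""
from dataclasses import dataclass, field
from typing import Callable

PERMIT, DENY = "Permit", "Deny"


@dataclass
class Request:
    scopes: set        # subject attributes: scopes bound to the access token
    resource: str      # resource attribute: API path
    action: str        # action attribute: HTTP method


@dataclass
class Rule:
    rule_id: str
    effect: str                                       # PERMIT or DENY
    target: Callable[[Request], bool]                 # does the rule apply?
    condition: Callable[[Request], bool] = lambda r: True


@dataclass
class Policy:
    policy_id: str
    rules: list = field(default_factory=list)

    def evaluate(self, req: Request) -> tuple:
        """deny-unless-permit: the first applicable Permit rule wins; a Deny
        rule only restates the default, so no match at all is still Deny."""
        for rule in self.rules:
            if rule.effect == PERMIT and rule.target(req) and rule.condition(req):
                return PERMIT, rule.rule_id
        return DENY, None


def under(prefix: str):
    return lambda r: r.resource == prefix or r.resource.startswith(prefix + "/")

def method(*allowed: str):
    return lambda r: r.action in allowed

def has_scope(scope: str):
    return lambda r: scope in r.scopes


# "You can call GET but not POST": the read scope only unlocks safe methods;
# anything that changes state needs the write scope.
ORDERS_POLICY = Policy("orders-api", rules=[
    Rule("read-needs-read-scope", PERMIT,
         target=lambda r: under("/orders")(r) and method("GET", "HEAD")(r),
         condition=has_scope("orders:read")),
    Rule("write-needs-write-scope", PERMIT,
         target=lambda r: under("/orders")(r) and method("POST", "PUT", "DELETE")(r),
         condition=has_scope("orders:write")),
])


def decide(req: Request, policy: Policy = ORDERS_POLICY) -> str:
    """What the gateway asks the PDP for every call: Permit or Deny."""
    return policy.evaluate(req)[0]


if __name__ == "__main__":
    scopes = {"orders:read"}          # what a read-only token carries
    for verb in ("GET", "POST"):
        print(verb, "/orders/42", "->", decide(Request(scopes, "/orders/42", verb)))
```

The point of the combining algorithm is that a path or method nobody wrote a rule for is denied, not silently allowed; a new endpoint only becomes reachable once somebody states which scope unlocks it.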

Passing Auth Information to back-end services

๏ Using JSON Web Tokens (JWT)
    ๏ Lightweight
    ๏ Can be signed
    ๏ Easy to parse and consume
    ๏ Standard

[Figure: Internal and External Applications present an OAuth 2 Access Token to the API Gateway (API Management Layer); the gateway passes a JSON Web Token on to the Services Layer]

Token Format

๏ JWT Structure: {token info}.{claims list}.{signature}
๏ Each part is base64url-encoded (RFC 7515), without padding

What are Claims?

๏ Claims are a set of attributes about a user, mapped to the underlying user store.
๏ A set of claims is called a dialect (a claim dialect, in WSO2 Identity Server terms)

Publishing

Choosing an API Management Platform

๏ What the platform must do, at a minimum:
    ๏ Users Management (self-sign up, profile management)
    ๏ API Publication / API Store
    ๏ API Security
    ๏ Statistics
    ๏ SLA control
    ๏ Throttling / Rate Limiting
    ๏ API Versioning
    ๏ Monetization/Billing
    ๏ and more!
๏ You could build all of this yourself, but...

Need for API Versioning

๏ Need to support API evolution
๏ While maintaining
    ๏ Backward compatibility -> Functionality
    ๏ Rates/Throttling agreements
๏ Different versioning mechanisms

API Versioning Strategies

๏ Version as a query parameter
    ๏ Netflix - http://api.netflix.com/catalog/titles/series/70023522?v=1.5
    ๏ Google Data API - "GData-Version: X.0" or "v=X.0"
๏ Version as part of URI
    ๏ Salesforce - https://na1.salesforce.com/services/data/v20.0/sobjects/Account/
    ๏ Twitter - https://api.twitter.com/1.1/statuses/mentions_timeline.json
๏ Version as a date in URI
    ๏ Twilio - /2010-04-01/Accounts/{AccountSid}/Calls
    ๏ http://www.twilio.com/docs/api/rest/making-calls
๏ Version as a header
    ๏ Custom HTTP Header
    ๏ Accept Header
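The strategies above, resolved on the gateway side by one function. This is an added example, not from the talk and not WSO2 API Manager code: it recognises a version carried as a query parameter, as a path segment (Salesforce's v20.0, Twitter's bare 1.1, or a Twilio-style date), as a custom header, or inside the Accept media type, and rejects a version it does not serve instead of quietly mapping it to the default. The supported-version list, the header name X-API-Version and the vendor media type are assumptions for the example.

```python
"""Resolve the requested API version from each placement on the slide.

Added example, not from the talk and not WSO2 API Manager code. One request
object, four strategies: version as query parameter, as a path segment
(v20.0 or Twitter's bare 1.1, or a Twilio-style date), as a custom header,
and inside the Accept media type. The supported-version list, header name
and vendor media type are assumptions for the example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

SUPPORTED = {"1.1", "1.5", "2.0", "20.0", "2010-04-01"}   # what this gateway serves (assumed)
DEFAULT = "2.0"
VERSION_HEADER = "X-API-Version"                          # custom header name (assumed)
VENDOR_MEDIA = re.compile(r"application/vnd\.example\.v([\d.]+)\+json")  # Accept (assumed)

# v20.0 | 1.1 | 2010-04-01 as a whole path segment. A bare "1.1" is accepted
# for Twitter-style paths; bare integers are not, so /orders/42 is never a version.
_SEGMENT = re.compile(r"^(?:v(\d+(?:\.\d+)?)|(\d+\.\d+)|(\d{4}-\d{2}-\d{2}))$")


@dataclass
class HttpRequest:
    url: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


def from_path(req):            # Salesforce /v20.0/..., Twitter /1.1/..., Twilio /2010-04-01/...
    for segment in urlparse(req.url).path.split("/"):
        m = _SEGMENT.match(segment)
        if m:
            return m.group(1) or m.group(2) or m.group(3)
    return None

def from_query(req):           # Netflix ...?v=1.5
    return parse_qs(urlparse(req.url).query).get("v", [None])[0]

def from_custom_header(req):   # GData-Version style, here X-API-Version
    return req.header(VERSION_HEADER)

def from_accept(req):          # Accept: application/vnd.example.v2.0+json
    m = VENDOR_MEDIA.search(req.header("Accept") or "")
    return m.group(1) if m else None


STRATEGIES = (from_path, from_query, from_custom_header, from_accept)


def resolve_version(req: HttpRequest) -> str:
    """First strategy that yields a version wins. An unknown version is an
    error, not the default: otherwise a typo silently lands on the latest
    version, and a retired or unreleased version string is never reachable."""
    for strategy in STRATEGIES:
        version = strategy(req)
        if version is not None:
            if version not in SUPPORTED:
                raise ValueError(f"unsupported API version {version!r}")
            return version
    return DEFAULT


if __name__ == "__main__":
    for url in ("https://api.example.com/catalog/titles/series/70023522?v=1.5",
                "https://api.example.com/services/data/v20.0/sobjects/Account/",
                "https://api.example.com/1.1/statuses/mentions_timeline.json",
                "https://api.example.com/2010-04-01/Accounts/AC123/Calls"):
        print(resolve_version(HttpRequest(url)), "<-", url)
```

Whichever placement you pick, the versioned string is part of the attack surface: the lookup against SUPPORTED is what keeps a DEPRECATED or RETIRED version (see the lifecycle states later in the deck) from being reached simply by asking for it.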

API Lifecycle

๏ An API can pass through multiple states
๏ For example:
    ๏ CREATED
    ๏ PUBLISHED
    ๏ DEPRECATED
    ๏ RETIRED
    ๏ BLOCKED
๏ Should integrate with complete governance lifecycle

Show some developer's love :)

๏ Docs, docs and more docs
๏ API Samples, in many languages
๏ Embedded Testing
๏ Provide sandbox and production runtimes
๏ SDK
    ๏ Wraps API access, including security

Deployment

Gateway vs. ESB

๏ Oh, but I already have an ESB! Why do I need a gateway?
๏ API Gateway vs. Mediation Layer (ESB)
    ๏ Gateway = light ESB?
๏ Think of ESB as an architecture pattern, not a product!

Generic Facade Pattern

๏ Pros
    ๏ No additional hop in the network
    ๏ Single server to be managed
    ๏ More suited for internal deployments
๏ Cons
    ๏ Complexity of integration at edge of network
    ๏ API Management layer can't really scale independently
    ๏ Not appropriate for DMZ deployments (direct access to backend services)

[Figure: Internal and External Applications -> API Gateway (API Management Layer) -> Services Layer]

Separated Facade & Mediation

๏ API Gateway Layer acts as simple reverse proxy, enforcing basic policies
๏ Clear separation of concern between layers
๏ Mediation layer and API management layer scale independently
๏ Specific security checks/protection at edge of the network
๏ Provides protocol transformation to the edge of the network

[Figure: two deployments side by side. Generic facade: Internal and External Applications -> API Gateway (API Management Layer) -> Services Layer. Separated facade and mediation: Internal and External Applications -> API Gateway (API Management Layer) -> Mediation Layer (Services Composition, Services Orchestration) -> Services Layer]

Specific WSO2 Solution

๏ Our API gateway is actually a full-blown ESB under the hood, constrained at UI level.
๏ You can install the missing ESB features on top of API Manager and combine both architecture layers into a single runtime!
๏ Makes the choice a deployment one.

Typical Deployment

[Figure: deployment diagram. Web Tier: External Web Application, External Mobile Application. External APIs Tier: Load balancer in front of two API Gateways. Orchestration Layer: BPS Server (BPM), ESB Server (ESB). Data Access Layer: Data Services Server. Messaging Layer: Message Broker Server. Internal APIs Tier: Load balancer in front of two API Gateways. An Identity Server sits in both API tiers, providing Token Validation, Policy Decision Point and Users Store Management.]

Users Store

๏ Separate admins / corporate users from the developers' user store (created via self-sign up)

You can't manage what you can't measure.

Why Analytics and API Management are important together

๏ Build confidence in the API model
๏ Understand your customer
    ๏ Not just the developer but also the end-user
๏ Help manage services and versions
    ๏ Understand when deprecated services can be retired
๏ Plan better
    ๏ Monitor the growth of aggregated API traffic
    ๏ Monitor the growth of specific apps
๏ Even if you're not going to put analytics in place, make sure you capture all events right from the beginning of the project.

Analytics 101: Aggregation

• How to collect data efficiently
• How to store data effectively
• Choose which data to capture

Analytics 101: Analysis

• Data operations
• Defining KPIs and analytics
• Operating on large amounts of historical or current data
• Creating intelligence

Analytics 101: Presentation

• Visualization
• Dashboards
• Reports

Monitor And Analyze

๏ Take decisions in real time through Complex Event Processing
๏ Create dashboards for both technical and business monitoring

[Figure: analytics architecture. Components: Events Collector, Events Data Store, CEP Engine, Analytics Engine, Real Time Decision Engine, Analytics Data Store, Report Generator, User Engagement Server, 3rd party Products. Edge labels: writes events, feeds events, generate new events, deploys logic.]

Detecting Usage Patterns

๏ My API customer is trying to steal my business: let's block them.
๏ A customer is at 80% of API plan: let's warn them
๏ A customer is systematically at 120% of the plan: propose an upgrade to the premium plan
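The three patterns above turned into detection rules run over gateway events. This is an added example, not WSO2 BAM/CEP code: a plain-Python pass over a few days of events, one dict per call. The plans, the thresholds, the "systematically" window (over 120% on every observed day, at least three days) and the business-theft heuristic (one customer walking a whole collection id by id) are assumptions made for the example, and the events are constructed rather than captured.

```python
"""The three usage patterns on the slide as rules over gateway events.

Added example, not WSO2 BAM/CEP code: a plain-Python pass over gateway
events (one dict per call). Plans, thresholds, the "systematically" window
and the business-theft heuristic (one customer walking a whole collection
id by id) are assumptions made for the example; the events are constructed,
not captured.
"""
import re
from collections import defaultdict

PLANS = {"bronze": 100, "gold": 1000}     # calls per day per plan (assumed)
CUSTOMERS = {"acme": "bronze", "globex": "gold", "initech": "bronze"}   # assumed
WARN_AT, UPGRADE_AT = 0.8, 1.2            # 80 % -> warn, 120 % -> propose upgrade
UPGRADE_MIN_DAYS = 3                      # "systematically": every observed day, at least this many
SCRAPE_MIN_IDS = 50                       # contiguous ids walked before we call it scraping

_ITEM = re.compile(r"^(/[^/]+/[^/]+)/(\d+)$")   # /collection/sub/<numeric id>


def sample_events():
    """Constructed events: acme at 85 % of bronze on one day; globex at 125 %
    of gold on three consecutive days; initech enumerating /catalog/items/1..60."""
    events = [{"ts": "2014-03-20T10:00", "customer": "acme", "path": "/orders/7"}] * 85
    for day in ("2014-03-20", "2014-03-21", "2014-03-22"):
        events += [{"ts": f"{day}T12:00", "customer": "globex", "path": "/orders/1"}] * 1250
    events += [{"ts": "2014-03-20T09:00", "customer": "initech", "path": f"/catalog/items/{i}"}
               for i in range(1, 61)]
    return events


def daily_usage(events):
    """{customer: {day: calls}}; the day is the date part of the timestamp."""
    usage = defaultdict(lambda: defaultdict(int))
    for e in events:
        usage[e["customer"]][e["ts"][:10]] += 1
    return usage


def detect(events, plans=PLANS, customers=CUSTOMERS):
    """Return (kind, customer, detail, value) alerts of kind warn, upgrade or block."""
    alerts = []
    for customer, days in daily_usage(events).items():
        quota = plans[customers[customer]]
        ratios = {day: calls / quota for day, calls in days.items()}
        for day, ratio in sorted(ratios.items()):
            if ratio >= WARN_AT:                      # "at 80% of API plan"
                alerts.append(("warn", customer, day, round(ratio, 2)))
        if len(ratios) >= UPGRADE_MIN_DAYS and all(r >= UPGRADE_AT for r in ratios.values()):
            alerts.append(("upgrade", customer, "premium", round(max(ratios.values()), 2)))
    # "Trying to steal my business": one customer fetching a long unbroken run
    # of ids from a single collection, i.e. copying the catalogue.
    ids = defaultdict(set)
    for e in events:
        m = _ITEM.match(e["path"])
        if m:
            ids[(e["customer"], m.group(1))].add(int(m.group(2)))
    for (customer, collection), seen in ids.items():
        if len(seen) >= SCRAPE_MIN_IDS and max(seen) - min(seen) + 1 == len(seen):
            alerts.append(("block", customer, collection, len(seen)))
    return alerts


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(*alert)
```

Note that the scraping rule fires on initech even though it is well inside its quota: rate limiting alone never sees this pattern, which is why the slide lists it next to the quota rules rather than as one of them.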

Demo

Demo Setup

[Figure: demo deployment. Web Tier: External Web Application. APIs Tier: API Gateway. Mediation Layer: ESB Server. Services Layer: Application Server. Messaging Layer: Message Broker Server. Identity Server: Token Validation, Policy Decision Point, Identity Provider, Users Store Manager. BAM and CEP: Reporting, Logging, Operational Analysis.]

References

๏ Building an ecosystem for API Security (White Paper)
    ๏ http://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/
๏ API Facade Pattern (Webinar)
    ๏ http://wso2.com/library/webinars/2014/01/implementing-api-facade-using-wso2-api-management-platform/
๏ API Management: missing link for SOA
    ๏ http://sanjiva.weerawarana.org/2012/08/api-management-missing-link-for-soa.html
๏ Promoting Service Reuse
    ๏ http://wso2.com/whitepapers/promoting-service-reuse-within-your-enterprise-and-maximizing-soa-success/

Download API Manager today!

๏ http://wso2.com/products/api-manager/