SlideShare a Scribd company logo

Rest api design by george reese

B
buildacloud

As you go into the cloud, the applications you are building will often be built on service-oriented architectures that communicate through RESTful APIs. Where API design and development used to be an uncommon thing, today it has become a basic application requirement. George Reese will cover the basic considerations in designing and implementing an API for your applications. George Reese is the author of a number of technology books and a regular speaker on RESTful APIs, cloud computing, Java, and database systems. His most recent books are The REST API Design Handbook and O’Reilly’s Cloud Application Architectures. Professionally, he is the Executive Director of Cloud Computing at Dell as a result of Dell's recent acquisition of Enstratius, a company George co-founded. George has also led a number of Open Source projects, including several MUD libraries and the Imaginary Home home automation libraries for Java. He is also the primary maintainer of Dasein Cloud, a cloud abstraction API for Java. George holds a BA from Bates College in Maine and an MBA from the Kellogg School of Management at Northwestern University.

1 of 24
Download to read offline
RESTful API Design George Reese, Senior Distinguished Engineer! 3 December 2013
My Background • Co-founder of Enstratius! – Acquired by Dell in May 2013! • Creator of Dasein Cloud! • Open Source Java cloud abstraction API 
 (https://github.com/greese/dasein-cloud)! • Interacts with nearly 2 dozen cloud APIs! • Author of The Rest API Design Handbook 2 Copyright (c) 2013 Dell, Inc. Dell Software
Historically, REST APIs suck • Rarely a core focus of effort in a system! • SOAP has been the more common web services choice! – Very little design thought put into SOAP APIs! – WSDL is evil (so is WADL)! • Often a task pawned off on some unsuspecting junior programmer! – Often following everyone else’s bad examples 3 Copyright (c) 2013 Dell, Inc. Dell Software
So you want to write an API? • Start with the API as your primary interface! – User interfaces and language bindings come later! – Any other approach for a cloudy system is doing it wrong! • HTTP is the specification! – Don’t get creative on verbs, verb usage, or HTTP status codes! – Authentication is the only valid point of deviation! – You worry about: transactions, query parameters, headers, and payloads 4 Copyright (c) 2013 Dell, Inc. Dell Software
You are not the judge of use cases • A REST API enables…! – …people who are not you! – …to enhance the system you have built! – …in ways you cannot imagine! – …or in ways for which you lack resources! • Unlike SOAP and language bindings, REST APIs are not judgmental!! – So don’t insert your judgment into the process 5 Copyright (c) 2013 Dell, Inc. Dell Software
The domain model • HTTP is a resource-focused transport protocol! – A RESTful approach thus models resources first! • Identify the things that make up your system and their relationships! – Use a UML tool if you want; I use a white board! • Relationships should be loosely coupled 6 Copyright (c) 2013 Dell, Inc. Dell Software
A sample domain model 7 Copyright (c) 2013 Dell, Inc. Dell Software
Mapping to endpoints • /Region/<rid>/Zone/<zid>Server/<sd>! – Easiest approach for auto-discovery of API! – Implies a very rigid hierarchy! • /Server/<sid>! – Requires a higher level mechanism for autodiscovery! – Allows for a flexible, changeable set of resource relationships! • I prefer /Server/<sid> 8 Copyright (c) 2013 Dell, Inc. Dell Software
Many to many relationships • In this example, Server <-> User is m2m! • Who owns the relationship?! – Server? ! – User?! – Both?! • Sometimes relationships have their own attributes (for example, User role)! • A change to one part of the relationship may need reflecting in the other part 9 Copyright (c) 2013 Dell, Inc. Dell Software
Use cases • Given the resources that exist in the domain, what use cases will you support?! • Focus on CRUD operations, not transactions! – You likely modeled transactions for your underlying system! – But, your objective here is to support use cases not currently implemented in your underlying system! • Functionality first, optimize later 10 Copyright (c) 2013 Dell, Inc. Dell Software
Example use cases for Server • List servers with or without search criteria! • Get the details for a specific server! • Provision a new server in a target zone! • Terminate an existing server! • Stop an existing server! • Add user shell access to a server! • Remove user shell access to a server 11 Copyright (c) 2013 Dell, Inc. Dell Software
Authentication model • There are dozens of authentication models for REST APIs! • George’s REST authentication principles! – Must support authentication over plaintext! – Must easy to use across a number of programming languages! – Should support the common interaction models for your target client bases! – Must support credentials specific to each distinct application consuming the API (revokable) 12 Copyright (c) 2013 Dell, Inc. Dell Software
Authentication options • HTTP! – HTTP Basic and HTTP Digest! – Digital certificates! • Non-HTTP! – Credentials in payload! – Secure token service! – Request signing! • Recommendation! – OAuth 2 or request signing, depending on API 13 Copyright (c) 2013 Dell, Inc. Dell Software
Error model • Use HTTP error codes only! – HTTP allows customized error codes within the specified error classes! – But I’ve never seen that add any value! – Mostly I’ve seen people get the error classes wrong! – 2xx -> it’s all good! – 3xx -> do something else! – 4xx -> client messed up! – 5xx -> server messed up 14 Copyright (c) 2013 Dell, Inc. Dell Software
Resource modeling • XML vs JSON! – Don’t pick sides, support both! – HTTP is built around the idea that a single resource has multiple possible representations, take advantage of that feature! • Marshaling! – Do not tightly bind the RESTful resources to underlying objects! • Pick your identifier scheme carefully 15 Copyright (c) 2013 Dell, Inc. Dell Software
Read operations • GET (Always GET) (I mean it, always)! • Challenge with READs:! – Different use cases require different levels of detail about a resource! – Different levels of detail have different impacts on system performance! • Enable the client to specify the level of detail in which it is interested! – ID+status, one level, or deep 16 Copyright (c) 2013 Dell, Inc. Dell Software
Caching • Caching can help API performance, but it comes with a price! • Caching can be a really good idea or a really bad idea depending on your problem domain! – Caching server state -> bad idea! – Caching region state -> good idea! • Clients get very angry when they regularly receive cached results that are wrong 17 Copyright (c) 2013 Dell, Inc. Dell Software
Paging • HTTP is not the best protocol for very large data sets! • Paging enables you to split results across multiple GET requests! – because of the raw size of the response body! – or the amount of time the server takes to assemble the results! • Design pagination in a manner transparent to the client (via header directives) 18 Copyright (c) 2013 Dell, Inc. Dell Software
Write operations • POST, DELETE, PUT! – POST -> new resource is created! – DELETE -> existing resource is deleted! – PUT -> an existing resource is changed! • What about PATCH?! • Payloads! – Update directive + data matching GET format! • Nonces recommended 19 Copyright (c) 2013 Dell, Inc. Dell Software
Asynchronous operations • Sometimes an action takes a long time to process and will potentially time out for a given HTTP call! • An asynchronous approach enables your API call to return immediately and have the client track the process of the operation 20 Copyright (c) 2013 Dell, Inc. Dell Software
Asynchronous operations (cont) • An operation is neither synchronous or asynchronous ! • This is an implementation decision! • Use status codes to indicate what happened! • 201 Created (synchronous)! • Body: at least an ID for a newly created object ! • 202 Accepted (asynchronous)! • Body: identifying information for a job/task to track! • 204 No Content (synchronous) 21 Copyright (c) 2013 Dell, Inc. Dell Software
Resource limiting • Throttling is generally a terrible idea! – Remember, your job is not to sit in judgment over a customer’s use cases! • The primary job of throttling is to identify and mitigate denial of service attacks or broken client code! • Avoid unilateral throttling! • Tell the client explicitly in the error response! • Give the client retry directives 22 Copyright (c) 2013 Dell, Inc. Dell Software
Documentation • A REST API should be auto-discoverable! – I should be able to point my browser at your API URL and start discovering it! – An HTTP request at an endpoint with a desire for HTML content should be treated as a documentation request! • Document authentication, query parameters, headers, and payload formats! • Provide functional examples with real data 23 Copyright (c) 2013 Dell, Inc. Dell Software
Questions? Twitter: 
 @GeorgeReese ! Email:
 George_Reese@dell.com 24 Copyright (c) 2013 Dell, Inc. Dell Software

Recommended

The never-ending REST API design debate
The never-ending REST API design debateThe never-ending REST API design debate
The never-ending REST API design debateRestlet
 
Best Practices in Web Service Design
Best Practices in Web Service DesignBest Practices in Web Service Design
Best Practices in Web Service DesignLorna Mitchell
 
Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.Mario Cardinal
 
Web API Basics
Web API BasicsWeb API Basics
Web API BasicsLearnNowOnline
 
RESTful modules in zf2
RESTful modules in zf2RESTful modules in zf2
RESTful modules in zf2Corley S.r.l.
 
The never-ending REST API design debate -- Devoxx France 2016
The never-ending REST API design debate -- Devoxx France 2016The never-ending REST API design debate -- Devoxx France 2016
The never-ending REST API design debate -- Devoxx France 2016Restlet
 
Rest api standards and best practices
Rest api standards and best practicesRest api standards and best practices
Rest api standards and best practicesAnkita Mahajan
 
REST full API Design
REST full API DesignREST full API Design
REST full API DesignChristian Guenther
 

Recommended

The never-ending REST API design debate
The never-ending REST API design debateThe never-ending REST API design debate
The never-ending REST API design debateRestlet
 
Best Practices in Web Service Design
Best Practices in Web Service DesignBest Practices in Web Service Design
Best Practices in Web Service DesignLorna Mitchell
 
Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.Mario Cardinal
 
Web API Basics
Web API BasicsWeb API Basics
Web API BasicsLearnNowOnline
 
RESTful modules in zf2
RESTful modules in zf2RESTful modules in zf2
RESTful modules in zf2Corley S.r.l.
 
The never-ending REST API design debate -- Devoxx France 2016
The never-ending REST API design debate -- Devoxx France 2016The never-ending REST API design debate -- Devoxx France 2016
The never-ending REST API design debate -- Devoxx France 2016Restlet
 
Rest api standards and best practices
Rest api standards and best practicesRest api standards and best practices
Rest api standards and best practicesAnkita Mahajan
 
REST full API Design
REST full API DesignREST full API Design
REST full API DesignChristian Guenther
 
Learn REST in 18 Slides
Learn REST in 18 SlidesLearn REST in 18 Slides
Learn REST in 18 SlidesSuraj Gupta
 
The ASP.NET Web API for Beginners
The ASP.NET Web API for BeginnersThe ASP.NET Web API for Beginners
The ASP.NET Web API for BeginnersKevin Hazzard
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
The Internet as Web Services: introduction to ReST
The Internet as Web Services: introduction to ReSTThe Internet as Web Services: introduction to ReST
The Internet as Web Services: introduction to ReSTBruno Kessler Foundation
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web APIBrad Genereaux
 
RESTful services
RESTful servicesRESTful services
RESTful servicesgouthamrv
 
ASP.NET Mvc 4 web api
ASP.NET Mvc 4 web apiASP.NET Mvc 4 web api
ASP.NET Mvc 4 web apiTiago Knoch
 
ASP.NET WEB API Training
ASP.NET WEB API TrainingASP.NET WEB API Training
ASP.NET WEB API TrainingChalermpon Areepong
 
REST and ASP.NET Web API (Tunisia)
REST and ASP.NET Web API (Tunisia)REST and ASP.NET Web API (Tunisia)
REST and ASP.NET Web API (Tunisia)Jef Claes
 
REST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And JerseyREST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And JerseyStormpath
 
Understanding REST
Understanding RESTUnderstanding REST
Understanding RESTNitin Pande
 
Design Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIsDesign Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIsStormpath
 
REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)Jef Claes
 
Doing REST Right
Doing REST RightDoing REST Right
Doing REST RightKerry Buckley
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web ServicesHalil Burak Cetinkaya
 
Elegant Rest Design Webinar
Elegant Rest Design WebinarElegant Rest Design Webinar
Elegant Rest Design WebinarStormpath
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developersPatrick Savalle
 
Best practices for RESTful web service design
Best practices for RESTful web service designBest practices for RESTful web service design
Best practices for RESTful web service designRamin Orujov
 
Build a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIBuild a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIStormpath
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServicesPrateek Tandon
 
API Description Languages
API Description LanguagesAPI Description Languages
API Description LanguagesAkana
 
API Description Languages
API Description LanguagesAPI Description Languages
API Description LanguagesAkana
 

More Related Content

What's hot

Learn REST in 18 Slides
Learn REST in 18 SlidesLearn REST in 18 Slides
Learn REST in 18 SlidesSuraj Gupta
 
The ASP.NET Web API for Beginners
The ASP.NET Web API for BeginnersThe ASP.NET Web API for Beginners
The ASP.NET Web API for BeginnersKevin Hazzard
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
The Internet as Web Services: introduction to ReST
The Internet as Web Services: introduction to ReSTThe Internet as Web Services: introduction to ReST
The Internet as Web Services: introduction to ReSTBruno Kessler Foundation
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web APIBrad Genereaux
 
RESTful services
RESTful servicesRESTful services
RESTful servicesgouthamrv
 
ASP.NET Mvc 4 web api
ASP.NET Mvc 4 web apiASP.NET Mvc 4 web api
ASP.NET Mvc 4 web apiTiago Knoch
 
REST and ASP.NET Web API (Tunisia)
REST and ASP.NET Web API (Tunisia)REST and ASP.NET Web API (Tunisia)
REST and ASP.NET Web API (Tunisia)Jef Claes
 
REST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And JerseyREST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And JerseyStormpath
 
Understanding REST
Understanding RESTUnderstanding REST
Understanding RESTNitin Pande
 
Design Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIsDesign Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIsStormpath
 
REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)Jef Claes
 
Elegant Rest Design Webinar
Elegant Rest Design WebinarElegant Rest Design Webinar
Elegant Rest Design WebinarStormpath
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developersPatrick Savalle
 
Best practices for RESTful web service design
Best practices for RESTful web service designBest practices for RESTful web service design
Best practices for RESTful web service designRamin Orujov
 
Build a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIBuild a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIStormpath
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServicesPrateek Tandon
 

What's hot (20)

Learn REST in 18 Slides
Learn REST in 18 SlidesLearn REST in 18 Slides
Learn REST in 18 Slides
 
The ASP.NET Web API for Beginners
The ASP.NET Web API for BeginnersThe ASP.NET Web API for Beginners
The ASP.NET Web API for Beginners
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
 
The Internet as Web Services: introduction to ReST
The Internet as Web Services: introduction to ReSTThe Internet as Web Services: introduction to ReST
The Internet as Web Services: introduction to ReST
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web API
 
RESTful services
RESTful servicesRESTful services
RESTful services
 
ASP.NET Mvc 4 web api
ASP.NET Mvc 4 web apiASP.NET Mvc 4 web api
ASP.NET Mvc 4 web api
 
ASP.NET WEB API Training
ASP.NET WEB API TrainingASP.NET WEB API Training
ASP.NET WEB API Training
 
REST and ASP.NET Web API (Tunisia)
REST and ASP.NET Web API (Tunisia)REST and ASP.NET Web API (Tunisia)
REST and ASP.NET Web API (Tunisia)
 
REST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And JerseyREST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And Jersey
 
Understanding REST
Understanding RESTUnderstanding REST
Understanding REST
 
Design Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIsDesign Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIs
 
REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)
 
Doing REST Right
Doing REST RightDoing REST Right
Doing REST Right
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web Services
 
Elegant Rest Design Webinar
Elegant Rest Design WebinarElegant Rest Design Webinar
Elegant Rest Design Webinar
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developers
 
Best practices for RESTful web service design
Best practices for RESTful web service designBest practices for RESTful web service design
Best practices for RESTful web service design
 
Build a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIBuild a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON API
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServices
 

Similar to Rest api design by george reese

API Description Languages
API Description LanguagesAPI Description Languages
API Description LanguagesAkana
 
API Description Languages
API Description LanguagesAPI Description Languages
API Description LanguagesAkana
 
API Description Languages: Which Is The Right One For Me?
API Description Languages: Which Is The Right One For Me? API Description Languages: Which Is The Right One For Me?
API Description Languages: Which Is The Right One For Me? ProgrammableWeb
 
Workshop 04 android-development
Workshop 04 android-developmentWorkshop 04 android-development
Workshop 04 android-developmentAravindharamanan S
 
Starting from scratch in 2017
Starting from scratch in 2017Starting from scratch in 2017
Starting from scratch in 2017Stefano Bonetta
 
Ria Applications And PHP
Ria Applications And PHPRia Applications And PHP
Ria Applications And PHPJohn Coggeshall
 
SAP on Azure Web Dispatcher High Availability
SAP on Azure Web Dispatcher High AvailabilitySAP on Azure Web Dispatcher High Availability
SAP on Azure Web Dispatcher High AvailabilityGary Jackson MBCS
 
REST and REST-fulness
REST and REST-fulnessREST and REST-fulness
REST and REST-fulnessDavid Waite
 
Serverless: The future of application delivery
Serverless: The future of application deliveryServerless: The future of application delivery
Serverless: The future of application deliveryDoug Vanderweide
 
Sahi Principles and Architecture
Sahi Principles and ArchitectureSahi Principles and Architecture
Sahi Principles and ArchitectureTyto Software
 
Punta Dreamin 17 Generic Apex and Tooling Api
Punta Dreamin 17 Generic Apex and Tooling ApiPunta Dreamin 17 Generic Apex and Tooling Api
Punta Dreamin 17 Generic Apex and Tooling ApiAdam Olshansky
 
AIR - Framework ( Cairngorm and Parsley )
AIR - Framework ( Cairngorm and Parsley )AIR - Framework ( Cairngorm and Parsley )
AIR - Framework ( Cairngorm and Parsley )senthil0809
 
Code for Startup MVP (Ruby on Rails) Session 1
Code for Startup MVP (Ruby on Rails) Session 1Code for Startup MVP (Ruby on Rails) Session 1
Code for Startup MVP (Ruby on Rails) Session 1Henry S
 
Lessons learned on the Azure API Stewardship Journey.pptx
Lessons learned on the Azure API Stewardship Journey.pptxLessons learned on the Azure API Stewardship Journey.pptx
Lessons learned on the Azure API Stewardship Journey.pptxapidays
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Real world cloud formation feb 2014 final
Real world cloud formation feb 2014 finalReal world cloud formation feb 2014 final
Real world cloud formation feb 2014 finalHoward Glynn
 
APIs distribuidos con alta escalabilidad
APIs distribuidos con alta escalabilidadAPIs distribuidos con alta escalabilidad
APIs distribuidos con alta escalabilidadSoftware Guru
 

Similar to Rest api design by george reese (20)

API Description Languages
API Description LanguagesAPI Description Languages
API Description Languages
 
API Description Languages
API Description LanguagesAPI Description Languages
API Description Languages
 
API Description Languages: Which Is The Right One For Me?
API Description Languages: Which Is The Right One For Me? API Description Languages: Which Is The Right One For Me?
API Description Languages: Which Is The Right One For Me?
 
Workshop 04 android-development
Workshop 04 android-developmentWorkshop 04 android-development
Workshop 04 android-development
 
Starting from scratch in 2017
Starting from scratch in 2017Starting from scratch in 2017
Starting from scratch in 2017
 
Apache Drill (ver. 0.2)
Apache Drill (ver. 0.2)Apache Drill (ver. 0.2)
Apache Drill (ver. 0.2)
 
Ria Applications And PHP
Ria Applications And PHPRia Applications And PHP
Ria Applications And PHP
 
SAP on Azure Web Dispatcher High Availability
SAP on Azure Web Dispatcher High AvailabilitySAP on Azure Web Dispatcher High Availability
SAP on Azure Web Dispatcher High Availability
 
REST and REST-fulness
REST and REST-fulnessREST and REST-fulness
REST and REST-fulness
 
Apache Cordova 4.x
Apache Cordova 4.xApache Cordova 4.x
Apache Cordova 4.x
 
Serverless: The future of application delivery
Serverless: The future of application deliveryServerless: The future of application delivery
Serverless: The future of application delivery
 
Sahi Principles and Architecture
Sahi Principles and ArchitectureSahi Principles and Architecture
Sahi Principles and Architecture
 
Punta Dreamin 17 Generic Apex and Tooling Api
Punta Dreamin 17 Generic Apex and Tooling ApiPunta Dreamin 17 Generic Apex and Tooling Api
Punta Dreamin 17 Generic Apex and Tooling Api
 
AIR - Framework ( Cairngorm and Parsley )
AIR - Framework ( Cairngorm and Parsley )AIR - Framework ( Cairngorm and Parsley )
AIR - Framework ( Cairngorm and Parsley )
 
Code for Startup MVP (Ruby on Rails) Session 1
Code for Startup MVP (Ruby on Rails) Session 1Code for Startup MVP (Ruby on Rails) Session 1
Code for Startup MVP (Ruby on Rails) Session 1
 
Lessons learned on the Azure API Stewardship Journey.pptx
Lessons learned on the Azure API Stewardship Journey.pptxLessons learned on the Azure API Stewardship Journey.pptx
Lessons learned on the Azure API Stewardship Journey.pptx
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Real world cloud formation feb 2014 final
Real world cloud formation feb 2014 finalReal world cloud formation feb 2014 final
Real world cloud formation feb 2014 final
 
APIs distribuidos con alta escalabilidad
APIs distribuidos con alta escalabilidadAPIs distribuidos con alta escalabilidad
APIs distribuidos con alta escalabilidad
 
SGCE 2015 REST APIs
SGCE 2015 REST APIsSGCE 2015 REST APIs
SGCE 2015 REST APIs
 

More from buildacloud

The Future of SDN in CloudStack by Chiradeep Vittal
The Future of SDN in CloudStack by Chiradeep VittalThe Future of SDN in CloudStack by Chiradeep Vittal
The Future of SDN in CloudStack by Chiradeep Vittalbuildacloud
 
Policy Based SDN Solution for DC and Branch Office by Suresh Boddapati
Policy Based SDN Solution for DC and Branch Office by Suresh BoddapatiPolicy Based SDN Solution for DC and Branch Office by Suresh Boddapati
Policy Based SDN Solution for DC and Branch Office by Suresh Boddapatibuildacloud
 
L4-L7 services for SDN and NVF by Youcef Laribi
L4-L7 services for SDN and NVF by Youcef LaribiL4-L7 services for SDN and NVF by Youcef Laribi
L4-L7 services for SDN and NVF by Youcef Laribibuildacloud
 
Jenkins, jclouds, CloudStack, and CentOS by David Nalley
Jenkins, jclouds, CloudStack, and CentOS by David NalleyJenkins, jclouds, CloudStack, and CentOS by David Nalley
Jenkins, jclouds, CloudStack, and CentOS by David Nalleybuildacloud
 
Intro to Zenoss by Andrew Kirch
Intro to Zenoss by Andrew KirchIntro to Zenoss by Andrew Kirch
Intro to Zenoss by Andrew Kirchbuildacloud
 
Guaranteeing Storage Performance by Mike Tutkowski
Guaranteeing Storage Performance by Mike TutkowskiGuaranteeing Storage Performance by Mike Tutkowski
Guaranteeing Storage Performance by Mike Tutkowskibuildacloud
 
Cloud Application Blueprints with Apache Brooklyn by Alex Henevald
Cloud Application Blueprints with Apache Brooklyn by Alex HenevaldCloud Application Blueprints with Apache Brooklyn by Alex Henevald
Cloud Application Blueprints with Apache Brooklyn by Alex Henevaldbuildacloud
 
Introduction to Apache CloudStack by David Nalley
Introduction to Apache CloudStack by David NalleyIntroduction to Apache CloudStack by David Nalley
Introduction to Apache CloudStack by David Nalleybuildacloud
 
Managing infrastructure with Application Policy by Mike Cohen
Managing infrastructure with Application Policy by Mike CohenManaging infrastructure with Application Policy by Mike Cohen
Managing infrastructure with Application Policy by Mike Cohenbuildacloud
 
Intro to Zenoss by Andrew Kirch
Intro to Zenoss by Andrew KirchIntro to Zenoss by Andrew Kirch
Intro to Zenoss by Andrew Kirchbuildacloud
 
Monitoring CloudStack in context with Converged Infrastructure by Mike Turnlund
Monitoring CloudStack in context with Converged Infrastructure by Mike TurnlundMonitoring CloudStack in context with Converged Infrastructure by Mike Turnlund
Monitoring CloudStack in context with Converged Infrastructure by Mike Turnlundbuildacloud
 
Enterprise grade firewall and ssl termination to ac by will stevens
Enterprise grade firewall and ssl termination to ac by will stevensEnterprise grade firewall and ssl termination to ac by will stevens
Enterprise grade firewall and ssl termination to ac by will stevensbuildacloud
 
State of the cloud by reuven cohen
State of the cloud by reuven cohenState of the cloud by reuven cohen
State of the cloud by reuven cohenbuildacloud
 
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek
Securing Your Cloud With the Xen Hypervisor by Russell PavlicekSecuring Your Cloud With the Xen Hypervisor by Russell Pavlicek
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicekbuildacloud
 
DevCloud - Setup and Demo on Apache CloudStack
DevCloud - Setup and Demo on Apache CloudStack DevCloud - Setup and Demo on Apache CloudStack
DevCloud - Setup and Demo on Apache CloudStack buildacloud
 
Cloud Network Virtualization with Juniper Contrail
Cloud Network Virtualization with Juniper ContrailCloud Network Virtualization with Juniper Contrail
Cloud Network Virtualization with Juniper Contrailbuildacloud
 
Ian rae panel cloud stack & cloud storage where are we at, and where do we ne...
Ian rae panel cloud stack & cloud storage where are we at, and where do we ne...Ian rae panel cloud stack & cloud storage where are we at, and where do we ne...
Ian rae panel cloud stack & cloud storage where are we at, and where do we ne...buildacloud
 
Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski
Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski
Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski buildacloud
 
CloudStack University by Sebastien Goasguen
CloudStack University by Sebastien GoasguenCloudStack University by Sebastien Goasguen
CloudStack University by Sebastien Goasguenbuildacloud
 
Building Scalable, Resilient Infrastructure on CloudStack by Sebastian Stadil
Building Scalable, Resilient Infrastructure on CloudStack by Sebastian StadilBuilding Scalable, Resilient Infrastructure on CloudStack by Sebastian Stadil
Building Scalable, Resilient Infrastructure on CloudStack by Sebastian Stadilbuildacloud
 

More from buildacloud (20)

The Future of SDN in CloudStack by Chiradeep Vittal
The Future of SDN in CloudStack by Chiradeep VittalThe Future of SDN in CloudStack by Chiradeep Vittal
The Future of SDN in CloudStack by Chiradeep Vittal
 
Policy Based SDN Solution for DC and Branch Office by Suresh Boddapati
Policy Based SDN Solution for DC and Branch Office by Suresh BoddapatiPolicy Based SDN Solution for DC and Branch Office by Suresh Boddapati
Policy Based SDN Solution for DC and Branch Office by Suresh Boddapati
 
L4-L7 services for SDN and NVF by Youcef Laribi
L4-L7 services for SDN and NVF by Youcef LaribiL4-L7 services for SDN and NVF by Youcef Laribi
L4-L7 services for SDN and NVF by Youcef Laribi
 
Jenkins, jclouds, CloudStack, and CentOS by David Nalley
Jenkins, jclouds, CloudStack, and CentOS by David NalleyJenkins, jclouds, CloudStack, and CentOS by David Nalley
Jenkins, jclouds, CloudStack, and CentOS by David Nalley
 
Intro to Zenoss by Andrew Kirch
Intro to Zenoss by Andrew KirchIntro to Zenoss by Andrew Kirch
Intro to Zenoss by Andrew Kirch
 
Guaranteeing Storage Performance by Mike Tutkowski
Guaranteeing Storage Performance by Mike TutkowskiGuaranteeing Storage Performance by Mike Tutkowski
Guaranteeing Storage Performance by Mike Tutkowski
 
Cloud Application Blueprints with Apache Brooklyn by Alex Henevald
Cloud Application Blueprints with Apache Brooklyn by Alex HenevaldCloud Application Blueprints with Apache Brooklyn by Alex Henevald
Cloud Application Blueprints with Apache Brooklyn by Alex Henevald
 
Introduction to Apache CloudStack by David Nalley
Introduction to Apache CloudStack by David NalleyIntroduction to Apache CloudStack by David Nalley
Introduction to Apache CloudStack by David Nalley
 
Managing infrastructure with Application Policy by Mike Cohen
Managing infrastructure with Application Policy by Mike CohenManaging infrastructure with Application Policy by Mike Cohen
Managing infrastructure with Application Policy by Mike Cohen
 
Intro to Zenoss by Andrew Kirch
Intro to Zenoss by Andrew KirchIntro to Zenoss by Andrew Kirch
Intro to Zenoss by Andrew Kirch
 
Monitoring CloudStack in context with Converged Infrastructure by Mike Turnlund
Monitoring CloudStack in context with Converged Infrastructure by Mike TurnlundMonitoring CloudStack in context with Converged Infrastructure by Mike Turnlund
Monitoring CloudStack in context with Converged Infrastructure by Mike Turnlund
 
Enterprise grade firewall and ssl termination to ac by will stevens
Enterprise grade firewall and ssl termination to ac by will stevensEnterprise grade firewall and ssl termination to ac by will stevens
Enterprise grade firewall and ssl termination to ac by will stevens
 
State of the cloud by reuven cohen
State of the cloud by reuven cohenState of the cloud by reuven cohen
State of the cloud by reuven cohen
 
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek
Securing Your Cloud With the Xen Hypervisor by Russell PavlicekSecuring Your Cloud With the Xen Hypervisor by Russell Pavlicek
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek
 
DevCloud - Setup and Demo on Apache CloudStack
DevCloud - Setup and Demo on Apache CloudStack DevCloud - Setup and Demo on Apache CloudStack
DevCloud - Setup and Demo on Apache CloudStack
 
Cloud Network Virtualization with Juniper Contrail
Cloud Network Virtualization with Juniper ContrailCloud Network Virtualization with Juniper Contrail
Cloud Network Virtualization with Juniper Contrail
 
Ian rae panel cloud stack & cloud storage where are we at, and where do we ne...
Ian rae panel cloud stack & cloud storage where are we at, and where do we ne...Ian rae panel cloud stack & cloud storage where are we at, and where do we ne...
Ian rae panel cloud stack & cloud storage where are we at, and where do we ne...
 
Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski
Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski
Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski
 
CloudStack University by Sebastien Goasguen
CloudStack University by Sebastien GoasguenCloudStack University by Sebastien Goasguen
CloudStack University by Sebastien Goasguen
 
Building Scalable, Resilient Infrastructure on CloudStack by Sebastian Stadil
Building Scalable, Resilient Infrastructure on CloudStack by Sebastian StadilBuilding Scalable, Resilient Infrastructure on CloudStack by Sebastian Stadil
Building Scalable, Resilient Infrastructure on CloudStack by Sebastian Stadil
 

Rest api design by george reese

  • 1. RESTful API Design George Reese, Senior Distinguished Engineer! 3 December 2013
  • 2. My Background • Co-founder of Enstratius! – Acquired by Dell in May 2013! • Creator of Dasein Cloud! • Open Source Java cloud abstraction API 
 (https://github.com/greese/dasein-cloud)! • Interacts with nearly 2 dozen cloud APIs! • Author of The Rest API Design Handbook 2 Copyright (c) 2013 Dell, Inc. Dell Software
  • 3. Historically, REST APIs suck • Rarely a core focus of effort in a system! • SOAP has been the more common web services choice! – Very little design thought put into SOAP APIs! – WSDL is evil (so is WADL)! • Often a task pawned off on some unsuspecting junior programmer! – Often following everyone else’s bad examples 3 Copyright (c) 2013 Dell, Inc. Dell Software
  • 4. So you want to write an API? • Start with the API as your primary interface! – User interfaces and language bindings come later! – Any other approach for a cloudy system is doing it wrong! • HTTP is the specification! – Don’t get creative on verbs, verb usage, or HTTP status codes! – Authentication is the only valid point of deviation! – You worry about: transactions, query parameters, headers, and payloads 4 Copyright (c) 2013 Dell, Inc. Dell Software
  • 5. You are not the judge of use cases • A REST API enables…! – …people who are not you! – …to enhance the system you have built! – …in ways you cannot imagine! – …or in ways for which you lack resources! • Unlike SOAP and language bindings, REST APIs are not judgmental!! – So don’t insert your judgment into the process 5 Copyright (c) 2013 Dell, Inc. Dell Software
  • 6. The domain model • HTTP is a resource-focused transport protocol! – A RESTful approach thus models resources first! • Identify the things that make up your system and their relationships! – Use a UML tool if you want; I use a white board! • Relationships should be loosely coupled 6 Copyright (c) 2013 Dell, Inc. Dell Software
  • 7. A sample domain model 7 Copyright (c) 2013 Dell, Inc. Dell Software
  • 8. Mapping to endpoints • /Region/<rid>/Zone/<zid>Server/<sd>! – Easiest approach for auto-discovery of API! – Implies a very rigid hierarchy! • /Server/<sid>! – Requires a higher level mechanism for autodiscovery! – Allows for a flexible, changeable set of resource relationships! • I prefer /Server/<sid> 8 Copyright (c) 2013 Dell, Inc. Dell Software
  • 9. Many to many relationships • In this example, Server <-> User is m2m! • Who owns the relationship?! – Server? ! – User?! – Both?! • Sometimes relationships have their own attributes (for example, User role)! • A change to one part of the relationship may need reflecting in the other part 9 Copyright (c) 2013 Dell, Inc. Dell Software
  • 10. Use cases • Given the resources that exist in the domain, what use cases will you support?! • Focus on CRUD operations, not transactions! – You likely modeled transactions for your underlying system! – But, your objective here is to support use cases not currently implemented in your underlying system! • Functionality first, optimize later 10 Copyright (c) 2013 Dell, Inc. Dell Software
  • 11. Example use cases for Server • List servers with or without search criteria! • Get the details for a specific server! • Provision a new server in a target zone! • Terminate an existing server! • Stop an existing server! • Add user shell access to a server! • Remove user shell access to a server 11 Copyright (c) 2013 Dell, Inc. Dell Software
  • 12. Authentication model • There are dozens of authentication models for REST APIs! • George’s REST authentication principles! – Must support authentication over plaintext! – Must easy to use across a number of programming languages! – Should support the common interaction models for your target client bases! – Must support credentials specific to each distinct application consuming the API (revokable) 12 Copyright (c) 2013 Dell, Inc. Dell Software
  • 13. Authentication options • HTTP! – HTTP Basic and HTTP Digest! – Digital certificates! • Non-HTTP! – Credentials in payload! – Secure token service! – Request signing! • Recommendation! – OAuth 2 or request signing, depending on API 13 Copyright (c) 2013 Dell, Inc. Dell Software
  • 14. Error model • Use HTTP error codes only! – HTTP allows customized error codes within the specified error classes! – But I’ve never seen that add any value! – Mostly I’ve seen people get the error classes wrong! – 2xx -> it’s all good! – 3xx -> do something else! – 4xx -> client messed up! – 5xx -> server messed up 14 Copyright (c) 2013 Dell, Inc. Dell Software
  • 15. Resource modeling • XML vs JSON! – Don’t pick sides, support both! – HTTP is built around the idea that a single resource has multiple possible representations, take advantage of that feature! • Marshaling! – Do not tightly bind the RESTful resources to underlying objects! • Pick your identifier scheme carefully 15 Copyright (c) 2013 Dell, Inc. Dell Software
  • 16. Read operations • GET (Always GET) (I mean it, always)! • Challenge with READs:! – Different use cases require different levels of detail about a resource! – Different levels of detail have different impacts on system performance! • Enable the client to specify the level of detail in which it is interested! – ID+status, one level, or deep 16 Copyright (c) 2013 Dell, Inc. Dell Software
  • 17. Caching • Caching can help API performance, but it comes with a price! • Caching can be a really good idea or a really bad idea depending on your problem domain! – Caching server state -> bad idea! – Caching region state -> good idea! • Clients get very angry when they regularly receive cached results that are wrong 17 Copyright (c) 2013 Dell, Inc. Dell Software
  • 18. Paging • HTTP is not the best protocol for very large data sets! • Paging enables you to split results across multiple GET requests! – because of the raw size of the response body! – or the amount of time the server takes to assemble the results! • Design pagination in a manner transparent to the client (via header directives) 18 Copyright (c) 2013 Dell, Inc. Dell Software
  • 19. Write operations • POST, DELETE, PUT! – POST -> new resource is created! – DELETE -> existing resource is deleted! – PUT -> an existing resource is changed! • What about PATCH?! • Payloads! – Update directive + data matching GET format! • Nonces recommended 19 Copyright (c) 2013 Dell, Inc. Dell Software
  • 20. Asynchronous operations • Sometimes an action takes a long time to process and will potentially time out for a given HTTP call! • An asynchronous approach enables your API call to return immediately and have the client track the process of the operation 20 Copyright (c) 2013 Dell, Inc. Dell Software
  • 21. Asynchronous operations (cont) • An operation is neither synchronous or asynchronous ! • This is an implementation decision! • Use status codes to indicate what happened! • 201 Created (synchronous)! • Body: at least an ID for a newly created object ! • 202 Accepted (asynchronous)! • Body: identifying information for a job/task to track! • 204 No Content (synchronous) 21 Copyright (c) 2013 Dell, Inc. Dell Software
  • 22. Resource limiting • Throttling is generally a terrible idea! – Remember, your job is not to sit in judgment over a customer’s use cases! • The primary job of throttling is to identify and mitigate denial of service attacks or broken client code! • Avoid unilateral throttling! • Tell the client explicitly in the error response! • Give the client retry directives 22 Copyright (c) 2013 Dell, Inc. Dell Software
  • 23. Documentation • A REST API should be auto-discoverable! – I should be able to point my browser at your API URL and start discovering it! – An HTTP request at an endpoint with a desire for HTML content should be treated as a documentation request! • Document authentication, query parameters, headers, and payload formats! • Provide functional examples with real data 23 Copyright (c) 2013 Dell, Inc. Dell Software