Okay, microservices are cool. But, like every trendy new buzzword, they are not a silver bullet, and there are several problems to manage. One is authentication: distributed authentication is hard, and there are many ways to achieve it. Configuration is the second issue to manage when adopting a distributed micro-application strategy. This talk is a concrete experience report on building a microservice strategy and the problems we have to deal with along the way.
43. Reconfigure at runtime?
Hot reloading or live configuration? https://www.clever-cloud.com/blog/engineering/2017/07/24/hot-reloading-configuration-why-and-how/
44. Simpler way, never change at runtime
Immutable infrastructure (FR) https://www.youtube.com/watch?v=WrZCbgQsPVU
52. Authentication using a proxy
[Diagram: a request enters a reverse proxy, which forwards an authenticated request with user identity data to Service A, Service B and Service C. Box labels: Authentication, Database call, Business code.]
53. Central API call to authenticate request
[Diagram: a request arrives via the reverse proxy at Service A, Service B and Service C; the services call the Authentication API.]
60. Clean legacy code on a regular basis
Why and how bookkeepers f***d up IT
FR https://www.youtube.com/watch?v=0ip1FoBsLB4
EN https://www.youtube.com/watch?v=OngWRJ8txps
63. Thank you
Find me on Twitter: @waxzce
Gift coupon for clever-cloud.com: devopsCon17
Editor's Notes
Example at Clever Cloud
The first idea for many developers is to share access to a database holding the session data (memcached or redis), plus read access to the ACL database (SQL or something).
Issues with this:
- a change to the data model requires editing all the services
- it imposes harsh connection and pooling demands on the databases, which is an ops problem
- it creates a SPOF
- it imposes lots of code rewriting in each microservice
Good part:
- centralisation of authentication and the code related to it
Issues:
- Very complicated to mock on a developer laptop: you need to launch the proxy on the dev computer
- The security model is optimistic
- The user info added by the proxy isn't requested by the service, so it is a standard or convention between proxy and service
- The proxy is a SPOF
- Several missions are mixed on the proxy: routing, load balancing, authentication, session hydration…
- Performance
Central authentication API called by services
In this architecture, services take requests directly and call an API to authenticate each request, serializing the verb, resource and headers and asking for the extra info they will need (user info). The authentication API responds with the authentication result and the user info requested by the service.
Good parts:
- easy to mock and work with on the developer side, nothing to start on the developer's computer
- centralisation of the authentication
- security is better handled and there is less possibility to breach the system by spoofing requests
- services request the additional info themselves, which is simpler to do
Issues:
- the authentication API is a SPOF
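The service-side call described above, sketched as an added example (not code from the talk): the service serializes verb, resource and headers, names the user fields it wants, and denies the request if the authentication API is unreachable. The function names, JSON field names and session data are assumptions constructed for illustration.

```python
import json

# Constructed sample data: session token -> user record held by the auth API.
SESSIONS = {"tok-alice": {"id": 1, "email": "alice@example.test", "roles": ["admin"]}}
ALLOWED_FIELDS = {"id", "email", "roles"}  # user fields a service may ask for


def auth_api(payload: str) -> str:
    """Hypothetical central authentication API, run in-process for the example."""
    req = json.loads(payload)
    token = req["headers"].get("authorization", "").removeprefix("Bearer ")
    user = SESSIONS.get(token)
    if user is None:
        return json.dumps({"authenticated": False})
    # Return only the fields the service asked for, and only allowed ones.
    wanted = ALLOWED_FIELDS & set(req.get("want", []))
    return json.dumps({"authenticated": True,
                       "user": {k: user[k] for k in sorted(wanted)}})


def authenticate(method, path, headers, want, call=auth_api):
    """Service side: serialize verb, resource and headers, ask for user info.

    Fails closed: a transport error or malformed answer means "not authenticated".
    """
    payload = json.dumps({
        "verb": method.upper(),
        "resource": path,
        "headers": {k.lower(): v for k, v in headers.items()},
        "want": want,
    })
    try:
        answer = json.loads(call(payload))
    except (OSError, ValueError, KeyError):
        return None  # auth API down or garbled: deny rather than trust the request
    if answer.get("authenticated") is not True:
        return None
    return answer.get("user", {})


def unreachable(_payload):
    """Stand-in transport that simulates the authentication API being down."""
    raise TimeoutError("auth API did not answer")
```

Passing `call=` a stub such as `unreachable` is also how a developer mocks the authentication API locally without starting anything else.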