
Apply API Governance to RESTful Service APIs using WSO2 Governance Registry and WSO2 API Manager


© WSO2 2011. Not for redistribution. Commercial in Confidence.

lean . enterprise . middleware

Chris Haddad Technology evangelism, strategy, and roadmaps

Follow me @cobiacomm on Twitter

Read more about our API Story at blog.cobia.net/cobiacomm

http://wso2.com/products/api-manager


WSO2 Carbon Enterprise Middleware Platform


Business APIs

“APIs provide a way to make resources available for internal and external partners to access information and services.”


APIs All the Way…


API Architecture

An API is a business capability delivered over the Internet to internal or external consumers

• Network accessible function
• Available using standard web protocols
• With well-defined interfaces
• Designed for access by third-parties

A Managed API is:

• Actively advertised and subscribe-able
• Exhibits high Quality of Service (QoS)
• Available with Service Level Agreements (SLAs)
• Secured, authenticated, authorized and protected
• Monitored and monetized with analytics


Resources

• Addressable Resources:
  • Every “object” on your network should have a unique ID.
  • An important aspect is that each “object” or resource has its own specific URI where it can be addressed
• A Uniform, Constrained Interface.
  • When applying REST over HTTP, stick to the methods provided by the protocol
    • GET, POST, PUT, and DELETE.
  • These should be used properly
    • GET should have no side effects or change on state
    • PUT should update the resource “in-place”
  • The content-type of the resource should be useful and meaningful


REST is full of subtleties

• Method Safety
  • GET, HEAD, OPTIONS, TRACE will not modify anything
• Idempotency
  • PUT, DELETE, GET, HEAD can be repeated and the side-effects remain the same
• Caching
  • Correct use of Last-Modified and ETag headers
• Content-negotiation


The benefits of a well-designed REST app

• Bookmarkability
  • Each URI really points to a unique entity
  • Every entity can be referenced
• Multiple representations are powerful
  • Allowing one view of a resource for users and one for systems makes application development simpler and more logical
• Having well defined links
  • Does improve the semantic richness of an application
  • By comparison WSDL is very flat and doesn’t show the links between operations and services


Hypertext as the Engine of Application State

Resources are identified by URIs

Clients communicate with resources via requests using a standard set of methods

Requests and responses contain resource representations in formats identified by media types

Responses contain URIs that link to further resources


Heavy weight Governance


The REST Way


How to be successful?


Business Design of the APIs

• Know the consumer
  • Who will use the APIs (both developers and final end-user)?
  • What type of applications will use the APIs?
  • What business assets will be delivered?
• Maintain Operational Control
  • What Quality of Service is expected?
  • Who can access the assets?
• Remember Usability and Monetization
  • How will the API expose business assets?
  • How will you demonstrate business value via direct revenue, chargeback, or showback?


API Challenges

Often difficult to offer your business capabilities as an API

• Potential consumers do not trust API stability, reliability, availability, or performance
• Providers have scalability concerns and lack an ability to manage consumption
• Security risks prevent publishing and offering open access
• Difficult to manage requirements from multiple consumers and coordinate release schedule
• Inability to configure API per consumer
• Business return requires API metering usage rates, and billing


Use of Registries in RESTful Architecture

• Registry/Repository Aspects:
  • Structured Organization of Data
  • Dependencies – Dependency Analysis
  • Versioning of Assets (WADL/WSDL, Schema, Policies)
  • Extensible meta-model (especially your custom configurations)
  • Custom Properties/Meta-information
• Integration/Governance Aspects:
  • Impact, Notification, and Change Management
  • Broader Lifecycle Integration
  • API-access to resources
  • Endpoint discovery


Building an Approval Model: SCXML

• State Chart XML: State Machine Notation for Control Abstraction
• An OASIS Standard
• Embedded Apache Commons SCXML library
• GUI/Tooling
  • IBM Rational Software Architect
  • SCXMLgui
  • WSO2 Carbon Studio – Future


API Governance Roadmap

• Design Time Governance

• Run-time Operational Governance


API Design Time Governance Roadmap

REST Design Contract Review

• Stateless

• Resource-oriented URL Convention

• Xlinks

• Security
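As an added illustration (not WSO2 code and not part of the original slides), the contract review above can be automated as a lint pass over an API descriptor at design time. The descriptor fields (`changes_state`, `params`, `auth`, `public`), the verb-prefix list and the session-parameter pattern are assumptions made for this example; Xlinks are not checked.

```python
import re

# Safe methods "will not modify anything"; the uniform set adds POST, PUT, DELETE.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
UNIFORM_METHODS = SAFE_METHODS | {"POST", "PUT", "DELETE"}
# Assumed heuristics: a camelCase/underscore verb prefix marks an RPC-style segment,
# and a session-like parameter marks server-side conversational state.
VERB_SEGMENT = re.compile(r"^(get|create|update|delete|fetch|set|add|remove)[A-Z_]")
SESSION_PARAM = re.compile(r"session", re.I)


def review_contract(operations):
    """Return (method, path, rule, detail) findings for a list of operation dicts."""
    findings = []
    for op in operations:
        method, path = op["method"].upper(), op["path"]

        def flag(rule, detail):
            findings.append((method, path, rule, detail))

        if method not in UNIFORM_METHODS:
            flag("uniform-interface", "method outside the uniform HTTP set")
        if method in SAFE_METHODS and op.get("changes_state", False):
            flag("method-safety", "safe method declared as changing state")
        for seg in path.strip("/").split("/"):
            if VERB_SEGMENT.match(seg):
                flag("resource-url", f"segment '{seg}' names an action, not a resource")
        for param in op.get("params", []):
            if SESSION_PARAM.search(param):
                flag("stateless", f"parameter '{param}' carries session state")
        if op.get("auth", "none") == "none" and not op.get("public", False):
            flag("security", "no authentication scheme declared")
    return findings


# Constructed sample contract (not taken from any real API).
SAMPLE = [
    {"method": "GET", "path": "/orders/{id}", "auth": "oauth2"},
    {"method": "GET", "path": "/orders/{id}/cancel", "auth": "oauth2", "changes_state": True},
    {"method": "POST", "path": "/createOrder", "auth": "none"},
    {"method": "PUT", "path": "/orders/{id}", "auth": "oauth2", "params": ["JSESSIONID"]},
    {"method": "GET", "path": "/status", "public": True},
]

if __name__ == "__main__":
    for finding in review_contract(SAMPLE):
        print(*finding, sep=" | ")
```

A registry lifecycle could refuse to promote an API to the next state while this list is non-empty.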


API Design Time Governance Roadmap

Consumer / Subscriber Relationships

• API Manager
  • Promotes available APIs
  • Tracks subscriptions


API Design Time Governance Roadmap

API Versioning

• REST URL convention

• API Payload versioning

• Associating API to Service


Operational Governance


Contact us:

http://wso2.com/contact/

Follow us:

http://twitter.com/#!/wso2
