WSO2 API Manager 2.0.0 Overview

WSO2 API Manager - Product Overview


Page 1: WSO2 API Manager - Product Overview

WSO2 API Manager 2.0.0 Overview

Page 2

Agenda

o  Introduction

o  Creating APIs

o  Protecting APIs

o  API Lifecycles

o  Developer Portal

o  Testing APIs

o  API Gateway

o  Deployment

o  API Analytics

Page 3

Introduction

Page 4

APIs for Business Innovation

o  API - Business capability offered via a digital channel

o  Open internally and/or externally

o  Monitored

o  In some cases, monetized

o  Fuel for rapid innovation, development of new apps

Image: thinkpublic/photopin cc


Page 5

API Management Platform

Page 6

WSO2 API Manager

o  The only complete, 100% open source API Management solution

o  A cleanly integrated system supporting API publishing, lifecycle management, developer portal, access control and analytics

o  Backed by high performance gateway

o  A single node supports more than 100 million requests/day

o  eBay handles up to 4.6 billion requests per day at peak times (Cyber Monday)

Chart: Product Downloads (June-Dec 2013, Jul-Dec 2014, Jul-Dec 2015; axis 0 to 30000)

Chart: Production Customers (Dec 2014, June 2015, Dec 2015; axis 0 to 138)

Page 7

WSO2 API Manager cont.

o  Includes Social enablement such as ratings and tagging

o  Supports single sign-on with Facebook, Google Apps, etc.

o  Named a Strong Performer in this space by Forrester in 2014 and 2015

o  Best API Design across all vendors

o  Best Solution Cost for on-premise solution

o  Extremely Satisfied customers

o  Available on-premise, as managed deployment and as SaaS application (API Cloud)

Page 8

Competitive Advantage

o  API Management is part of a complete platform

o  Integration

o  Security (Identity Management, Federated Identity)

o  API Analytics

o  Open Architecture

o  Custom security tokens and grant types

o  Custom store/developer’s portal user interface

o  Custom user repositories

o  Custom transports to back-end

o  Available on-premise, as managed offering, as SaaS offering - Same code everywhere

Page 9

Competitive Advantage cont.

o  Scalable Architecture

o  Each component (Gateway, Dev Portal, Admin Portal, Key Server) can be deployed and scaled separately

o  Over 5000 TPS for a single node

o  Business Model

o  Subscriptions only for production systems - Makes cost very competitive

o  Pricing is adapted to small, medium and enterprise customers

o  Cost linked to instances, not to machine power

o  No community vs. enterprise distinction

Page 10

Typical Use Cases

o  Expose APIs for internal consumption

o  Manage APIs used in internal applications

o  Internal Monetization

o  Control Access to Cloud Services - Manage and secure access from internal applications to cloud services (e.g. SalesForce and Google Apps)

o  APIs for public consumption

o  Extend your business through APIs

o  Integrate with partners and customers

Page 11

API Manager Components

Page 12

Creating APIs

Page 13

Getting Started

o  For REST - Start from existing API definition (Swagger 2.0) or start from scratch

o  For SOAP - Start from WSDL and generate default mapping and definition

Page 14

REST API Editing

o  Basic editor to create the API structure

Page 15

REST API Editing cont.

o  Swagger editor (YAML-based) for advanced editing, configuration, etc.

Page 16

API Documentation

Page 17

Protecting APIs

Page 18

API Access Tokens

o  OAuth2 standard compliant

o  Supports multiple Grant Types

o  SAML, IWA/NTLM

o  Client credentials, Implicit, Password

o  Pre-generated Access Token - Mostly used for testing

o  On-demand Access Token - Generated via API call to the Gateway, using any of the supported Grant Types

o  Tokens can be refreshed/revoked via API calls as well

Page 19

Pluggable OAuth Authorization Server

o  OAuth token management is by default done with WSO2’s Key Server (based on WSO2’s Identity Server)

o  Can be replaced by third-party authorization server, capable of creating, refreshing, validating, revoking OAuth tokens

Page 20

Limiting Access to API Resources

o  Achieved through OAuth scopes - Scope defines what can be accessed by a token

o  How to request a token

grant_type=password&username=john&password=john123&scope=news_read news_write
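The request line above only asks for scopes; what makes scopes a security control is that the authorization server grants no more than the user is permitted, and the gateway then refuses any resource whose required scope the token lacks. The following is an added example (not WSO2 code) that parses the slide's token request body, narrows the granted scopes, and performs the gateway check. The resource-to-scope table, the set of scopes permitted to the user, and the request body are constructed for the example.

```python
# Added example, not WSO2 code: parse a password-grant token request like the
# one on the slide and enforce OAuth scopes at the gateway. The resource-to-scope
# table, the user's permitted scopes and the request body are constructed.
from urllib.parse import parse_qs

# Constructed: the token request body shown on the slide.
TOKEN_REQUEST_BODY = (
    "grant_type=password&username=john&password=john123&scope=news_read news_write"
)

# Constructed: scope each API resource (method, path) requires; absent = public.
RESOURCE_SCOPES = {
    ("GET", "/news/1.0/articles"): "news_read",
    ("POST", "/news/1.0/articles"): "news_write",
    ("DELETE", "/news/1.0/articles"): "news_admin",
}


def parse_token_request(body: str) -> dict:
    """Extract grant_type and the requested scopes from a form-encoded token request."""
    form = parse_qs(body, keep_blank_values=True)
    grant_type = form.get("grant_type", [""])[0]
    # scope is a space-separated list (RFC 6749, section 3.3)
    scopes = set(form.get("scope", [""])[0].split())
    return {"grant_type": grant_type, "scopes": scopes}


def issue_scopes(requested: set, permitted: set) -> set:
    """Authorization server side: grant only the scopes the user is actually permitted."""
    return requested & permitted


def gateway_authorize(token_scopes: set, method: str, path: str) -> tuple:
    """Gateway side: a resource is reachable only if the token carries its required scope."""
    required = RESOURCE_SCOPES.get((method, path))
    if required is None:
        return (True, "no scope required")
    if required in token_scopes:
        return (True, f"scope {required} present")
    return (False, f"insufficient_scope: {required} required")


if __name__ == "__main__":
    req = parse_token_request(TOKEN_REQUEST_BODY)
    granted = issue_scopes(req["scopes"], {"news_read"})  # john may only read
    print(req, granted)
    print(gateway_authorize(granted, "GET", "/news/1.0/articles"))
    print(gateway_authorize(granted, "POST", "/news/1.0/articles"))
```

Note that the write scope requested by the client is silently dropped rather than failing the request; that is the behaviour RFC 6749 permits, and the client learns the outcome from the `scope` field of the token response, so a gateway must always check the token's granted scopes and never the scopes the client asked for.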

Page 21

Throttling & Rate Limiting

o  Throttling

o  Regulates API traffic

o  Makes APIs and applications available to consumers at different service levels

o  Secures APIs against security attacks (e.g. DoS attacks)

o  Throttling is controlled through tier-based policies - A tier is defined by a time duration and a maximum number of requests during that duration

o  Tiers can be applied at application, API and API resource levels

Page 22

Throttling & Rate Limiting cont.

o  At subscription time, API users can choose tiers they can subscribe to - This default behavior can be overridden through usage of workflows

o  Throttling policies encompass:

o  Standard usage quotas of total subscriptions and resources

o  Rate limiting based on complex, extensible and dynamic rules, scenarios and events

o  Complex throttling policies (with transport headers, IP addresses, etc.) can be created on the fly

o  Facilitates blacklisting users/applications abusing rate limits
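To make the tier model concrete, here is an added example (not WSO2 code) of a fixed-window throttler in which a tier is a (duration, maximum requests) pair applied at the application, API and API-resource levels, with a simple blacklist for applications that keep hitting their limits. The tier names and limits, the key layout and the blacklist threshold are constructed assumptions.

```python
# Added example, not WSO2 code: tier-based throttling as the slides describe it.
# A tier is (window seconds, max requests in that window); counters are kept per
# application, per API and per API resource, and a request is denied if any of
# the three levels is exhausted. Tier names/limits and the blacklist threshold
# are constructed assumptions.
from collections import defaultdict

# Constructed tiers: name -> (window in seconds, max requests per window)
TIERS = {
    "Bronze": (60, 5),
    "Silver": (60, 20),
    "Gold": (60, 100),
}


class TierThrottler:
    def __init__(self, blacklist_after: int = 10):
        self._counters = defaultdict(lambda: [None, 0])  # key -> [window_start, count]
        self._denials = defaultdict(int)                  # app -> denied requests
        self.blacklist = set()                            # apps that keep abusing limits
        self.blacklist_after = blacklist_after

    def _window(self, key: str, tier: str, now: float):
        """Return the live counter for key, rolling the fixed window over if it expired."""
        window, limit = TIERS[tier]
        state = self._counters[key]
        if state[0] is None or now - state[0] >= window:
            state[0], state[1] = now, 0
        return state, limit

    def allow(self, app: str, api: str, resource: str, tiers: dict, now: float) -> tuple:
        """Return (True, None) or (False, level); level is the exhausted tier or 'blacklisted'."""
        if app in self.blacklist:
            return (False, "blacklisted")
        checks = [
            ("application", f"app:{app}", tiers["application"]),
            ("api", f"app:{app}|api:{api}", tiers["api"]),
            ("resource", f"app:{app}|api:{api}|res:{resource}", tiers["resource"]),
        ]
        states = []
        for level, key, tier in checks:
            state, limit = self._window(key, tier, now)
            if state[1] >= limit:
                self._denials[app] += 1
                if self._denials[app] >= self.blacklist_after:
                    self.blacklist.add(app)
                return (False, level)
            states.append(state)
        for state in states:  # count the request only once every level has room
            state[1] += 1
        return (True, None)


if __name__ == "__main__":
    t = TierThrottler()
    plan = {"application": "Gold", "api": "Silver", "resource": "Bronze"}
    for i in range(7):
        print(i, t.allow("app1", "news", "GET /articles", plan, now=float(i)))
```

The counters are checked at every level before any of them is incremented, so a request rejected at the resource level does not consume application or API quota. A fixed window allows up to twice the limit across a window boundary; a sliding window or token bucket removes that burst at the cost of more state per key.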

Page 23

Throttling & Rate Limiting cont.

Page 24

JWT Token Creation

o  Using JSON Web Tokens (JWT)

o  Lightweight

o  Can be signed

o  Easy to parse and consume

o  Standard

o  JWT Structure: {token info}.{claims list}.{signature}

o  Base64 or Base64URL encoded

o  Contents of JWT are configurable
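The three-segment structure and the Base64URL encoding are easier to see in code. The following is an added example (not WSO2 code) that builds a JWT of the form {token info}.{claims list}.{signature} with HMAC-SHA256, decodes it, and verifies it before the claims are trusted. The secret and claims are constructed; WSO2 signs its gateway JWT with the server's own key and claim set, which this example does not reproduce.

```python
# Added example, not WSO2 code: build, parse and verify a token of the form
# {token info}.{claims list}.{signature} with HMAC-SHA256 and Base64URL encoding.
# The secret and claims are constructed; WSO2's gateway JWT is signed with the
# server's own key and claim set, which this toy does not reproduce.
import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"constructed-demo-secret"  # constructed; load from a key store in real code


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore padding


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def create_jwt(claims: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}  # the "token info" segment
    signing_input = _segment(header) + "." + _segment(claims)
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def parse_jwt(token: str) -> dict:
    """Decode the three segments WITHOUT trusting them; call verify_jwt before acting on claims."""
    header, claims, signature = token.split(".")
    return {
        "header": json.loads(b64url_decode(header)),
        "claims": json.loads(b64url_decode(claims)),
        "signature": b64url_decode(signature),
    }


def verify_jwt(token: str, secret: bytes, now: float = None) -> dict:
    """Return the claims only if alg is HS256, the signature matches and exp has not passed."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick 'none' or another alg
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    return claims


if __name__ == "__main__":
    tok = create_jwt({"sub": "john", "scope": "news_read", "exp": 2_000_000_000}, DEMO_SECRET)
    print(tok)
    print(parse_jwt(tok)["claims"])
    print(verify_jwt(tok, DEMO_SECRET))
```

The verifier pins the algorithm from its own configuration rather than honouring the token's header, compares signatures in constant time, and checks expiry; a backend that receives the gateway's JWT should do the same (with the gateway's public key when the token is signed asymmetrically) rather than merely Base64-decoding the claims.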

Page 25

API Lifecycles

Page 26

API Lifecycle Management

o  Create new APIs from existing versions

o  Deploy multiple versions in parallel

o  Deprecate versions to remove them from store

o  Retire them to un-deploy from gateway

o  Keeps audit of lifecycle changes

o  Supports custom lifecycles leveraging WSO2 Governance Registry
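The lifecycle bullets above describe a small state machine. As an added example (not WSO2 code, and not the Governance Registry lifecycle format), the following models the transitions listed: create a version from an existing one, publish several versions in parallel, deprecate to hide a version from the store while it stays deployed, retire to undeploy it from the gateway, and keep an audit record of every change. State names, the store/gateway bookkeeping and the audit record layout are assumptions.

```python
# Added example, not WSO2 code: a minimal API lifecycle state machine with the
# transitions the slide lists plus an audit trail. State names and the
# store/gateway bookkeeping are assumptions made for this example.

# Allowed transitions: state -> {action: next_state}
TRANSITIONS = {
    "CREATED": {"publish": "PUBLISHED"},
    "PUBLISHED": {"deprecate": "DEPRECATED"},
    "DEPRECATED": {"retire": "RETIRED"},
    "RETIRED": {},
}


class ApiLifecycle:
    def __init__(self):
        self.versions = {}    # (api name, version) -> lifecycle state
        self.store = set()    # versions listed in the developer portal
        self.gateway = set()  # versions deployed on the gateway
        self.audit = []       # every change, oldest first

    def create(self, name, version, from_version=None, actor="publisher"):
        """Create a new version, optionally copying an existing one."""
        key = (name, version)
        if key in self.versions:
            raise ValueError(f"{name} {version} already exists")
        if from_version is not None and (name, from_version) not in self.versions:
            raise KeyError(f"{name} {from_version} does not exist")
        self.versions[key] = "CREATED"
        self.audit.append({"actor": actor, "api": key, "from": None,
                           "to": "CREATED", "copied_from": from_version})

    def transition(self, name, version, action, actor="publisher"):
        """Apply a lifecycle action; raise ValueError if it is not allowed from the current state."""
        key = (name, version)
        current = self.versions[key]
        nxt = TRANSITIONS[current].get(action)
        if nxt is None:
            raise ValueError(f"'{action}' is not allowed from {current}")
        if nxt == "PUBLISHED":
            self.store.add(key)
            self.gateway.add(key)
        elif nxt == "DEPRECATED":
            self.store.discard(key)    # no longer discoverable; assumed still deployed
        elif nxt == "RETIRED":
            self.gateway.discard(key)  # undeployed: calls now fail at the gateway
        self.versions[key] = nxt
        self.audit.append({"actor": actor, "api": key, "from": current,
                           "to": nxt, "copied_from": None})
        return nxt


if __name__ == "__main__":
    lc = ApiLifecycle()
    lc.create("news", "1.0")
    lc.transition("news", "1.0", "publish")
    lc.create("news", "2.0", from_version="1.0")
    lc.transition("news", "2.0", "publish")
    lc.transition("news", "1.0", "deprecate")
    print(lc.versions, lc.store, lc.gateway, sep="\n")
```

The point of the explicit transition table is that there is no path from RETIRED back to PUBLISHED and no way to skip DEPRECATED; a retired version cannot silently reappear on the gateway, and the audit list records who moved each version and from which state.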

Page 27

Developer Portal

Page 28

Discover APIs

o  Users can search APIs by name, provider, version number, context, description, meta-data from docs, etc.

o  Tags to easily find all APIs related to the same domain

o  Notifications on new API versions

Page 29

Social Features

o  Share with fellow developers via social media or mail

o  Embed API link into blogs, Tweets, etc.

Page 30

Forums

o  Rich editor embedded within interface

o  Forums are searchable and indexed

Page 31

Customization

o  All API store functionality available through REST API

o  Customization through CSS, HTML5, JavaScript

Page 32

Monetization

o  Configurable payment schemes to monetize API usage

o  Monetization rules are associated to Tiers

o  Supports Free, Paid, Freemium models

o  Usually coupled with 3rd party invoice/payment plans software (such as Zuora)

Page 33

Testing APIs

Page 34

Embedded API Console

o  Part of Swagger tooling suite

o  Integrates token access for fast testing

o  Gives direct access to Swagger definition of API

o  Supports Swagger schemas for predefined values

Page 35

Testing via ReadyAPI’s SOAP UI

Page 36

API Gateway

Page 37

API Gateway Processing Workflow

Page 38

Message Transformation and Mediation

o  Custom mediation flows can be created by a developer and simply engaged by the API creator

o  Mediation flows can be created using Developer Studio and directly published to API Manager

o  Full power of WSO2 ESB mediation language

o  Graphical and Source view

o  Mediation flows are tenant-specific (not visible/usable across tenants)

Page 39

Workflows

o  Provides extension point to engage custom workflow

o  Default sample implementation leverages WSO2 Business Process Server, but a simple Java-based implementation or another BPM engine can also be used

o  Supports redirecting to third-party entities

o  Available for user self-sign up, API subscription and application creation

Page 40

Deployment

Page 41

Component Deployment

o  Out-of-the-box, all components are packaged together

o  They can also be deployed separately in an HA scenario - Active/Active, Active/Passive

Page 42

Component Deployment cont.

Page 43

Multi-tenancy

o  Creation of multiple domains (tenants)

o  Each domain can have its own store or publish APIs to a central store - This is transparent to consumers

o  Typical Use Cases

o  Segmenting publishers by business unit or partner and restricting editing rights by domain

o  Create an API marketplace - one-stop store for domain APIs

o  API Cloud heavily leverages this functionality

Page 44

Recommended Deployment: API Facade Pattern

o  API Gateway acts as simple reverse proxy, enforcing policies and collecting monitoring information

o  Specific security checks/protection at edge of the network

o  Invalid requests are stopped at the edge of the network

o  Clear separation of concern between layers

o  The mediation and API management layers scale independently

o  You can combine the Façade and Mediation layers (if required) and run as a single architecture layer

Page 45

WSO2 Platform Deployment Options

o  Stand-alone servers

o  Private clouds: e.g. Stratos, Kubernetes

o  Public clouds: e.g. AWS

o  Hybrid deployments

o  Dedicated hosting of any WSO2-based solutions

o  WSO2 operations team manages the deployment and keeps it running

o  99.99% uptime SLA

o  Any AWS region of choice

o  Can be VPNed to local network

o  Includes monitoring, backups, patching, updates

o  Shared public cloud

o  Currently available for application and API hosting (hosted API Manager and App Factory)

o  Preset multitenant deployment in AWS US East run by WSO2

o  Month-to-month credit card payment

Page 46

API Analytics

Page 47

Analytics

o  WSO2 API Manager out-of-the-box supports Google Analytics and WSO2 Analytics

Page 48

Importance of API Management & Analytics Combination

o  Build confidence in the API model

o  Understand your customer - Not just the developer but also the end-user of APIs

o  Helps manage services and versions - Understand when deprecated services can be retired

o  Be notified when abnormal events take place

o  Plan better

o  Monitor the growth of aggregated API traffic

o  Monitor the growth of specific apps

Page 49

WSO2 Analytics Platform

Page 50

WSO2 Analytics Platform cont.

o  Out-of-the-box reports covering all aspects of:

o  Subscriber behavior

o  API usage

o  Performance

o  Can publish your own events from any API and build your own dashboards

Page 51

Reports for API Creators & Publishers

o  Stats on APIs

o  Published APIs Over Time

o  API Usage

o  API Response Times

o  API Last Access Times

o  Usage by Resource Path

o  Usage by Destination

o  API Usage Comparison

o  API Throttled Requests

o  Faulty Invocations

o  API Latency

o  API Usage Across Geo Locations

o  API Usage Across User Agent

o  Stats on Applications

o  App Throttled Requests

o  Applications Created Over Time

o  Stats on Subscriptions

o  API Subscriptions

o  Developer Signups Over Time

o  Subscriptions Created Over Time

Page 52

Reports for API Creators & Publishers cont.

Page 53

Reports for API Subscribers

o  API Usage per Application

o  Top Users per Application

o  API Usage from Resource Path per Application

o  Faulty Invocation per Application

Page 54

Real-time API Behavior Analysis

o  Leverages real-time analytics streaming engine

o  Detects fraudulent token usage - Indication of lost tokens via alerts on abnormal token renewals and unseen source IP access (abrupt changes to geo-location)

o  Supports API product managers to provide better customer service

o  Alerts when API response time is outside normal parameters, indicating a potential SLA breach

o  Alerts when apps/users are throttled out for hitting the current subscription tier - potential opportunity to proactively propose a tier upgrade or to adjust SLAs

o  Detect when APIs are not used as expected

o  Identifies erratic behavior and supports capacity planning

o  Alerts on a sudden spike/drop in the request count in a given duration for an API resource - Possible indication of a system problem

o  Determines trends in increased response times - Indication of potential issues with APIs or backend system capacity
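The two token-abuse signals named above (abnormal token renewals and a token suddenly used from a source IP never seen for it) are simple to express as streaming rules. The following is an added example (not WSO2 Analytics code or its event format) that runs such rules over a constructed stream of gateway events and returns the alerts a SOC would want to see. The event tuple layout, the renewal window and limit, and the number of invocations needed before an IP baseline is trusted are all assumptions.

```python
# Added example, not WSO2 code: streaming detection of the token-abuse signals the
# slide lists, run over constructed gateway events. Event format, thresholds and
# baseline size are assumptions, not WSO2 Analytics configuration.
from collections import defaultdict, deque

# Constructed event stream: (timestamp seconds, event type, token id, source ip)
EVENTS = [
    (0,  "invoke", "tokA", "203.0.113.10"),
    (5,  "invoke", "tokA", "203.0.113.10"),
    (10, "invoke", "tokA", "203.0.113.10"),
    (20, "invoke", "tokA", "198.51.100.7"),   # known token, never-seen source IP
    (30, "renew",  "tokB", "203.0.113.20"),
    (31, "renew",  "tokB", "203.0.113.20"),
    (32, "renew",  "tokB", "203.0.113.20"),
    (33, "renew",  "tokB", "203.0.113.20"),   # four renewals inside 60 s
    (40, "invoke", "tokC", "192.0.2.5"),       # first sighting: no baseline yet
]


class TokenAnomalyDetector:
    def __init__(self, renew_window: int = 60, renew_limit: int = 3, min_history: int = 3):
        self.renew_window = renew_window  # seconds over which renewals are counted
        self.renew_limit = renew_limit    # renewals per window considered normal
        self.min_history = min_history    # invocations before the IP baseline is trusted
        self._ips = defaultdict(set)      # token -> source IPs seen so far
        self._seen = defaultdict(int)     # token -> invocation count
        self._renewals = defaultdict(deque)  # token -> renewal timestamps in window

    def process(self, ts: int, kind: str, token: str, ip: str) -> list:
        """Return the alerts raised by this single event (empty list if it looks normal)."""
        alerts = []
        if kind == "invoke":
            if self._seen[token] >= self.min_history and ip not in self._ips[token]:
                alerts.append(f"UNSEEN_SOURCE_IP token={token} ip={ip}")
            self._ips[token].add(ip)
            self._seen[token] += 1
        elif kind == "renew":
            window = self._renewals[token]
            window.append(ts)
            while window and ts - window[0] > self.renew_window:  # slide the window
                window.popleft()
            if len(window) > self.renew_limit:
                alerts.append(f"ABNORMAL_RENEWAL token={token} count={len(window)}")
        return alerts


def run(events, detector: TokenAnomalyDetector = None) -> list:
    """Feed the stream through the detector and collect all alerts in order."""
    detector = detector or TokenAnomalyDetector()
    alerts = []
    for event in events:
        alerts.extend(detector.process(*event))
    return alerts


if __name__ == "__main__":
    for line in run(EVENTS):
        print(line)
```

Both rules are stateful per token, which is what makes them a streaming problem rather than a report: the first rule needs a per-token IP baseline, the second a sliding window of renewal timestamps. A geo-location variant of the first rule replaces the IP set with the set of countries or ASNs resolved from those IPs, and a real deployment would also feed the alert back into throttling (for example, moving the token to a restricted tier) rather than only notifying.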

Page 55

Why Real-time Analytics for APIs?

o  Blacklist & whitelist verifications in real time

o  Detect trends

o  Detect incoherencies in trends

o  Detect API call sequences that you don't want to allow

o  Detect non-usage scenarios (raise alerts on poor usage of a certain API)

Page 56

Example – Real-time Fraud Detection

Page 57

Log Analysis

o  Log Analysis through reports on low-level system operations:

o  Log events - Overall statistics of the types of log events created in a given time period

o  Application errors - Breakdown of error log events based on exception category and error message

o  Artifact deployment stats - Number of artifacts deployed in a given duration

o  Login failures - Number of failed login attempts in a given duration

o  Number of API failures

o  Access token-related issues

o  Ability to view live log events on per-tenant basis

Page 58

CONTACT US!