API网关在微服务架构中的应用

1.

2.

3. S2 7 1 A 5 P I I 0

4. 演讲大纲

5. )( ( ( )

6.

7. ) B ( ( ( ( (

8.

9. ☺ " ☺ " ☺ " "

10.

11. A D )( A B D B D B D B + + + + api.yourcompany.com C + + + +

12. ü ü ü ü ü

13.

14.

15. - O . . - F API网关 - § § § IP IP AM O . - CK A

16. / https://api.your-company.com API网关 / § § Provider 2

17. J / CI H A2 /

18. KEY/SECRET 摘要签名鉴权 K N POST /users HTTP/1.1 Host: api.foo.com Content-Type: application/json { "userId“: 101, "userName": "Jack" } POST 2019-06-02T23:22:33Z AeWvOOgP7Gg7Ydd23 123432 F41CAA3A-A096-48CD-AD53-BA5430D30C94 1474274624962 /users POST /users HTTP/1.1 Host: api.foo.com Content-Type: application/json X-Ca-Key: 1234328892 Date: 2019-06-02T23:22:33Z X-Ca-Nonce: F41CAA3A-A096-48CD-AD53- BA5430D30C94 X-Ca-Timestamp:1474274624962 Content-MD5: AeWvOOgP7Gg7Ydd23 X-Ca-Signature-Headers: X-Ca-Key,X-Ca- Nonce,X-Ca-Timestamp X-Ca-Signature:2WvOOgP7Gg7Yd9879832dsdfsdf= API网关 { "userId“: 101, "userName": "Jack" } signature = HmacSHA256(stringToSign, secret) HmacSHA1 HmacSHA256 HmacMD5 SHA256withRSA … K

19. C ey1234abcdefegJIUzI1NiIsInR5cCI6Ikp1234 56.JzdWIiOiIxkwIiwibm1234563ODFtZSI6Ikp vaG4gR1234abcdedfgjoxNTE2XYUSDFGMDIyfQ. Abcdefgjijkl12345T4fwpMeJf36POk6yJV_adQ ssw5c API网关 GET /orders X-JWT-Token: ey1234abcdefegJIUzI1NiIsInR5cCI6Ikp1234 56.JzdWIiOiIxkwIiwibm1234563ODFtZSI6IkpvaG 4gR1234abcdedfgjoxNTE2XYUSDFGMDIyfQ.Abcdef gjijkl12345T4fwpMeJf36POk6yJV_adQssw5c GET /orders X-UserName: Jack X-UserId: 10001 A + + { "alg": "HS256", "typ": "JWT" } { "userId": "10001", "userName": "Jack", "userRole": "User", "iat": 1516239022 } E § B A + +

20. /+ { GET /orders/10002 X-JWT-Token: ey1234abcdefegJIUzI1NiIs InR5cCI6Ikp123456.JzdWIiO iIxkwIiwibm1234563ODFtZSI6I kpvaG4gR1234abcdedfgjoxNTE2 XYUSDFGMDIyfQ.Abcdefgjijk l12345T4fwpMeJf36POk6yJV _adQssw5c "alg": "HS256", "typ": "JWT" } { "userId": "10001", "userName": "Jack", "userRole": "User", "iat": 1516239022 } allowPolicies: - name: userId condition: "$userId = $JwtClaims.userId" API网关 + HTTP/1.1 403 Access Denied

21. 参数的校验与映射 GET /users/1002 HTTP/1.1 Host: api.foo.com "/users/{userId}": GET: x-aliyun-apigateway-mapping-mode: mapping x-aliyun-apigateway-backend: address: http://100.67.8.10:18088 method: POST path: getUserInfo parameters: - name: userId in: path name: integer required: true x-aliyun-apigateway-backend-location: formData - name: filter in: query required: false default: summary type: string x-aliyun-apigateway-backend-location: formData API网关 § § § POST /getUserInfo HTTP/1.1 userId=1002&filter=summary

22. 常量参数与系统参数 GET /users/1002 HTTP/1.1 Host: api.foo.com ... x-aliyun-apigateway-constant-parameters: - name: version location: formData value: 1.0 x-aliyun-apigateway-system-parameters: - systemName: CaClientIp location: header name: X-ClientIp API网关 § § POST /getUserInfo HTTP/1.1 X-ClientIp: 63.232.33.3 userId=1002&filter=summary&versi on=1.0

23. 处理CORS跨域资源访问 OPTIONS /cors HTTP/1.1 Origin: http://api.bob.com Access-Control-Request-Method: PUT Access-Control-Request-Headers: X-Custom-Header Host: api.alice.com Accept-Language: en-US Connection: keep-alive User-Agent: Mozilla/5.0... allowOrigins: api.bob.com allowMethods: GET,POST,PUT,PATCH allowHeaders: X-Custom-Header allowCredentials: true API网关 § § HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 01:15:39 GMT Server: Apache/2.0.61 (Unix) Access-Control-Allow-Origin: http://api.bob.com Access-Control-Allow-Methods: GET, POST, PUT, PATCH Access-Control-Allow-Headers: X-Custom-Header Content-Type: text/html; charset=utf-8 Content-Encoding: gzip Content-Length: 0 Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/plain

24. API缓存 varyByParameters: - userId varyByHeaders: - Accept - Accept-Language GET /users/1002 HTTP/1.1 Host: api.foo.com API网关 HTTP/1.1 200 Cache-Control: duration=900 § § { “name”: “Jack”, “age”: 24 ”role”: user }

25. 参数路由 VIP routes: - name: vipService backend: address: 172.16.0.11 condition: "$CaAppKey = ‘100666’” - name: experienceService backend: address: 172.16.0.15 condition: "$CaUserAgent = '2.0.0'" .. & 0 1 § § A2 & :=2 6 A 2

26. 蓝绿发布(灰度发布) routes: - name: blueGreen1 backend: address: 172.16.0.24 condition: "Random() < 0.05" 5 § § 5 % %

27. 流量复制 . replicates: - name: alphaTest backend: address: 172.16.0.17 condition: "Random() < 0.10" % § § 1A 0 .

28. 流量控制 § § § §

29. ( ( ) )

30. 断路器与服务降级 § § §

31. entry: if (not expired) { return CIRCUIT_BREAKER_OPEN } state = HALF_OPEN leave: entry: if (over max concurrent) { return BUSY; } leave: if (too many timeouts) { state = OPEN expired = now + OPEN_EXPIRES } entry: if (over half_open concurrent) { return CIRCUIT_BREAKER_OPEN } leave: if (success over threshold) { state = CLOSE } if (failed over threshold) { state = OPEN expired = now + HALF_OPEN_EXPIRES }

32. HTTP 404 X-Ca-Error-Message: Role Not Exist mapping HTTP 200 OK Content-Type:applica6on/json { "req_msg_id":"d02afa56394f458e1772", "result_code":"ROLE_NOT_EXISTS” }

33.

34. API元数据定义与管理 I O P / / > § § EA N

35.

36. 管理API的整个生命周期

37. R • • • • • • • • c T t b o A • • • • • • • W / D r S CP • • • • • • O Ma J k w • • • • • • K IH e t tg

38. 1

39. : A ., . // ., . ,

40. API市场

41. PK PK C7 I 6 9 8 23 1 5 A 1 4 1

42. API Gateway

43. 关注msup微信公众账号关注高可用架构公众账号获取更多技术实践干货改变互联网的构建方式