For example I have a post service. At UI I need to show post and userinfo (username and id for redirect to user page)
Options:
Should I store username and id in post service. (When every user register to system I will send subset detail to post service via RabbitMQ). (Total Request from UI= 1)
I will store only Id of user(AR). And at UI component fetch user with id(Total Request from UI=2)
Both of them are OK. The decision is based on how you map the concepts between different boundary contexts. The patterns are:
Anticorruption Layer
Shared Kernel
Open Host Service(option 2)
Separate Ways
Customer Supplier
Conformist
Partenership
Published Language
...
It is not only the personal preference, but also about the organization structure(The Conway's Law).
If both the two contexts(post and user) are controlled by your team, you could choose either of them. Considering the complexity of the option 1, I prefer option 2 since it's very straight. Start from the easier one then involve your architecture is always a good idea.
Related
In my microservices architecture, I have a bunch of services A, B, C, D etc.
For ex: Service A is responsible for managing students. Service B is responsible for managing assessments, the student take.
Service B stores the studentid in the tables for reference. However when I have to query for all the assessments taken in a given time period, Service B has to call Service A to get the student name. Because the client app wants the name. not the id.
I see a lot of network calls among services because of this. So I was thinking Service A could raise an event whenever a new student is registering. Service B will consume the event and stores student info in its db. (same for student name update as well).
Questions:
Is this a bad practice? What are the pros and cons of this approach?
Feel free to suggest any alternatives.
It is good to allow some data duplication across the services and you can do it many many different ways.
One option is to having Service A publishing an event when a new student is registered.
One alternative (That might be simpler) is that when you create a new assessment against Service B, then you provide the username as part of the CreateAssessment command. In this way you don't need to publish any events between the two services when a new user is created.
Publishing events and replicating data into each service's database is a totally reasonable approach to minimizing network calls. I think you might find my answer to a similar question helpful as well (option 1 is the same as what you described):
https://stackoverflow.com/a/57791951/1563240
I am investigating options to build a system to provide "Entity Access Control" across a microservices based architecture to restrict access to certain data based on the requesting user. A full Role Based Access Control (RBAC) system has already been implemented to restrict certain actions (based on API endpoints), however nothing has been implemented to restrict those actions against one data entity over another. Hence a desire for an Attribute Based Access Control (ABAC) system.
Given the requirements of the system to be fit-for-purpose and my own priorities to follow best practices for implementations of security logic to remain in a single location I devised to creation of an externalised "Entity Access Control" API.
The end result of my design was something similar to the following image I have seen floating around (I think from axiomatics.com)
The problem is that the whole thing falls over the moment you start talking about an API that responds with a list of results.
Eg. A /api/customers endpoint on a Customers API that takes in parameters such as a query filter, sort, order, and limit/offset values to facilitate pagination, and returns a list of customers to a front end. How do you then also provide ABAC on each of these entities in a microservices landscape?
Terrible solutions to the above problem tested so far:
Get the first page of results, send all of those to the EAC API, get the responses, drop the ones that are rejected from the response, get more customers from the DB, check those... and repeat until either you get a page of results or run out of customers in the DB. Tested that for 14,000 records (which is absolutely within reason in my situation) would take 30 seconds to get an API response for someone who had zero permission to view any customers.
On every request to the all customers endpoint, a request would be sent to the EAC API for every customer available to the original requesting user. Tested that for 14,000 records the response payload would be over half a megabyte for someone who had permission to view all customers. I could split it into multiple requests, but then you are just balancing payload size with request spam and the performance penalty doesn't go anywhere.
Give up on the ability to view multiple records in a list. This totally breaks the APIs use for customer needs.
Store all the data and logic required to perform the ABAC controls in each API. This is fraught with danger and basically guaranteed to fail in a way that is beyond my risk appetite considering the domain I am working within.
Note: I tested with 14,000 records just because its a benchmark of our current state of data. It is entirely feasible that a single API could serve 100,000 or 1m records, so anything that involves iterating over the whole data set or transferring the whole data set over the wire is entirely unsustainable.
So, here lies the question... How do you implement an externalised ABAC system in a microservices architecture (as per the diagram) whilst also being able to service requests that respond with multiple entities with a query filter, sort, order, and limit/offset values to facilitate pagination.
After dozens of hours of research, it was decided that this is an entirely unsolvable problem and is simply a side effect of microservices (and more importantly, segregated entity storage).
If you want the benefits of a maintainable (as in single piece of externalised infrastructure) entity level attribute access control system, a monolithic approach to entity storage is required. You cannot simultaneously reap the benefits of microservices.
I am learning to develop microservices using DDD, CQRS, and ES. It is HTTP RESTful service. The microservices is about online shop. There are several domains like products, orders, suppliers, customers, and so on. The domains built in separate services. How to do the validation if the command payload relates to other domains?
For example, here is the addOrderItemCommand payload in the order service (command-side).
{
"customerId": "CUST111",
"productId": "SKU222",
"orderId":"SO333"
}
How to validate the command above? How to know that the customer is really exists in database (query-side customer service) and still active? How to know that the product is exists in database and the status of the product is published? How to know whether the customer eligible to get the promo price from the related product?
Is it ok to call API directly (like point-to-point / ajax / request promise) to validate this payload in order command-side service? But I think, the performance will get worse if the API called directly just for validation. Because, we have developed an event processor outside the command-service that listen from the event and apply the event to the materalized view.
Thank you.
As there are more than one bounded contexts that need to be queried for the validation to pass you need to consider eventual consistency. That being said, there is always a chance that the process as a whole can be in an invalid state for a "small" amount of time. For example, the user could be deactivated after the command is accepted and before the order is shipped. An online shop is a complex system and exceptions could appear in any of its subsystems. However, being implemented as an event-driven system helps; every time the ordering process enters an invalid state you can take compensatory actions/commands. For example, if the user is deactivated in the meantime you can cancel all its standing orders, release the reserved products, announce the potential customers that have those products in the wishlist that they are not available and so on.
There are many kinds of validation in DDD but I follow the general rule that the validation should be done as early as possible but without compromising data consistency. So, in order to be early you could query the readmodel to reject the commands that couldn't possible be valid and in order for the system to be consistent you need to make another check just before the order is shipped.
Now let's talk about your specific questions:
How to know that the customer is really exists in database (query-side customer service) and still active?
You can query the readmodel to verify that the user exists and it is still active. You should do this as a command that comes from an invalid user is a strong indication of some kind of attack and you don't want those kind of commands passing through your system. However, even if a command passes this check, it does not necessarily mean that the order will be shipped as other exceptions could be raised in between.
How to know that the product is exists in database and the status of the product is published?
Again, you can query the readmodel in order to notify the user that the product is not available at the moment. Or, depending on your business, you could allow the command to pass if you know that those products will be available in less than 24 hours based on some previous statistics (for example you know that TV sets arrive daily in your stock). Or you could let the customer choose whether it waits or not. In this case, if the products are not in stock at the final phase of the ordering (the shipping) you notify the customer that the products are not in stock anymore.
How to know whether the customer eligible to get the promo price from the related product?
You will probably have to query another bounded context like Promotions BC to check this. This depends on how promotions are validated/used.
Is it ok to call API directly (like point-to-point / ajax / request promise) to validate this payload in order command-side service? But I think, the performance will get worse if the API called directly just for validation.
This depends on how resilient you want your system to be and how fast you want to reject invalid commands.
Synchronous call are simpler to implement but they lead to a less resilient system (you should be aware of cascade failures and use technics like circuit breaker to stop them).
Asynchronous (i.e. using events) calls are harder to implement but make you system more resilient. In order to have async calls, the ordering system can subscribe to other systems for events and maintain a private state that can be queried for validation purposes as the commands arrive. In this way, the ordering system continues to work even of the link to inventory or customer management systems are down.
In any case, it really depends on your business and none of us can tell you exaclty what to do.
As always everything depends on the specifics of the domain but as a general principle cross domain validation should be done via the read model.
In this case, I would maintain a read model within each microservice for use in validation. Of course, that brings with it the question of eventual consistency.
How you handle that should come from your understanding of the domain. Factors such as the length of the eventual consistency compared to the frequency of updates should be considered. The cost of getting it wrong for the business compared to the cost of development to minimise the problem. In many cases, just recording the fact there has been a problem is more than adequate for the business.
I have a blog post dedicated to validation which you can find here: How To Validate Commands in a CQRS Application
This is more of an architectural question. Let's assume we have different types of users logging into a system, and we have a 'customer' entity. Depending on the permissions of the user, I may want to return different sub-sets of 'customer' properties. I also might want to allow edits to only certain properties.
Any suggestions on what path to go down? Here are the options I've thought of thusfar:
For each permission level, extend the model - and return the furthest descendant based upon the user permissions. On the input side, accept the furthest descendant and only cast it to the correct descendant. (Seems like a lot of implicit logic - doesn't seem very elegant)
Create different methods (cluttered API, implies more functionality than I might want to expose)
Any other suggestions?
Thanks
What you're describing is a clear-cut use case for XACML. XACML is the eXtensible Access Control Markup Language. It lets you define fine-grained access control using attributes (about the user, the resource, the environment...).
It's policy-based which means you can write things like:
users can view customer records that are in the same region as the user
users can edit customer records they are directly assigned to
auditors can view customer records for the entire business unit except for sensitive fields
There are several XACML engines out there (WSO2, Heras AF for Java; Axiomatics for .NET).
I've developed quite a few ASP .NET web apps in the .NET 4.0 framework and managed to apply authorization at the presentation tier, the WCF tier, and the data tier. Feel free to ping me for additional information.
I'm thinking how and when a DCI context can be used in a Web application. I'm considering this high-level use case:
User enters city, arrival, departure, room type and clicks "Search".
System displays a list of hotels
User clicks on a Hotel logo to read its details
System displays hotel details
User clicks "Book now"
System displays payment form
User enter customer details, billing information and clicks "Submit".
System validates billing information and displays a booking confirmation.
This is very high-level and surely needs to be broken down. The first steps (1-2, 3-4, 5-6) feels like simple resource requests that could be handled with some search- and REST-architecture. So my first question is, is there a need for a DCI-context in those cases, isn't plain MVC enough? Of course a "Hotel" data entity could play a role, but would you consider it feasible, especially if it's the only actor?
The last step is where I see that DCI could be very useful, for now there is work to do in a procedural fashion. (Creating a Customer, adding a Booking to the Hotel, sending confirmation mail...)
What are your thoughts on this? Am I on the right track?
I think I would say that a context starts at step 2.
You have a list of offers that plays a part. Currently those offers are hotel offers but what's a hotel offer? they might be different things. Some might be from brokers and some might be directly from hotels those are two different types of entities but they play the same part in this context, you might have many more types some which might be contexts the self. E.g. flight and hotel combined to an offer, where in that context a hotel/broker offer and a cheap flight offer plays each a role but the the listed use case you shouldn't have to worry about this but simply make it possible for the domain to evolve independently of the use case and though the use case is book cheap hotel I'd say that the form which we are trying to capture can be expressed better (though not exact) with "find best offer"
Then when picking a specific offer I'd agree that you start a new context