Gateway cache in APIM all in one active/active deployment without clustering

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Gateway cache in APIM all in one active/active deployment without clustering

Susankha Nirmala
Hi All,

When we using APIM all in one active/active deployment pattern, by default gateway caching enabled and clustering disable according to the document [1], Due to that
distributed caching is not use with this deployment pattern. With this deployment pattern, If we revoke a token, it will not update in both APIM nodes and in one APIM node same token will be available as a valid token. Due to that can we recommend this deployment architecture pattern in production environments?
 

Thanks,
/Susankha.



--
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : +94 77 593 2146

_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Reply | Threaded
Open this post in threaded view
|

Re: Gateway cache in APIM all in one active/active deployment without clustering

lakmal Warusawithana
Hi Susanka,

On Fri, Dec 15, 2017 at 9:18 AM, Susankha Nirmala <[hidden email]> wrote:
Hi All,

When we using APIM all in one active/active deployment pattern, by default gateway caching enabled and clustering disable according to the document [1], Due to that
distributed caching is not use with this deployment pattern. With this deployment pattern, If we revoke a token, it will not update in both APIM nodes and in one APIM node same token will be available as a valid token. Due to that can we recommend this deployment architecture pattern in production environments?

Its depends on customers requirement. Many cases, token revocation does not need to revoke immediately (realtime). It will automatically revoke when cache is expires. (eg 15 min)
 
 

Thanks,
/Susankha.



--
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : <a href="tel:+94%2077%20593%202146" value="+94775932146" target="_blank">+94 77 593 2146



--
Lakmal Warusawithana
Senior Director - Cloud Architecture; WSO2 Inc.
Mobile : +94714289692



_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Reply | Threaded
Open this post in threaded view
|

Re: Gateway cache in APIM all in one active/active deployment without clustering

Pubudu Gunatilaka-2
Hi Susankha,

We have a guide which explains when to use hazelcast clustering in [1].

If you don't have clustering enabled, the following are expected.

1. Immediate revocation of tokens among the gateways
2. Backend service throttling - The endpoint throttling limits and the spike arrest throttling limits will not be shared

The customer can decide based on their use case.


Thank you!

On Fri, Dec 15, 2017 at 3:04 PM, Lakmal Warusawithana <[hidden email]> wrote:
Hi Susanka,

On Fri, Dec 15, 2017 at 9:18 AM, Susankha Nirmala <[hidden email]> wrote:
Hi All,

When we using APIM all in one active/active deployment pattern, by default gateway caching enabled and clustering disable according to the document [1], Due to that
distributed caching is not use with this deployment pattern. With this deployment pattern, If we revoke a token, it will not update in both APIM nodes and in one APIM node same token will be available as a valid token. Due to that can we recommend this deployment architecture pattern in production environments?

Its depends on customers requirement. Many cases, token revocation does not need to revoke immediately (realtime). It will automatically revoke when cache is expires. (eg 15 min)
 
 

Thanks,
/Susankha.



--
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : <a href="tel:+94%2077%20593%202146" value="+94775932146" target="_blank">+94 77 593 2146



--
Lakmal Warusawithana
Senior Director - Cloud Architecture; WSO2 Inc.
Mobile : <a href="tel:+94%2071%20428%209692" value="+94714289692" target="_blank">+94714289692



_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture




--
Pubudu Gunatilaka
Committer and PMC Member - Apache Stratos
Senior Software Engineer 
WSO2, Inc.: http://wso2.com
mobile : <a href="tel:%2B94772207163" value="+94772207163" style="font-size:x-small;color:rgb(17,85,204)" target="_blank">+94774078049


_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Reply | Threaded
Open this post in threaded view
|

Re: Gateway cache in APIM all in one active/active deployment without clustering

Susankha Nirmala


On Fri, Dec 15, 2017 at 3:14 PM, Pubudu Gunatilaka <[hidden email]> wrote:
Hi Susankha,

We have a guide which explains when to use hazelcast clustering in [1].

If you don't have clustering enabled, the following are expected.

1. Immediate revocation of tokens among the gateways

How this happen when clustering disable?
 
2. Backend service throttling - The endpoint throttling limits and the spike arrest throttling limits will not be shared

The customer can decide based on their use case.


Thank you!

On Fri, Dec 15, 2017 at 3:04 PM, Lakmal Warusawithana <[hidden email]> wrote:
Hi Susanka,

On Fri, Dec 15, 2017 at 9:18 AM, Susankha Nirmala <[hidden email]> wrote:
Hi All,

When we using APIM all in one active/active deployment pattern, by default gateway caching enabled and clustering disable according to the document [1], Due to that
distributed caching is not use with this deployment pattern. With this deployment pattern, If we revoke a token, it will not update in both APIM nodes and in one APIM node same token will be available as a valid token. Due to that can we recommend this deployment architecture pattern in production environments?

Its depends on customers requirement. Many cases, token revocation does not need to revoke immediately (realtime). It will automatically revoke when cache is expires. (eg 15 min)
 
 

Thanks,
/Susankha.



--
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : <a href="tel:+94%2077%20593%202146" value="+94775932146" target="_blank">+94 77 593 2146



--
Lakmal Warusawithana
Senior Director - Cloud Architecture; WSO2 Inc.
Mobile : <a href="tel:+94%2071%20428%209692" value="+94714289692" target="_blank">+94714289692



_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture




--
Pubudu Gunatilaka
Committer and PMC Member - Apache Stratos
Senior Software Engineer 
WSO2, Inc.: http://wso2.com
mobile : <a href="tel:%2B94772207163" value="+94772207163" style="font-size:x-small;color:rgb(17,85,204)" target="_blank">+94774078049




--
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : +94 77 593 2146

_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Reply | Threaded
Open this post in threaded view
|

Re: Gateway cache in APIM all in one active/active deployment without clustering

Susankha Nirmala
In reply to this post by lakmal Warusawithana


On Fri, Dec 15, 2017 at 3:04 PM, Lakmal Warusawithana <[hidden email]> wrote:
Hi Susanka,

On Fri, Dec 15, 2017 at 9:18 AM, Susankha Nirmala <[hidden email]> wrote:
Hi All,

When we using APIM all in one active/active deployment pattern, by default gateway caching enabled and clustering disable according to the document [1], Due to that
distributed caching is not use with this deployment pattern. With this deployment pattern, If we revoke a token, it will not update in both APIM nodes and in one APIM node same token will be available as a valid token. Due to that can we recommend this deployment architecture pattern in production environments?

Its depends on customers requirement. Many cases, token revocation does not need to revoke immediately (realtime). It will automatically revoke when cache is expires. (eg 15 min)

With the default cache expiry time (15 minue) also we can access the API using revoked token until cache expire in other node.AFAIU onece we revoke a token, that token should be invalidate from the cache in all nodes.
 
 
 

Thanks,
/Susankha.



--
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : <a href="tel:+94%2077%20593%202146" value="+94775932146" target="_blank">+94 77 593 2146



--
Lakmal Warusawithana
Senior Director - Cloud Architecture; WSO2 Inc.
Mobile : <a href="tel:+94%2071%20428%209692" value="+94714289692" target="_blank">+94714289692





--
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : +94 77 593 2146

_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Reply | Threaded
Open this post in threaded view
|

Re: Gateway cache in APIM all in one active/active deployment without clustering

lakmal Warusawithana


On Fri, Dec 15, 2017 at 10:05 AM, Susankha Nirmala <[hidden email]> wrote:


On Fri, Dec 15, 2017 at 3:04 PM, Lakmal Warusawithana <[hidden email]> wrote:
Hi Susanka,

On Fri, Dec 15, 2017 at 9:18 AM, Susankha Nirmala <[hidden email]> wrote:
Hi All,

When we using APIM all in one active/active deployment pattern, by default gateway caching enabled and clustering disable according to the document [1], Due to that
distributed caching is not use with this deployment pattern. With this deployment pattern, If we revoke a token, it will not update in both APIM nodes and in one APIM node same token will be available as a valid token. Due to that can we recommend this deployment architecture pattern in production environments?

Its depends on customers requirement. Many cases, token revocation does not need to revoke immediately (realtime). It will automatically revoke when cache is expires. (eg 15 min)

With the default cache expiry time (15 minue) also we can access the API using revoked token until cache expire in other node.AFAIU onece we revoke a token, that token should be invalidate from the cache in all nodes.
 

Thats why I said it depends on customer requirement :) . With our experience very few customers wanted these kind of behavior. They have to use clustering to achieve this. Majority is OK with expiring after 15 min. 

 
 
 

Thanks,
/Susankha.



--
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : <a href="tel:+94%2077%20593%202146" value="+94775932146" target="_blank">+94 77 593 2146



--
Lakmal Warusawithana
Senior Director - Cloud Architecture; WSO2 Inc.
Mobile : <a href="tel:+94%2071%20428%209692" value="+94714289692" target="_blank">+94714289692





--
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : <a href="tel:+94%2077%20593%202146" value="+94775932146" target="_blank">+94 77 593 2146



--
Lakmal Warusawithana
Senior Director - Cloud Architecture; WSO2 Inc.
Mobile : +94714289692



_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Reply | Threaded
Open this post in threaded view
|

Re: Gateway cache in APIM all in one active/active deployment without clustering

Pubudu Gunatilaka-2
In reply to this post by Susankha Nirmala
Hi Susankha,

On Fri, Dec 15, 2017 at 3:26 PM, Susankha Nirmala <[hidden email]> wrote:


On Fri, Dec 15, 2017 at 3:14 PM, Pubudu Gunatilaka <[hidden email]> wrote:
Hi Susankha,

We have a guide which explains when to use hazelcast clustering in [1].

If you don't have clustering enabled, the following are expected.

1. Immediate revocation of tokens among the gateways

How this happen when clustering disable?
 

Sorry about the wording. I meant those will not work without clustering. Let me rephrase this again. 

1. Token revoke -  You need to have clustering enabled. Otherwise, from the other node gateway node you can access the API until cache timeout happens.
2. Backend service throttling - As we are not sharing throttling limits within the gateway nodes, backend service throttling will not work. 

Thank you!
--
Pubudu Gunatilaka
Committer and PMC Member - Apache Stratos
Senior Software Engineer 
WSO2, Inc.: http://wso2.com
mobile : <a href="tel:%2B94772207163" value="+94772207163" style="font-size:x-small;color:rgb(17,85,204)" target="_blank">+94774078049


_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Reply | Threaded
Open this post in threaded view
|

Re: Gateway cache in APIM all in one active/active deployment without clustering

Susankha Nirmala


On Fri, Dec 15, 2017 at 3:56 PM, Pubudu Gunatilaka <[hidden email]> wrote:
Hi Susankha,

On Fri, Dec 15, 2017 at 3:26 PM, Susankha Nirmala <[hidden email]> wrote:


On Fri, Dec 15, 2017 at 3:14 PM, Pubudu Gunatilaka <[hidden email]> wrote:
Hi Susankha,

We have a guide which explains when to use hazelcast clustering in [1].

If you don't have clustering enabled, the following are expected.

1. Immediate revocation of tokens among the gateways

How this happen when clustering disable?
 

Sorry about the wording. I meant those will not work without clustering. Let me rephrase this again. 

1. Token revoke -  You need to have clustering enabled. Otherwise, from the other node gateway node you can access the API until cache timeout happens.

Yes, this is a known behavior and for that reason I have initiated this mail thread.
 
2. Backend service throttling - As we are not sharing throttling limits within the gateway nodes, backend service throttling will not work. 

Thank you!
--
Pubudu Gunatilaka
Committer and PMC Member - Apache Stratos
Senior Software Engineer 
WSO2, Inc.: http://wso2.com
mobile : <a href="tel:%2B94772207163" value="+94772207163" style="font-size:x-small;color:rgb(17,85,204)" target="_blank">+94774078049




--
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : +94 77 593 2146

_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Reply | Threaded
Open this post in threaded view
|

Re: Gateway cache in APIM all in one active/active deployment without clustering

Sanjeewa Malalgoda
Yes we have to handle this case by case. If reaction time is important we have to bear the cost of having smaller cache duration.
If performance is important we have to bear large reaction time. 

Thanks.
sanjeewa.

On Fri, Dec 15, 2017 at 4:33 PM, Susankha Nirmala <[hidden email]> wrote:


On Fri, Dec 15, 2017 at 3:56 PM, Pubudu Gunatilaka <[hidden email]> wrote:
Hi Susankha,

On Fri, Dec 15, 2017 at 3:26 PM, Susankha Nirmala <[hidden email]> wrote:


On Fri, Dec 15, 2017 at 3:14 PM, Pubudu Gunatilaka <[hidden email]> wrote:
Hi Susankha,

We have a guide which explains when to use hazelcast clustering in [1].

If you don't have clustering enabled, the following are expected.

1. Immediate revocation of tokens among the gateways

How this happen when clustering disable?
 

Sorry about the wording. I meant those will not work without clustering. Let me rephrase this again. 

1. Token revoke -  You need to have clustering enabled. Otherwise, from the other node gateway node you can access the API until cache timeout happens.

Yes, this is a known behavior and for that reason I have initiated this mail thread.
 
2. Backend service throttling - As we are not sharing throttling limits within the gateway nodes, backend service throttling will not work. 

Thank you!
--
Pubudu Gunatilaka
Committer and PMC Member - Apache Stratos
Senior Software Engineer 
WSO2, Inc.: http://wso2.com
mobile : <a href="tel:%2B94772207163" value="+94772207163" style="font-size:x-small;color:rgb(17,85,204)" target="_blank">+94774078049




--
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : <a href="tel:077%20593%202146" value="+94775932146" target="_blank">+94 77 593 2146

_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture




--

Sanjeewa Malalgoda
WSO2 Inc.
Mobile : +94713068779

blog :http://sanjeewamalalgoda.blogspot.com/



_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture