On Tue, Sep 27, 2016 at 12:08 PM, Sanjeewa Malalgoda <[email protected]> wrote:
> Hi,
>
> Before we take any decision about moving to a pub/sub approach, we
> need to consider some of the facts.
>
> As of now, token revoke responses carry the revoked token as a transport
> header, and at the gateway the cache clear handler will remove the revoked
> token from the cache. Then it will replicate to other nodes through
> clustering.
>
> If we are planning to have a pub/sub solution, then either the oauth2
> implementation or the cache clear handler at the gateway should push this
> event to a topic.
> In both cases we need to maintain a message broker in the gateway or key
> manager while all gateway workers subscribe to the topic available there.
> Then we need to think about how high availability works for this
> broker (since we have multiple gateways and key managers in most of the
> deployments). IMHO it will add more complexity to deployment.
>
> My main point is, even if we use pub/sub, in order to achieve HA we need
> multiple broker instances. Then those need to sync up with each other and
> we need some sort of group communication for that (again clustering comes
> into the picture).
>
> Maybe we can evaluate some solution like kafka for this. We are
> evaluating it for the traffic manager update retrieving process (through
> the kafka event publisher in CEP and an extension to subscribe to topics to
> fetch updates).
> It will not be first class support, but through extensions we may be able
> to do that. Even with that we need to maintain a zoo-keeper cluster when we
> have multiple brokers (again this makes deployment a bit complicated).
>

What if we add this as a deployment option? We can ship it as a component
that is switched on with configs.

>
> If need be, we can wait 15 minutes for the cache timeout rather than adding
> this kind of feature if users do not like to use gateway clustering.
>
> And clustering is required to replicate the validation information cache
> across gateway nodes. Otherwise, when the LB is not routing requests without
> session awareness, gateways may do the same key validation call again and
> again.
> In this case usually cluster communication is cheaper than another key
> validation call. So if we remove clustering completely then we need to
> think about this as well.
>

I think the best here is switching on IP hashing at the LB. Cos think of a
case where we have to support a large TPS. Having this would be so easy.
For large TPS (say .. XXXXX TPS range) they wouldn't even mind having
their own broker in HA.

thanks,
Dimuthu

>
> Thanks,
> sanjeewa.
>
> On Tue, Sep 27, 2016 at 11:31 AM, Dimuthu Leelarathne <[email protected]>
> wrote:
>
>> Hi,
>>
>> If we publish OAuth key revocation to a topic (we can do so by
>> writing an extension to WSO2IS), we can remove clustering in the APIM
>> gateway. Are there better ways of achieving the same? Can we prioritise
>> this for the next APIM release?
>>
>> thanks,
>> Dimuthu
>>
>> --
>> Dimuthu Leelarathne
>> Director, Solutions Architecture
>>
>> WSO2, Inc. (http://wso2.com)
>> email: [email protected]
>> Mobile: +94773661935
>> Blog: http://muthulee.blogspot.com
>>
>> Lean . Enterprise . Middleware
>
> --
>
> *Sanjeewa Malalgoda*
> WSO2 Inc.
> Mobile : +94713068779
>
> blog: http://sanjeewamalalgoda.blogspot.com/

--
Dimuthu Leelarathne
Director, Solutions Architecture

WSO2, Inc. (http://wso2.com)
email: [email protected]
Mobile: +94773661935
Blog: http://muthulee.blogspot.com

Lean . Enterprise . Middleware
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
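An added illustration of the trade-off discussed in this thread, not code from WSO2 or from either poster: a gateway that evicts its validation cache on a revocation event, next to one that has neither clustering nor a subscription and relies on the 15-minute cache timeout. All class and function names are hypothetical, the topic is an in-process stand-in for a broker, and the clock is simulated.

```python
CACHE_TTL = 15 * 60  # seconds: the 15-minute gateway cache timeout from the thread

class RevocationTopic:
    """In-process stand-in for a broker topic (assumption, not a WSO2 API)."""
    def __init__(self):
        self.subscribers = []
    def publish(self, token):
        for callback in self.subscribers:
            callback(token)

class KeyManager:
    """Source of truth for token state; publishes every revocation."""
    def __init__(self, topic):
        self.active, self.topic, self.validation_calls = set(), topic, 0
    def validate(self, token):
        self.validation_calls += 1  # a remote round trip in a real deployment
        return token in self.active
    def revoke(self, token):
        self.active.discard(token)
        self.topic.publish(token)

class Gateway:
    """Caches validation results; evicts on revocation events if subscribed."""
    def __init__(self, km, clock, topic=None):
        self.km, self.clock, self.cache = km, clock, {}  # token -> (valid, expiry)
        if topic is not None:
            topic.subscribers.append(self.evict)
    def evict(self, token):
        self.cache.pop(token, None)
    def is_valid(self, token):
        entry = self.cache.get(token)
        if entry and entry[1] > self.clock():
            return entry[0]  # served from cache, no key manager call
        valid = self.km.validate(token)
        self.cache[token] = (valid, self.clock() + CACHE_TTL)
        return valid

def simulate():
    now = [0]  # simulated clock in seconds, so the run is instant
    km = KeyManager(RevocationTopic())
    km.active.add("tok-1")  # constructed sample token
    subscribed = Gateway(km, lambda: now[0], km.topic)
    isolated = Gateway(km, lambda: now[0])  # no clustering, no subscription
    out = {"before": (subscribed.is_valid("tok-1"), isolated.is_valid("tok-1"))}
    km.revoke("tok-1")
    now[0] = 60
    out["1min"] = (subscribed.is_valid("tok-1"), isolated.is_valid("tok-1"))
    now[0] = CACHE_TTL + 1
    out["after_ttl"] = (subscribed.is_valid("tok-1"), isolated.is_valid("tok-1"))
    return out, km.validation_calls
```

One minute after revocation the isolated gateway still accepts the token from its cache; it only rejects it once the cache entry expires.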
