简体繁体 English

微服务通信

[英]Microservices communication

原文 2015-04-14 19:45:33 7 2 java/ node.js/ apache-zookeeper/ microservices

I'm actually studying microservices and I'm facing a problem. 我正在研究微服务，我正面临着一个问题。

Context 上下文

I m developing two microservices : 我正在开发两个微服务：

User management, Spring Based, with MySQL database 用户管理，基于Spring，带有MySQL数据库
Planning management, ASP.NET based with SQL Server database. 规划管理，基于ASP.NET的SQL Server数据库。 The only access point of this service is an API listing some RESTFUL endpoints like /planning/{day}/{userId} or /planning/{startDate}/{endDate}/{idUser} 此服务的唯一访问点是列出一些RESTFUL端点的API，例如/planning/{day}/{userId} or /planning/{startDate}/{endDate}/{idUser}
Billing management, Node.Js based with MongoDB. 计费管理，Node.Js基于MongoDB。

Problems 问题

What can I do to only permit accessing the planning information through the user service without couple the two services ? 如果只允许通过用户服务访问规划信息而不同时使用这两种服务，我该怎么做？ Knowing that the planning service could be accessed later from somewhere else, but not now. 知道以后可以从其他地方访问计划服务，但现在不能。
How can I do to access billing information from billing service corresponding to a user from the MySQL database? 如何从MySQL数据库中访问与用户对应的计费服务的计费信息？ I know that microservices are not coupled, and this point is killing me, cause it has to be coupled in a way no? 我知道微服务没有耦合，这一点是杀了我，因为它必须以某种方式耦合？ Like referencing idUser in a billing? 就像在计费中引用idUser一样？ Else, how can I know which billing from my API should I expose? 另外，我怎么知道我应该从我的API中公开哪个账单？ More precisely, how do microservices communicate between them, without to be coupled? 更确切地说，微服务如何在它们之间进行通信而不进行耦合？
How to create authentication without duplicating authentication requests to the authentication service, from other services? 如何创建身份验证而不从其他服务复制身份验证服务的身份验证请求？

2 个解决方案

The important thing to recognize here is that, when it comes to implementing user authentication, user authorization, and user session management solutions, there aren't significant conceptual differences between the solutions for micro-service architecture and any other form of distributed systems architecture. 这里要认识到的重要一点是，在实现用户身份验证，用户授权和用户会话管理解决方案时，微服务架构解决方案与任何其他形式的分布式系统架构之间没有明显的概念差异。

Conceptually, the solution will be an implementation of the Kerberos protocol , with the notion of a "ticket" (or "token" as it is more commonly called today) being passed around to establish the identity of users. 从概念上讲，该解决方案将是Kerberos协议的实现，其中传递“票证”（或称为“令牌”，因为它更常见于今天）的概念被传递以建立用户的身份。

So in your case, your user management service will serve as your backend authentication and authorization server, that all other services need to be aware. 因此，在您的情况下，您的用户管理服务将充当您的后端身份验证和授权服务器，所有其他服务都需要注意。 Your user management service will be responsible for issuing and verifying user tokens to establish your users' identity and roles. 您的用户管理服务将负责颁发和验证用户令牌，以确定用户的身份和角色。

What can I do to only permit accessing the planning information through the user service without couple the two services? 如果只允许通过用户服务访问规划信息而不同时使用这两种服务，我该怎么做？

When a user tries to access your .Net service, your service will have to rely on your user management service to establish the user's identity. 当用户尝试访问.Net服务时，您的服务必须依赖您的用户管理服务来建立用户的身份。 In other words, your .Net service will need to know where your user management service is (ie its URL). 换句话说，您的.Net服务需要知道您的用户管理服务在哪里（即其URL）。 You can utilize tools like etcd or nats to propagate the location of your user management service to the rest of your ecosystem, without coupling your microservices to it. 您可以使用一样的工具ETCD或NATS到您的用户管理服务的位置传播到您的生态系统的其余部分，没有你的微服务连接到它。

How can I do to access billing informations from billing service corresponding to a user from the Mysql database? 如何从Mysql数据库中访问与用户对应的计费服务的计费信息？

The simplest solution is to pass in the (single?) key (say user ID) as a query parameter in the URL of the billing service. 最简单的解决方案是将（单个？）密钥（例如用户ID）作为查询服务的URL中的查询参数传递。 Of course, your billing service has to be implemented in such a way to expect the key being appended to the URL. 当然，您的结算服务必须以这样的方式实现，以期将密钥附加到URL。 If you have additional keys that need to be included (say for example, billing dates, order status etc.), maybe you can utilized something like either memcached or redis to store those information at runtime. 如果您需要包含其他密钥（例如，计费日期，订单状态等），您可以使用memcached或redis之类的东西在运行时存储这些信息。 Of course, now you have to consider the trade-offs of adding these single-point-of-failure to your ecosystem :-) 当然，现在您必须考虑将这些单点故障添加到您的生态系统中的权衡:-)

How to create authentication without duplicating authentication requests to the authentication service, from other services? 如何创建身份验证而不从其他服务复制身份验证服务的身份验证请求？

Again, once the user is authenticated, all its identity information can be stored in something like either memcached or redis to avoid repeating the authentication and authorization process. 同样，一旦用户通过身份验证，其所有身份信息都可以存储在memcached或redis之类的内容中，以避免重复身份验证和授权过程。

An alternate approach could be building another microservice that protects access to other services with authentication/authorization. 另一种方法是构建另一个微服务，通过身份验证/授权保护对其他服务的访问。 This relates to the API Gateway pattern, additional info here: http://microservices.io/patterns/apigateway.html . 这与API网关模式有关，此处还有其他信息： http ： //microservices.io/patterns/apigateway.html 。 Basically you'd have a single entry point to your system, and you could use oauth or json web tokens to handle client auth. 基本上，您的系统只有一个入口点，您可以使用oauth或json Web令牌来处理客户端身份验证。

Secure access between microservices could also be achieved using something like additional headers and token on http request (kind of "internal" auth). 微服务之间的安全访问也可以使用诸如http请求上的附加头和令牌之类的东西（一种“内部”auth）来实现。

In my view, microservices shouldn't have this responsibility because you'd probably have to share/duplicate auth logic across your app. 在我看来，微服务不应该承担这个责任，因为你可能不得不在你的应用程序中共享/复制auth逻辑。

On another note, sharing IDs as "foreign key" is a good approach to decouple your related data. 另一方面，将ID作为“外键”共享是解耦相关数据的好方法。