Alibaba Pictures' "Yunzhi Open Platform": technical highlights

Author | Alibaba Entertainment Technology

Editor | Hu Weiwei

Produced by | CSDN (ID: CSDNnews)

Foreword

Yunzhi is Alibaba Pictures' open platform for digital cinema management; it is responsible for cinema management and the sale of movie tickets.

Taking the Yunzhi Open Platform as its example, this article reveals the technical internals of a B-side open system in the film industry: its high-performance API gateway, its highly reliable messaging service, and its high-security data services.

Yunzhi Open Platform ecosystem

Figure: Open platform architecture overview

1. Open platform technology overview

The open platform consists of general ISV (independent software vendor) callers, the IMIS portal, the gateway, and the business systems. Business systems expose their services to ISV callers through the gateway; the gateway invokes the business systems through generic calls; and IMIS provides integrated management of the API life cycle.

2. Open platform deployment architecture diagram

Figure: Deployment architecture diagram

The deployment architecture includes the gateway cluster, the IMIS platform cluster, and the various Yunzhi business clusters. For the open platform the core concern is the gateway and IMIS clusters; for high performance, the gateway introduces a distributed cache that stores Yunzhi's data.

How to build a high-performance API gateway

1. Overall technical architecture of the gateway

Figure: API gateway technical architecture

The five-layer architecture diagram reflects the gateway's application-layer functions; each layer solves one core problem:

1) Protocol layer: solves how a client or caller connects to the gateway. Its main job is to listen according to some protocol, define the data format, and finally convert the request into the gateway's internal private protocol;

2) Control layer: once a request arrives, the gateway authenticates whether the request is legitimate; the result of this authentication is that every request that proceeds is a secure request;

3) Scheduling layer: exception handling, flow control and routing; this is where the "how do we handle it" decisions are made;

4) Service scheduling: the mapping and scheduling between APIs and servers; complex scenarios are handled in this layer;

5) Call execution: the request ultimately becomes a call to an external service; how that call is made is implemented in this layer.

2. Gateway cache mode

1) Gateway cache mode:

Figure: Gateway cache schematic

2) Process description:

a) The gateway tiers its cache storage so that data is reached as fast as possible; the lookup order is local cache -> distributed cache -> database;

b) To keep the data consistent: what is cached is metadata, which by nature changes rarely and has low freshness requirements. The gateway therefore actively invalidates the distributed cache and lets the local cache expire passively, which keeps the code simple.
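The lookup order and the asymmetric invalidation policy described above, as an added example (this is not Yunzhi's code; the dicts standing in for the database and the distributed cache, the key names and the TTL are constructed for illustration):

```python
import time


class FakeClock:
    """Controllable clock so the example is deterministic (constructed)."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class TieredMetadataCache:
    """Lookup order: local (in-process) cache -> distributed cache -> database.

    Invalidation follows the policy in the article: a metadata write actively
    removes the entry from the distributed cache, while local copies on every
    gateway instance are only expired passively by their TTL.
    """

    def __init__(self, db, distributed, local_ttl=60.0, clock=time.monotonic):
        self.db = db                    # dict standing in for the database (constructed)
        self.distributed = distributed  # dict standing in for the shared cache cluster (constructed)
        self.local = {}                 # key -> (value, expires_at)
        self.local_ttl = local_ttl
        self.clock = clock
        self.hits = {"local": 0, "distributed": 0, "db": 0}

    def get(self, key):
        now = self.clock()
        entry = self.local.get(key)
        if entry is not None and entry[1] > now:
            self.hits["local"] += 1
            return entry[0]
        if key in self.distributed:
            value = self.distributed[key]
            self.hits["distributed"] += 1
        else:
            value = self.db.get(key)
            self.hits["db"] += 1
            if value is not None:
                self.distributed[key] = value   # backfill the shared tier
        if value is not None:
            self.local[key] = (value, now + self.local_ttl)
        return value

    def update(self, key, value):
        """Write path: persist, then actively invalidate the shared tier only."""
        self.db[key] = value
        self.distributed.pop(key, None)


def demo():
    """Two gateway instances sharing one database and one distributed cache (constructed data)."""
    clock = FakeClock()
    db = {"api:ticket.query": {"timeout_ms": 300}}
    shared = {}
    gw_a = TieredMetadataCache(db, shared, local_ttl=60.0, clock=clock)
    gw_b = TieredMetadataCache(db, shared, local_ttl=60.0, clock=clock)

    v1 = gw_a.get("api:ticket.query")["timeout_ms"]        # miss, miss -> db, backfills both tiers
    v2 = gw_b.get("api:ticket.query")["timeout_ms"]        # local miss on B -> distributed hit
    gw_a.update("api:ticket.query", {"timeout_ms": 500})   # shared tier invalidated, locals untouched
    stale_b = gw_b.get("api:ticket.query")["timeout_ms"]   # B still serves 300 until its TTL passes
    clock.t += 61
    fresh_b = gw_b.get("api:ticket.query")["timeout_ms"]   # local expired, shared empty -> db
    return v1, v2, stale_b, fresh_b, dict(gw_b.hits)
```

The `stale_b` step is the consistency caveat the text alludes to: because local caches are never pushed, every gateway instance can serve the old metadata for up to one local TTL after a write, which is acceptable only because the cached data is slow-changing metadata.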

3. Multi-dimensional flow control

Flow control means limiting the number of times an API may be called within a unit of time.

1) How flow control works

Figure: Flow control process

2) Flow control policy. Single-machine threshold: total threshold / number of machines * 80%.

Global flow control policy: below the single-machine threshold, count in local memory; above the single-machine threshold, count in the distributed cache.

3) Flow control types

Figure: Flow control types

The Yunzhi Open Platform currently provides the following flow control modes: (1) global flow control of an API within a sliding time window; (2) per-API flow control for a custom APPKEY; (3) flow control on the APP dimension, limiting the traffic an APPKEY may send to the platform's APIs.
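The two-tier counting policy (memory below the single-machine share, shared counter above it) together with the three flow control dimensions, as an added example that is not Yunzhi's implementation. The window length, the dimension key format and the `SharedCounter` class standing in for the distributed cache are assumptions of this example:

```python
import time
from collections import defaultdict

WINDOW_SECONDS = 60          # one counting window per minute (assumed)
SINGLE_MACHINE_SHARE = 0.8   # the 80% factor from the article


class SharedCounter:
    """Stand-in for the distributed cache (e.g. one hash per window); constructed for this example."""

    def __init__(self):
        self.counts = defaultdict(int)   # (dimension key, window id, node id) -> count

    def add(self, key, window_id, node_id, n):
        self.counts[(key, window_id, node_id)] += n

    def total(self, key, window_id):
        return sum(c for (k, w, _), c in self.counts.items() if k == key and w == window_id)


class FlowController:
    """One instance per gateway node. `limits` maps a dimension key to the total
    calls allowed per window across the whole cluster."""

    def __init__(self, node_id, machines, shared, limits, clock=time.time):
        self.node_id = node_id
        self.machines = machines
        self.shared = shared
        self.limits = limits
        self.clock = clock
        self.local = defaultdict(int)    # (key, window) -> calls counted in memory on this node
        self.synced = set()              # (key, window) pairs already published to the shared counter

    def single_threshold(self, total):
        # total threshold / machine count * 80%
        return total / self.machines * SINGLE_MACHINE_SHARE

    def _dimension_keys(self, api, appkey):
        # (1) per-API global limit, (2) per-API limit for a custom APPKEY, (3) per-APP limit
        candidates = (f"api:{api}", f"api:{api}|appkey:{appkey}", f"appkey:{appkey}")
        return [k for k in candidates if k in self.limits]

    def _check(self, key, window_id):
        total = self.limits[key]
        local_key = (key, window_id)
        count = self.local[local_key]
        if count + 1 <= self.single_threshold(total):
            return True                        # cheap path: in-memory count only
        if local_key not in self.synced:
            # first time above this node's share: publish what was counted in memory
            self.shared.add(key, window_id, self.node_id, count)
            self.synced.add(local_key)
        return self.shared.total(key, window_id) + 1 <= total

    def _commit(self, key, window_id):
        local_key = (key, window_id)
        self.local[local_key] += 1
        if local_key in self.synced:
            self.shared.add(key, window_id, self.node_id, 1)

    def allow(self, api, appkey):
        """Return (allowed, limiting_key). A denied call is not counted on any dimension."""
        window_id = int(self.clock() // WINDOW_SECONDS)
        keys = self._dimension_keys(api, appkey)
        for key in keys:
            if not self._check(key, window_id):
                return False, key
        for key in keys:
            self._commit(key, window_id)
        return True, None


def demo():
    """Constructed scenario: 4 gateway nodes, APPKEY 'app-A' limited to 10 calls per window."""
    shared = SharedCounter()
    limits = {"api:ticket.query": 100, "appkey:app-A": 10}

    def fixed_clock():
        return 1_000.0

    nodes = [FlowController(f"gw-{i}", 4, shared, limits, fixed_clock) for i in range(4)]
    results = [nodes[0].allow("ticket.query", "app-A") for _ in range(12)]
    allowed_on_node0 = sum(1 for ok, _ in results if ok)
    first_denial = next(key for ok, key in results if not ok)
    # another node has not used its in-memory share yet, so it still admits the call
    admitted_on_node1, _ = nodes[1].allow("ticket.query", "app-A")
    return allowed_on_node0, first_denial, admitted_on_node1
```

The last line of `demo` shows the trade-off built into the policy: a node that is still below its own share never consults the shared counter, so the global total is a soft limit whenever other nodes have already pushed the cluster to the ceiling. The 80% factor leaves headroom for exactly that case, and the denial reason returned by `allow` is what you would want to log for detection of a noisy APPKEY.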

Highly reliable messaging service

1. Overall architecture

Figure: Message service architecture

2. Message mode

1) Message notification uses two mechanisms to make sure the consumer side receives the message: asynchronous HTTP callbacks from the gateway, plus active confirmation by the consumer. The asynchronous HTTP callback can be understood as the message push mode, and the consumer's active confirmation as the message pull mode;

2) The main usage scenario of the message mode today is pulling membership information across different industries, such as membership registration, membership information changes and points changes; messages are used to synchronize information between internal and external systems.

3. How to ensure that messages are not lost?

1) Use the retry mechanism of the messaging middleware itself to guarantee that the gateway consumes each message correctly at least once (at-least-once delivery);

2) After a message is received, persist it to disk so that it is available for review and for subsequent retries;

3) Deliver the message to the subscribers defined by the subscription relationship; on success update the message status, on failure leave the message for the scheduled scanning task;

4) After a delivery failure, retry at intervals (20 minutes, 40 minutes); once three attempts have all failed, mark the message as failed and stop delivering it actively;

5) Business consumers need to query failed messages periodically to prevent messages from being missed.
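The five steps above as one runnable model, added here and not taken from the Yunzhi service. The article gives the retry intervals 20 and 40 minutes and a limit of three attempts; this example interprets that as one initial delivery plus two retries. The in-memory `store` stands in for the on-disk persistence, and the `callback` that fails on purpose is constructed for the example:

```python
from collections import defaultdict
from dataclasses import dataclass, field

RETRY_INTERVALS_MIN = (20, 40)   # from the article: retry after 20 min, then after 40 min
MAX_ATTEMPTS = 3                 # initial delivery + two retries (interpretation of "three retries")


@dataclass
class StoredMessage:
    msg_id: str
    subscriber: str
    payload: dict
    status: str = "PENDING"
    attempts: int = 0
    next_attempt_at: int = 0          # minutes on the simulated clock
    log: list = field(default_factory=list)


class MessageService:
    def __init__(self, deliver):
        self.deliver = deliver        # callable(subscriber, payload) -> bool; stands in for the HTTP callback
        self.store = {}               # stands in for the persisted message table
        self.now = 0                  # simulated clock in minutes

    def receive(self, msg_id, subscriber, payload):
        """Step 2: persist before delivering. Because the middleware redelivers
        at least once (step 1), a duplicate msg_id must be a no-op."""
        if msg_id in self.store:
            return self.store[msg_id]
        msg = StoredMessage(msg_id, subscriber, payload)
        self.store[msg_id] = msg
        self._attempt(msg)
        return msg

    def _attempt(self, msg):
        """Step 3/4: one delivery attempt, then schedule a retry or give up."""
        msg.attempts += 1
        ok = False
        try:
            ok = self.deliver(msg.subscriber, msg.payload)
        except Exception as exc:      # a crashing callback counts as a failed attempt
            msg.log.append(f"attempt {msg.attempts}: {exc!r}")
        if ok:
            msg.status = "DELIVERED"
        elif msg.attempts >= MAX_ATTEMPTS:
            msg.status = "FAILED"     # no further active delivery
        else:
            msg.status = "RETRY_PENDING"
            msg.next_attempt_at = self.now + RETRY_INTERVALS_MIN[msg.attempts - 1]

    def scan(self):
        """Step 3: the scheduled task picks up messages whose retry is due."""
        for msg in list(self.store.values()):
            if msg.status == "RETRY_PENDING" and msg.next_attempt_at <= self.now:
                self._attempt(msg)

    def failed_messages(self, subscriber):
        """Step 5: the query a consumer should run periodically."""
        return sorted(m.msg_id for m in self.store.values()
                      if m.subscriber == subscriber and m.status == "FAILED")


def demo():
    calls = defaultdict(int)

    def callback(subscriber, payload):
        calls[payload["id"]] += 1
        if payload["id"] == "m-flaky":
            return calls["m-flaky"] >= 3      # the subscriber recovers on the third attempt
        return False                          # "m-dead" never succeeds

    svc = MessageService(callback)
    svc.receive("m-flaky", "isv-a", {"id": "m-flaky", "event": "member.registered"})
    svc.receive("m-dead", "isv-a", {"id": "m-dead", "event": "points.changed"})
    svc.receive("m-dead", "isv-a", {"id": "m-dead", "event": "points.changed"})  # middleware redelivery
    timeline = {}
    for minute in (10, 20, 40, 60, 61):
        svc.now = minute
        svc.scan()
        timeline[minute] = (svc.store["m-flaky"].status, svc.store["m-dead"].status)
    return timeline, svc.failed_messages("isv-a"), dict(calls)
```

Note that the duplicate `receive` of `m-dead` does not trigger a fourth callback: persisting before delivery is what makes at-least-once redelivery from the middleware safe for the subscriber.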

High-security data services

1. API authorization

The Yunzhi Open Platform uses OAuth 2.0 as its authorization protocol. The authorization flow can be summarized as follows:

1) obtain a temporary token code;

2) exchange the temporary token code for a long-lived token (refreshToken) and an access token (accessToken);

3) after the access token expires, use the long-lived token (refreshToken) to refresh the access token (accessToken). The authorization sequence diagram is as follows:

Figure: API authorization sequence diagram
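The three steps as a toy authorization server, added here as an example and not Yunzhi's implementation. The token lifetimes, the single-use code, binding the code to the APPKEY that requested it, and rotating the refreshToken on every refresh are assumptions and hardening choices of this example; the article only names the three steps:

```python
import secrets
import time


class Clock:
    """Adjustable clock so expiry can be simulated (constructed)."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


class AuthorizationServer:
    CODE_TTL = 600            # temporary code valid for 10 minutes (assumed)
    ACCESS_TTL = 7200         # accessToken lifetime in seconds (assumed)
    REFRESH_TTL = 30 * 86400  # refreshToken lifetime in seconds (assumed)

    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}            # code -> (appkey, issued_at)
        self.access_tokens = {}    # accessToken -> (appkey, expires_at)
        self.refresh_tokens = {}   # refreshToken -> (appkey, expires_at)

    def issue_code(self, appkey):
        """Step 1: the user authorizes the APPKEY and receives a temporary code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (appkey, self.clock())
        return code

    def exchange_code(self, code, appkey):
        """Step 2: the code is single-use, short-lived and bound to the APPKEY it was issued to."""
        entry = self.codes.pop(code, None)   # pop: a replayed code is rejected
        if entry is None or entry[0] != appkey or self.clock() - entry[1] > self.CODE_TTL:
            raise PermissionError("invalid_grant")
        return self._issue_tokens(appkey)

    def refresh(self, refresh_token):
        """Step 3: trade the long-lived token for a fresh accessToken; the old refreshToken is rotated out."""
        entry = self.refresh_tokens.pop(refresh_token, None)
        if entry is None or entry[1] < self.clock():
            raise PermissionError("invalid_grant")
        return self._issue_tokens(entry[0])

    def _issue_tokens(self, appkey):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = (appkey, now + self.ACCESS_TTL)
        self.refresh_tokens[refresh] = (appkey, now + self.REFRESH_TTL)
        return {"accessToken": access, "refreshToken": refresh, "expiresIn": self.ACCESS_TTL}

    def authenticate(self, access_token):
        """Gateway-side check on every API call: returns the APPKEY, or None if the token is bad."""
        entry = self.access_tokens.get(access_token)
        if entry is None or entry[1] < self.clock():
            return None
        return entry[0]


def demo():
    clock = Clock()
    srv = AuthorizationServer(clock)
    code = srv.issue_code("app-A")
    tokens = srv.exchange_code(code, "app-A")
    try:
        srv.exchange_code(code, "app-A")          # replaying the code must fail
        code_replayed = True
    except PermissionError:
        code_replayed = False
    before = srv.authenticate(tokens["accessToken"])
    clock.t += AuthorizationServer.ACCESS_TTL + 1
    expired = srv.authenticate(tokens["accessToken"])
    new_tokens = srv.refresh(tokens["refreshToken"])
    after = srv.authenticate(new_tokens["accessToken"])
    try:
        srv.refresh(tokens["refreshToken"])       # the rotated-out refreshToken is dead
        old_refresh_reused = True
    except PermissionError:
        old_refresh_reused = False
    return {"code_replayed": code_replayed, "before": before, "expired": expired,
            "after": after, "old_refresh_reused": old_refresh_reused}
```

Each dictionary lookup in this model corresponds to a storage read the real gateway would do against its token store; the checks that matter for security are the ones in `exchange_code` and `refresh`: a code or refreshToken that is accepted twice is the classic failure mode of this flow.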

2. API access control

API access control restricts an API so that it is open only to some merchants, or forbids an APPKEY from accessing data across merchants, across channels, and so on.

In the Yunzhi Open Platform, access control consists of permission groups and level-authentication access control; the open gateway adds the level-authentication function in order to achieve access isolation and data isolation. The principle of access control is as follows:

Figure: API access control

Access control is configured per APPKEY as an access policy. The policy is expressed in terms of the API's request parameters; the open platform gateway judges whether a request is legitimate against the policy and throws an error if the request does not comply.

Configuration example (the keys are merchant, cinema and channel):

  {"商户":["yunzhi"],"影院":["test1","test2"],"渠道":["H5"]}
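An evaluator for policies of the shape shown above, added here as an example (not the gateway's own code). It uses the article's configuration line as its policy and constructed request parameters; the fail-closed treatment of a missing parameter and the strict validation of the configuration are design choices of this example:

```python
import json

# The policy line from the article, with the channel value quoted as JSON requires.
POLICY_JSON = '{"商户":["yunzhi"],"影院":["test1","test2"],"渠道":["H5"]}'


def load_policy(policy_json):
    """Parse an APPKEY's access policy and reject malformed configuration up front."""
    policy = json.loads(policy_json)
    if not isinstance(policy, dict):
        raise ValueError("policy must be a JSON object")
    for field, allowed in policy.items():
        if not isinstance(allowed, list) or not all(isinstance(v, str) for v in allowed):
            raise ValueError(f"policy field {field!r} must be a list of strings")
    return policy


def check_access(policy, params):
    """Every field the policy restricts must be present in the request and hold a permitted value.

    Returns (allowed, reason); the gateway turns a False into an error response.
    A restricted field that the request omits is denied: without it the gateway
    cannot prove the call stays inside the caller's merchant/cinema/channel."""
    for field, allowed in policy.items():
        value = params.get(field)
        if value is None:
            return False, f"missing request parameter {field!r}"
        if value not in allowed:
            return False, f"{field}={value!r} is not permitted for this APPKEY"
    return True, "ok"


def config_rejected(bad_json):
    """True if the configuration is refused at load time."""
    try:
        load_policy(bad_json)
    except ValueError:            # json.JSONDecodeError is a subclass of ValueError
        return True
    return False


def demo():
    policy = load_policy(POLICY_JSON)
    return {
        "own_cinema": check_access(policy, {"商户": "yunzhi", "影院": "test1", "渠道": "H5"})[0],
        "other_cinema": check_access(policy, {"商户": "yunzhi", "影院": "test3", "渠道": "H5"})[0],
        "other_merchant": check_access(policy, {"商户": "acme", "影院": "test1", "渠道": "H5"})[0],
        "channel_omitted": check_access(policy, {"商户": "yunzhi", "影院": "test2"})[0],
        # an unquoted channel value is not valid JSON and is refused
        "unquoted_rejected": config_rejected('{"渠道":[H5]}'),
        # a bare string instead of a list is valid JSON but still refused
        "scalar_rejected": config_rejected('{"渠道":"H5"}'),
    }
```

Validating the policy when it is loaded, rather than when a request arrives, matters because a policy that fails to parse at request time tends to be handled by "allow and log", which silently removes the isolation the configuration was meant to provide.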

3. Control of the data returned by an API

1) When an APPKEY is assigned to the gateway, a corresponding data access level is defined for it. There are currently four levels, L1 to L4, with the security level increasing from low to high;

2) For interfaces whose risk must be strictly controlled, the level of every field must be defined explicitly at configuration time, likewise from low to high as L1 to L4;

3) Each field is matched against these levels, and parameters that do not meet the caller's permission level are removed directly by a plug-in mechanism.
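The field-level filter from step 3, added here as an example and not the platform's plug-in. The per-interface field definition is constructed; the article only states that each field carries a level L1 to L4. Dropping fields that have no configured level at all is a fail-closed choice of this example:

```python
LEVELS = {"L1": 1, "L2": 2, "L3": 3, "L4": 4}

# Constructed field definition for one hypothetical interface.
TICKET_ORDER_FIELDS = {
    "order_id": "L1",
    "cinema_name": "L1",
    "seat": "L2",
    "buyer_phone": "L3",
    "buyer_id_number": "L4",
}


def filter_by_level(appkey_level, field_levels, data):
    """Remove every field whose required level is above the APPKEY's level.

    Accepts a single record or a list of records and recurses into nested
    values. A field with no configured level is always removed, so a field
    that someone forgot to classify can never leak (design choice here)."""
    granted = LEVELS[appkey_level]
    if isinstance(data, list):
        return [filter_by_level(appkey_level, field_levels, item) for item in data]
    out = {}
    for name, value in data.items():
        level = field_levels.get(name)
        if level is None or LEVELS[level] > granted:
            continue
        if isinstance(value, (dict, list)):
            value = filter_by_level(appkey_level, field_levels, value)
        out[name] = value
    return out


def demo():
    """Constructed response record, including one field nobody classified."""
    record = {
        "order_id": "o-1001",
        "cinema_name": "test1",
        "seat": "7-12",
        "buyer_phone": "138****0000",
        "buyer_id_number": "110***",
        "internal_note": "vip",
    }
    return {level: sorted(filter_by_level(level, TICKET_ORDER_FIELDS, record)) for level in LEVELS}
```

Running the filter as a gateway plug-in, after the business system has answered, means the level check does not depend on every backend team remembering it; the price is that the field definition must be kept in step with the interface, which is why the text requires each field to be defined at configuration time.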

Scalable and maintainable

1. Maintainability: the API life cycle

Figure: API life cycle management

2. Extensibility: the API plug-in mechanism

The gateway's protocol listening and parsing layer, its API logic layer, and its call-execution protocol layer are all components that can be plugged into the gateway kernel.

1) Plug-in principle: the class loader

Figure: Plug-in class loading

The plug-ins newly added to the Yunzhi Open Platform with film-industry characteristics include API access control with level authentication, and support for Yunxiao (Alibaba's cloud-efficiency DevOps tooling) environment targets.

Summary

The Yunzhi Open Platform integrates the HTTPS protocol, multi-level caching and messaging middleware into a system built specifically for high-performance data access and for data security control, achieving fast access to all of its data together with security management and control. Looking back at the system from technology selection to launch, the gateway's evolution has gone through the following three stages:

  • Basic core capability: basic core = service access + stable operation;

  • Platform capability: platform = high performance + API specification + data security and auditing;

  • Vertical-platform capability: vertical capability = plug-in customization.

Along the way, the core technology was consolidated and these technical details were understood in depth and put into practice. At each step of the evolution, the team asked whether the earlier design still stood up to the test and then optimized further, so that the gateway is efficient and secure as well as easy to maintain. The process is naturally hard, but by taking the difficulties head-on the summit can be reached; meanwhile, the team's technical thinking kept changing, and the system grew new vertical-platform features.

【End】


Origin blog.csdn.net/csdnnews/article/details/105154338