Making Tomcat Multi-tenant, Elastic, Billed and Metered

Paul Fremantle
CTO and Co-Founder, WSO2
VP, Apache Synapse
ASF Member
@pzfreo
http://pzf.fremantle.org

Afkham Azeez
Lead Architect, Stratos
Axis2, Synapse PMC
ASF Member

And also big thanks to Shankar, Amila, Srinath, Isuru, Senaka and the whole team

Paul Fremantle
• Working in Apache since 2002
• Apache Member
• CTO and Co-Founder of WSO2
• VP, Apache Synapse
• I play the Tin Whistle (in case you hadn’t noticed yet)
@tedleung

OK, I lied a bit
• This is about “Using Tomcat to run multitenanted, metered, elastic webapps”
• We didn’t embed this into Tomcat code
• If you want to leave now, I won’t be offended!

“Cloud Native”
• Self-service
• Distributed and Elastic
• Multi-tenant
• Metered and Billed
• Dynamically wired
• Versionable, incrementally deployable and testable
http://www.flickr.com/photos/ladymaggic/
http://www.flickr.com/photos/jurvetson/

Can I run Tomcat on the Cloud?
• Yes of course
• There is at least one company selling supported AMI images of Tomcat
• What does that get me?
  – Saves me creating an AMI
• Can we do better? Yes!

Cloud computing in one page
The Big Picture
• Infrastructure as a Service
  – Servers, storage & networking
  – For infrastructure specialists
• Platform as a Service
  – Middleware and Core Services
  – For developers, integrators, architects
• Software as a Service
  – Applications
  – For end-users

Enterprise IT in 2010
© WSO2 2010

Enterprise IT in 2015+

Stratos Application Server

What can I do with Stratos App Server?
• Deploy WAR files
• Manage sessions
  – Monitor
  – Expire
• Reload / Stop

A webapp, running in the cloud

Quick demo

Not just webapps – services too
• Supports deploying code as services
  – JAX-WS
  – Axis2 services
  – POJO
  – Spring-based POJO services

Uses Tomcat
• Running on Tomcat under OSGi
• Multi-tenant
• Metered
• Elastic

How?
• How do we multi-tenant?
• How do we meter?
• How do we scale (elasticity)?

What is Multi-tenancy?
Many parties share the same set of resources, while each is given its own space

Challenges of Multi-tenancy
• Security and Data Isolation
• Allocation of resources
• Configuration, Management
• Programming Model

Multi-tenanting Tomcat
• http://appserver.cloud.wso2.com/t/fremantle.org/webapps/sample/
• Uses a valve to direct the request to the right tenant
• WAR files already have separate classloaders
  – And session isolation
• Each tenant can only load code from their tenant’s deployed WARs
• For services we also restrict classloading using Java Security
• We apply security policies to stop webapps opening ports, modifying local files, calling OSGi Services
  – We intend to enhance this to support limited access to services

Multi-tenanting Axis2

Every tenant has access to an Identity Service

Identity
• Every domain/tenant has its own single sign-on and identity manager
• Based on LDAP
  – which is inherently multitenant
  – Each tenant has their own LDAP partition
• Supporting SAML2, OpenID, OAuth, XACML, Infocard, WS-Trust

Simply enabling security

    <security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
        <!-- some stuff deleted for simplicity -->
      </web-resource-collection>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>
      </form-login-config>
    </login-config>
    <!-- Security roles referenced by this web application -->
    <security-role>
      <role-name>admin</role-name>
    </security-role>

Single sign-on
• We already support SAML2-based single sign-on for Administration
  – So if you want, you can use a SAML2 Relying Party in your webapp, that works
  – We can recommend one too
    • OpenSAML2
    • https://spaces.internet2.edu/display/OpenSAML/Home/
• Not yet automatically supported for webapps
  – We plan to add this

Elasticity
• Elastic Load Balancer
  – Apache Synapse
    • Always done load balancing
    • Now has full transparent HTTP support
    • Has “Autoscale” mediators
      – Based on Azeez’s Master’s thesis
    • Priority Execution support and throttling (Business Class)
  – Underlying Cloud API
    • We have based this on the Amazon/Eucalyptus/Ubuntu API
    • Adding support for VMware underneath

Overall plan

Apache Tribes Distributed
• Our distribution/clustering model is based on Apache Tribes
• Adjusted Tribes to support WKA model
• In a large cloud (e.g. Amazon) you cannot rely on subnet communications between nodes
• Nominate two Well Known Addresses
  – Tribes contacts the WKA and uses that to bootstrap the fabric

Performance Overhead of Multi-tenancy

Metering

Super tenant metering

Billing and Metering
• A generic multi-tenanted metering and billing module
• Written as OSGi
• Uses Drools to implement service levels
  – E.g. 10 users, 100Mb transfer/month, 15 deployed services for free level of subscription
• Can be used to meter real business events
  – How many sales transactions / month

Programming Model
• Sub-tenant programming model
  – “Normal”
  – Suited to fit within a tenant
• Super-tenant model
  – How to write one app for all tenants
  – i.e. how to write multi-tenant apps
  – Different but similar
• Neither is complete yet

Data
• Is a pain
• Most webapps use JDBC-based data sources
  – Very hard to “multi-tenant”
• We are looking at two options:
  – Multi-tenanted JDBC driver
  – Multi-tenant NoSQL (e.g. Cassandra)
• In Amazon environment you can start up RDS
  – But you pay for time not usage

Cache
• Uses JSR107

    cache = CarbonContext.getCurrentContext().getCache();
    cache.put(key, value);
    value = cache.get(key);

• CarbonContext is our general model for building a sub-tenant multi-tenant programming model
  – A set of standard stuff that works in an MT environment
  – Isolation and security

What else do you need?
• Multi-tenant enabled:
  – Log
  – Cache (done)
  – Billing
  – Identity
  – Authorization
  – JMS/Queue/Topics
  – Registry/Repository/Config access
  – Managed Service Requester (HTTP, SOAP)
    • JAXWS/JAXRS/Commons HTTPClient

Summary
• Cloud Native attributes distinguish code that just floats on top of the cloud from applications that live in the cloud
• Stratos is an example of making Tomcat Cloud Native
• Not complete…. But that would be boring anyway!
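
An added example, not code from the slides or from Stratos: a Tomcat valve that resolves the tenant from the `/t/<tenant-domain>/webapps/<app>/` URL shape shown on the “Multi-tenanting Tomcat” slide and refuses paths that could cross from one tenant into another. The class name, the request attribute, the in-memory tenant registry and the strict path rules are all assumptions of this example; it compiles against Tomcat 9 (`javax.servlet`).

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletException; // jakarta.servlet on Tomcat 10 and later
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Hypothetical tenant-routing valve (added example, not the Stratos code). */
public class TenantRoutingValve extends ValveBase {
    /** Attribute name is an assumption of this example. */
    public static final String TENANT_ATTR = "example.tenant.domain";

    // /t/<tenant-domain>/webapps/<app>/... Deliberately strict: lower-case DNS
    // labels for the tenant, and no '%', ';' or '\' anywhere in the path.
    private static final Pattern TENANT_URI = Pattern.compile(
        "^/t/([a-z0-9][a-z0-9-]*(?:\\.[a-z0-9][a-z0-9-]*)+)"
        + "/webapps/([A-Za-z0-9_-]+)(/[A-Za-z0-9._~/-]*)?$");

    // Constructed tenant registry; a real deployment would ask its tenant manager.
    private final Set<String> knownTenants = Set.of("fremantle.org", "example.com");

    /** Returns the tenant domain, or null when the URI is not a valid tenant path. */
    static String tenantOf(String uri) {
        // Dot segments and empty segments are refused outright, so a path such as
        // /t/a.org/webapps/x/../../../b.org/webapps/y never resolves to any tenant.
        if (uri == null || uri.contains("/../") || uri.endsWith("/..") || uri.contains("//")) {
            return null;
        }
        Matcher m = TENANT_URI.matcher(uri);
        return m.matches() ? m.group(1) : null;
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String tenant = tenantOf(request.getRequestURI());
        if (tenant == null || !knownTenants.contains(tenant)) {
            // Same 404 for malformed paths and unknown tenants, so the response
            // does not reveal which tenant domains exist.
            response.sendError(404);
            return;
        }
        // Later stages take the tenant from this attribute only, never by
        // re-parsing the URL, so one validated value drives every decision.
        request.setAttribute(TENANT_ATTR, tenant);
        getNext().invoke(request, response);
    }
}
```

A valve like this is registered with a `<Valve className="TenantRoutingValve"/>` element inside the `<Host>` in `server.xml`, with the class on Tomcat's own classpath rather than inside any tenant's WAR.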