TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik

DESCRIPTION

OSGi Community Event 2013 (http://www.osgi.org/CommunityEvent2013/Schedule)

ABSTRACT

The usage of cloud technologies for data exchange, as well as the capability of services to run in the cloud, has made this internet-based technology more important in recent years, for private customers as well as for industry. This talk gives a practical introduction to an OSGi based architecture for cloud applications and an overview of the usage of the OSGi Enterprise and Blueprint specifications. It shows some best practices we established for developing with OSGi in an enterprise cloud environment.

In the healthcare sector, the cloud faces special requirements on data security during storage and transfer. This leads to the need to address customer concerns regarding privacy in much more detail than in other areas. To advance research on the usage of cloud technologies in the healthcare sector and to enrich discussions on this theme, the German Federal Ministry of Economics and Technology funds 14 research projects as part of the Trusted Cloud initiative [1]. The TRESOR (Trusted Ecosystem for Standardized and Open cloud-based Resources) project, one of these projects, aims to provide an open platform for cloud applications for the healthcare sector [2]. In this project, we combine modern cloud technologies and the OSGi service framework to build a modular and scalable PaaS (Platform as a Service) that provides flexible domain specific services for healthcare.

Topics covered:
• Introduction to the TRESOR project
• Why we decided to use OSGi
• OSGi based architecture, benefits and pitfalls
• OSGi Enterprise and Blueprint: what they provide and what is lacking
• Some best practices
• OSGi & Maven
• From jar hell to bundle hell?
• Fine grained control with Bundle Security
• OSGi Bundles & JPA Persistence
• Transaction management with Blueprint
• OSGi in the cloud

References
[1] Trusted Cloud Project, BMWi
[2] TRESOR Homepage, BMWi

SPEAKER BIO

Current employment: Head of development of medisite Systemhaus GmbH, responsible for the development of the Patient Data Management System (PDMS) m.life, and software architect for the TRESOR project. 15 years of work experience in medical software development, 10 of them as team leader and software architect. Expert for software architecture, OSGi, Java and Java EE.

TRANSCRIPT
![Page 1: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/1.jpg)
TRESOR – the modular cloud
Building a domain specific cloud
platform with OSGi
OSGi Community Event
Ludwigsburg
Eclipsecon 2013
![Page 2: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/2.jpg)
About myself
Eclipsecon 2013 Building a domain specific cloud
platform with OSGi
Alexander Grzesik
Head of Development, medisite Systemhaus
Working 15 years in software development
Java
Software Architecture
Medical Software
![Page 3: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/3.jpg)
Cloud – the future ?
By David Fletcher
![Page 4: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/4.jpg)
TRESOR Partners
TRESOR is funded within the Trusted Cloud project by the Federal Ministry of
Economy on basis of a resolution passed by the German Bundestag
Trusted Ecosystem for Standardized and Open cloud-based
Resources
![Page 5: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/5.jpg)
TRESOR Cloud Ecosystem
[Diagram labels: TRESOR PaaS; TRESOR User; TRESOR Ecosystem; TRESOR Service Provider; IaaS-Provider; TRESOR Proxy (Client); TRESOR Proxy (Service); TRESOR Proxy (Trusted 3rd Party); IDM (i.e. Active Directory); Clients; Authentication; Authorization; Service use; Marketplace; TRESOR Billing; TRESOR Broker; Service Profile Repository; Client Profile Repository; Search, Maintain, Match; Billing; SLA Monitoring; Manage; Dynamic Services; MMV; PAI; ...]
![Page 6: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/6.jpg)
TRESOR Goals
Cloud
Flexible
Secure
Open
Extensible
OSGi based
Use of Standards
Development tools
Data Security
Encrypted Data
Secure Communication
Certified
Scalable
Reliable
High Availability
Powered by OpenShift
Fast Time-to-Market
No Vendor Lock-In
Flexible deployment
![Page 7: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/7.jpg)
TRESOR PaaS at a glance
• Strong Encryption
• Powered by OpenShift
• Open Platform
• Polyglot Persistence
• Modular Architecture
• Domain specific API
![Page 8: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/8.jpg)
Domain specific API
[Architecture diagram labels: Application; Glassfish Application Server; Plugin repository; Plugin Build Service; TRESOR Proxy Server; Management & Monitoring; Security; JPA/EclipseLink; Apache Felix OSGi; Java EE; 3rd Party Bundles; Applications & Services; Elastic Search; Integration Engine; Encryption Engine; Enterprise OSGi; Encryption; Persistence; Search and Index; Terminology; Configuration; Reporting; Process Engine; Business Rules; Object Mapping; User Management; OpenAM; Notification; Aries Blueprint; Patient Administration; Patient Timeline; Clinical Documentation; Order Entry; Document Management; Radiology Diagnostic; Therapy Planning; Laboratory Diagnostic; UI Module Management; Vaadin Web Framework; UI Components; Healthcare Applications and Services]
![Page 9: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/9.jpg)
Cooking in the Cloud with OSGi
![Page 10: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/10.jpg)
The Challenges
Architecture
Component Management
Dependencies
Java Enterprise Integration
Configuration
Security
Provisioning
![Page 11: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/11.jpg)
Bundle Structure
[Diagram: Application Bundle depends on Service Bundle, which contains both API and Impl]
• Straightforward
• Tightly coupled API to Implementation
• Replacing Implementation with high overhead
![Page 12: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/12.jpg)
Better: Bundle Separation
[Diagram: Application Bundle and Service Impl Bundle (Impl) each depend on Service API Bundle (API)]
• Separate API from Implementation
• Application only depends on API
• Implementation may be changed transparently
![Page 13: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/13.jpg)
Managing with Blueprint
• Keeps code clean of OSGi dependencies
• Spring-style dependency injection
• Handles Service Lifecycle
• Enterprise Extensions

<!-- provider side: publish the bean as an OSGi service -->
<service id="bmiService" ref="bmiServiceBean"
    interface="medisite.eclipsecon.bmi.BmiService" />
<bean id="bmiServiceBean"
    class="medisite.eclipsecon.bmi.impl.BmiServiceImpl">
  <property name="calculatorBean" ref="bmiCalculatorBean"/>
</bean>

<!-- consumer side: import the service by its interface -->
<reference id="importedService"
    interface="medisite.eclipsecon.bmi.BmiService"
    availability="mandatory"/>
![Page 14: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/14.jpg)
Managing Dependencies
![Page 15: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/15.jpg)
Manage Dependencies
• Maven allows managing dependencies and versions
• Maven Bundle Plugin creates your bundles

<plugin>
  <groupId>org.apache.felix</groupId>
  <artifactId>maven-bundle-plugin</artifactId>
  <configuration>
    <instructions>
      <!-- the trailing .* also matches sub-packages (such as
           medisite.eclipsecon.bmi.impl) if they are part of this bundle -->
      <Export-Package>medisite.eclipsecon.bmi.*</Export-Package>
      <Import-Package>
        org.slf4j;provider=paxlogging,
        *
      </Import-Package>
    </instructions>
  </configuration>
</plugin>
![Page 16: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/16.jpg)
Non OSGi dependencies
• Problem: A dependency is not an OSGi Bundle
• Option 1: Wrap bundle
<goals>
  <goal>wrap</goal>
</goals>
<configuration>
  <wrapImportPackage>;</wrapImportPackage>
</configuration>
• Option 2: Embed dependency
<Embed-Dependency>
  *;scope=compile|runtime;type=!pom;inline=false
</Embed-Dependency>
<Embed-Transitive>false</Embed-Transitive>
<Import-Package>*;resolution:=optional</Import-Package>
![Page 17: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/17.jpg)
Java Enterprise Integration
![Page 18: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/18.jpg)
Persistence
• JPA Persistence Units as OSGi Bundles
• Create persistence.xml and include in bundle:

<Meta-Persistence>
  META-INF/persistence.xml
</Meta-Persistence>
<Include-Resource>
  META-INF/persistence.xml=src/main/resources/META-INF/persistence.xml
</Include-Resource>
<JPA-PersistenceUnits>
  persistence-test
</JPA-PersistenceUnits>
![Page 19: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/19.jpg)
Embedded Persistence Unit
[Diagram: Application Bundle and Service Impl Bundle each depend on Service API Bundle (API); the Service Impl Bundle contains Impl and Persistence]
![Page 20: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/20.jpg)
Persistence Service
[Diagram: Application Bundle; Service API Bundle (API); Service Impl Bundle (Impl); Persistence Bundle (DAO)]
![Page 21: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/21.jpg)
Persistence Service via Blueprint
<bean id="bmiDAO" class="medisite.eclipsecon.persistence.impl.BmiDAO"
    init-method="init">
  <!-- inject a container-managed EntityManager for the persistence unit -->
  <jpa:context property="entityManager" unitname="persistence-test" />
  <!-- every method runs in a transaction, joining an existing one if present -->
  <tx:transaction method="*" value="Required" />
</bean>
• Managed by Blueprint container (Aries)
• Declarative Transaction Management
![Page 22: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/22.jpg)
Web Application Bundle
• Deploy a war as OSGi bundle (wab)
<instructions>
  <Web-ContextPath>/bmi</Web-ContextPath>
  <_wab>src/main/resources</_wab>
</instructions>
• Interact with OSGi Services from Servlet
BundleContext ctxt = (BundleContext)
    servletContext.getAttribute("osgi-bundlecontext");
• JNDI Integration
InitialContext ic = new InitialContext();
IBmiService calculator = (IBmiService)
    ic.lookup("osgi:service/" + IBmiService.class.getName());
![Page 23: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/23.jpg)
Configuration
![Page 24: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/24.jpg)
Configuration Administration Service
• Blueprint integration from Apache Aries
<cm:property-placeholder id="property-placeholder"
    persistent-id="frameworkConfig" update-strategy="reload">
  <cm:default-properties>
    <cm:property name="selfTest" value="false"/>
  </cm:default-properties>
</cm:property-placeholder>
<bean id="testerBean" class="medisite.eclipsecon.bmi.impl.BundleTest">
  <property name="selfTest" value="${selfTest}"/>
</bean>
• Managed Properties
<bean id="bmiService" class="medisite.eclipsecon.impl.BmiServiceImpl">
  <cm:managed-properties persistent-id="bmiServiceConfig"
      update-strategy="container-managed"/>
</bean>
![Page 25: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/25.jpg)
Security
![Page 26: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/26.jpg)
ConditionalPermissionAdmin
• Control Permissions
ConditionalPermissionAdmin cpa = getConditionalPermissionAdmin(context);
// Work on a private snapshot of the permission table
ConditionalPermissionUpdate u = cpa.newConditionalPermissionUpdate();
List<ConditionalPermissionInfo> infos = u.getConditionalPermissionInfos();
// Replace all existing rows with the rows of the new policy
infos.clear();
for (String encodedInfo : encodedInfos)
{
    infos.add(cpa.newConditionalPermissionInfo(encodedInfo));
}
// commit() returns false if the table was modified since the snapshot was taken
if (!u.commit())
    throw new ConcurrentModificationException("Permissions changed during update");
![Page 27: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/27.jpg)
Policy File Reader
ALLOW {
  [org.osgi.service.condpermadmin.BundleSignerCondition
     "CN=tresor,O=medisite Systemhaus GmbH,C=de"]
  (java.security.AllPermission "*" "*")
}
DENY
{
  (org.osgi.framework.PackagePermission "medisite.eclipsecon.*" "IMPORT")
}
ALLOW
{
  (org.osgi.framework.PackagePermission "*" "IMPORT")
}
![Page 28: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/28.jpg)
More thoughts on Security
• Make sure PolicyManager starts before
custom bundles
• Restrict access to
ConditionalPermissionAdmin
• Application Permissions with blueprint
interceptor (Aries)
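
The three security slides (the ConditionalPermissionAdmin update, the policy file and the notes on start order and access) fit together as one small policy-manager bundle. The following is an added example, not code from the talk or the TRESOR project: the class name PolicyManagerActivator, the POLICY constant, the '#' comment convention and the retry count are assumptions, while the calls used are the standard org.osgi.service.condpermadmin API (OSGi 4.3 or later for the generic signatures).

```java
import java.util.ArrayList;
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;

/** Hypothetical policy-manager bundle; class and constant names are illustrative. */
public class PolicyManagerActivator implements BundleActivator {

    // The policy from the slides, embedded so the example is self-contained.
    // Rows are evaluated top-down; the first row that matches decides.
    static final String POLICY =
          "# bundles signed by the platform operator are fully trusted\n"
        + "ALLOW {\n"
        + "  [org.osgi.service.condpermadmin.BundleSignerCondition\n"
        + "     \"CN=tresor,O=medisite Systemhaus GmbH,C=de\"]\n"
        + "  (java.security.AllPermission \"*\" \"*\")\n"
        + "}\n"
        + "# all other bundles: no import of medisite.eclipsecon.*, other imports allowed\n"
        + "DENY  { (org.osgi.framework.PackagePermission \"medisite.eclipsecon.*\" \"IMPORT\") }\n"
        + "ALLOW { (org.osgi.framework.PackagePermission \"*\" \"IMPORT\") }\n";

    /** Splits policy text into one encoded row per ALLOW/DENY block (rows without a name). */
    static List<String> splitRows(String policy) {
        List<String> rows = new ArrayList<>();
        StringBuilder row = new StringBuilder();
        for (String line : policy.split("\\R")) {
            String t = line.trim();
            if (t.isEmpty() || t.startsWith("#")) continue;  // blank line or comment
            row.append(t).append(' ');
            if (t.endsWith("}")) {                           // closing brace ends the row
                rows.add(row.toString().trim());
                row.setLength(0);
            }
        }
        if (row.length() > 0)
            throw new IllegalArgumentException("Unterminated policy row: " + row);
        return rows;
    }

    @Override
    public void start(BundleContext context) {
        ServiceReference<ConditionalPermissionAdmin> ref =
            context.getServiceReference(ConditionalPermissionAdmin.class);
        if (ref == null)  // framework runs without security: fail instead of running open
            throw new IllegalStateException("ConditionalPermissionAdmin not available");
        ConditionalPermissionAdmin cpa = context.getService(ref);

        // Parse every row before touching the live table: a malformed row throws
        // IllegalArgumentException here and the old table stays in place.
        List<ConditionalPermissionInfo> parsed = new ArrayList<>();
        for (String encoded : splitRows(POLICY))
            parsed.add(cpa.newConditionalPermissionInfo(encoded));

        for (int attempt = 0; attempt < 3; attempt++) {  // retry on concurrent change
            ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
            List<ConditionalPermissionInfo> table = update.getConditionalPermissionInfos();
            table.clear();
            table.addAll(parsed);
            if (update.commit()) return;  // false: table changed since the snapshot
        }
        throw new IllegalStateException("Permission table kept changing; policy not applied");
    }

    @Override
    public void stop(BundleContext context) { }
}
```

Give this bundle a lower start level than any custom bundle: until the first commit the permission table is empty, which leaves every bundle with AllPermission. After the commit only bundles matching the first row hold AllPermission, which is what changing the table through ConditionalPermissionAdmin requires.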
![Page 29: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/29.jpg)
Provisioning
![Page 30: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/30.jpg)
Cloud Provisioning
[Diagram: four Application instances; Cloud Application Manager; Repository]
![Page 31: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/31.jpg)
Putting it all together
[Diagram: Application Bundle; Service API Bundle (API); Service Impl Bundle (Impl); Persistence Bundle (DAO); Blueprint; Security Manager (Protect); Configuration Admin (Configure)]
![Page 32: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/32.jpg)
Lessons learned
• Steep learning curve
• Detailed information is often missing
• From jar hell to bundle hell
– Managing dependencies is challenging
– Not all libraries support OSGi
• Difficult to migrate non-OSGi application to
OSGi
![Page 33: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/33.jpg)
Benefits of OSGi for Architecture
• Separation of components
• Loose coupling
• Detect dependencies
• Encapsulation
• Versioning
• Integrating Java EE
![Page 34: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/34.jpg)
Think about your architecture
![Page 35: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/35.jpg)
Useful Resources
• The OSGi Standard
• OSGi Books
– OSGi in Action
– OSGi in Depth
– Enterprise OSGi in Action
• IBM Websphere Documentation
• Pax OSGi Projects
![Page 36: TRESOR: The modular cloud - Building a domain specific cloud platform with OSGi - Alexander Grzesik](https://reader036.vdocuments.us/reader036/viewer/2022081400/554f5232b4c905524c8b4f3b/html5/thumbnails/36.jpg)
Questions ?