Changes for page Communication between models
Last modified by Erik Bakker on 2024/09/05 14:00
From version 15.1
edited by Erik Bakker
on 2022/07/28 10:48
Change comment:
There is no comment for this version
To version 11.2
edited by Erik Bakker
on 2022/07/28 08:47
Change comment:
Update document after refactoring.
Summary
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
- Title
... ... @@ -1,1 +1,1 @@ 1 - Communicationbetween models1 +expert-data-handling-groovy-script - Content
... ... @@ -1,5 +1,5 @@ 1 1 {{container}}{{container layoutStyle="columns"}}((( 2 - Whenyour integration landscapegrowsthroughtime,youmightdecide tosplitfunctionalusinessprocesses intomultipleeMagizmodels.In thosecases, thequestionofconnecting these modelssily, stable,andsecurelycouldarise.This microlearning willfocuson thatquestionandprovideananswerbasedon ourvisionandbestpracticeswhendealingwiththeplatform.2 +In the crash course on the API Gateway we discussed the various options available to [[secure>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-security.WebHome||target="blank"]] your API Gateway properly. In this microlearning, we will expand our knowledge on that topic by looking at a special case of securing your API Gateway. That case is special as you use an external identity provider (IDP) to govern the roles and users that have rights on your API Gateway. 3 3 4 4 Should you have any questions, please get in touch with [[academy@emagiz.com>>mailto:academy@emagiz.com]]. 5 5 ... ... 
@@ -9,49 +9,50 @@ 9 9 10 10 == 2. Key concepts == 11 11 12 -This microlearning focuses on communicationbetween twoeMagiz models.Whencommunicatingtoanyexternalparty(fromthe viewofaertainmodel)youshouldalwaysconsiderhefollowing:12 +This microlearning focuses on using an external IDP to validate whether a user is authorized to execute a certain action on your API Gateway and what configuration is needed in eMagiz to make this work. 13 13 14 -* Security 15 -* Loose coupling 16 -* Maintainability 17 -* Clarity 14 +* The Token and Issuer URL of the external IDP need to be known 15 +* Users and Roles under User Management need to be manually configured and maintained to keep them in sync with the external IDP 18 18 19 -== 3. Communication betweenmodels==17 +== 3. External IDP == 20 20 21 -In a low-codeplatformlike eMagiz,youwant to preventusingcustomscripting asmuchas possible.However,sometimesinpractice,you encountersituationsthatcannot berealized withthe standard toolbox providedwithintheplatform.As aresult, weoffertheoptionto useGroovyptin thesesituationstoachievethedesired solution. In this microlearning, we willlook atwhereyoucanuse aGroovyscript anddiscussthekeyconsiderationswhenimplementingaGroovyscriptwithin yourmodel.19 +In the crash course on the API Gateway we discussed the various options available to [[secure>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-security.WebHome||target="blank"]] your API Gateway properly. In this microlearning, we will expand our knowledge on that topic by looking at a special case of securing your API Gateway. That case is special as you use an external identity provider (IDP) to govern the roles and users that have rights on your API Gateway. 
22 22 23 - Mostusers wouldthinkthatcommunicationvia queuestoconnecttwoseparate eMagizmodelsisasmart idea.However,thisis somethingthatwedonotencourage.Wediscouragethis forseveralpracticalandtechnicalreasonsalike.21 +When selecting the option OAuth2.0 (or OpenID Connect) you have the option to use the IDP provided by eMagiz which makes the configuration easy or you could use an external IDP which you have control over and want to use for this purposes. 24 24 25 - Whenlooking atthe practicalsideof things getting itconfigured correctly is time-consumingand an error-prone action(as isevidentby the question). Furthermore, it canleadto unexpected situations in whichyou make a typo tolisten to a queue on which no messages are provided. Thisqueuewillhowever be registeredon the JMS level (whenyouactivate the flow inquestion with thecustomconfiguration)which canlead to confusingqueue statistics and even moretroublesomefalse-positivealerting basedonmissingqueuemetricsor missingconsumers.23 +In this microlearning we will highlight what you need to configure in Design and Deploy to make this work within the tooling of eMagiz. 26 26 27 - Ontopof that because you basically allow one model to write and read from queues registered inanother model maintaining both models will become very confusing for the ones working on the project at the moment but also for those working on it at a later stage and does that need to provide (incidental) support on the environments.25 +=== 3.1 Design === 28 28 29 - Anotherpracticalreasonfornotwantingthissthatweonotactively support this usecase fromeMagiz.Thismeanshatwhenwedo updatestoourtechnicalinfrastructurewe willnot take thisscenariointoaccount.This couldleadtoadditionalworkonyourpartinthefuture andreduced stabilityofyoursolution.27 +On the security level of the API Gateway in Design you need to select the desired option, for example OAuth2.0. 
Instead of not filling in the token and issuer URL, indicating that you want to use the eMagiz IDP, you need to fill these in to reference the IDP of your choice. Below you see an example of how this could be configured. 30 30 31 - Fromthetechnical point of view, the consequence of thisconstructions thatbothmodels needto knoweach othercertificatesand credentials whichare not consideredsecure. Ontop of that becauseyou, theoretically, can exchange data from any queue toany queue you couldeate a situation in which updates inone model trigger changes in the other model (i.e. when usingthe same data model) that are unexpected (and frankly unwanted).29 +[[image:Main.Images.Microlearning.WebHome@expert-securing-data-traffic-api-gw-security-external-idp-security-config-design.png]] 32 32 33 -We advise using functionality that makes it explicit that both models function independently of each other. From eMagiz we consider two valid alternatives for this: 34 -- Using a web service as a layer of communication between the two models. This web service can be REST or SOAP and has been implemented before 35 -- Using the Event Streaming functionality of eMagiz to write and read from topics. 31 +Note that the environmentID in this example should be replaced with an actual environmentID that references your environment. 36 36 37 - Bothalternatives have the benefit that the security can be tight and explicit (i.e.only model A can write/post data to modelB). Furthermore managing the solution becomes a lot easier as it makes use of the standard functionalitywithin the platform. We have no plans to support this approach in the product.33 +=== 3.2 Deploy === 38 38 35 +Normally, eMagiz will automatically update the User Management information based on the configuration in Design. However, because the identity check is not done by eMagiz but by an external party you need to manually enter the roles and users and configure the scope correctly on role level. 
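Review bot: in the Title hunk (@@ -1,1 +1,1) the '+' side sets the title to `expert-data-handling-groovy-script`, which does not describe the content the same version carries (securing an API Gateway with an external identity provider); the images it references are named `expert-securing-data-traffic-api-gw-security-external-idp-...`, so the title should follow that topic, otherwise the page cannot be found by the subject it actually covers and links built from the slug point readers at the wrong microlearning.

Review bot: in the first Content hunk (@@ -1,5 +1,5) the '+' intro paragraph ("In the crash course on the API Gateway we discussed the various options available to ... secure ... your API Gateway properly. ...") is repeated word for word as the opening of section 3 in the next hunk; one of the two copies should be replaced with text that does its own job, for example the intro stating the prerequisite (an external IDP whose Token and Issuer URL you control) and section 3 explaining what eMagiz checks against it.

Review bot: in the second Content hunk (@@ -9,49 +9,50) the '+' side of section 3.2 says users and roles under User Management "need to be manually configured and maintained to keep them in sync with the external IDP", but it never states which side is authoritative when they drift: whether a user removed from the IDP is still treated as authorized by the gateway, and whether a valid token from the IDP for a user that was never added in User Management is rejected. That is the security-relevant behaviour of this setup and should be documented together with a check the reader can run (call the gateway with a token for a user that is absent from User Management and confirm the request is refused). The same section says to "correctly enter the scope" on role level and defers to the help text; the page should state what the scope value must match in the token the external IDP issues, since a mismatch is the failure mode the help text is warning about. The sentence "Instead of not filling in the token and issuer URL, indicating that you want to use the eMagiz IDP, you need to fill these in to reference the IDP of your choice" is hard to parse and should be split: leaving both URLs empty selects the eMagiz IDP; filling them in selects the external IDP. The `{{warning}}` that "you would be the first to do so with this setup" is also repeated as a key takeaway in section 5; a warning about an untested configuration is not a takeaway and will go stale, so keep it only in the warning box and date or remove it once the setup has been exercised. On the '-' side, section 3 ("Communication between models") opens with a paragraph about Groovy scripting that belongs to a different microlearning, and the paragraph recommending web services or Event Streaming as alternatives ends with "We have no plans to support this approach in the product", which contradicts the recommendation just made; if that version is ever restored, both passages need fixing.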
36 + 37 +To do so navigate to User Management in Deploy and add the users you want manually by pressing the New button and providing them with a name. Do subsequently the same for the roles. On role level do not forget to correctly enter the scope to make the call work. Note that the help text on the scope level gently reminds you what you need to do to make this work. 38 + 39 +[[image:Main.Images.Microlearning.WebHome@expert-securing-data-traffic-api-gw-security-external-idp-scope-configuration.png]] 40 + 41 +{{warning}}When implementing this you would be the first to do so with this setup. This means there might be some unexpected behavior when configuring this.{{/warning}} 42 + 39 39 == 4. Assignment == 40 40 41 -Consider what your criteria are when communicate between models and compare them to our criteria. 42 -This assignment can be completed with the help of the (Academy) project you created/used in the previous assignment. 45 +No assignment 43 43 44 44 == 5. Key takeaways == 45 45 46 -* Consider the following when communication between two models 47 -** Security 48 -** Loose coupling 49 -** Maintainability 50 -** Clarity 49 +* The Token and Issuer URL of the external IDP need to be known 50 +* Users and Roles under User Management need to be manually configured and maintained to keep them in sync with the external IDP 51 +* When implementing this you would be the first to do so with this setup. 51 51 52 52 == 6. Suggested Additional Readings == 53 53 54 -If you are interested in this topic and want more information, please consult us at [[productmanagement@emagiz.com>>mailto:productmanagement@emagiz.com]]55 +If you are interested in this topic and want more information, please read the help text provided by eMagiz. 55 55 56 56 == 7. Silent demonstration video == 57 57