Load balancing WSO2 Admin Services

If you are familiar with WSO2 product… You may have heard the word WSO2 Admin services…. In typical Identity Server deployment, there are clients (web applications, mobile clients and so on) that talk to these admin services. If you want to achieve high availability and load distribution, you need to load balance the client requests with multiple admin services (clustered Identity server instance) To understand this well, lets takes some sample use case…

EntitlementService (which exposes XACML PDP ) is an admin service of WSO2 Identity Server… Say, you have deployed web applications which are querying this entitlement service for authorization decisions.. There can be multiple Identity Server instances, deployed in a cluster to achieve high availability… Therefore you may need to load balancer requests between web applications and entitlement services… We can just represent this as following diagrams

Challenge

As admin service, you must authenticate to access this service…. You can create a user with privileges to access entitlement service (or let say default user, “admin”). Then you need to configure this user’s credentials in each web application. Web application must authenticate to identity server using this credentials to access the entitlement service.  Unfortunately WSO2 Identity Server does not support for user session replication across cluster nodes. Therefore load balancing must be done in a proper way…

Solutions

1. Sending Authentication credentials in each request

Web applications can send credentials in the Basic Auth header in every requests. Then every time credentials are needed to be validated in the server side. This would cause for performance bottlenecks. But load balancer does not want to worry about any thing, It can easily route message to any node in the Identity Server cluster..

2. Load Balancing with Sticky Session

Web application can send both session information (Cookie values) and credentials in the Basic Auth header. If valid session information (Cookie) is the request, Server would validate the request using Cookie value… If there is no valid Cookie , then validation is failed.. But server can still authenticate using Basic Auth credentials.

Please find simple java client that has been written for entitlement service from here

Lets assuming LB works with session affinity

a). Web application sends 1st request to LB, (node1), as there are no any Cookie in the request, node1 authenticates request using Basic Auth credentials and sends a Cookie in the response.

b). Web application adds received Cookie in to its Cookie list and sends next request to LB. As there is session affinity, LB sends request to node1.  There is one valid Cookie for node1 in the request, node1 validates the request using cookie…

c). If there is any issue with node1 (node1 has been down or session failure), then LB sends request to node2. As there is no any valid Cookie for node2, node2 authenticates using Basic Auth credentials and sends a Cookie in the response.

3. Load Balancing without Sticky Session

With sticky session, there can be two problems….  One problem is  LB must support for sticky session. other one is,  If LB only consider the sticky session as the only metric for load balancing,  All request would be received to an one node of the cluster…  It means we loss the load distribution.  Therefore it is better, if we can do load balancing with out sticky session… We can do it by having some modifications in web application (client side)..

Let me explain this further by taking two nodes of cluster… and assuming LB works round robin manner without session affinity

a).Web application send 1st request to LB, (node1), as there are no any Cookie, node1 authenticates using Basic Auth credentials and send a Cookie back.

b). Web application add received Cookie in to its Cookie list and send next request to LB (node2).. as there are no any valid Cookie for node2, node2 authenticates using Basic Auth credentials and send a Cookie back.

c). Web application add received Cookie in to its Cookie list (no there are two Cookies) and send next request to LB (node1).. as there are is one valid Cookie for node1, node1 validates the request using cookie…

d). If there is any issue with node1 (node1 has been down or session failure), then LB sends all requests to node2. as there are is one valid Cookie for node2, node2 validates the request using cookie…

Here, you may need to do some more stuff to send add Cookies in to request and remove expire d Cookie.. Please find simple java client that has been written for entitlement service from here

4. Client side load balancing.

You need to implement a web application, that can send requests in to different nodes.  Then web applicationx need to handle session information (Cookie) received by each nodes