Architecture, security and scaling of ArcGIS for Server

Ottar Viken Valvåg, Thor Morten Kopaas

BK2015 Architecture, security and scaling


Enterprise GIS in practice

• Possible deployment scenarios for ArcGIS for Server

• How to maintain security

• Users, roles, login (authentication and authorization)

• Scaling mechanisms

• Tools for monitoring status and identifying bottlenecks

ArcGIS Server Site

Single machine deployment

• Advantages

• Straightforward to install, maintain, and upgrade.

• High performance because local paths are used to access resources; this is ideal for hosting cached map and image services.

• Disadvantages

• May not fit your security requirements, since ArcGIS Server Manager and ArcGIS Server Administrator Directory are exposed through the same port (6080) that everyone else uses to access the services.

• Nonstandard HTTP ports (6080 and 6443 if using HTTPS) are used to expose services to clients.

• Web tier authentication is not available without ArcGIS Web Adaptor.

• Not highly available; the GIS server is a single point of failure.
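
A check for the exposure named in the disadvantages above, added here as an example (not code from the presentation or from Esri): it reports whether Manager or the Administrator Directory answer on the URL clients use. The context paths and the host gis.example.org are assumptions; adjust them to your site.

```python
"""Added example: are the admin endpoints reachable on the public URL?"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumed default context paths (not stated on the slides).
ADMIN_PATHS = {"/arcgis/manager/": "ArcGIS Server Manager",
               "/arcgis/admin/": "Administrator Directory"}
DIRECT_PORTS = {6080, 6443}  # GIS server ports named on the slide


def http_status(url, timeout=5):
    """Return the HTTP status code for url, or None if it is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def audit_exposure(public_base, fetch=http_status):
    """Return a list of findings for the base URL that clients use."""
    findings = []
    if urlsplit(public_base).port in DIRECT_PORTS:
        findings.append("public URL points directly at a GIS server port")
    for path, name in ADMIN_PATHS.items():
        status = fetch(public_base.rstrip("/") + path)
        # 401 still counts: the endpoint answers and asks for credentials.
        if status is not None and (status < 400 or status == 401):
            findings.append(f"{name} reachable at {path} (HTTP {status})")
    return findings


if __name__ == "__main__":
    # Constructed stub standing in for a front end that blocks admin paths.
    print(audit_exposure("https://gis.example.org", fetch=lambda url: 403))
```

Run it from a network position equivalent to an ordinary client; an empty list means neither admin endpoint answered there.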

Configuring users and roles in AGS

• Users and roles are retrieved from a user store.

• Authorization is handled in ArcGIS Manager

• Services and folders are made available to Public or to a selection of roles

• Users and roles are also administered in Manager when the built-in user store is used

• Authentication is handled in ArcGIS Server or in the web tier

• ArcGIS Server authentication

• Built-in users and roles

• Users in Active Directory and roles in either Active Directory or the built-in store

• Users in LDAP and roles in either LDAP or the built-in store

• Users in a custom store and roles in the custom or the built-in store

• Web Tier authentication

• Any user store for which the web server has built-in or extensible support

• For example, if your web server has built-in support for Active Directory, LDAP, and custom identity stores, you may use one of the following configurations:

• Users in Active Directory and roles in either Active Directory or the built-in store

• Users in LDAP and roles in either LDAP or the built-in store

• Users in a custom store and roles in the custom or the built-in store

Single machine with reverse proxy

• Advantages

• Complements the single-machine deployment with an extra level of security.

• Disadvantages

• The use of a reverse proxy server can potentially add an overhead to requests to your ArcGIS Server services. This is especially true when leveraging web tier authentication for very large and complex (nested groups or federated) enterprise identity stores.

• Not highly available; the GIS server and reverse proxy server are single points of failure if either go offline.

Single-machine high-availability (active-passive)

• Advantages

• The active-passive failover configuration allows you to build a redundant GIS server tier without incurring additional licensing fees. Standby servers can be licensed at no additional cost.

• Upgrades/changes without downtime

• Disadvantages

• Each site must be administered independently and manually kept in "sync".

• When switching to the standby site, any active requests in the primary site are lost

Single-machine high-availability (active-active)

• Advantages

• Conceptually straightforward. Minimal interdependencies between GIS servers make it easy to replace stale or faulty machines, apply upgrades, or add and remove machines from the pool of GIS servers as needed without interrupting services or aborting requests.

• If map tiles are stored locally on every machine, this configuration provides significant performance advantages as compared to multiple-machine sites. In fact, this configuration is ideal if your objective is to increase the capacity of cached map services.

• Disadvantages

• It is your responsibility to keep all sites in sync. This adds an administrative overhead that can make this deployment pattern impractical for cases where you have many machines or services/caches that change frequently.

• Requires knowledge of third-party load balancers.

• Asynchronous GP services require sticky sessions in the load balancer

Multiple machine deployment with Web Adaptor

• Advantages

• A single ArcGIS Server site provides the means to easily administer ArcGIS Server and its services across a number of machines.

• Easy to adjust the capacity of your site by adding and removing GIS server machines.

• Load balancing is handled among GIS servers.

• Integrate standard organization authentication by using web tier authentication through ArcGIS Web Adaptor.

• Disadvantages

• Use of server directories and data in shared network locations can negatively affect performance of services under heavy load.

• The config store is a SPOF

Multiple machine deployment with Web Adaptors

• High-availability version of the previous setup

Multiple machine deployment with third party load balancer

• Advantages

• A single ArcGIS Server site provides the means to easily administer ArcGIS Server and its services across a number of machines.

• Easy to adjust the capacity of your site by adding and removing GIS server machines.

• Load balancing is handled among GIS servers.

• Can use advanced third-party functionality in the reverse proxy, e.g. IP-filtered access to WMS services

• Disadvantages

• Use of ArcGIS Server directories and data in shared network locations can negatively affect performance of services under heavy load.

• Requires understanding of third party load balancers.

• Does not support web tier authentication. Use the previous setup to support this.

Multiple machine deployment with GIS server clusters

• Advantages

• Integrates with your organization's network load balancer (NLB) and web server through ArcGIS Web Adaptor.

• More secure as administrative URLs to the site can be blocked with ArcGIS Web Adaptor.

• Load balancing is handled at NLB and among GIS servers.

• Single sign on (SSO) can be set up using web-tier authentication on the web server hosting ArcGIS Web Adaptor.

• GIS server machines can be configured to run dedicated subsets of services.

• Disadvantages

• Administrators need to install, set up, and maintain multiple GIS server machines.

• Not ideal for hosting cached map and image services, because the cache is on a shared network directory or duplicated on each machine.

• A cluster can be a single point of failure if it's configured to run on a single GIS server. If the machine goes offline, the services running on the cluster will be unavailable.

• Depending on the number of machines within a site and within a cluster, network bandwidth, and shared network drive performance (where the configuration store and other server directories may be located), this architecture is subject to scalability restrictions. It's recommended that you create single cluster sites (which can have multiple machines) whenever possible.

• Scalability

• A multiple machine site with clusters is subject to scalability restrictions, introduces challenges in isolating issues and troubleshooting, and increases overall network communication. As mentioned above, it's recommended that you create single cluster sites (which can have multiple machines) whenever possible.

Scaling ArcGIS Server

• Scaling of service instances

• AGS scales service instances (arcsoc processes) up and down

• Scaling more machines into a site

• Scaling more sites into a load-balanced configuration

Lifecycle of service instances

• Each service in AGS is configured to have from min to max running instances (arcsoc processes)

• At startup, the min number of instances is started

• When a request to the service is to be handled:

• A free, running instance gets the job. If none are free and the max number of instances is not running, a new instance is started, which then gets the job.

• If the max number of instances is already running, the request is queued until an instance becomes free.

• Requests can time out

• Because the instance doing the job takes too long

• Because it takes too long to start a new instance

• Because the wait for a free instance is too long

• If an instance is idle for an extended period, AGS may stop it to save resources
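
The lifecycle above as a simplified model, added here as an example (not Esri code): it shows which of the three timeout causes a request hits for a given min/max setting. The parameter names (startup, max_wait, max_usage, max_idle), the rule that startup time counts against the wait limit, and the sample requests are assumptions constructed for illustration.

```python
"""Added example: simplified model of the service instance lifecycle."""


def simulate(requests, min_inst, max_inst, startup, max_wait, max_usage, max_idle):
    """requests: list of (arrival, work) in seconds, sorted by arrival.

    Returns (outcomes, peak): one outcome string per request and the
    highest number of instances running at the same time.
    """
    free_at = [0.0] * min_inst      # time at which each running instance is free
    outcomes, peak = [], min_inst
    for arrival, work in requests:
        # Stop instances that have been idle too long, never below the minimum.
        for t in sorted(free_at):
            if len(free_at) > min_inst and arrival - t > max_idle:
                free_at.remove(t)
        idle = [t for t in free_at if t <= arrival]
        if idle:                                # a free, running instance
            free_at.remove(max(idle))
            start, reason = arrival, None
        elif len(free_at) < max_inst:           # room to start a new instance
            start, reason = arrival + startup, "timeout: instance startup"
        else:                                   # max already running: queue
            start = min(free_at)
            free_at.remove(start)
            reason = "timeout: waiting for free instance"
        peak = max(peak, len(free_at) + 1)
        if start - arrival > max_wait:
            free_at.append(start)               # request gives up, instance stays
            outcomes.append(reason)
        elif work > max_usage:
            free_at.append(start + max_usage)   # request cut off at the limit
            outcomes.append("timeout: processing")
        else:
            free_at.append(start + work)
            outcomes.append("ok")
    return outcomes, peak


# Constructed sample load: (arrival second, seconds of work).
SAMPLE = [(0, 5), (1, 5), (2, 1), (2.5, 1), (20, 30), (100, 1)]

if __name__ == "__main__":
    print(simulate(SAMPLE, min_inst=1, max_inst=2, startup=2,
                   max_wait=3, max_usage=10, max_idle=60))
```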

Speed/Response time

How long it takes to perform an operation in the client

Scalability

Being able to maintain the same response time even when several/many users use the solution at the same time

Scalability

We do not want this!

Response time

[Diagram: the components that contribute to response time: ArcMap/Web client, ArcGIS Server, Enterprise Geodatabase, intra/Internet resources and cloud resources, with the labels Network I/O, Disk I/O and SQL]

Available tools

• Mxdperfstat

• System Monitor

• ArcGIS for server statistics

• System Test

• PerfQAnalyzer

• SQL-Trace

• Reports for each layer

• Drawing times

• DBMS statistics

• Recommendations

mxdperfstat

mxdperfstat Demo

mxdperfstat -mxd <DocumentName.mxd>

[-scale scale1;scale2;...]

[-xy <x;y>]

[-width <screen width> -height <screen height>]

A tool for collecting statistics from ArcGIS and the underlying servers

• Requests/sec

• Free instances

• Busy time/request

• Cpu/memory

• database

• +++

System Monitor

System Monitor Demo

• Demo

• New in 10.3

• Analyze usage over time

• Response time

• Total number of requests

• Number of instances

ArcGIS for server statistics

ArcGIS for server statistics Demo

• Demo

• Tool for testing GIS solutions based on ArcGIS for Server

• Used to

• Create realistic tests

• Run tests

• Collects test results and produces a report

System Test

System Test Demo

• Demo

• Tool for performance-testing ArcMap-based solutions

• Measures

• Drawing times

• Editing

• Database activity

PerfQAnalyzer

PerfQAnalyzer Demo

• Demo

SQL Trace

• Can log all SQL statements and report

• Execution time

• Number of rows read

• ++++

• SQLServer (SQL Profiler)

• PostgreSQL (postgresql.conf)

• Oracle (dbms_system.set_ev)

SQL Trace

SELECT 1 SHAPE, Element, N5_OSLO_TEKST5000TEKST.OBJECTID,

..

..

FROM

GEONIS.N5_OSLO_TEKST5000TEKST N5_OSLO_TEKST5000TEKST WHERE

SDE.ST_EnvIntersects(N5_OSLO_TEKST5000TEKST.SHAPE,:1,:2,:3,:4) = 1 AND

((NOT Status = 1 OR Status is NULL))

call count cpu elapsed disk query current rows

------- ------ -------- ---------- ---------- ---------- ---------- ----------

Parse 0 0.00 0.00 0 0 0 0

Execute 1 0.00 0.00 0 0 0 0

Fetch 3 0.01 0.07 0 280 0 289

------- ------ -------- ---------- ---------- ---------- ---------- ----------

total 4 0.01 0.08 0 280 0 289

Where are the tools?

• http://www.arcgis.com/home/item.html?id=a269d03aa1c840638680e2902dadecac (mxdperfstat)

• http://www.arcgis.com/home/item.html?id=848f48b0f88e4de7a036377197453efe (System Monitor)

• http://www.arcgis.com/home/item.html?id=e8bac3559fd64352b799b6adf5721d81 (System Test)

• http://blogs.esri.com/esri/supportcenter/2014/02/03/calibrating-arcgis-performance-with-perfqanalyzer-new-build-available-for-download/ (PerfQAnalyzer)

Thank you!