unary /ˈjuːnəri/ adj. [math] unary; of a single element
unary or streaming
Nameko: the nameko mushroom; a Python RPC framework. mushroom: fungus
Nameko takes its name from the Japanese mushroom, which grows in clusters.
it’s limited to what is useful in the realm of microservices
Anatomy /əˈnætəmi/ n. dissection; the science of anatomy; analysis; skeleton
Anatomy of a Service
Entrypoints are gateways into the service methods they decorate. They normally monitor an external entity, for example a message queue. On a relevant event, the entrypoint may “fire” and the decorated method would be executed by a service worker.
Nameko is built on top of the eventlet library, which provides concurrency via “greenthreads”. The concurrency model is co-routines with implicit yielding.
Tweak: to twist; to adjust
Each worker executes in its own greenthread. The maximum number of concurrent workers can be tweaked based on the amount of time each worker will spend waiting on I/O.
Inherently adv. intrinsically; innately; by nature
Workers are stateless so are inherently thread safe, but dependencies should ensure they are unique per worker or otherwise safe to be accessed concurrently by multiple workers.
enclose vt. to surround; to put in; to place in an envelope
Each service class is delegated to a ServiceContainer. The container encapsulates all the functionality required to run a service, and also encloses any extensions on the service class.
Simultaneously /ˌsɪmlˈteɪniəsli/ adv. at the same time
ServiceRunner is a thin wrapper around multiple containers, exposing methods for starting and stopping all the wrapped containers simultaneously.
ship with: to include; to come bundled with
Nameko ships with a command line interface to make hosting and interacting with services as easy as possible.
The HTTP entrypoint is built on top of werkzeug, and supports all the standard HTTP methods (GET/POST/DELETE/PUT etc)
Slack: loose; not taut
Nameko extension for interaction with Slack APIs. Uses Slack Developer Kit for Python.
Agnostic /æɡˈnɒstɪk/ adj. of agnosticism; skeptical n. an agnostic
The examples below use pytest, which is what Nameko’s own test suite uses, but the helpers are test framework agnostic.
circumstance n. environment; situation; shim: thin spacer
In some circumstances it’s helpful to provide an alternative dependency, rather than use a mock. This may be a fully functioning replacement (e.g. a test database session) or a lightweight shim that provides partial functionality.
Monolith /ˈmɒnəlɪθ/ n. single block of stone; colossus
Microservices are usually described in contrast to a “monolith” – an application built as a single unit where changes to any part of it require building and deploying the whole thing.
Eloquently /ˈeləkwəntli/ adv. persuasively; expressively
There are many benefits as well as drawbacks to using microservices, eloquently explained in Martin Fowler’s paper. Not all of them always apply, so below we’ll outline some that are relevant to Nameko.
Mitigate vi. to lessen; to ease off
RPC calls are more expensive than in-process method calls. Processes will spend a lot of time waiting on I/O. Nameko mitigates wastage of CPU cycles with concurrency and eventlet, but the latency of each call will be longer than in a monolithic application.
Coarse-grained APIs
coarse /kɔːs/ adj. rough; vulgar; inferior
The overhead and lack of transactions between service calls encourages coarser APIs. Crossing service boundaries is expensive and non-atomic.
in isolation: separately; on its own
Separating these concerns makes it easier to test service code in isolation. That means you don’t need to have a memcached cluster available when you test your caching service. Furthermore it’s easy to specify mock responses from the memcached cluster to test invalidation edge cases.
glitch: minor fault; malfunction
Separation also stops test scopes bleeding into one another. Without a clear interface between the caching service and the machinery it uses to communicate with memcached, it would be tempting to cover network-glitch edge cases as part of the caching service test suite. In fact the tests for this scenario should be as part of the test suite for the memcached dependency. This becomes obvious when dependencies are used by more than one service – without a separation you would have to duplicate the network-glitch tests or seem to have holes in your test coverage.
subtle /ˈsʌtl/ delicate; fine; sensitive; thorny /ˈθɔːni/ prickly; tricky; painful; vexing; bespoke /bɪˈspəʊk/ made to order; custom-made
A more subtle benefit manifests in larger teams. Dependencies tend to encapsulate the thorniest and most complex aspects of an application. Whereas service code is stateless and single-threaded, dependencies must deal with concurrency and thread-safety. This can be a helpful division of labour between junior and senior developers.
Dependencies separate common functionality away from bespoke application logic. They can be written once and re-used by many services. Nameko’s community extensions aims to promote sharing even between teams.
Eventlet is a Python library that provides concurrency via “greenthreads”. You can check more details on how it’s used by Nameko in the Concurrency section.
interoperability: the ability to operate together; the ability to be used together
Language interoperability can also be achieved exposing an HTTP endpoint and having a task that requests it (webhooks).
Celery /ˈseləri/ celery (the vegetable); myriad /ˈmɪriəd/ countless; of many kinds
Celery requires a message transport to send and receive messages. The RabbitMQ and Redis broker transports are feature complete, but there’s also support for a myriad of other experimental solutions, including using SQLite for local development.
cryptography /krɪpˈtɒɡrəfi/ n. the study of ciphers; the use of ciphers
Apache Shiro™ is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.
Shiro provides the application security API to perform the following aspects (I like to call these the 4 cornerstones of application security):
Authentication - proving user identity, often called user ‘login’.
Authorization - access control
Cryptography - protecting or hiding data from prying eyes
Session Management - per-user time-sensitive state
auxiliary /ɔːɡˈzɪliəri/ supporting; secondary; additional; (of an engine, equipment, etc.) backup
Shiro also supports some auxiliary features, such as web application security, unit testing, and multithreading support, but these exist to reinforce the above four primary concerns.
obtuse /əbˈtjuːs/ slow-witted; blunt-ended; not sharp
we were pretty much stuck with the Java Authentication and Authorization Service, otherwise known as JAAS. There were a lot of shortcomings with JAAS - while its authentication capabilities were somewhat tolerable, the authorization aspects were obtuse and frustrating to use. Also, JAAS was heavily tied to Virtual Machine-level security concerns, for example, determining if a class should be allowed to be loaded in the JVM. As an application developer, I cared more about what an application end-user could do rather than what my code could do inside the JVM.
landscape: scenery; cohesive /kəʊˈhiːsɪv/ cohering; binding; tightly joined; adhesive
So looking at the security landscape of early 2003, you can quickly realize that there was nothing that could satisfy all of those requirements in a single, cohesive framework. Because of that, JSecurity, and then later, Apache Shiro, was born.
compelling adj. attention-grabbing; convincing; very strong; irresistible
The framework landscape has changed quite a bit since 2003, so there should still be a compelling reason to use Shiro today.
novice /ˈnɒvɪs/ beginner; newcomer
Easy To Use - Ease of use is the project’s ultimate goal. Application security can be extremely confusing and frustrating and thought of as a ‘necessary evil’. If you make it so easy to use that novice programmers can start using it, it doesn’t have to be painful anymore.
breadth /bredθ/ width; extent; broad-mindedness
Comprehensive - There is no other security framework with the breadth of scope that Apache Shiro claims, so it can likely be your ‘one stop shop’ for your security needs.
mandate: authorization; trusteeship; predecessor /ˈpriːdəsesə(r)/ previous holder of a post; senior
Flexible - Apache Shiro can work in any application environment. While it works in web, EJB, and IoC environments it does not require them. Nor does Shiro mandate any specification or even have many dependencies.
Shiro and its predecessor JSecurity has been in use for years in projects for companies of all sizes and across industries.
Realm /relm/ domain; scope; kingdom
Core Concepts: Subject, SecurityManager, and Realms
the word Subject is a security term that basically means "the currently executing user". It's just not called a 'User' because the word 'User' is usually associated with a human being. In the security world, the term 'Subject' can mean a human being, but also a 3rd party process, daemon account, or anything similar. It simply means 'the thing that is currently interacting with the software'. For most intents and purposes though, you can think of this as Shiro’s ‘User’ concept.
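counterpart: duplicate; matching item; a person or thing closely resembling another; counterparty: the other party (to a contract or financial transaction); contract counterparty; trading counterparty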
The Subject’s ‘behind the scenes’ counterpart is the SecurityManager.
While the Subject represents security operations for the current user, the SecurityManager manages security operations for all users. It is the heart of Shiro’s architecture and acts as a sort of ‘umbrella’ object that references many internally nested security components that form an object graph. However, once the SecurityManager and its internal object graph is configured, it is usually left alone and application developers spend almost all of their time with the Subject API.
To that end: for that purpose; denominator /dɪˈnɒmɪneɪtə(r)/ [math] denominator of a fraction; one that names; a shared trait or property; average level or standard
To that end, Shiro provides a default ‘common denominator’ solution via text-based INI configuration. INI is easy to read, simple to use, and requires very few dependencies.
intricacy /ˈɪntrɪkəsi/ intricateness; complexity; difficulty of understanding
For the purposes of this introduction, it is not important to understand the intricacies of each section, but rather to see that INI configuration is one simple way of configuring Shiro.
constituent: component; ingredient
Load the INI configuration that will configure the SecurityManager and its constituent components.
The third and final core concept in Shiro is that of a Realm. A Realm acts as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. That is, when it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.
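principal adj. main; of capital n. chief; school head; capital (sum); party concerned; credential n. certificate; proof of entitlement; diplomatic letter of credence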
A common example of this process that everyone is familiar with is that of the username/password combination. When most users login to a software application, they usually provide their username (the principal) and their supporting password (the credential). If the password (or representation of it) stored in the system matches what the user specifies, they are considered authenticated.
beg: to ask for alms; to plead; to evade the issue
That begs the next question, “how do I control what the user is allowed to do or not?” Deciding what users are allowed to do is called authorization. We’ll cover how Shiro enables authorization next.
flaw: shortcoming; blemish
Permission checks are another way to perform authorization. Checking for roles as in the example above suffers from one significant flaw: you can’t add or delete roles at runtime. Your code is hard-coded with role names, so if you changed the role names and/or configuration, your code would be broken! If you need to be able to change a role’s meaning at runtime, or add or delete roles as desired, you have to rely on something else.
adhere to: to stick to; to cling to; to support, to follow; paradigm /ˈpærədaɪm/ n. model example; table of word inflections
The “user:create” string is an example of a permission string that adheres to certain parsing conventions.
Shiro enables a Session programming paradigm for any application - from small daemon standalone applications to the largest clustered web applications. This means that application developers who wish to use sessions are no longer forced to use Servlet or EJB containers if they don’t need them otherwise. Or, if using these containers, developers now have the option of using a unified and consistent session API in any tier, instead of servlet or EJB-specific mechanisms.
implication n. meaning; hint; involvement, entanglement; likely consequence, effect
But perhaps one of the most important benefits of Shiro’s sessions is that they are container-independent. This has subtle but extremely powerful implications.
obfuscate /ˈɒbfʌskeɪt/ vt. to make unclear; to bewilder; to darken; pry: to snoop; to probe
Cryptography is the process of hiding or obfuscating data so prying eyes can’t understand it. Shiro’s goal in cryptography is to simplify and make usable the JDK’s cryptography support.
tamper /ˈtæmpə(r)/ to meddle with; to damage; transit /ˈtrænzɪt; ˈtrænsɪt/ transport; passage
For example, let’s consider the relatively common case of MD5-hashing a file and determining the hex value of that hash. Called a ‘checksum’, this is used regularly when providing file downloads - users can perform their own MD5 hash on the downloaded file and assert that their checksum matches the one on the download site. If they match, the user can sufficiently assume that the file hasn’t been tampered with in transit.
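Cipher: code; secret sign; reversible: invertible; able to be undone; able to be turned back; susceptible /səˈseptəbl/ easily affected; easily moved; admitting of ...
beast: wild animal; tame /teɪm/ to domesticate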
Ciphers are cryptographic algorithms that can reversibly transform data using a key. We use them to keep data safe, especially when transferring or storing data, times when data is particularly susceptible to prying eyes.
If you’ve ever used the JDK Cryptography APIs, and in particular the javax.crypto.Cipher class, you know that it can be an incredibly complex beast to tame.
aforementioned: stated above; mentioned earlier
This filter can read the aforementioned shiro.ini config so you have a consistent configuration experience regardless of deployment environment.
succinct /səkˈsɪŋkt/ concise; brief and clear; close-fitting; backed adj. having a back; financially supported
If you wanted to, you could define only the Shiro Filter in web.xml and define all of your other filters and filter chains in shiro.ini for a much more succinct and easy to understand filter chain definition mechanism than web.xml.
That is, when you call the methods subject.getSession() and subject.getSession(boolean) Shiro will return Session instances backed by the Servlet Container’s HttpSession instance.
harness /ˈhɑːnɪs/ daily routine work
Test harness support, making it very easy to have full testing of Shiro secured-code in unit and integration tests
As much as we might like it to be, Apache Shiro is not a ‘silver bullet’ - it won’t solve every security problem effortlessly. There are things that Shiro does not address that might be worth knowing
Captcha /ˈkæptʃə/ (verification code) support
Coarse /kɔːs/ rough; vulgar; inferior
Coarse-grained authorization via an AuthorizationRequest.
round out: to complete
Additional web support and auxiliary features like multithreading and test support round out the framework to provide what could be your ‘one stop shop’ for application security.
Apache Shiro is a powerful and easy to use Java security framework that offers developers an intuitive yet comprehensive solution to authentication, authorization, cryptography, and session management.
facet /ˈfæsɪt/ aspect; keeping out of the way: not being a hindrance; hands off: non-interfering; do not touch; leave alone
In practical terms (in fact; in practice), it achieves to manage all facets of your application’s security, while keeping out of the way as much as possible. It is built on sound interface-driven design and OO principles, enabling custom behavior wherever you can imagine it. But with sensible defaults for everything, it is as “hands off” as application security can be. At least that’s what we strive for.
What can Apache Shiro do?
bloat /bləʊt/ to cause to swell
A lot. But we don’t want to bloat the QuickStart.
Also, if you’re curious on how we got started and why we exist, please see the Shiro History and Mission page.
nomenclature /nəˈmeŋklətʃə(r)/ system of naming; terminology
Also, in the security world, the term Subject is actually the recognized nomenclature.