Driven, detail-oriented, but pragmatic self-motivated engineer with extensive experience building highly scaled distributed Java applications. Relentlessly innovating and aggressively pursuing quality in my and my team's deliverables. Open minded and active mentor for my peers. Always striving for the best customer experience and success.
About the talk
When building mobile or web apps, developers have two options to interact with APIs: REST and GraphQL.
Hear the advantages and disadvantages of both approaches. The session also articulates how Google Cloud, with Apigee API management, supports the growing community of GraphQL developers set to leverage the technology in an enterprise setting.
Speakers: David Feuer, Miguel Mendoza
Google Cloud Next ’20: OnAir → https://goo.gle/next2020
product: Apigee; fullname: David Feuer, Miguel Mendoza;
event: Google Cloud Next 2020;
Hello and welcome to APIs 302: GraphQL, building a consistent approach for the API consumer. My name is Dave Feuer, the head of global platform strategy at Apigee, a part of Google Cloud Platform, and I'm joined today by Miguel Mendoza, Elite architect. Today, we're going to go over what is GraphQL, what it's good for and what are the symbol? The expected features that are missing from GraphQL. Secondly, we're going to go over consistency. What's the point of consistency and walk through? And then translating got two graphs you out last
night? How we would implement for this on top of Apigee benefits. These benefits I would bring them down to three key areas. The fact that there's a single endpoint. The granularity. Planning all that is super straight. Boarding route to El II is an incredibly powerful query language that prevents overfetching and underfetching of data as opposed to a say in REST, when I need therapy after me sequential, to a client library, no longer only the domain of the reaction UI
framework, but it's also available for other client libraries, other languages, compared to most developers today. So why is it everywhere? I think developer programs are frequently separated from API programs, developer programs, external facing or interfacing between business units. So that the author of the server and client are different in a p is the author of the client-server people or the same person I would be part of that has to do with your API as opposed to API programs which are typically in infrastructure strategy driving in Chopper building and decomposition of your internal
infrastructure. So what are the benefits of God? Has multiple different endpoints and then you are also used as a logical resource manager for different types of API endpoint and longer and larger screws for customer data and calculate. All the different value in different type of the dishes that you would normally see in the stupid. You are all the rest and interactions rescues in HTTP verbs than generally uses JSON, XML in order to not be. So, there's no first written language on which makes it much
easier for client. What does a significant difference in the interaction mechanism, documentation frequently graphical a playground in order to interact with schema based on actual endpoints? And then of course, my discovery perspective, the portal is the playground in REST where a customer would normally go a developer would normally go to discover and interact with REST APIs. North understand how they work in Grass. To all the portal. Actually is a built-in playground that accommodates development almost like a built-in IDE and so is what it is for new
prison and you think like a position in order to discover this place in order to learn how to use them better. And so we're not here to talk about whether you use grab to arrest and I think one of the best ways to do that In the market, this is something that we really see working really well as a number of customers. And so we wanted to bring those to you so that you could leverage them and understand what those are. The basis of his philosophy is that APIs of digital products. APIs are a way for enterprises to take
it out. That's and put it in the hands of developers. Whether the developers are internal employees, partners or external customers in order to grow the company's leverage of those assets because if you thought we were lying developers, having a consistent experience in order to understand how to use and build a compelling experiences, they need in order to bring your assets to market. And so consistency is incredibly important because developer Fortune is a it is a huge Alan in adoption of digital.
Consistency and gravity, well, really starts with well, phone's back to Al and I think we can learn a lot about that from the rest. You never expected to be complete by Department. That sounds like it would be a resource, right? Until that is what we can go look like the job functions with your books and titles, and authors and treatments graphical. The way it should be treated as opposed to treating it as a functional hierarchy. And so the first recommendation we have is that you should be dead
or answered a graph hierarchy is fun. Second recommendation has to do with submitting and retrieving data. Those are not always weird operations. We frequently see in the wrestler that you are ass, right? We see retrieving data from multiple services and service architecture, being completely separate from how to submit that data. And so we think about how to do things can get very complex and very quickly especially when there's a lot of different types and especially when submitting very little. And so, don't be afraid of CQRS. Many of you have heard of speech, you'll have to just
come in here, responsibility segregation. It's a design pattern that was first identified by Martin Fowler and it fundamentally. It's just a different model to update information to a program. Especially in large enterprises, especially those enterprises that already have REST, is that you get the advantage of using arrest based running better at reading that I was going to hell. Leveraging existing REST API in order to submit that data to your backup. Duster pad on. I'd like to talk about is optimizing for usability, you know, interests. We think a lot about our
nation, still touring and creating consistently, posting them predict with the behavior will be up and I know how they interact with this. Well, in GraphQL we should be doing the same thing. The challenge in large enterprise deployments is that when it comes to schema stitching frequently different business units, different lines of business are developing different outfits, the schema and then stitching that together in order to look like one comprehensive representation of the behavior that
prevent it was built as an eternal API and input in all the uniform behavior that you would expect. And avoiding situations where the developer. Refused. Why is the behavior of different in one part of the schema? There is another part of the schema and take it to court in one way, you don't always realize that when you submitted in and look for the email, it got recorded another way. So we are even a larger surface area of challenges optimizing for usability and API proposition to be particularly afraid, they're conscientious, of the
way. You develop into a mutation in GraphQL last week because this is something that Miguel and I have experienced, personally feel banks with the same name in different parts of the schema. So if there is a name field in one part of the schema, has the last name, Laughing. First name that is developer hostile. You are not treating your developers the way they expect to be requested it the way they expect to be treated and your developers will freak
you frequently experience developer because your developers will struggle to adopt where and when it makes sense, unless we optimized for usability as a customer, they are because you want your crap to really see I use. And you wanted to get the market There are challenges and crafts. You add appointment. And I'm going to go over these challenges very quickly because I think we're all still here with them often. See authorization authentications, a huge challenge. As you know, the
graph to affect delegates, often be to the business logic layer, which means that is typically not handled by the GraphQL server. Throttling at the challenge, there's no standard like we seeing if you have product division for treating different levels, in different years of service, a different access to different API. Developer is analytics, which means leveraging its product is the level of business, analytics, as opposed to just operational metrics is not something that possible. And we don't understand how a person works and GraphQL and
how particularly to address the needs of clients using different versions of different emails in order to implement their application. So now you know what to do, have you do it for that like to introduce Miguel How much is a highly extensible? A customizable platform is grayed out of the box features but they're always do other things for their support for Health Care is open. Bacon support for financial services companies and much more. I'd like to hand over to Miguel. Miguel, take it away
on the last site would have the app developer portal. And indeed, we have the graphical playground embedded within the app and Isabella purple. Next, we have the app which is fronting, Apollo GraphQL, the Apollo GraphQL server, it's running in Cloud Run within the Apollo GraphQL server there. Also a couple of IBD plugins that send logging and trace data to GCP. We're going to dive into each of these components let the right one at a time. Let's go ahead and get started. First, let's go
and take a look at the developer portal. I already have navigated to develop report also going to go to that that here in a little bit portal. This is a portal that has the GraphQL playground embedded as you can see here, the playground has already been loaded with any point in point is the IBM point that fronts the Apollo GraphQL server. We can take a quick look at the docs time and we'll see the schema that has been loaded into the playground, right? But take a look at it. So this schema represents a company that aggregates trail and lift data for ski resorts.
You can see the top level, we have a ski resort and within the ski resort type, we have different formation and some of the information needs trails and lift data. Let me show you a quick diagram that shows this schema. You can see here at the resort type and then over that, we have to do something to you. That this is the reading or the credits, there's also a mutation schema, but I want you like that will do that later. So let's head back into the water bottle. Let's run a query that lists all the resorts that are available. So, we do a query list. All
resorts and 43 sword. Let's just pull the name of the resort and we can run this query. And you can see that we have three resorts Kirkwood Sierra inherently. Now, if I keep trying to describe a multiple times to see what happens, Is he and we are never. So we have a real emulator. This is Apigee that has detected that the client has sent too many requests over a certain period of time today, quota policy and Apigee rejected the call. So how do we get around this way to get around? This is to actually get an API key and maybe make a call using a specific API key that has a
higher entire entitlement in terms of calls per minute. A PG-13 rating from that address. So let's go ahead and log in, so we can create I already have an account that I created earlier, so I'm just looking for that account. Now, let's go ahead and create an app. And I'm going to call my app eater, a nap. And for this app, I'm going to select a GraphQL Bronze API product. This product has a higher entitlement, so that I will be able to make calls without being worried so much
about the number of calls per minute. Now, I should be able to get the API key from this app. Right? So here we have the new house that was created and we'll grab the API key for the consumer and the consumer secret. I got to go open the Dracula Play on YouTube that way I can just copy places by me over there. So let me call you later because my key. So this is a widget that we have added expressly for this purpose. So let's get down here and let's have the Atlantic So, we're not going to be next week
in secret secret. And let's go back in here and paste the consumer secret and you can also see the scopes that are going to be requested. So basically we're going to be doing and we're going to be requesting a token that has introspection and reader scopes. Look at it looking I was talking to this talk and came from Apigee itself and we can take a look at it and we have the reader scope. Now, we should be able to run this query. Multiple times with this token, that we just got you some day. And you can see now
that we're not hitting this me a limit that we were hitting earlier. So we're not getting that are anymore so you can see that since we got a PhD and we were able to get that there is going to wait what if we want to do something else. And I would say we wanted to add a resort today into the current data set for the mutations. So if you look at mutations, we have a resort mutation. And if you want to create a resort, in this case, this file is more like eight year olds like, addressed crawled example.
And you can see the greatest art, mutation kid, takes any Curry Resort and this is, this is. So, let's go ahead and do this. One more thing noticed that it's the command to hear that in order to your round a resort mutation, you need this site admin scope. You'll see how that comes into play in a second. Let's try to run a mutation for creating a resort. Create new resort. And this is going to be that sort of mutation and under the resort mutation. We're going to go on create.
And for create, we're going to pass an input. And this input we're going to give the name of the resort that say, this is going to be North Star. And a base elevation that says 6300 feet. And a summit elevation 8500 feet, and after we created a new resort, let's let's pull up the name of the resort. Best Buy around this now. And hopefully. So again this is Apigee returning there. This is not coming from the back end GraphQL server. Apigee says hey, you're not authorized to create a resort, you don't have access to these fields. So you don't you can't access
the resort mutations and the resort mutation create. So the fields are not authorized with the current Nakia that I have. How to make this work, obviously the token that we have, right now. Let's take a look at it again, this token. It only has disney-owned to school to introspection and reader scopes and in order to be able to run this mutation, according to date invitation, we need the site admin scope. So, in order to get a token to have to have access to a product that offers that the oversoul Scopes products.
So, if you go back into the after we create earlier this apples to scratch to a gas grill, brussel sprouts, Brown product does not offer for it to have access to another. And this gives us a higher level of access in terms of different part of the scheme of the witching access and this has already been approved and is unable to use the key and secret for you. How do you spell rap? I just got the consumer key and bring it over here. Thank look at the secret.
And finally listening to scope to site admin. So this scope will give us access to a different part of the schema. How to get a token and we have a new hopefully now we just need to talk and we should be able to make the call to create a new resort. That's great. And you can see the call was successful and we can verify that it was successful by listing all the resorts and let's do that. So we can all resorts in the name of all the resorts and you can see here. All right, so you have seen important
that the top of the existing of geotagging first use of throttling and then you saw field-level authorization. Now let's tend to see how that is done within Apigee. Let me bring up the architecture diagram, just to remind me why we are. So we're looking so far at the developer portal. Next, we're going to look at the, a p. A p. I day, wait to see how those situations were actually happening. Let's head over to the a p e r y. It's so here. This is the proxy that was driving the entire experience you, but you seem so far. The first policy
that you can see here, these are coarse-level authorization policies. It's just saying Hey do you even have a token that allows you to call me ASAP? I then we have the policy that checks whether or not the current year, has the correct level of access for the field within the specific query. Or the specific mutation that's being sent to the GraphQL server. You can see this, policy has been configured with a default value of 5 calls per minute. This is, in fact, the behavior. So initially when I was
making those first calls together is a resource later. Once I get in and subscribe, my app to the Browns or the GraphQL Bronze API product. I was able to make more calls and that's Define outside, that's if I need the product yourself. So you can look at the GraphQL Bronze product, you can see that the GraphQL Bronze product has defined a quota of 30 requests for me. Next. Let's look at how the fine-grained authorization was working here, you can see in the GraphQL Bronze product that I have defined a set of alarm or Scopes this or introspection and reader scope.
I also have the other product which was the executive Platinum, which has an even bigger set of all Scopes. In addition to introspection and reader scope is Gap. Resort at me and Resort phone number. We used site admin when we went, we went to create the new resort. So this is great. You can see how you're able to manage both the SLA, the throttle level, and the finder, another addition to the grassy Land Point, always using the concept of API products. Now, you may be asking yourself how are these scopes being translated to individual fields in the back end,
let's take a look at that next to an actual setup. Feels when I meant to do that, we have a mapping of scopes to fields in Apigee itself and let's take a look at that KVM. So this is starting here and let me open it so you can see For each scope, I have listed here, the entitlement or the set of fields that this scope is allowed to access. And in the case of her earlier, we were using the site admin scope and you can see the site admin has access to mutation Resorts and vacation
resorts wildcard, which means that if you had the site admin scope, your token is allowed to access any of this. Type winning the Orioles game. Alright, so let's go back to the proxy and put it all together. The first policy around since the operation policy, this is coarse-level authorization, it just checks. Hey, do you have a token and and once you have that strikes, the feel so bad. If I said this token is allowed to access the proxy itself. It doesn't check individual fields but it extracts the scopes. Then you had the quota policy that are you still within
your walls limits and then you have the fine-grained authorization policy for this fine-grained authorization policy. You basically takes the scope that was associated with a token that came in and converts that scope to a set of entitlements or a set of fields. And it checks that the entitlements for the set of fields that are allowed for this token satisfy all the fields that came in a specific mutations. And if that's the case, then I will go ahead and let it go through and go to the GraphQL back end. And if not, then Apigee returns an error. Next, cycle over to the
actual GraphQL back end Silver Spring update architecture diagram. So, the call came in from the developer portal. How do I get the app for security coarse-level and fine-grained field-level authorization, it also totally checks and then it sent to call over to the actual Apollo GraphQL server in GCP in Cloud Run. And waiting here, I have a whole server. I have had a couple that you plug in that allow you to send data over to GCP Cloud Logging and also to Cloud Trace and this
does not affect the runtime of the main call itself. Here I have the GCP log viewer and I'm showing the create new resort mutation that we ran earlier. You can see the actual payload for a limitation on his Big. Lots. That's what does The X stand for this mutation? So, here is this. 3% and individual query or mutation that has been sent to the Apollo GraphQL server. And I haven't said, I could already hear the mutation that was run to create the Northstar. So you can see the
trace information shows how long it took to fetch each individual field in that mutation. This is all data that is produced by Apollo itself, and is being shipped off to Google Cloud and shown here in the face. So this gives you a good view of the individual timing and trace information for specific queries. What if you want more information or over time information of the data itself, Apigee collects information for every request that comes through the system. So let's go over and take a look at some of that. Give me some sloppy. Joe here. I have created a custom reporting
Apigee. That takes a look at the individual fields that were fetched for queries over time. And also mutation pass through the Apigee gateway with the time information provided by Apollo itself, you can see that it shows different fields how many times each of those fields have been fetched and retrieved, those fields client know which kinds of requests, what kind of fields if I could drill down into one of this, so you can see here that the different apps, for example, afraid to taking
app is requesting, you know, some traffic over here and then the traffic for David. Hopefully, this gives you an idea of how powerful both combining Apigee and rated 12 for the traffic going to regret Fuel Center. That's it for now, thank you. If you use Apigee, the manager, if you are, you're one step closer to your destination. Go download, the GraphQL, get up there, and play with it. We love to hear feedback. If you're not an Apigee user go to apigee.com, try out the free version of Apigee, use dropped you earlier, don't and do cool stuff. We love
to hear about that as well. And lastly, if you're a GraphQL user, I want to learn about the best place to build APIs. Google Cloud, Cloud Run is an awesome back in a few craft to a service application, definitely check it out. Thank you so much for your time today. I will look forward to seeing you and hearing from you throughout the week.