Authentication based server side load balancing

[CarsonCook]

As a
Zowe conformant application developer
I can
Call my application's API with Zowe authentication through single instance of API Gateway and always get to the same instance of my service for a given period of time.
So that I can
Protect against additional user-related address spaces spawned by my application without changing its code.

This will mean to implement:
A balancing bean that:
Recognizes requests by Zowe authentication - User level. User has multiple JWT's so we have to understand who is calling.
Unauthenticated requests? - Per Carson's response, unauthenticated requests should be plain round robin
If there is auth and no preference, routes the request to round robin and stores preference.
If there is auth and exists preference, routes the requests to the same instanceId as the preference
Lifecycle: Expiry of preference after configurable time period is exceeded since last request

Tasks

• Create AuthenticationBasedPredicate predicate within org.zowe.apiml.gateway.ribbon.loadbalancer.predicate package - @balhar-jakub
• Create a new PostStoreLoadBalancerCacheFilter that stores the information about the selected instance if the service is configured to keep this information. - @taban03
• Update AuthenticationBasedPredicate to support expiration date - @taban03
• Update org.zowe.apiml.gateway.ribbon.loadbalancer.LoadBalancingPredicatesRibbonConfig to create the predicate if enabled via instance.metadata.apiml.lb.authenticateBased=enabled - @balhar-jakub
• Update org.zowe.apiml.gateway.routing.ApimlRoutingConfig to conditionally create PostStoreLoadBalancerCacheFilter if enabled via instance.metadata.apiml.lb.authenticateBased=enabled - @taban03
• Create LoadBalancerCache in org.zowe.apiml.gateway.cache exposing methods to store combination of username, serviceId and userId - @balhar-jakub
• Create functional test for the whole solution - @balhar-jakub
• Create documentation - @taban03 (waiting for review)

Acceptance Criteria

• When authenticated I end on the same southbound instance if required by service

[balhar-jakub]

AuthenticationBasedPredicate - Figures out whether a user is authenticated. If the user is authenticated look for an instance to use. If there is such an instance, verify whether it's not in the cache for too long. If it isn't verify that this is the selected instance.

PostStoreLoadBalancerCacheFilter - Looks whether the service requires a sticky session. Figures out whether the user is authenticated. If the user is authenticated and there is no instance in the cache stores the selected instance in the cache.

LoadBalancerCache - Provide a method to store instance info and retrieve the instance info.

[jandadav]

The concept of this implementation looks like this: