RESTful APIs with Tastypie

...or...

How I learned to stop worrying and love the JSON

Who am I? • Daniel Lindsley

Who am I? • Daniel Lindsley • Consulting & OSS
as Toast Driven

Who am I? • Daniel Lindsley • Consulting & OSS
as Toast Driven • Primary author of Tastypie

What is Tastypie? • A REST framework for Django

What is Tastypie? • A REST framework for Django •
Designed for extension

Designed for extension • Supports both Model & non-Model data

Designed for extension • Supports both Model & non-Model data • http://tastypieapi.org/

Philosophy

Make good use of HTTP

Make good use of HTTP Try to be “of the
internet” & use the REST methods/status codes properly

Graceful Degradation

Graceful Degradation Try to keep backward compatibility & give users
a gradual upgrade path

Flexible serialization

Flexible serialization Not everyone wants JSON

Wait. Scratch that.

Flexible serialization Not everyone wants JSON

Flexible EVERYTHING

Flexible EVERYTHING Customizability is a core feature

Data can round-trip

Data can round-trip Anything you can GET, you should be
able to POST/PUT

Reasonable defaults

Reasonable defaults But easy to extend

URIs everywhere!

URIs everywhere! Make HATEOAS a reality

HATEOAS?

Gesundheit!

HATEOAS • “Hypermedia As The Engine Of Application State” •
Basically, the user shouldn’t have to know anything in advance • All about explore-ability • Deep linking • http://en.wikipedia.org/wiki/HATEOAS

So what about Tastypie?

Pie? Pie? Pie? Pie? Pie? Pie? Pie? Pie?

He can’t haz.

He can’t haz. But you can!

Tastypie • Builds on top of Django & plays nicely
with other apps • Full GET/POST/PUT/DELETE/PATCH • Any data source (not just Models) • Designed to be extended

Tastypie (cont.) • Supports a variety of serialization formats •
JSON • XML • YAML • bplist • Easy to add more

Tastypie (cont.) • HATEOAS by default (you’ll see soon) •
Lots of hooks for customization • Well-tested • Decently documented

The Setup

Installation pip install django-tastypie

Installation (cont.) INSTALLED_APPS += [‘tastypie’]

Installation (cont.) $ ./manage.py syncdb

Let’s add an API for django.contrib.auth

High-Level 1. Code goes in our apps, not Django

High-Level 1. Code goes in our apps, not Django 2.
Deﬁne the resource for User

High-Level 1. Code goes in our apps, not Django 2.
Deﬁne the resource for User 3. Hook up that resource in your URLconf

1. Don’t fork Django! No, seriously. You don’t need to.
Done.

2a. Setup # Assuming we’re in your project directory... $
cd <myapp> # Substitute your app_name here. $ mkdir api $ touch api/__init__.py $ touch api/resources.py # Done!

2b. User Resource from django.contrib.auth.models import User from tastypie.resources import
ModelResource class UserResource(ModelResource): class Meta: queryset = User.objects.all()

3. URLconf # In your ``ROOT_URLCONF``... # Stuff then... from
tastypie.api import Api from <myapp>.api.resources import UserResource v1_api = Api() v1_api.register(UserResource()) urlpatterns = patterns(‘’, (r’^api/’, include(v1_api.urls), # Then the usual... )

HTTP 201

Hit your new API. Curl: http://localhost:8000/api/v1/ Browser: http://localhost:8000/api/v1/?format=json

Demo-time.

What’s there? • /api/v1/ - A list of all available
resources • /api/v1/user/ - A list of all users • /api/v1/user/2/ - A speciﬁc user • /api/v1/user/schema/ - A deﬁnition of what an individual user consists of • /api/v1/user/multiple/1;4;5/ - Get those three users as one request

What’s there? (cont.) • All serialization formats available* • curl
-H “Accept: application/xml” http://localhost:8000/api/v1/ user/ • http://localhost:8000/api/v1/user/2/? format=yaml * Provided lxml, PyYAML, biplist are installed.

What’s there? (cont.) • Serialization format negotiated by either Accepts
header or the ”? format=json” GET param • Pagination by default • Everyone has full read-only GET access

What’s not there? (Yet) • Leaking sensitive information! • email/password/is_staff/is_superuser

• Ability to ﬁlter

• Ability to ﬁlter • Authentication / Authorization

• Ability to ﬁlter • Authentication / Authorization • Caching (disabled by default)

• Ability to ﬁlter • Authentication / Authorization • Caching (disabled by default) • Throttling (disabled by default)

Fix data leaks from django.contrib.auth.models import User from tastypie.resources import
ModelResource class UserResource(ModelResource): class Meta: queryset = User.objects.all() excludes = [‘email’, ‘password’, ‘is_staff’, ‘is_superuser’]

Authentication “Are you a recognized user?”

Add BASIC Auth from django.contrib.auth.models import User from tastypie.authentication import
BasicAuthentication from tastypie.resources import ModelResource class UserResource(ModelResource): class Meta: # What was there before... authentication = BasicAuthentication()

Add filtering from django.contrib.auth.models import User from tastypie.authentication import BasicAuthentication
from tastypie.resources import ModelResource, ALL class UserResource(ModelResource): class Meta: # What was there before... filtering = { ‘username’: ALL, ‘date_joined’: [‘range’, ‘gt’, ‘gte’, ‘lt’, ‘lte’], }

Filtering • Using GET params, we can now ﬁlter out
what we want. • Examples: • curl http://localhost:8000/api/v1/user/? username__startswith=a • curl http://localhost:8000/api/v1/user/? date_joined__gte=2011-12-01

Authorization “Are you allowed to perform that action?”

Add authorization from django.contrib.auth.models import User from tastypie.authentication import BasicAuthentication
from tastypie.authorization import DjangoAuthorization from tastypie.resources import ModelResource class UserResource(ModelResource): class Meta: # What was there before... authorization = DjangoAuthorization()

Add caching* from django.contrib.auth.models import User from tastypie.authentication import BasicAuthentication
from tastypie.authorization import DjangoAuthorization from tastypie.cache import SimpleCache from tastypie.resources import ModelResource class UserResource(ModelResource): class Meta: # What was there before... cache = SimpleCache() * We’ll talk more about caching later.

Add throttling from django.contrib.auth.models import User from tastypie.authentication import BasicAuthentication
from tastypie.authorization import DjangoAuthorization from tastypie.cache import SimpleCache from tastypie.resources import ModelResource from tastypie.throttle import CacheDBThrottle class UserResource(ModelResource): class Meta: # What was there before... throttle = CacheDBThrottle()

What’s there now? • Everything we had before

What’s there now? • Everything we had before • Full
GET/POST/PUT/DELETE/PATCH access

What’s there now? • Everything we had before • Full
GET/POST/PUT/DELETE/PATCH access • Only registered users can use the API & only perform actions on objects they’re allowed to

What’s there now? (cont.) • Object-level caching (GET detail)

What’s there now? (cont.) • Object-level caching (GET detail) •
Logged throttling that limits users to 150 reqs per hour

What’s there now? (cont.) • Object-level caching (GET detail) •
Logged throttling that limits users to 150 reqs per hour • The ability to ﬁlter the content

HTTP 302

Extensibility

Why classes?

Why classes? Not because I’m OO-crazy. It makes extending behavior
trivial.

Why so many classes?

Why so many classes? Composition > Inheritance

Why so many methods?

Why so many methods? Hooks, hooks, hooks. Also makes delegating
to composition behaviors easy.

Extensibility • Tastypie tries to use reasonable defaults: • You
probably want JSON • You probably want full POST/PUT/ DELETE by default • You probably want to use the Model’s default manager unﬁltered

YMMV, so let’s make that possible.

Extensibility • Plug in custom classes/instances for things like: •
Serialization

Serialization • Authentication

Serialization • Authentication • Authorization

Serialization • Authentication • Authorization • Pagination

Serialization • Authentication • Authorization • Pagination • Caching

Serialization • Authentication • Authorization • Pagination • Caching • Throttling

Extensibility • Resource has lots of methods, many of which
are pretty granular • Override or extend as meets your needs

Customize serialization • As an example, let’s customize serialization

Customize serialization • As an example, let’s customize serialization •
Supports JSON, XML, YAML, bplist by default

Customize serialization • As an example, let’s customize serialization •
Supports JSON, XML, YAML, bplist by default • Let’s disable everything but JSON & XML, then add a custom type

Just JSON & XML, please from django.contrib.auth.models import User from
tastypie.resources import ModelResource from tastypie.serialization import Serializer class UserResource(ModelResource): class Meta: queryset = User.objects.all() excludes = [‘email’, ‘password’, ‘is_staff’, ‘is_superuser’] serializer = Serializer(formats=[‘json’, ‘xml’])

Hm, now what format is missing?

HTML serialization from django.shortcuts import render_to_response from tastypie.serialization import Serializer
class TemplateSerializer(Serializer): formats = Serializer.formats + [‘html’] def to_html(self, data): template_name = ‘api/api_detail.html’ if ‘objects’ in data: template_name = ‘api/api_list.html’ return render_to_response(template_name, data)

HTML serialization (cont.) # ಠ_ಠ import cgi from stringio import
StringIO class TemplateSerializer(Serializer): # ... def from_html(self, content): form = cgi.FieldStorage(fp=StringIO(content)) data = {} for key in form: data[key] = form[key].value return data

Now use it from django.contrib.auth.models import User from tastypie.resources import
ModelResource from myapp.api.serializers import TemplateSerializer class UserResource(ModelResource): class Meta: queryset = User.objects.all() excludes = [‘email’, ‘password’, ‘is_staff’, ‘is_superuser’] serializer = TemplateSerializer(formats=[‘json’, ‘xml’, ‘html’])

Fields

Fields • You haven’t seen it yet, but just like
a ModelForm, you can control all the exposed ﬁelds on a Resource/ ModelResource

Fields • You haven’t seen it yet, but just like
a ModelForm, you can control all the exposed ﬁelds on a Resource/ ModelResource • Just like Django, you use a declarative syntax

Fields from django.contrib.auth.models import User from tastypie import fields from
tastypie.resources import ModelResource class UserResource(ModelResource): # Provided they take no args, even callables work! full_name = fields.CharField(‘get_full_name’, blank=True) class Meta: queryset = User.objects.all() excludes = [‘email’, ‘password’, ‘is_staff’, ‘is_superuser’]

Fields (cont.) • Also like ModelForm, you can control how
data gets prepared for presentation (dehydrate) or accepted from the user (hydrate)

data gets prepared for presentation (dehydrate) or accepted from the user (hydrate) • Happens automatically on ﬁelds with attribute=... set

data gets prepared for presentation (dehydrate) or accepted from the user (hydrate) • Happens automatically on ﬁelds with attribute=... set • Can provide methods for non-simple access

Fields (cont.) class UserResource(ModelResource): # Assuming all the same bits
as before. full_name = fields.CharField(blank=True) def dehydrate_full_name(self, bundle): return bundle.obj.get_full_name() def hydrate_full_name(self, bundle): name_bits = bundle.data.get(‘full_name’,’’).split() bundle.obj.first_name = name_bits[0] bundle.obj.last_name = ‘ ‘.join(name_bits[1:]) return bundle

Fields (cont.) • This just scratches the surface of what
dehydrate/hydrate can do • ModelResource uses introspection & just creates the ﬁelds for you

Caching

Caching • The SimpleCache combined with Resource.cached_obj_get caches SINGLE objects
only!

only! • Doesn’t cache the serialized output

only! • Doesn’t cache the serialized output • Doesn’t cache the list view

Why? • More complex behaviors get opinionated fast

Why? • More complex behaviors get opinionated fast • Tastypie
would rather be general & give you the tools to build what you need

would rather be general & give you the tools to build what you need • Filters & serialization formats make it complex

would rather be general & give you the tools to build what you need • Filters & serialization formats make it complex • Besides...

What you actually want is Varnish.

Varnish! • https://www.varnish-cache.org/

Varnish! • https://www.varnish-cache.org/ • Super-fast caching reverse proxy in C

• Already caches by URI/headers

• Already caches by URI/headers • Way faster than the Django request/ response cycle

• Already caches by URI/headers • Way faster than the Django request/ response cycle • POST/PUT/DELETE just pass through

Varnish! (cont.) • So put Varnish in front of your
API (& perhaps the rest of your site) & win in the general case

API (& perhaps the rest of your site) & win in the general case • Additionally, use Tastypie’s internal caching to further speed up Varnish cache-misses

API (& perhaps the rest of your site) & win in the general case • Additionally, use Tastypie’s internal caching to further speed up Varnish cache-misses • Easy to extend Resource to add in more caching

API (& perhaps the rest of your site) & win in the general case • Additionally, use Tastypie’s internal caching to further speed up Varnish cache-misses • Easy to extend Resource to add in more caching • If you get to that point, you’re already serving way more load than I ever have

Long story short: You should be using Varnish.

Data source Not Just Models!

Source dive? • If you hit up tastypie/resources.py, you’ll ﬁnd
something interesting

something interesting • ModelResource is just a relatively thin (~300 lines) wrapper on top of Resource (~1200 lines)

something interesting • ModelResource is just a relatively thin (~300 lines) wrapper on top of Resource (~1200 lines) • Just the ORM/Model bits

That’s right, virtually everything in Tastypie is available to non-ORM
setups.

The Mighty Resource • By subclassing from Resource & overriding
at least 3 (up to 9 for CRUD) methods, you can hook up any data source • For giggles, let’s hook up Solr! • For brevity, we’ll do GET-only

SolrResource import pysolr from tastypie import fields from tastypie.resources import
Resource # Wrap the response dict to be object-like. class SolrObject(object): def __init__(self, initial=None): self.__dict__[‘_data’] = initial or {} def __getattr__(self, key): return self._data.get(key, None)

SolrResource (cont.) class SolrResource(Resource): id = fields.CharField(attribute=’id’) title = fields.CharField(attribute=‘text’)
class Meta: resource_name = ‘solr’ object_class = SolrObject

SolrResource (cont.) class SolrResource(Resource): # ... def get_resource_uri(self, bundle_or_obj): #
Super-naïve. return ‘/’.join([self._meta.api_name, self._meta.resource_name, bundle_or_obj.id]) def get_object_list(self, request, **kwargs): query = kwargs.get(‘query’, None) or request.GET.get(‘q’, ‘*:*’) solr = pysolr.Solr(‘http://localhost:8963/solr’) return [SolrObject(initial=res) for res in solr.search(query)])

SolrResource (cont.) class SolrResource(Resource): # ... def obj_get_list(self, request=None, **kwargs):
return self.get_object_list(request) def obj_get(self, request=None, **kwargs): return self.get_object_list(request, {‘query’: ‘id:%s’ % kwargs[‘pk’])

The Mighty Resource • Takes some work but still does
a lot for you • Docs have a more complete example based on Riak • See also django-tastypie-nonrel

HTTP 418

Now, let’s talk about a personal failure.

Man, this seems super-useful. Wish I could use it with...

Flask

Flask Pyramid

Flask Pyramid Itty

Flask Pyramid Itty Straight WSGI

Piecrust The extraction that failed

Piecrust • Seems like an awesome, helpful idea. Let’s do
it! • Late 2011, I tried extracting Tastypie to work everywhere • Tastypie would just become a light shim on top with Django conveniences • https://github.com/toastdriven/piecrust

Piecrust • Finished the extraction, not the tests/ docs

Piecrust • Finished the extraction, not the tests/ docs •
Close to functional, but...

Piecrust • Finished the extraction, not the tests/ docs •
Close to functional, but... • Failed in terms of complexity & lack of standardization

Piecrust • Complex areas: • Non-standard request/response objects • Non-standard
URL setups • Data storage layer • Relying on Django makes these easy(- ier)

Piecrust • Just implementing for Flask took a couple hundred
lines alone & it was incomplete • Paradox of choice • Code is there if you want to play

Thanks!

Images in main theme by Julia Elman @juliaelman http://juliaelman.com/

I’m Daniel Lindsley of Toast Driven @toastdriven http://toastdriven.com/

RESTful APIs with Tastypie

RESTful APIs with Tastypie

More Decks by daniellindsley

Other Decks in Technology

Featured

Transcript