
File server authentication, service authentication

Implementing service authorization checks with KMSE

A simple example shows how developers can perform authorization checks between services with KMSE.

1. Prepare the two demos: client and server

This section demonstrates how to quickly try out the service authentication feature. Suppose there are two microservices, auth-client and auth-server, and we want auth-server to authenticate the request whenever auth-client calls it. Following the service development documentation, download the two demos auth-server and auth-client.


Looking at the dependencies, implementing service authentication only requires the following Maven components; both the caller and the callee need nothing more than these:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-openfeign</artifactId>
</dependency>
<dependency>
    <groupId>com.ksyun.kmse</groupId>
    <artifactId>spring-cloud-kmse-starter-authentication</artifactId>
    <version>${version}</version>
</dependency>

Because auth-server is the callee, the authentication configuration is written into auth-server's bootstrap.yaml. In this configuration the two version properties (VERSION and subset) must be identical, and the two service-name properties (spring.application.name and auth-policy.http[0].route[0].destination.host) must be identical. The configuration creates an authentication rule named auth-rule-1, which forbids requests whose application name has the prefix "auth-client" from accessing the auth-server application.

VERSION: v1
auth-policy:
  http:
    - match:
        - applicationName:
            endUser:
              prefix: "auth-client"
      name: auth-rule-1
      route:
        - destination:
            host: auth-server
            subset: v1
      type: black-list
spring:
  application:
    name: auth-server
server:
  port: 8080

Write the parameters required for authentication into auth-client's yaml. In a real deployment these parameters are injected automatically by the platform; here they are filled in by hand, with application name auth-client and version v1:

VERSION: v1
server:
  port: 8081
spring:
  application:
    name: auth-client

Prepare the Java test code. The controller that provides the service on the auth-server side:

package com.ksyun.kmse.controller;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RequestMapping({"/server"})
@RestController
public class AccountController {

    private static final Logger log = LoggerFactory.getLogger(AccountController.class);

    public AccountController() {
    }

    @RequestMapping({"/{id}"})
    public String account(@PathVariable("id") Integer id) {
        log.info("調用server " + id);
        return id + "";
    }
}

The remote-call client on the auth-client side:

package com.ksyun.kmse.client;

import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;

// If a service registry is used, the explicit url configuration can be omitted.
@FeignClient(name = "auth-server", url = "http://127.0.0.1:8080")
public interface OrderClient {

    @GetMapping("/server/{id}")
    String getById(@PathVariable Integer id);
}

The test entry controller on the auth-client side:

package com.ksyun.kmse.controller;

import com.ksyun.kmse.client.OrderClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RequestMapping({"/client"})
@RestController
public class AccountController {

    private static final Logger log = LoggerFactory.getLogger(AccountController.class);

    public AccountController() {
    }

    @Autowired
    private OrderClient server;

    @GetMapping({"/{id}"})
    public String account(@PathVariable("id") Integer id) {
        log.info("調用參數 " + id);
        String result = server.getById(id);
        log.info("遠端調用結果 " + result);
        return result;
    }
}

At this point the two test applications are ready.

2. Testing service authentication

The authentication configuration from step 1 means "requests whose applicationName prefix equals 'auth-client' are not allowed access". Call auth-client's test endpoint http://127.0.0.1:8081/client/1.


auth-server returns HTTP status code 403.

Change auth-server's configuration to the following:

VERSION: v1
auth-policy:
  http:
    - match:
        - applicationName:
            endUser:
              prefix: "Aclient"
      name: auth-rule-1
      route:
        - destination:
            host: auth-server
            subset: v1
      type: black-list
spring:
  application:
    name: auth-server

This configuration means "requests whose applicationName prefix equals Aclient are not allowed access". After restarting auth-server and calling the test endpoint again, the HTTP status code returned is 200.


Change auth-server's configuration to the following to test suffix interception:

VERSION: v1
auth-policy:
  http:
    - match:
        - applicationName:
            endUser:
              suffix: "ent"
      name: auth-rule-1
      route:
        - destination:
            host: auth-server
            subset: v1
      type: black-list
spring:
  application:
    name: auth-server

This configuration means "requests whose applicationName suffix equals ent are not allowed access". After restarting auth-server and calling the test endpoint again, the HTTP status code returned is 403: the request is intercepted.


By analogy, the following request-matching scenarios are also available:

# Match the request source URL
auth-policy:
  http:
    - match:
        - APIPath: "/auth-server/1"

# Match the request source IP
auth-policy:
  http:
    - match:
        - IP: "127.0.0.1"

# Match the HTTP method of the request
auth-policy:
  http:
    - match:
        - Method: "GET"

# Match the application version
auth-policy:
  http:
    - match:
        - applicationVersion: "v1"

# Prefix match
auth-policy:
  http:
    - match:
        - applicationName:
            endUser:
              prefix: "a"

# Suffix match
auth-policy:
  http:
    - match:
        - applicationName:
            endUser:
              suffix: "b"

# Exact match
auth-policy:
  http:
    - match:
        - applicationName:
            endUser:
              exact: "c"

# Regular-expression match, e.g. positive integers.
# Single quotes are used here because "\d" is not a valid escape inside a
# YAML double-quoted string; with double quotes the pattern would have to be
# written "[1-9]\\d*".
auth-policy:
  http:
    - match:
        - applicationName:
            endUser:
              regular: '[1-9]\d*'
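To make the rule semantics exercised in section 2 (prefix "auth-client" gives 403, prefix "Aclient" gives 200, suffix "ent" gives 403) and the matcher catalogue above concrete, here is a small policy evaluator. It is an added example written for this page, not KMSE's own code or a description of its internals; the policy is expressed as a Python dict that mirrors the bootstrap.yaml keys one for one, the sample request is constructed, and the following are assumptions rather than documented KMSE behaviour: several conditions inside one match entry are AND-ed, several match entries inside one rule are OR-ed, `regular` must match the whole value, a rule only applies when a route destination names the local host and subset, and only `black-list` rules are supported.

```python
import re

# Constructed sample policy mirroring the auth-server bootstrap.yaml above.
PREFIX_POLICY = {
    "http": [{
        "name": "auth-rule-1",
        "match": [{"applicationName": {"endUser": {"prefix": "auth-client"}}}],
        "route": [{"destination": {"host": "auth-server", "subset": "v1"}}],
        "type": "black-list",
    }]
}

# Constructed sample request, as auth-server would see it arriving from auth-client.
CLIENT_REQUEST = {
    "applicationName": "auth-client",
    "applicationVersion": "v1",
    "IP": "127.0.0.1",
    "Method": "GET",
    "APIPath": "/server/1",
}


def string_matches(matcher, value):
    """Apply a prefix/suffix/exact/regular matcher to one string value.
    A bare string (as used by APIPath, IP, Method, applicationVersion) is
    treated as an exact match. Assumption: 'regular' matches the whole value."""
    if isinstance(matcher, str):
        return value == matcher
    if "prefix" in matcher:
        return value.startswith(matcher["prefix"])
    if "suffix" in matcher:
        return value.endswith(matcher["suffix"])
    if "exact" in matcher:
        return value == matcher["exact"]
    if "regular" in matcher:
        return re.fullmatch(matcher["regular"], value) is not None
    raise ValueError(f"unknown matcher: {matcher!r}")


def entry_matches(entry, request):
    """One match entry holds when every condition in it holds (assumed AND)."""
    for field, matcher in entry.items():
        if field == "applicationName":
            matcher = matcher["endUser"]  # the page nests the matcher under endUser
        if field not in request or not string_matches(matcher, request[field]):
            return False
    return True


def rule_applies(rule, host, subset):
    """A rule is relevant only when one of its route destinations names the
    local service and version (the page requires these to equal
    spring.application.name and VERSION)."""
    return any(
        r["destination"].get("host") == host and r["destination"].get("subset") == subset
        for r in rule.get("route", [])
    )


def evaluate(policy, request, host="auth-server", subset="v1"):
    """Return the HTTP status the callee would answer: 403 when a black-list
    rule for this host/subset matches the request, 200 otherwise.
    Assumption: match entries inside one rule are OR-ed."""
    for rule in policy.get("http", []):
        if not rule_applies(rule, host, subset):
            continue
        if rule.get("type") != "black-list":
            raise ValueError(f"unsupported rule type: {rule.get('type')!r}")
        if any(entry_matches(e, request) for e in rule.get("match", [])):
            return 403
    return 200


def with_match(entry):
    """Build a single-rule black-list policy around one match entry, so the
    three configurations from section 2 and the catalogue can be compared."""
    return {"http": [{
        "name": "auth-rule-1",
        "match": [entry],
        "route": [{"destination": {"host": "auth-server", "subset": "v1"}}],
        "type": "black-list",
    }]}


if __name__ == "__main__":
    # Walk through the three configurations from section 2.
    for label, matcher in [("prefix auth-client", {"prefix": "auth-client"}),
                           ("prefix Aclient", {"prefix": "Aclient"}),
                           ("suffix ent", {"suffix": "ent"})]:
        entry = {"applicationName": {"endUser": matcher}}
        print(f"{label}: {evaluate(with_match(entry), CLIENT_REQUEST)}")
```

Running the block prints 403, 200 and 403 for the three configurations, matching the walkthrough. Note that a deny rule keyed on the caller's application name is only as strong as the platform's guarantee that the name is injected by the system rather than chosen by the caller, which is why the page states the parameters are normally injected automatically.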