Using Tokens to Control Which Services a Token May Access
Translated from: Secure Consul with Access Control Lists (ACLs)
In B2B scenarios this is probably the question asked most often: how do I make my service secure and keep my data safe?
In particular: my service lives in the same service registry as other business services, but it is a sensitive one (a banking service, say). The service has its own authentication logic, yet I still do not want its node information exposed to everyone.
How does Consul handle this?
1. Custom Service Tokens
Suppose there is a dashboard service whose registration we want to put under authorization. The registration request looks like this (the X-Consul-Token header carries the token that authorizes the call):
curl -X PUT \
  'http://127.0.0.1:8500/v1/agent/service/register?replace-existing-checks=true' \
  -H 'Content-Type: application/json' \
  -H 'X-Consul-Token: 498b2322-f2c9-45c0-1d8b-daf8dcd1c710' \
  -d '{
    "ID": "dashboard-1",
    "Name": "dashboard",
    "Tags": ["primary", "v1"],
    "Address": "127.0.0.1",
    "Port": 8500,
    "Meta": {
      "web_version": "4.0"
    },
    "EnableTagOverride": false,
    "Check": {
      "DeregisterCriticalServiceAfter": "5m",
      "HTTP": "http://127.0.0.1:8500/v1/agent/members",
      "Interval": "10s",
      "Timeout": "5s"
    },
    "Weights": {
      "Passing": 10,
      "Warning": 1
    }
  }'
This works the same way as creating and applying an agent policy: first create the policy, then create a token from that policy, and finally hand the token to the service.
For the rule syntax see: Service Rules. The service and service_prefix resources control service-level registration, access to the Catalog API, and service discovery through the Health API. A service rule names one service exactly; a service_prefix rule matches every service whose name starts with the given prefix, so service_prefix "" covers all services.
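To make the matching rules concrete, here is a small simulation added for this translation; it is not part of the original tutorial and not Consul's own code. It models the documented behaviour: an exact service rule beats any service_prefix rule for that name, the longest matching prefix wins among prefixes, write implies read, and when several policies on one token cover the same resource, deny beats write, which beats read. The regex only understands the one-line rule form used on this page, and the agent's acl.default_policy is assumed to be deny (which is what the 403 later on this page implies).

```python
"""Toy model of how Consul resolves service / service_prefix ACL rules.

Added illustration, not Consul's implementation. Assumptions: rules are in
the one-line form used on this page, and acl.default_policy is "deny" unless
the caller says otherwise.
"""
import re

RULE_RE = re.compile(
    r'(service|service_prefix)\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(read|write|deny)"\s*\}'
)
# When two policies on one token cover the same resource, the stronger wins.
PRECEDENCE = {"deny": 3, "write": 2, "read": 1}


def parse_rules(hcl):
    """Return [(kind, name, policy), ...] from a rule string such as
    'service "dashboard" {policy = "write"}'."""
    rules = RULE_RE.findall(hcl)
    if not rules:
        raise ValueError(f"no service rules found in: {hcl!r}")
    return rules


def merge_policies(*rule_sets):
    """Merge the rule sets of every policy attached to one token.
    Exact and prefix rules are kept apart; per resource, deny > write > read."""
    merged = {}
    for rules in rule_sets:
        for kind, name, policy in rules:
            key = (kind, name)
            if key not in merged or PRECEDENCE[policy] > PRECEDENCE[merged[key]]:
                merged[key] = policy
    return merged


def effective_policy(merged, service, default="deny"):
    """Rule that governs `service`: exact match first, otherwise the longest
    matching prefix, otherwise the agent's default policy (assumed deny)."""
    if ("service", service) in merged:
        return merged[("service", service)]
    best = None
    for (kind, name), policy in merged.items():
        if kind == "service_prefix" and service.startswith(name):
            if best is None or len(name) > len(best[0]):
                best = (name, policy)
    if best is not None:
        return best[1]
    return {"allow": "write", "deny": "deny"}[default]


def allowed(merged, service, action, default="deny"):
    """Is `action` ("read" or "write") on `service` permitted? write implies read."""
    policy = effective_policy(merged, service, default)
    if action == "read":
        return policy in ("read", "write")
    if action == "write":
        return policy == "write"
    raise ValueError(f"unknown action {action!r}")


def permission_error(merged, service, action, default="deny"):
    """None when allowed, else the agent's wording for the refusal."""
    if allowed(merged, service, action, default):
        return None
    return f"Permission denied: Missing service:{action} on {service}"


# Constructed inputs: the two tokens discussed on this page.
READ_ALL = parse_rules('service_prefix "" {policy = "read"}')
DASHBOARD_WRITE = parse_rules('service "dashboard" {policy = "write"}')

if __name__ == "__main__":
    print(permission_error(merge_policies(READ_ALL), "dashboard", "write"))
    print(permission_error(merge_policies(DASHBOARD_WRITE), "dashboard", "write"))
    print(permission_error(merge_policies(DASHBOARD_WRITE), "other-svc", "read"))
```

Running it prints the same refusal the agent returns in section 1.3 for the read-only token, None for the dashboard write token on dashboard, and a refusal for that token on any other service, since the write policy names dashboard only.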
1.1 Create the Service Policy
As an example, create a policy that grants registration (write) permission on the dashboard service.
Request:
curl -X PUT \
  http://127.0.0.1:8500/v1/acl/policy \
  -H 'X-Consul-Token: e5beb23c-a6f5-e2d0-144c-8b9bee87398a' \
  -d '{
    "Name": "dashboard-policy",
    "Description": "Grants write access to dashboard service information",
    "Rules": "service \"dashboard\" {policy = \"write\"}",
    "Datacenters": ["dc1"]
  }'
Response:
{
  "ID": "8d35d70f-5a4c-5799-db32-d9b6138a0db4",
  "Name": "dashboard-policy",
  "Description": "Grants write access to dashboard service information",
  "Rules": "service \"dashboard\" {policy = \"write\"}",
  "Datacenters": [
    "dc1"
  ],
  "Hash": "htiP/DxtVLH28eSuExBpLbfIadj14CUywBl4cWgovoE=",
  "CreateIndex": 1760,
  "ModifyIndex": 1760
}
1.2 Create a Token for the Policy
Create the token bound to dashboard-policy. A policy can be referenced by its ID or by its Name; listing the same policy in both forms, as below, is redundant and Consul returns it once:
Request:
curl -X PUT \
  http://127.0.0.1:8500/v1/acl/token \
  -H 'X-Consul-Token: e5beb23c-a6f5-e2d0-144c-8b9bee87398a' \
  -d '{
    "Description": "Write token for '\''dashboard'\'' Service",
    "Policies": [
      {
        "ID": "8d35d70f-5a4c-5799-db32-d9b6138a0db4"
      },
      {
        "Name": "dashboard-policy"
      }
    ],
    "Local": false
  }'
Response:
{
  "AccessorID": "11434213-cc50-7f2e-f273-32a54dfbc55f",
  "SecretID": "fcf5875c-de3f-2a24-3c28-e0fa6564c97a",
  "Description": "Write token for 'dashboard' Service",
  "Policies": [
    {
      "ID": "8d35d70f-5a4c-5799-db32-d9b6138a0db4",
      "Name": "dashboard-policy"
    }
  ],
  "Local": false,
  "CreateTime": "2020-12-11T13:36:04.828902208Z",
  "Hash": "3SOLFkcmgrL+2wZMnqqIUf7m9UyBSrsUtN03ck6XUIs=",
  "CreateIndex": 1778,
  "ModifyIndex": 1778
}
1.3 Verification
Now a token that only has read permission on every service (service_prefix "" {policy = "read"}) cannot complete the registration:
it gets status code 403 with the message: Permission denied: Missing service:write on dashboard
Switch to the write token created above and the registration succeeds.
Note that the value to pass in X-Consul-Token is the SecretID; the AccessorID is only a handle for managing the token and is safe to log and reference.
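The whole sequence on this page (create policy, create token, register, verify the 403 versus 200), as an added Python script that is not from the original post or from HashiCorp; it uses only the standard library. Like the Consul CLI it reads the agent address from CONSUL_HTTP_ADDR (default http://127.0.0.1:8500) and the management token from CONSUL_HTTP_TOKEN; the service port and the /health check path are made up for the example.

```python
"""Drive policy -> token -> register -> verify against a Consul agent's HTTP API.

Added example, not the original post's code. Assumptions: a management token
in CONSUL_HTTP_TOKEN, the agent at CONSUL_HTTP_ADDR (default below), and a
made-up service port / health path for the registration body.
"""
import json
import os
import urllib.error
import urllib.request

ADDR = os.environ.get("CONSUL_HTTP_ADDR", "http://127.0.0.1:8500")


def consul(method, path, body=None, token=None):
    """One HTTP call. Returns (status, parsed JSON or raw text); a 403 is
    returned rather than raised so callers can check it."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ADDR + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Consul-Token", token)  # header, never a query parameter
    try:
        with urllib.request.urlopen(req) as resp:
            status, raw = resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        status, raw = e.code, e.read().decode()
    try:
        return status, json.loads(raw)
    except ValueError:  # Consul returns plain text for errors and "" on success
        return status, raw


def policy_body(name, rules, datacenters=("dc1",)):
    """Request body for PUT /v1/acl/policy."""
    return {"Name": name, "Description": f"Policy {name}",
            "Rules": rules, "Datacenters": list(datacenters)}


def token_body(policy_id, description):
    """Request body for PUT /v1/acl/token; a global (non-local) token."""
    return {"Description": description, "Policies": [{"ID": policy_id}], "Local": False}


def service_body(service, service_id, port):
    """Request body for PUT /v1/agent/service/register (port and /health are assumed)."""
    return {"ID": service_id, "Name": service, "Address": "127.0.0.1", "Port": port,
            "Check": {"HTTP": f"http://127.0.0.1:{port}/health", "Interval": "10s",
                      "Timeout": "5s", "DeregisterCriticalServiceAfter": "5m"}}


def registration_denied(status, body):
    """True when the agent refused a register call for lack of service:write."""
    return status == 403 and "service:write" in str(body)


def create_token(mgmt, policy_name, rules, description):
    """Create a policy and a token carrying it; return the token's SecretID."""
    st, pol = consul("PUT", "/v1/acl/policy", policy_body(policy_name, rules), mgmt)
    if st != 200:
        raise RuntimeError(f"policy create failed: {st} {pol}")
    st, tok = consul("PUT", "/v1/acl/token", token_body(pol["ID"], description), mgmt)
    if st != 200:
        raise RuntimeError(f"token create failed: {st} {tok}")
    return tok["SecretID"]


if __name__ == "__main__":
    mgmt = os.environ["CONSUL_HTTP_TOKEN"]
    write_tok = create_token(mgmt, "dashboard-policy",
                             'service "dashboard" { policy = "write" }',
                             "Write token for dashboard")
    read_tok = create_token(mgmt, "read-all-services",
                            'service_prefix "" { policy = "read" }',
                            "Read-only token")
    reg = service_body("dashboard", "dashboard-1", 9000)
    st, body = consul("PUT", "/v1/agent/service/register", reg, read_tok)
    assert registration_denied(st, body), (st, body)   # expect 403, Missing service:write
    st, body = consul("PUT", "/v1/agent/service/register", reg, write_tok)
    assert st == 200, (st, body)                        # expect success
    print("read-only token denied, dashboard write token accepted")
```

Policy names are unique, so a second run needs the two policies deleted first (or different names). The script prints the token secrets nowhere; if you extend it, log AccessorIDs only.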