文件服务器鉴权,服务鉴权

使用kmse实现服务的权限校验

通过一个简单的实例说明开发者如何通过kmse进行服务间的权限校验。

一、准备客户端和服务端两个demo

这里演示如何快速实践服务鉴权功能。假如现在有两个微服务 auth-client 和 auth-server，想实现 auth-client 调用 auth-server 时，auth-server 对请求做鉴权。参考服务开发文档，下载auth-server和auth-client两个demo。

查看依赖，实践服务鉴权只需要依赖以下maven组件，调用端和被调用端都只需要如下依赖。

org.springframework.boot

spring-boot-starter

org.springframework.boot

spring-boot-starter-web

org.springframework.cloud

spring-cloud-starter-openfeign

com.ksyun.kmse

spring-cloud-kmse-starter-authentication

${version}

因为auth-server是被调用方，所以在auth-server的bootstrap.yaml文件中写入鉴权配置，配置中两个版本属性(VERSION，subset)，两个服务名属性(spring.application.name,auth-policy.http[0].route[0].destination.host)必须一致。配置的意思是创建一个名称为auth-rule-1的鉴权规则，该条规则的意思是禁止应用名称前缀为“auth-client”的请求来访问auth-server应用。

VERSION: v1

auth-policy:

http:

- match:

- applicationName:

endUser:

prefix: "auth-client"

name: auth-rule-1

route:

- destination:

host: auth-server

subset: v1

type: black-list

spring:

application:

name: auth-server

server:

port: 8080

在auth-client的yaml中写入鉴权需要的参数，这些参数在系统中会自动注入，现在手工填写，应用名称为auth-client，版本为v1：

VERSION: v1

server:

port: 8081

spring:

application:

name: auth-client

准备测试的java代码，auth-server端提供服务的controller:

package com.ksyun.kmse.controller;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

import org.springframework.web.bind.annotation.PathVariable;

import org.springframework.web.bind.annotation.RequestMapping;

import org.springframework.web.bind.annotation.RestController;

@RequestMapping({"/server"})

@RestController

public class AccountController {

private static final Logger log = LoggerFactory.getLogger(AccountController.class);

public AccountController() {

}

@RequestMapping({"/{id}"})

public String account(@PathVariable("id") Integer id) {

log.info("调用server " + id);

return id + "";

}

}

auth-client端提供的远程调用client:

package com.ksyun.kmse.client;

import org.springframework.cloud.openfeign.FeignClient;

import org.springframework.web.bind.annotation.GetMapping;

import org.springframework.web.bind.annotation.PathVariable;

@FeignClient(name = "auth-server", url = "http://127.0.0.1:8080")//如果使用注册中心可以不使用显式的url配置

public interface OrderClient {

@GetMapping("/server/{id}")

String getById(@PathVariable Integer id);

}

auth-client端提供的测试访问入口controller：

package com.ksyun.kmse.controller;

import com.ksyun.kmse.client.OrderClient;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.web.bind.annotation.GetMapping;

import org.springframework.web.bind.annotation.PathVariable;

import org.springframework.web.bind.annotation.RequestMapping;

import org.springframework.web.bind.annotation.RestController;

@RequestMapping({"/client"})

@RestController

public class AccountController {

private static final Logger log = LoggerFactory.getLogger(AccountController.class);

public AccountController() {

}

@Autowired

private OrderClient server;

@GetMapping({"/{id}"})

public String account(@PathVariable("id") Integer id) {

log.info("调用参数 " + id);

String result = server.getById(id);

log.info("远程调用结果 " + result);

return result;

}

}

至此两个测试应用准备完毕。

二、对服务鉴权进行测试

步骤一中的鉴权配置含义是"不允许applicationname前缀等于’auth-client’的请求访问"。 调用auth-client的测试接口 http://127.0.0.1:8081/client/1。

发现auth-server返回http验证码为403。

将auth-server的配置改为如下：

VERSION: v1

auth-policy:

http:

- match:

- applicationName:

endUser:

prefix: "Aclient"

name: auth-rule-1

route:

- destination:

host: auth-server

subset: v1

type: black-list

spring:

application:

name: auth-server

这个配置的含义是"不允许applicationname前缀等于Aclient的请求访问"。 重启auth-server后，再次调用测试接口，返回http状态码为200。

将auth-server的配置改为如下，测试后缀拦截：

VERSION: v1

auth-policy:

http:

- match:

- applicationName:

endUser:

suffix: "ent"

name: auth-rule-1

route:

- destination:

host: auth-server

subset: v1

type: black-list

spring:

application:

name: auth-server

这个配置的含义是"不允许applicationname后缀等于ent的请求访问"。 重启auth-server后，再次调用测试接口，返回http状态码为403，请求被拦截。

依次类推还有如下的请求场景：

#匹配请求来源url

auth-policy:

http:

- match:

- APIPath: "/auth-server/1"

#匹配请求来源ip

auth-policy:

http:

- match:

- IP: "127.0.0.1"

#匹配请求http方法

auth-policy:

http:

- match:

- Method: "GET"

#匹配应用版本

auth-policy:

http:

- match:

- applicationVersion: "v1"

#前缀匹配

auth-policy:

http:

- match:

- applicationName:

endUser:

prefix: "a"

#后缀匹配

auth-policy:

http:

- match:

- applicationName:

endUser:

suffix: "b"

#精准匹配

auth-policy:

http:

- match:

- applicationName:

endUser:

exact: "c"

#正则匹配，例如正整数

auth-policy:

http:

- match:

- applicationName:

endUser:

regular: "[1-9]\d*"