服务鉴权

最近更新时间:2020-08-06 15:14:52

使用kmse实现服务的权限校验
通过一个简单的实例说明开发者如何通过kmse进行服务间的权限校验。

一、准备客户端和服务端两个demo
这里演示如何快速实践服务鉴权功能。假如现在有两个微服务 auth-client 和 auth-server,想实现 auth-client 调用 auth-server 时,auth-server 对请求做鉴权。参考服务开发文档,下载auth-server和auth-client两个demo。

服务鉴权

服务鉴权

查看依赖,实践服务鉴权只需要依赖以下maven组件,调用端和被调用端都只需要如下依赖。

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-openfeign</artifactId>
        </dependency>
        <dependency>
            <groupId>com.ksyun.kmse</groupId>
            <artifactId>spring-cloud-kmse-starter-authentication</artifactId>
            <version>${version}</version>
        </dependency>

因为auth-server是被调用方,所以在auth-server的bootstrap.yaml文件中写入鉴权配置,配置中两个版本属性(VERSION,subset),两个服务名属性(spring.application.name,auth-policy.http[0].route[0].destination.host)必须一致。配置的意思是创建一个名称为auth-rule-1的鉴权规则,该条规则的意思是禁止应用名称前缀为“auth-client”的请求来访问auth-server应用。

VERSION: v1
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            prefix: "auth-client"
      name: auth-rule-1
      route:
        - destination:
            host: auth-server
            subset: v1
      type: black-list
spring:
  application:
    name: auth-server
server:
  port: 8080

在auth-client的yaml中写入鉴权需要的参数,这些参数在系统中会自动注入,现在手工填写,应用名称为auth-client,版本为v1:

VERSION: v1
server:
  port: 8081
spring:
  application:
    name: auth-client

准备测试的java代码,auth-server端提供服务的controller:

package com.ksyun.kmse.controller;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RequestMapping({"/server"})
@RestController
public class AccountController {

    private static final Logger log = LoggerFactory.getLogger(AccountController.class);

    public AccountController() {
    }

    @RequestMapping({"/{id}"})
    public String account(@PathVariable("id") Integer id) {
        log.info("调用server " + id);
        return id + "";
    }
}

auth-client端提供的远程调用client:

package com.ksyun.kmse.client;

import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;

@FeignClient(name = "auth-server", url = "http://127.0.0.1:8080")//如果使用注册中心可以不使用显式的url配置
public interface OrderClient {

    @GetMapping("/server/{id}")
    String getById(@PathVariable Integer id);

}

auth-client端提供的测试访问入口controller:

package com.ksyun.kmse.controller;

import com.ksyun.kmse.client.OrderClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RequestMapping({"/client"})
@RestController
public class AccountController {

    private static final Logger log = LoggerFactory.getLogger(AccountController.class);

    public AccountController() {
    }

    @Autowired
    private OrderClient server;

    @GetMapping({"/{id}"})
    public String account(@PathVariable("id") Integer id) {
        log.info("调用参数 " + id);
        String result = server.getById(id);
        log.info("远程调用结果 " + result);
        return result;
    }
}

至此两个测试应用准备完毕。

二、对服务鉴权进行测试
步骤一中的鉴权配置含义是"不允许applicationname前缀等于'auth-client'的请求访问"。 调用auth-client的测试接口 http://127.0.0.1:8081/client/1

服务鉴权

发现auth-server返回http验证码为403。
将auth-server的配置改为如下:

VERSION: v1
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            prefix: "Aclient"
      name: auth-rule-1
      route:
        - destination:
            host: auth-server
            subset: v1
      type: black-list
spring:
  application:
    name: auth-server

这个配置的含义是"不允许applicationname前缀等于Aclient的请求访问"。 重启auth-server后,再次调用测试接口,返回http状态码为200。

服务鉴权

将auth-server的配置改为如下,测试后缀拦截:

VERSION: v1
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            suffix: "ent"
      name: auth-rule-1
      route:
        - destination:
            host: auth-server
            subset: v1
      type: black-list
spring:
  application:
    name: auth-server

这个配置的含义是"不允许applicationname后缀等于ent的请求访问"。 重启auth-server后,再次调用测试接口,返回http状态码为403,请求被拦截。

服务鉴权

依次类推还有如下的请求场景:

#匹配请求来源url
auth-policy:
  http:
    - match:
      - APIPath: "/auth-server/1"
#匹配请求来源ip
auth-policy:
  http:
    - match:
      - IP: "127.0.0.1"
#匹配请求http方法
auth-policy:
  http:
    - match:
      - Method: "GET"
#匹配应用版本
auth-policy:
  http:
    - match:
      - applicationVersion: "v1"
#前缀匹配
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            prefix: "a"
#后缀匹配
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            suffix: "b"

#精准匹配
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            exact: "c"

#正则匹配,例如正整数
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            regular: "[1-9]\d*"

金山云,开启您的云计算之旅

免费注册