服务鉴权

使用kmse实现服务的权限校验

通过一个简单的实例说明开发者如何通过kmse进行服务间的权限校验。

一、准备客户端和服务端两个demo

这里演示如何快速实践服务鉴权功能。假如现在有两个微服务 auth-client 和 auth-server，想实现 auth-client 调用 auth-server 时，auth-server 对请求做鉴权。参考服务开发文档，下载auth-server和auth-client两个demo。

查看依赖，实践服务鉴权只需要依赖以下maven组件，调用端和被调用端都只需要如下依赖。

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-openfeign</artifactId>
        </dependency>
        <dependency>
            <groupId>com.ksyun.kmse</groupId>
            <artifactId>spring-cloud-kmse-starter-authentication</artifactId>
            <version>${version}</version>
        </dependency>

因为auth-server是被调用方，所以在auth-server的bootstrap.yaml文件中写入鉴权配置，配置中两个版本属性（VERSION，subset），两个服务名属性（spring.application.name,auth-policy.http[0].route[0].destination.host）必须一致。配置的意思是创建一个名称为auth-rule-1的鉴权规则，该条规则的意思是禁止应用名称前缀为“auth-client”的请求来访问auth-server应用。

VERSION: v1
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            prefix: "auth-client"
      name: auth-rule-1
      route:
        - destination:
            host: auth-server
            subset: v1
      type: black-list
spring:
  application:
    name: auth-server
server:
  port: 8080

在auth-client的yaml中写入鉴权需要的参数，这些参数在系统中会自动注入，现在手工填写，应用名称为auth-client，版本为v1：

VERSION: v1
server:
  port: 8081
spring:
  application:
    name: auth-client

准备测试的java代码，auth-server端提供服务的controller:

package com.ksyun.kmse.controller;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RequestMapping({"/server"})
@RestController
public class AccountController {

    private static final Logger log = LoggerFactory.getLogger(AccountController.class);

    public AccountController() {
    }

    @RequestMapping({"/{id}"})
    public String account(@PathVariable("id") Integer id) {
        log.info("调用server " + id);
        return id + "";
    }
}

auth-client端提供的远程调用client:

package com.ksyun.kmse.client;

import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;

@FeignClient(name = "auth-server", url = "http://127.0.0.1:8080")//如果使用注册中心可以不使用显式的url配置
public interface OrderClient {

    @GetMapping("/server/{id}")
    String getById(@PathVariable Integer id);

}

auth-client端提供的测试访问入口controller：

package com.ksyun.kmse.controller;

import com.ksyun.kmse.client.OrderClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RequestMapping({"/client"})
@RestController
public class AccountController {

    private static final Logger log = LoggerFactory.getLogger(AccountController.class);

    public AccountController() {
    }

    @Autowired
    private OrderClient server;

    @GetMapping({"/{id}"})
    public String account(@PathVariable("id") Integer id) {
        log.info("调用参数 " + id);
        String result = server.getById(id);
        log.info("远程调用结果 " + result);
        return result;
    }
}

至此两个测试应用准备完毕。

二、对服务鉴权进行测试

步骤一中的鉴权配置含义是"不允许applicationname前缀等于’auth-client’的请求访问"。 调用auth-client的测试接口 http://127.0.0.1:8081/client/1。

发现auth-server返回http验证码为403。

将auth-server的配置改为如下：

VERSION: v1
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            prefix: "Aclient"
      name: auth-rule-1
      route:
        - destination:
            host: auth-server
            subset: v1
      type: black-list
spring:
  application:
    name: auth-server

这个配置的含义是"不允许applicationname前缀等于Aclient的请求访问"。 重启auth-server后，再次调用测试接口，返回http状态码为200。

将auth-server的配置改为如下，测试后缀拦截：

VERSION: v1
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            suffix: "ent"
      name: auth-rule-1
      route:
        - destination:
            host: auth-server
            subset: v1
      type: black-list
spring:
  application:
    name: auth-server

这个配置的含义是"不允许applicationname后缀等于ent的请求访问"。 重启auth-server后，再次调用测试接口，返回http状态码为403，请求被拦截。

依次类推还有如下的请求场景：

#匹配请求来源url
auth-policy:
  http:
    - match:
      - APIPath: "/auth-server/1"
#匹配请求来源ip
auth-policy:
  http:
    - match:
      - IP: "127.0.0.1"
#匹配请求http方法
auth-policy:
  http:
    - match:
      - Method: "GET"
#匹配应用版本
auth-policy:
  http:
    - match:
      - applicationVersion: "v1"

#前缀匹配
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            prefix: "a"
#后缀匹配
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            suffix: "b"

#精准匹配
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            exact: "c"

#正则匹配，例如正整数
auth-policy:
  http:
    - match:
      - applicationName:
          endUser:
            regular: "[1-9]\d*"