A detailed look at the security-api-gateway module

Posted 2018-10-21 14:11:58
1. Overview

The security-api-gateway module works by calling the Kong admin API. It implements the following:
  • check that the Kong server is up
  • check that the Vault server is up (by calling Vault's v1/sys/health endpoint)
  • register each EdgeX Foundry microservice with Kong as a service
  • set up the route for each EdgeX Foundry microservice
  • enable the JWT security plugin on each EdgeX Foundry microservice
  • register Kong's own admin API with Kong as a service, so that the functions of port 8001 are reachable through the proxy port 8000 (a JWT is required there as well)
  • enable certificate-based access (the certificate is stored in Vault and fetched from there at run time)
  • create a user (a Kong consumer) and return its JWT string; delete a user
  • clear resources (reset): delete everything the module initialized in Kong, i.e. the consumers, the service and routes of every EdgeX Foundry microservice, and all other created resources (the reset output below also shows the certificate being removed)

One caveat about publishing the admin API: Kong's jwt plugin only authenticates, so every consumer holding a valid JWT credential passes it. Once port 8001 is reachable through port 8000 this way, any user created with --useradd can also reach the admin API unless that route is further restricted with an authorization plugin such as Kong's acl plugin.

2. How the functions are implemented

2.1 Checking that Kong has started

(The original post illustrates this step with a screenshot that is not reproduced here.)

2.2 Checking that Vault has started

(Screenshot in the original post.) The check calls v1/sys/health. Note that Vault answers 200 only when it is initialized, unsealed and active; other states are reported with other status codes (429 standby, 501 not initialized, 503 sealed), so only a 200 should count as "up".

2.3 Initializing Kong

(Screenshot in the original post.)

3. Hands-on example

3.1 Adding a user

3.1.1 First, look at the image

Run the command:

    docker ps -a

The result (screenshot in the original post) shows the image: edgexfoundry/docker-edgex-proxy-go:security


3.1.2 Find the name of the docker-compose network

Run the command:

    docker network ls

Note the network name in the result: dockercompose_edgex-network. Why that name? Compose builds it from the name of the directory in which the docker-compose command was run (here ~/docker-compose, normalized to dockercompose) and the bridge network name declared under networks in docker-compose.yml (edgex-network).



3.1.3 View the help

Run the following command, where
  • --network is the network name found above, dockercompose_edgex-network
  • edgexfoundry/docker-edgex-proxy-go:security is the image
  • -h is the run-time argument that prints the help; it is passed through to the ENTRYPOINT

    docker run --network=dockercompose_edgex-network --rm=true edgexfoundry/docker-edgex-proxy-go:security -h


3.1.4 Add a user

Run the following command to create the user testuser:

    docker run --network=dockercompose_edgex-network --rm=true edgexfoundry/docker-edgex-proxy-go:security --useradd=testuser

It returns the JWT string for testuser: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI0aURyVEJodXFPdURoYnpLaWkwZ1QxMlUxa1IwZ2c3biIsImFjY291bnQiOiJ0ZXN0dXNlciJ9.5eYeOJNN2zbMAlpCV2bvSFR-B4MRS3_EC6bPUHtJDTE

Record this string and keep it safe: it is what you will use to access Kong from now on, and a wrong JWT fails authentication. The token's payload decodes to {"iss":"4iDrTBhuqOuDhbzKii0gT12U1kR0gg7n","account":"testuser"}: iss is the key of the JWT credential that Kong generated for the consumer, which is how Kong maps the token back to the user. There is no exp claim, so the token stays valid until the user (or its credential) is deleted.

(Screenshot in the original post.)


3.1.5 Accessing an EdgeX Foundry microservice through Kong

Suppose we want to call the ping function of the command module. Run:

    curl -k -v -H "host: edgex" "https://172.21.0.7:8443/command/api/v1/ping?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI0aURyVEJodXFPdURoYnpLaWkwZ1QxMlUxa1IwZ2c3biIsImFjY291bnQiOiJ0ZXN0dXNlciJ9.5eYeOJNN2zbMAlpCV2bvSFR-B4MRS3_EC6bPUHtJDTE"

or:

    curl -k -v -H "host: edgex" "http://172.21.0.7:8000/command/api/v1/ping?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI0aURyVEJodXFPdURoYnpLaWkwZ1QxMlUxa1IwZ2c3biIsImFjY291bnQiOiJ0ZXN0dXNlciJ9.5eYeOJNN2zbMAlpCV2bvSFR-B4MRS3_EC6bPUHtJDTE"

Note: 172.21.0.7 above can also be replaced by the host machine's IP. Two practical points: -k turns off TLS certificate verification, which is acceptable in this lab setup but not for a production client; and Kong's jwt plugin also accepts the token in an Authorization: Bearer header instead of the jwt query parameter, which keeps it out of access logs and shell history.

The response shows that the command microservice was reached and returned the expected "pong" (screenshot in the original post).


Three notes on the command:

1) Why https://172.21.0.7:8443?

Because of the hostname: the hostname "kong" defined in docker-compose cannot be resolved from the command line of the host, so the container's IP address is used instead.

That the IP is reachable can be seen with the service docker status command (screenshot in the original post); docker network inspect dockercompose_edgex-network also lists the address of every container on that network.

2) Why host: edgex?

Kong selects the route for a request from, among other attributes, its Host header, and the routes the module registers are bound to the host name edgex, so the header has to be sent explicitly when the URL carries an IP address.

If the host is wrong, the reply is: {"message":"no route and no API found with those values"}

3) jwt is the string returned when the user was created. If the JWT is wrong, the reply is: {"message":"Bad token; invalid signature"}

3.1.6 Deleting a user

    myEdgex@instance-nbpv5z80:~/docker-compose$ docker run --network=dockercompose_edgex-network --rm=true edgexfoundry/docker-edgex-proxy-go:security --userdel=testuser
    INFO: 2018/10/22 00:41:10 Reverse proxy is up successfully.
    INFO: 2018/10/22 00:41:10 Secret management service is up successfully.
    INFO: 2018/10/22 00:41:10 Successful to delete testuser at consumers/.

Once the user is deleted, accessing Kong with its token gives: {"message":"No credentials found for given 'iss'"}. The token itself is unchanged; what is gone is the consumer credential whose key matched its iss claim. Since the token carries no expiry, deleting the consumer (or its JWT credential) is how such a token is revoked.




3.1.7 Resetting Kong

    myEdgex@instance-nbpv5z80:~/docker-compose$ docker run --network=dockercompose_edgex-network --rm=true edgexfoundry/docker-edgex-proxy-go:security --reset=true
    INFO: 2018/10/22 00:52:54 Reverse proxy is up successfully.
    INFO: 2018/10/22 00:52:54 Secret management service is up successfully.
    INFO: 2018/10/22 00:52:54 Successful to delete 054d19da-07c1-48ea-bd5b-4c1acfa761ab at routes/.
    INFO: 2018/10/22 00:52:54 Successful to delete 2d5164d1-790b-48b5-91d1-b485e1e0aa4f at routes/.
    INFO: 2018/10/22 00:52:54 Successful to delete 427f0acf-16e0-48b9-a616-b7ebfd31f401 at routes/.
    INFO: 2018/10/22 00:52:54 Successful to delete 4e05176f-5c49-4ffe-b613-1dca18ef5b68 at routes/.
    INFO: 2018/10/22 00:52:54 Successful to delete 673a0f92-ac5e-4920-8719-59d83c614d19 at routes/.
    INFO: 2018/10/22 00:52:54 Successful to delete 9efedde9-f005-4852-bca8-e5c6af58aadd at routes/.
    INFO: 2018/10/22 00:52:54 Successful to delete a6d32fbc-8c5e-491d-ac7e-cb46c3ac9aef at routes/.
    INFO: 2018/10/22 00:52:54 Successful to delete b822fae6-ebc2-490e-802d-24630be81eec at routes/.
    INFO: 2018/10/22 00:52:54 Successful to delete d1826d8e-359f-4660-a66b-9fb5cf1b653b at routes/.
    INFO: 2018/10/22 00:52:54 Successful to delete f3e29be9-8827-4447-8f6b-0eab062977a8 at routes/.
    INFO: 2018/10/22 00:52:54 Successful to delete 060be224-2dd7-4cd7-913e-71dfc78e29e8 at services/.
    INFO: 2018/10/22 00:52:54 Successful to delete 06f81d5e-d114-445f-8947-e5b3090f6f8d at services/.
    INFO: 2018/10/22 00:52:54 Successful to delete 1e907583-33f8-45f0-b4aa-608fa700d848 at services/.
    INFO: 2018/10/22 00:52:54 Successful to delete 39792666-906d-47fc-8814-ff02b060c3af at services/.
    INFO: 2018/10/22 00:52:54 Successful to delete 48ec0716-96b3-4198-ba58-437edddf54e7 at services/.
    INFO: 2018/10/22 00:52:54 Successful to delete 9d8c21fe-244c-4ada-95dd-ec95f5c5c22b at services/.
    INFO: 2018/10/22 00:52:54 Successful to delete a3015780-3d24-4d0b-b0a7-d74cea2032c4 at services/.
    INFO: 2018/10/22 00:52:54 Successful to delete ab468f76-44e9-464d-95b7-e8a1bb4537c7 at services/.
    INFO: 2018/10/22 00:52:54 Successful to delete ae487501-a655-40ab-903d-a5c5863ffc64 at services/.
    INFO: 2018/10/22 00:52:54 Successful to delete eeac3c76-839a-4497-b3c1-6c46204c3c62 at services/.
    INFO: 2018/10/22 00:52:54 Successful to delete 30d54bc7-8c17-4c69-9ba7-a1796c832071 at consumers/.
    INFO: 2018/10/22 00:52:54 Successful to delete adcd1227-e4c8-4809-932f-ae7956a547dc at certificates/.

The output shows the tear-down order: the ten routes, then the ten services (including the admin entry), then the consumer, and finally the certificate. After a reset nothing is routable through the gateway until it is initialized again.
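The per-service registration described in the overview (register the service, add its route, enable the jwt plugin) together with the --useradd flow, as an added example in Go written for this page; it is not code from the EdgeX project or from the docker-edgex-proxy-go image. It issues the Kong admin API calls those steps imply against an in-process stand-in for Kong, so it runs offline. Assumptions not taken from the post: the route is bound to Host edgex and path /<service> with strip_path (inferred from the curl example and from the error Kong returns for a wrong host), the upstream URL used for command, the stand-in's reply bodies, and the constructed secret; the key the stand-in returns is the iss value of the post's token. The health probes the module runs first (Kong /status, Vault v1/sys/health) are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Service is one EdgeX microservice to publish through Kong: Name is the Kong service
// name and route prefix (command -> https://kong:8443/command/...), URL the upstream.
type Service struct{ Name, URL string }

// post sends one form-encoded Kong admin API call and decodes the JSON reply.
func post(endpoint string, form url.Values) (map[string]interface{}, error) {
	resp, err := http.Post(endpoint, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode/100 != 2 {
		return nil, fmt.Errorf("%s: HTTP %d %s", endpoint, resp.StatusCode, body)
	}
	var out map[string]interface{}
	return out, json.Unmarshal(body, &out)
}

// publish does the three per-service steps from the overview: register the service,
// add a route matched on Host "edgex" and path /<name> (strip_path so the upstream
// sees /api/v1/... as in the curl examples), and enable the jwt plugin on it.
func publish(admin string, svc Service) error {
	if _, err := post(admin+"/services", url.Values{"name": {svc.Name}, "url": {svc.URL}}); err != nil {
		return err
	}
	route := url.Values{"hosts[]": {"edgex"}, "paths[]": {"/" + svc.Name}, "strip_path": {"true"}}
	if _, err := post(admin+"/services/"+svc.Name+"/routes", route); err != nil {
		return err
	}
	_, err := post(admin+"/services/"+svc.Name+"/plugins", url.Values{"name": {"jwt"}})
	return err
}

// addConsumer is --useradd: create the consumer, then a jwt credential for it. Kong
// generates the key (the token's future "iss" claim) and the HS256 signing secret.
func addConsumer(admin, user string) (key, secret string, err error) {
	if _, err = post(admin+"/consumers", url.Values{"username": {user}}); err != nil {
		return
	}
	cred, err := post(admin+"/consumers/"+user+"/jwt", nil)
	if err != nil {
		return
	}
	key, _ = cred["key"].(string)
	secret, _ = cred["secret"].(string)
	return
}

// fakeKong is a constructed stand-in for the admin API so the program runs offline: it
// records every call and answers with the shape of Kong's 201 replies. The key is the
// iss of the post's token; the secret and ids are made up.
func fakeKong(calls *[]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = r.ParseForm()
		*calls = append(*calls, r.Method+" "+r.URL.Path+" "+r.PostForm.Encode())
		w.WriteHeader(http.StatusCreated)
		if strings.HasSuffix(r.URL.Path, "/jwt") {
			fmt.Fprint(w, `{"key":"4iDrTBhuqOuDhbzKii0gT12U1kR0gg7n","secret":"constructed-secret"}`)
		} else {
			fmt.Fprint(w, `{"id":"constructed-id"}`)
		}
	}))
}

func main() {
	var calls []string
	kong := fakeKong(&calls) // against a real gateway this would be http://kong:8001
	defer kong.Close()
	// "admin" publishes Kong's own admin API through the proxy, as the overview describes.
	for _, s := range []Service{{"command", "http://edgex-core-command:48082"}, {"admin", "http://kong:8001"}} {
		if err := publish(kong.URL, s); err != nil {
			log.Fatal(err)
		}
	}
	key, _, err := addConsumer(kong.URL, "testuser")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("iss claim for testuser:", key)
	fmt.Println(strings.Join(calls, "\n"))
}
```

Run it with go run; it prints the consumer's key and the recorded admin calls in the order the module would make them. Pointing publish and addConsumer at http://kong:8001 from inside the compose network replays the same calls against a real gateway; note that the consumer's secret is returned only by that one /jwt call, so the token has to be minted and handed out right there.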


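The three Kong replies shown above (a successful call, "Bad token; invalid signature", and "No credentials found for given 'iss'" after --userdel) come from how the jwt plugin ties a token to a consumer through the iss claim. The following is an added example in Go written for this page, not the EdgeX module's or Kong's own code: it mints a token of the same shape as the one --useradd printed and then replays the plugin's checks over a small in-memory credential table. The postToken constant is the token from the post; its iss and account claims are decoded from it, while the Credential values, the secrets and the generic "Bad token" wording for failures the post does not show are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Credential is what Kong keeps per consumer after POST /consumers/<user>/jwt:
// Key becomes the token's "iss" claim, Secret signs it (HS256 by default).
type Credential struct{ Consumer, Key, Secret string }

// Claims is the payload the module issues. Kong checks only "iss"; "account" is an
// EdgeX-added claim the plugin does not validate, and there is no "exp" claim.
type Claims struct {
	Iss     string `json:"iss"`
	Account string `json:"account"`
}

// The two bodies quoted in the post, verbatim; other failures get a generic message.
var (
	ErrNoCredential = errors.New(`{"message":"No credentials found for given 'iss'"}`)
	ErrBadSignature = errors.New(`{"message":"Bad token; invalid signature"}`)
	ErrBadToken     = errors.New(`{"message":"Bad token"}`)
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(secret, signingInput string) []byte {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// mintJWT builds what --useradd prints: base64url(header).base64url(claims).base64url(mac).
func mintJWT(c Credential, account string) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	claims, _ := json.Marshal(Claims{Iss: c.Key, Account: account})
	signingInput := header + "." + b64(claims)
	return signingInput + "." + b64(hs256(c.Secret, signingInput))
}

// claimsOf decodes the payload without verifying it (what a log reader sees for ?jwt=...).
func claimsOf(token string) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, ErrBadToken
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return c, ErrBadToken
	}
	return c, nil
}

// verify replays the plugin's checks: well-formed token, alg equal to the credential's
// HS256 (so "alg":"none" is rejected), a credential whose key equals "iss", then the MAC.
// creds is keyed by credential key; --userdel removes the entry, which is why a deleted
// user's token fails with the 'iss' message rather than the signature one.
func verify(token string, creds map[string]Credential) (string, error) {
	claims, err := claimsOf(token)
	if err != nil {
		return "", err
	}
	parts := strings.Split(token, ".")
	var header struct{ Alg string `json:"alg"` }
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHeader, &header) != nil || header.Alg != "HS256" {
		return "", ErrBadToken
	}
	cred, ok := creds[claims.Iss]
	if !ok {
		return "", ErrNoCredential
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(cred.Secret, parts[0]+"."+parts[1])) {
		return "", ErrBadSignature
	}
	return cred.Consumer, nil
}

// postToken is the token the post shows for testuser; its secret is unknown, so it can be decoded but not verified here.
const postToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI0aURyVEJodXFPdURoYnpLaWkwZ1QxMlUxa1IwZ2c3biIsImFjY291bnQiOiJ0ZXN0dXNlciJ9.5eYeOJNN2zbMAlpCV2bvSFR-B4MRS3_EC6bPUHtJDTE"

func main() {
	c, _ := claimsOf(postToken)
	fmt.Printf("post token: iss=%s account=%s\n", c.Iss, c.Account)
	// Constructed credential: the post's key with a made-up secret (the real one is unknown).
	cred := Credential{Consumer: "testuser", Key: c.Iss, Secret: "constructed-secret"}
	creds := map[string]Credential{cred.Key: cred}
	tok := mintJWT(cred, "testuser")
	fmt.Println(verify(tok, creds)) // testuser <nil>
	fmt.Println(verify(mintJWT(Credential{Key: c.Iss, Secret: "guess"}, "testuser"), creds)) // right iss, wrong secret
	delete(creds, cred.Key)         // --userdel=testuser
	fmt.Println(verify(tok, creds)) // the once-valid token now fails on 'iss'
}
```

Run with go run; the three Println lines reproduce, in order, a successful call, the invalid-signature reply and the missing-iss reply. Two things worth taking from it: knowing a user's iss (it is visible in every ?jwt= URL that lands in a log) gives an attacker nothing without the secret, and since no claim expires, a token should be treated like a password and rotated by deleting and re-creating the consumer.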