在Keystone V3基礎上改進的分佈式認證體系
目標
使用java實現keystone v3相關功能與概念:html
- api client authentication
- service discovery
- distributed multi-tenant authorization
架構
服務註冊發現
(圖1)
java
Registerapi
服務中介與權限管理.緩存
Provider架構
服務提供者.dom
Consumercurl
服務消費者.分佈式
分佈式校驗
(圖2)
ide
- Domain: 全局獨立的服務提供者或消費者.
- API: 服務API(若是Domain對外提供服務,例如CDN服務), Domain的endpoint屬性與API的method/path屬性組成完成的服務URL.
- Policy: API策略. 即API與Role的關聯表, 規定不一樣的Role(管理員/普通用戶)可否訪問的API集合.
- User: 子用戶概念. 例如升龍5.0與雲2.0做爲CDN的消費者, 擁有本身獨立的用戶系統. 同時CDN又做爲本身服務的消費者,也會有一套獨立的用戶系統.
- Project: 業務數據的邏輯集合. 例如升龍5.0, 雲2.0以及CDN裏面爲不一樣業務方建立不一樣的項目劃分數據歸屬.
- Principal: 用戶策略. 即User, Project, 和Role的關聯表, 規定User在不一樣Project中的角色, 與Policy配合實現細粒度控制用戶對項目數據的操做.
- Role: 全局唯一的角色. 角色只是一抽象集合, 各個Domain的Policy會關聯具體的API.
關鍵測試
- 域名與角色是全局唯一的. The domain name, role name and service name is globally unique across all domains.
- 用戶名,項目名是域唯一的. The user name and project name are only unique to the owning domain.
用戶類別:
系統管理用戶: ADMIN域ADMIN項目ADMIN角色的用戶. 容許:
- 建立新域.
- 銷燬無用域, 無用域指至多隻包含ADMIN項目的域.
- 建立新角色.
- 銷燬無用角色, 無用角色指不在policy表或principal表出現的角色.
- 更新IP白名單.
- 更新全局域緩存.
系統管理用戶不是超級管理用戶. 系統用戶不能干擾域的平常管理, 例如建立用戶, 建立項目, 加減用戶角色等.
域管理用戶: 特定域ADMIN項目ADMIN角色的用戶. 容許:
- 建立/銷燬用戶
- 建立/銷燬項目
- 發佈/更新服務與策略
- 驗證TOKEN並返回Session信息(發起者domain,user,project,roles,effectMillis等)
項目管理用戶: 特定域特定項目ADMIN角色的用戶. 容許操做由各個域發佈的策略(policy)決定.
項目普通用戶: 除系統管理用戶, 域管理用戶, 項目管理用戶外的其餘用戶.
項目管理用戶與項目普通用戶的容許行爲 由域自己定義.
API類目
系統管理用戶
- 建立新域:
curl -XPOST 'https://oauth.huya.com/v1/domain/createDomain'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"domain":"my_domain","user":"my_admin","pass":"123","enabled":true}'
response: 200 OK
{"errno":0,"data":{"domain":"my_domain"}}
結果:
- 建立my_domain域
- 在my_domain域建立ADMIN項目
- 在my_domain域建立my_admin管理用戶,其密碼爲123.
- 銷燬無用域:
curl -XDELETE 'https://oauth.huya.com/v1/domain/destroyDomain?domain=my_domain2'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
注意:
- 無用域必須沒有項目或僅僅含有ADMIN項目. 刪除域會清除該域下全部用戶,項目,服務,策略等數據.
- 建立新角色:
curl -XPOST 'https://oauth.huya.com/v1/domain/createRole'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"role":"SERVICE","remark":"服務角色"}'
response: 200 OK
{"errno":0,"data":{"role":"SERVICE","remark":"服務角色"}}
- 銷燬無用角色:
curl -XDELETE 'https://oauth.huya.com/v1/domain/destroyRole?role=SERVICE2'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
注意:
- 無用角色必須沒有policy或principal引用.
- 刷新IP白名單:
curl -XPUT 'https://oauth.huya.com/v1/system/updateAllowHosts'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
- 刷新所有域緩存:
curl -XPUT 'https://oauth.huya.com/v1/system/updateDomainCache'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
域管理用戶
- 建立用戶
curl -XPOST 'https://oauth.huya.com/v1/domain/createUser'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"user":"my_user","pass":"456","remark":"this is a test user","enabled":true}'
response: 200 OK
{"errno":0,"data":{"domain":"my_domain","user":"my_user","remark":"this is a test user","enabled":true}}
- 禁啓用戶
curl -XPUT 'https://oauth.huya.com/v1/domain/enableUser'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"user":"my_user","enabled":true}'
response: 200 OK
{"errno":0}
- 銷燬用戶
curl -XDELETE 'https://oauth.huya.com/v1/domain/destroyUser?user=my_user2'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
- 建立項目
curl -XPOST 'https://oauth.huya.com/v1/domain/createProject'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"project":"my_project","remark":"這是個人測試項目!","enabled":true}'
response: 200 OK
{"errno":0,"data":{"domain":"my_domain","project":"my_project","remark":"這是個人測試項目!","enabled":true}}
- 禁啓項目
curl -XPUT 'https://oauth.huya.com/v1/domain/enableProject'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"project":"my_project2","enabled":true}'
response: 200 OK
{"errno":0}
- 銷燬項目
curl -XDELETE 'https://oauth.huya.com/v1/domain/destroyProject?project=my_project2'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
- 添加用戶角色
curl -XPOST 'https://oauth.huya.com/v1/domain/addUserRole'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"user":"my_user","project":"my_project","role":"SERVICE"}'
response: 200 OK
{"errno":0,"data":{"domain":"my_domain","user":"my_user","project":"my_project","role":"SERVICE"}}
- 查詢用戶角色
curl -XGET 'https://oauth.huya.com/v1/domain/getUserRoles?user=my_user&project=my_project'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0,"data":["ADMIN","SERVICE"]}
- 刪除用戶角色
curl -XDELETE 'https://oauth.huya.com/v1/domain/delUserRole?user=my_user&project=my_project&role=ADMIN'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
- 查詢域用戶
curl -XGET 'https://oauth.huya.com/v1/domain/getDomainUser'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0,"data":[{"domain":"my_domain","user":"my_admin","enabled":true},{"domain":"my_domain","user":"my_user","remark":"this is a test user","enabled":true}]}
- 查詢域項目
curl -XGET 'https://oauth.huya.com/v1/domain/getDomainProject'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0,"data":[{"domain":"my_domain","project":"ADMIN","enabled":true},{"domain":"my_domain","project":"my_project","remark":"這是個人測試項目!","enabled":true}]}
- 發佈/更新服務
curl -XPUT 'https://oauth.huya.com/v1/domain/publishService'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"endpoint":"https://cdn.game.yy.com/v1","apis":[{"api":"api_name_0","method":"GET","path":"/service/action0","category":"test"},{"api":"api_name_1","method":"GET","path":"/service/action1","category":"test"},{"api":"api_name_2","method":"GET","path":"/service/action2","category":"test"},{"api":"api_name_3","method":"GET","path":"/service/action3","category":"test"},{"api":"api_name_4","method":"GET","path":"/service/action4","category":"test"},{"api":"api_name_5","method":"GET","path":"/service/action5","category":"test"},{"api":"api_name_6","method":"GET","path":"/service/action6","category":"test"},{"api":"api_name_7","method":"GET","path":"/service/action7","category":"test"},{"api":"api_name_8","method":"GET","path":"/service/action8","category":"test"},{"api":"api_name_9","method":"GET","path":"/service/action9","category":"test"}],"policies":[{"role":"SERVICE","rules":"test,test:*"}]}'
response: 200 OK
{"errno":0}
注意:
- 發佈服務能夠指定endpoint, apis, policies. 每次發佈這些信息都是全量覆蓋.
- 驗證會話TOKEN
curl -XPOST 'https://oauth.huya.com/v1/domain/verifyRequest'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"domain":"my_domain","user":"my_user","project":"my_project","expires":"1598b5b3eb7","nonce":"74a465fddab8b","signature":"56f8519d7f31460821e4722de0c77c5f","api":"api_name_0"}'
response: 200 OK
{"errno":0,"data":{"domain":"my_domain","user":"my_user","project":"my_project","expires":"1598b5b3eb7","nonce":"74a465fddab8b","signature":"56f8519d7f31460821e4722de0c77c5f","api":"api_name_0","roles":["SERVICE"]}}
- 若是指定api, 則根據policy規則校驗
- 若是不指定api, 則僅僅驗證簽名
其餘用戶
- 查詢所有域
curl -XGET 'https://oauth.huya.com/v1/domain/lookupService?service=my_domain'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0,"data":{"endpoint":"https://cdn.game.yy.com/v1","apis":[{"api":"api_name_4","method":"GET","path":"/service/action4","category":"test"},{"api":"api_name_3","method":"GET","path":"/service/action3","category":"test"},{"api":"api_name_6","method":"GET","path":"/service/action6","category":"test"},{"api":"api_name_5","method":"GET","path":"/service/action5","category":"test"},{"api":"api_name_0","method":"GET","path":"/service/action0","category":"test"},{"api":"api_name_2","method":"GET","path":"/service/action2","category":"test"},{"api":"api_name_1","method":"GET","path":"/service/action1","category":"test"},{"api":"api_name_8","method":"GET","path":"/service/action8","category":"test"},{"api":"api_name_7","method":"GET","path":"/service/action7","category":"test"},{"api":"api_name_9","method":"GET","path":"/service/action9","category":"test"}]}}
- 查詢所有角色
curl -XGET 'https://oauth.huya.com/v1/domain/getAllRole'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0,"data":[{"role":"ADMIN","remark":"全局管理角色"},{"role":"SERVICE","remark":"服務角色"},{"role":"ut_role_d6a62c98_c243_4fcc_9a61_b732185ffb3d"}]}
- 查詢域服務API
curl -XGET 'https://oauth.huya.com/v1/domain/lookupService?service=my_domain' \
-H "X-AUTH-DOMAIN:${DOMAIN}" \
-H "X-AUTH-USER:${USER}" \
-H "X-AUTH-PASS:${PASS}"
response: 200 OK
{"errno":0,"data":{"endpoint":"","apis":[{"api":"api_name_4","method":"GET","path":"/service/action4"},{"api":"api_name_3","method":"GET","path":"/service/action3"},{"api":"api_name_6","method":"GET","path":"/service/action6"},{"api":"api_name_5","method":"GET","path":"/service/action5"},{"api":"api_name_0","method":"GET","path":"/service/action0"},{"api":"api_name_2","method":"GET","path":"/service/action2"},{"api":"api_name_1","method":"GET","path":"/service/action1"},{"api":"api_name_8","method":"GET","path":"/service/action8"},{"api":"api_name_7","method":"GET","path":"/service/action7"},{"api":"api_name_9","method":"GET","path":"/service/action9"}]}}
請求頭及簽名規則:
請求頭:
X-AUTH-DOMAIN: 域 X-AUTH-USER: 用戶 X-AUTH-PROJECT: 項目,可選 X-AUTH-EXPIRES: 有效時間點毫秒時間戳的16進制 X-AUTH-NONCE: 唯一隨機數值, 通常使用當前納秒時間戳的16進制 X-AUTH-SIGNATURE: 用戶簽名, 規則見下
規則:
-帶項目: signature=md5sum(domain,user,project,sha1sum(pass),hex(expires_millis),hex(current_nanos)) -不帶項目: signature=md5sum(domain,user,sha1sum(pass),hex(expires_millis),hex(current_nanos))
例子:
- 服務請求方:
假設my_domain的my_user的密碼爲456, 其要訪問my_project的數據. 則相應腳本:
expires_millis_hex=$(printf '%x' $(($(date +%s)*1000+5000)))
nonce_nanos_hex=$(printf '%x' $(date +%N))
pass_sha1=$(printf 456 | openssl sha1 | awk '{print $2}')
signature=$(printf '%s%s%s%s%s%s' my_domain my_user $pass_sha1 my_project $expires_millis_hex $nonce_nanos_hex | openssl md5 | awk '{print $2}')
curl -XGET 'https://test.huya.com/v1/api_name_0' \
-H "X-AUTH-DOMAIN:my_domain" \
-H "X-AUTH-USER:my_user" \
-H "X-AUTH-PROJECT:my_project" \
-H "X-AUTH-EXPIRES:${HEX(expires_millis_hex)}" \
-H "X-AUTH-NONCE:nonce_nanos_hex" \
-H "X-AUTH-SIGNATURE:signature" \
- 服務提供方:
提取http request中的X-AUTH-*頭部,發往ikeystone驗證, 成功返回對應用戶的角色等信息:
假設test服務管理員爲test, 密碼也爲456, 驗證請求腳本(與ikeystone交互不須要項目)
expires_millis_hex=$(printf '%x' $(($(date +%s)*1000+5000)))
nonce_nanos_hex=$(printf '%x' $(date +%N))
pass_sha1=$(printf 456 | openssl sha1 | awk '{print $2}')
signature=$(printf '%s%s%s%s%s' test test $pass_sha1 $expires_millis_hex $nonce_nanos_hex | openssl md5 | awk '{print $2}')
curl -XPOST 'https://oauth.huya.com/v1/domain/verifyRequest' \
-H "X-AUTH-DOMAIN:my_domain" \
-H "X-AUTH-USER:my_user" \
-H "X-AUTH-EXPIRES:${HEX(expires_millis_hex)}" \
-H "X-AUTH-NONCE:nonce_nanos_hex" \
-H "X-AUTH-SIGNATURE:signature" \
-d '{"domain":"my_domain","user":"my_user","project":"my_project","expires":"1598b7efac5","nonce":"74c67a48ebe23","signature":"bd99837ae32dcda3f21c91b7f95671cf","api":"api_name_0"}'
response: 200 OK
{"errno":0,"data":{"domain":"my_domain","user":"my_user","project":"my_project","expires":"1598b7efac5","nonce":"74c67a48ebe23","signature":"bd99837ae32dcda3f21c91b7f95671cf","api":"api_name_0","roles":["SERVICE"]}}
參考
相關文章
- 1. Keystone V3 API Examples
- 2. 分佈式系統認證方案
- 3. 構建基於分佈式SOA架構的統一身份認證體系
- 4. 分佈式系統基礎
- 5. OpenStack實踐系列②認證服務Keystone
- 6. 分佈式認證方案
- 7. OpenStack Keystone V3 簡介
- 8. 在Android系統上修改系統默認的字體大小
- 9. OpenStack----keystone 認證服務
- 10. 使用keystone認證swift
- 更多相關文章...
- • 互聯網系統應用架構基礎分析 - 紅包項目實戰
- • 在自己的 PC 上運行 ASP - ASP 教程
- • 常用的分佈式事務解決方案
- • 再有人問你分佈式事務,把這篇扔給他
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
