在Keystone V3基础上改进的分布式认证体系
目标
使用java实现keystone v3相关功能与概念:html
- api client authentication
- service discovery
- distributed multi-tenant authorization
架构
服务注册发现
(图1)
java
Registerapi
服务中介与权限管理.缓存
Provider架构
服务提供者.dom
Consumercurl
服务消费者.分布式
分布式校验
(图2)
ide
- Domain: 全局独立的服务提供者或消费者.
- API: 服务API(若是Domain对外提供服务,例如CDN服务), Domain的endpoint属性与API的method/path属性组成完成的服务URL.
- Policy: API策略. 即API与Role的关联表, 规定不一样的Role(管理员/普通用户)可否访问的API集合.
- User: 子用户概念. 例如升龙5.0与云2.0做为CDN的消费者, 拥有本身独立的用户系统. 同时CDN又做为本身服务的消费者,也会有一套独立的用户系统.
- Project: 业务数据的逻辑集合. 例如升龙5.0, 云2.0以及CDN里面为不一样业务方建立不一样的项目划分数据归属.
- Principal: 用户策略. 即User, Project, 和Role的关联表, 规定User在不一样Project中的角色, 与Policy配合实现细粒度控制用户对项目数据的操做.
- Role: 全局唯一的角色. 角色只是一抽象集合, 各个Domain的Policy会关联具体的API.
关键测试
- 域名与角色是全局唯一的. The domain name, role name and service name is globally unique across all domains.
- 用户名,项目名是域唯一的. The user name and project name are only unique to the owning domain.
用户类别:
系统管理用户: ADMIN域ADMIN项目ADMIN角色的用户. 容许:
- 建立新域.
- 销毁无用域, 无用域指至多只包含ADMIN项目的域.
- 建立新角色.
- 销毁无用角色, 无用角色指不在policy表或principal表出现的角色.
- 更新IP白名单.
- 更新全局域缓存.
系统管理用户不是超级管理用户. 系统用户不能干扰域的平常管理, 例如建立用户, 建立项目, 加减用户角色等.
域管理用户: 特定域ADMIN项目ADMIN角色的用户. 容许:
- 建立/销毁用户
- 建立/销毁项目
- 发布/更新服务与策略
- 验证TOKEN并返回Session信息(发起者domain,user,project,roles,effectMillis等)
项目管理用户: 特定域特定项目ADMIN角色的用户. 容许操做由各个域发布的策略(policy)决定.
项目普通用户: 除系统管理用户, 域管理用户, 项目管理用户外的其余用户.
项目管理用户与项目普通用户的容许行为 由域自己定义.
API类目
系统管理用户
- 建立新域:
curl -XPOST 'https://oauth.huya.com/v1/domain/createDomain'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"domain":"my_domain","user":"my_admin","pass":"123","enabled":true}'
response: 200 OK
{"errno":0,"data":{"domain":"my_domain"}}
结果:
- 建立my_domain域
- 在my_domain域建立ADMIN项目
- 在my_domain域建立my_admin管理用户,其密码为123.
- 销毁无用域:
curl -XDELETE 'https://oauth.huya.com/v1/domain/destroyDomain?domain=my_domain2'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
注意:
- 无用域必须没有项目或仅仅含有ADMIN项目. 删除域会清除该域下全部用户,项目,服务,策略等数据.
- 建立新角色:
curl -XPOST 'https://oauth.huya.com/v1/domain/createRole'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"role":"SERVICE","remark":"服务角色"}'
response: 200 OK
{"errno":0,"data":{"role":"SERVICE","remark":"服务角色"}}
- 销毁无用角色:
curl -XDELETE 'https://oauth.huya.com/v1/domain/destroyRole?role=SERVICE2'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
注意:
- 无用角色必须没有policy或principal引用.
- 刷新IP白名单:
curl -XPUT 'https://oauth.huya.com/v1/system/updateAllowHosts'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
- 刷新所有域缓存:
curl -XPUT 'https://oauth.huya.com/v1/system/updateDomainCache'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
域管理用户
- 建立用户
curl -XPOST 'https://oauth.huya.com/v1/domain/createUser'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"user":"my_user","pass":"456","remark":"this is a test user","enabled":true}'
response: 200 OK
{"errno":0,"data":{"domain":"my_domain","user":"my_user","remark":"this is a test user","enabled":true}}
- 禁启用户
curl -XPUT 'https://oauth.huya.com/v1/domain/enableUser'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"user":"my_user","enabled":true}'
response: 200 OK
{"errno":0}
- 销毁用户
curl -XDELETE 'https://oauth.huya.com/v1/domain/destroyUser?user=my_user2'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
- 建立项目
curl -XPOST 'https://oauth.huya.com/v1/domain/createProject'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"project":"my_project","remark":"这是个人测试项目!","enabled":true}'
response: 200 OK
{"errno":0,"data":{"domain":"my_domain","project":"my_project","remark":"这是个人测试项目!","enabled":true}}
- 禁启项目
curl -XPUT 'https://oauth.huya.com/v1/domain/enableProject'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"project":"my_project2","enabled":true}'
response: 200 OK
{"errno":0}
- 销毁项目
curl -XDELETE 'https://oauth.huya.com/v1/domain/destroyProject?project=my_project2'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
- 添加用户角色
curl -XPOST 'https://oauth.huya.com/v1/domain/addUserRole'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"user":"my_user","project":"my_project","role":"SERVICE"}'
response: 200 OK
{"errno":0,"data":{"domain":"my_domain","user":"my_user","project":"my_project","role":"SERVICE"}}
- 查询用户角色
curl -XGET 'https://oauth.huya.com/v1/domain/getUserRoles?user=my_user&project=my_project'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0,"data":["ADMIN","SERVICE"]}
- 删除用户角色
curl -XDELETE 'https://oauth.huya.com/v1/domain/delUserRole?user=my_user&project=my_project&role=ADMIN'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0}
- 查询域用户
curl -XGET 'https://oauth.huya.com/v1/domain/getDomainUser'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0,"data":[{"domain":"my_domain","user":"my_admin","enabled":true},{"domain":"my_domain","user":"my_user","remark":"this is a test user","enabled":true}]}
- 查询域项目
curl -XGET 'https://oauth.huya.com/v1/domain/getDomainProject'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0,"data":[{"domain":"my_domain","project":"ADMIN","enabled":true},{"domain":"my_domain","project":"my_project","remark":"这是个人测试项目!","enabled":true}]}
- 发布/更新服务
curl -XPUT 'https://oauth.huya.com/v1/domain/publishService'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"endpoint":"https://cdn.game.yy.com/v1","apis":[{"api":"api_name_0","method":"GET","path":"/service/action0","category":"test"},{"api":"api_name_1","method":"GET","path":"/service/action1","category":"test"},{"api":"api_name_2","method":"GET","path":"/service/action2","category":"test"},{"api":"api_name_3","method":"GET","path":"/service/action3","category":"test"},{"api":"api_name_4","method":"GET","path":"/service/action4","category":"test"},{"api":"api_name_5","method":"GET","path":"/service/action5","category":"test"},{"api":"api_name_6","method":"GET","path":"/service/action6","category":"test"},{"api":"api_name_7","method":"GET","path":"/service/action7","category":"test"},{"api":"api_name_8","method":"GET","path":"/service/action8","category":"test"},{"api":"api_name_9","method":"GET","path":"/service/action9","category":"test"}],"policies":[{"role":"SERVICE","rules":"test,test:*"}]}'
response: 200 OK
{"errno":0}
注意:
- 发布服务能够指定endpoint, apis, policies. 每次发布这些信息都是全量覆盖.
- 验证会话TOKEN
curl -XPOST 'https://oauth.huya.com/v1/domain/verifyRequest'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'
-d '{"domain":"my_domain","user":"my_user","project":"my_project","expires":"1598b5b3eb7","nonce":"74a465fddab8b","signature":"56f8519d7f31460821e4722de0c77c5f","api":"api_name_0"}'
response: 200 OK
{"errno":0,"data":{"domain":"my_domain","user":"my_user","project":"my_project","expires":"1598b5b3eb7","nonce":"74a465fddab8b","signature":"56f8519d7f31460821e4722de0c77c5f","api":"api_name_0","roles":["SERVICE"]}}
- 若是指定api, 则根据policy规则校验
- 若是不指定api, 则仅仅验证签名
其余用户
- 查询所有域
curl -XGET 'https://oauth.huya.com/v1/domain/lookupService?service=my_domain'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0,"data":{"endpoint":"https://cdn.game.yy.com/v1","apis":[{"api":"api_name_4","method":"GET","path":"/service/action4","category":"test"},{"api":"api_name_3","method":"GET","path":"/service/action3","category":"test"},{"api":"api_name_6","method":"GET","path":"/service/action6","category":"test"},{"api":"api_name_5","method":"GET","path":"/service/action5","category":"test"},{"api":"api_name_0","method":"GET","path":"/service/action0","category":"test"},{"api":"api_name_2","method":"GET","path":"/service/action2","category":"test"},{"api":"api_name_1","method":"GET","path":"/service/action1","category":"test"},{"api":"api_name_8","method":"GET","path":"/service/action8","category":"test"},{"api":"api_name_7","method":"GET","path":"/service/action7","category":"test"},{"api":"api_name_9","method":"GET","path":"/service/action9","category":"test"}]}}
- 查询所有角色
curl -XGET 'https://oauth.huya.com/v1/domain/getAllRole'
-H "X-AUTH-DOMAIN:${domain}" #required
-H "X-AUTH-USER:${user}" #required
-H "X-AUTH-PROJECT:${project}" #optional, maybe null
-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds
-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds
-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"
response: 200 OK
{"errno":0,"data":[{"role":"ADMIN","remark":"全局管理角色"},{"role":"SERVICE","remark":"服务角色"},{"role":"ut_role_d6a62c98_c243_4fcc_9a61_b732185ffb3d"}]}
- 查询域服务API
curl -XGET 'https://oauth.huya.com/v1/domain/lookupService?service=my_domain' \
-H "X-AUTH-DOMAIN:${DOMAIN}" \
-H "X-AUTH-USER:${USER}" \
-H "X-AUTH-PASS:${PASS}"
response: 200 OK
{"errno":0,"data":{"endpoint":"","apis":[{"api":"api_name_4","method":"GET","path":"/service/action4"},{"api":"api_name_3","method":"GET","path":"/service/action3"},{"api":"api_name_6","method":"GET","path":"/service/action6"},{"api":"api_name_5","method":"GET","path":"/service/action5"},{"api":"api_name_0","method":"GET","path":"/service/action0"},{"api":"api_name_2","method":"GET","path":"/service/action2"},{"api":"api_name_1","method":"GET","path":"/service/action1"},{"api":"api_name_8","method":"GET","path":"/service/action8"},{"api":"api_name_7","method":"GET","path":"/service/action7"},{"api":"api_name_9","method":"GET","path":"/service/action9"}]}}
请求头及签名规则:
请求头:
X-AUTH-DOMAIN: 域 X-AUTH-USER: 用户 X-AUTH-PROJECT: 项目,可选 X-AUTH-EXPIRES: 有效时间点毫秒时间戳的16进制 X-AUTH-NONCE: 唯一随机数值, 通常使用当前纳秒时间戳的16进制 X-AUTH-SIGNATURE: 用户签名, 规则见下
规则:
-带项目: signature=md5sum(domain,user,project,sha1sum(pass),hex(expires_millis),hex(current_nanos)) -不带项目: signature=md5sum(domain,user,sha1sum(pass),hex(expires_millis),hex(current_nanos))
例子:
- 服务请求方:
假设my_domain的my_user的密码为456, 其要访问my_project的数据. 则相应脚本:
expires_millis_hex=$(printf '%x' $(($(date +%s)*1000+5000)))
nonce_nanos_hex=$(printf '%x' $(date +%N))
pass_sha1=$(printf 456 | openssl sha1 | awk '{print $2}')
signature=$(printf '%s%s%s%s%s%s' my_domain my_user $pass_sha1 my_project $expires_millis_hex $nonce_nanos_hex | openssl md5 | awk '{print $2}')
curl -XGET 'https://test.huya.com/v1/api_name_0' \
-H "X-AUTH-DOMAIN:my_domain" \
-H "X-AUTH-USER:my_user" \
-H "X-AUTH-PROJECT:my_project" \
-H "X-AUTH-EXPIRES:${HEX(expires_millis_hex)}" \
-H "X-AUTH-NONCE:nonce_nanos_hex" \
-H "X-AUTH-SIGNATURE:signature" \
- 服务提供方:
提取http request中的X-AUTH-*头部,发往ikeystone验证, 成功返回对应用户的角色等信息:
假设test服务管理员为test, 密码也为456, 验证请求脚本(与ikeystone交互不须要项目)
expires_millis_hex=$(printf '%x' $(($(date +%s)*1000+5000)))
nonce_nanos_hex=$(printf '%x' $(date +%N))
pass_sha1=$(printf 456 | openssl sha1 | awk '{print $2}')
signature=$(printf '%s%s%s%s%s' test test $pass_sha1 $expires_millis_hex $nonce_nanos_hex | openssl md5 | awk '{print $2}')
curl -XPOST 'https://oauth.huya.com/v1/domain/verifyRequest' \
-H "X-AUTH-DOMAIN:my_domain" \
-H "X-AUTH-USER:my_user" \
-H "X-AUTH-EXPIRES:${HEX(expires_millis_hex)}" \
-H "X-AUTH-NONCE:nonce_nanos_hex" \
-H "X-AUTH-SIGNATURE:signature" \
-d '{"domain":"my_domain","user":"my_user","project":"my_project","expires":"1598b7efac5","nonce":"74c67a48ebe23","signature":"bd99837ae32dcda3f21c91b7f95671cf","api":"api_name_0"}'
response: 200 OK
{"errno":0,"data":{"domain":"my_domain","user":"my_user","project":"my_project","expires":"1598b7efac5","nonce":"74c67a48ebe23","signature":"bd99837ae32dcda3f21c91b7f95671cf","api":"api_name_0","roles":["SERVICE"]}}
参考
相关文章
- 1. Keystone V3 API Examples
- 2. 分布式系统认证方案
- 3. 构建基于分布式SOA架构的统一身份认证体系
- 4. 分布式系统基础
- 5. OpenStack实践系列②认证服务Keystone
- 6. 分布式认证方案
- 7. OpenStack Keystone V3 简介
- 8. 在Android系统上修改系统默认的字体大小
- 9. OpenStack----keystone 认证服务
- 10. 使用keystone认证swift
- 更多相关文章...
- • 互联网系统应用架构基础分析 - 红包项目实战
- • 在自己的 PC 上运行 ASP - ASP 教程
- • 常用的分布式事务解决方案
- • 再有人问你分布式事务,把这篇扔给他
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
