My latest and most complete articles are at 南瓜慢说 www.pkslow.com; everyone is welcome to drop by!

1 Introduction

Spring Cloud Data Flow itself is not introduced in detail here; if you are interested, see the articles below. This article mainly shows how to integrate Data Flow with CloudFoundry UAA for access control, so that not just anyone can access and operate the server.

Related Spring Cloud Data Flow articles:

Spring Cloud Data Flow first experience, running in Local mode

Deploying Spring Cloud Data Flow on Kubernetes and running a task

Operating Spring Cloud Data Flow from the Shell, convenient for building CI/CD

Bitten by Spring: reading the source finally solved the problem of Data Flow deploying K8s applications

UAA, the CloudFoundry User Account and Authentication service, is an identity authentication and authorization system. It is mainly used by CloudFoundry, but it can also act as a standalone OAuth2 server that issues tokens to clients, and it can be used in scenarios such as single sign-on (SSO).

UAA can also integrate with LDAP, but to keep things simple this article only demonstrates the most basic integration.

2 Starting the UAA service

The official site provides UAA as a war package, uaa.war, which can be downloaded directly and deployed in a Servlet container such as Tomcat. UAA Bundled wraps that war package with Spring Boot, so starting the application is as simple as starting a Spring Boot application. This article starts UAA that way.

The war package is downloaded with the maven-dependency-plugin, as follows:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-dependency-plugin</artifactId>
  <executions>
    <execution>
      <id>copy</id>
      <phase>process-resources</phase>
      <goals>
        <goal>copy</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <artifactItems>
      <!-- needed when starting from the local IDE -->
      <artifactItem>
        <groupId>org.cloudfoundry.identity</groupId>
        <artifactId>cloudfoundry-identity-uaa</artifactId>
        <version>4.30.0</version>
        <type>war</type>
        <overWrite>true</overWrite>
        <outputDirectory>${project.basedir}/src/main/resources</outputDirectory>
        <destFileName>uaa.war</destFileName>
      </artifactItem>
      <!-- needed when packaging as a jar -->
      <artifactItem>
        <groupId>org.cloudfoundry.identity</groupId>
        <artifactId>cloudfoundry-identity-uaa</artifactId>
        <version>4.30.0</version>
        <type>war</type>
        <overWrite>true</overWrite>
        <outputDirectory>${project.basedir}/target/classes</outputDirectory>
        <destFileName>uaa.war</destFileName>
      </artifactItem>
    </artifactItems>
  </configuration>
</plugin>

It is started through a Spring Boot main entry point:

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;

import org.apache.catalina.Context;
import org.apache.catalina.Server;
import org.apache.catalina.loader.WebappLoader;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.embedded.tomcat.TomcatWebServer;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.core.io.ClassPathResource;
import org.springframework.util.FileCopyUtils;

@SpringBootApplication
public class UaaServer {

    public static void main(String[] args) {
        SpringApplication.run(UaaServer.class, args);
    }

    @Bean
    public ServletWebServerFactory servletContainer() throws IOException {
        // Unpack uaa.yml and uaa.war from the classpath into a temporary directory
        final File tempDirectory = Files.createTempDirectory("uaa").toFile();
        final File tempUaaYmlFile = new File(tempDirectory, "uaa.yml");
        final File tempUaaWarFile = new File(tempDirectory, "uaa.war");
        FileCopyUtils.copy(
                new ClassPathResource("uaa.yml").getInputStream(),
                new FileOutputStream(tempUaaYmlFile));
        FileCopyUtils.copy(
                new ClassPathResource("uaa.war").getInputStream(),
                new FileOutputStream(tempUaaWarFile));
        System.out.println("uaa.yml: " + tempUaaYmlFile.getAbsolutePath());
        System.out.println("uaa.war: " + tempUaaWarFile.getAbsolutePath());
        // UAA reads its configuration from the file named by this system property
        System.setProperty("UAA_CONFIG_FILE", tempUaaYmlFile.getAbsolutePath());

        return new TomcatServletWebServerFactory() {
            @Override
            protected TomcatWebServer getTomcatWebServer(org.apache.catalina.startup.Tomcat tomcat) {
                final Server tomcatServer = tomcat.getServer();
                final File catalinaBase = new File(tempDirectory, "catalina");
                catalinaBase.mkdirs();
                tomcatServer.setCatalinaBase(catalinaBase);
                new File(tomcatServer.getCatalinaBase(), "webapps").mkdirs();
                try {
                    // Deploy the UAA war under the /uaa context path
                    Context context = tomcat.addWebapp("/uaa", tempUaaWarFile.toString());
                    final ClassLoader properClassLoader = UaaServer.class.getClassLoader();
                    WebappLoader loader = new WebappLoader(properClassLoader);
                    context.setLoader(loader);
                } catch (Exception ex) {
                    throw new IllegalStateException("Failed to add webapp", ex);
                }
                return super.getTomcatWebServer(tomcat);
            }
        };
    }
}

The configuration file and war file names are hard-coded here; a real project can make them configurable.

Next, configure the uaa.yml file. For its full content see the code at https://github.com/LarryDpk/p... ; it is not pasted here. Note that the key used to sign JWTs must be generated:

$ openssl genrsa -out signingkey.pem 2048
Generating RSA private key, 2048 bit long modulus
........................+++
..........................................................................+++
e is 65537 (0x10001)
$ openssl rsa -in signingkey.pem -pubout -out verificationkey.pem
writing RSA key

After completing the steps above, it can be packaged and started with the following commands:

mvn clean package
java -jar target/cloudfoundry-uaa-server-1.0-SNAPSHOT.jar

The default port is 8080. After a successful start, you can visit: http://localhost:8080/uaa/login

3 Configuring accounts

For convenience, we use the in-memory database to store account information, so it is lost after a restart. Users and permissions are created with uaac, the command-line tool provided by UAA. Because uaac is Ruby-based, Ruby must be installed first; my machine already has it, so that is not shown here.

To install the cf-uaac command-line tool faster, change the source used by the Ruby package manager gem:

$ gem sources --add https://gems.ruby-china.com
https://gems.ruby-china.com added to sources
$ gem sources -l
*** CURRENT SOURCES ***

https://rubygems.org/
https://gems.ruby-china.com
$ gem sources --remove https://rubygems.org/
https://rubygems.org/ removed from sources

With the domestic mirror configured, install it:

$ sudo gem install cf-uaac
15 gems installed

Once installed, users can be created with the commands below.

uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac client add dataflow \
  --name dataflow \
  --secret dataflow \
  --scope cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,sample.create,sample.view,dataflow.create,dataflow.deploy,dataflow.destroy,dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view \
  --authorized_grant_types password,authorization_code,client_credentials,refresh_token \
  --authorities uaa.resource,dataflow.create,dataflow.deploy,dataflow.destroy,dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view,sample.view,sample.create \
  --redirect_uri http://localhost:9393/login \
  --autoapprove openid
uaac group add "sample.view"
uaac group add "sample.create"
uaac group add "dataflow.view"
uaac group add "dataflow.create"
uaac group add "dataflow.deploy"
uaac group add "dataflow.destroy"
uaac group add "dataflow.manage"
uaac group add "dataflow.modify"
uaac group add "dataflow.schedule"
uaac user add larry -p larry --emails larry@pkslow.com
uaac member add "dataflow.view" larry
uaac member add "dataflow.create" larry
uaac member add "dataflow.deploy" larry
uaac member add "dataflow.destroy" larry
uaac member add "dataflow.manage" larry
uaac member add "dataflow.modify" larry
uaac member add "dataflow.schedule" larry
uaac user add vieweronly -p mysecret --emails vieweronly@pkslow.com
uaac member add "dataflow.view" vieweronly

The key items here are the users and groups (user and group). What is configured here must correspond to the Data Flow Server configuration before it can work.

4 Configuring and starting Data Flow Server

The Data Flow Server configuration file is very important; it is the key to the UAA integration. It has two essential parts. The first configures the UAA details, such as the client-id, the token endpoint and the various authentication and authorization endpoints. The second is the role mapping: Data Flow uses role-based access control, and its own roles must be mapped to UAA groups before it can work properly.

The configuration is as follows:

spring:
  security:
    oauth2:
      client:
        registration:
          uaa:
            client-id: dataflow
            client-secret: dataflow
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            authorization-grant-type: authorization_code
            scope:
              - openid
              - dataflow.create
              - dataflow.deploy
              - dataflow.destroy
              - dataflow.manage
              - dataflow.modify
              - dataflow.schedule
              - dataflow.view
        provider:
          uaa:
            jwk-set-uri: http://localhost:8080/uaa/token_keys
            token-uri: http://localhost:8080/uaa/oauth/token
            user-info-uri: http://localhost:8080/uaa/userinfo
            user-name-attribute: user_name
            authorization-uri: http://localhost:8080/uaa/oauth/authorize
      resourceserver:
        opaquetoken:
          introspection-uri: http://localhost:8080/uaa/introspect
          client-id: dataflow
          client-secret: dataflow
  cloud:
    dataflow:
      security:
        authorization:
          provider-role-mappings:
            uaa:
              map-oauth-scopes: true
              role-mappings:
                ROLE_VIEW: dataflow.view
                ROLE_CREATE: dataflow.create
                ROLE_MANAGE: dataflow.manage
                ROLE_DEPLOY: dataflow.create
                ROLE_DESTROY: dataflow.create
                ROLE_MODIFY: dataflow.create
                ROLE_SCHEDULE: dataflow.create

As you can see, several different roles can map to the same group, which is very flexible.
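The uaac commands in section 3 and the role-mappings above are two halves of one access-control decision: UAA decides which scopes a user's token carries, and Data Flow (with map-oauth-scopes: true) turns those scopes into roles. The script below is an added example, not code from this post or from the UAA or Data Flow projects. It copies the scope lists, group memberships and role mappings from the post into plain Python and answers the questions a reviewer would ask of this configuration: which Data Flow roles each user ends up with, whether Data Flow requests any scope the dataflow client is not allowed to ask for, and whether any role maps to a scope that no UAA group can grant. The narrowing rule in effective_scopes() is a simplified model of UAA's behaviour and is an assumption, as is the default scope set.

```python
# Added example (not the post's code). Models how the uaac configuration and the
# Data Flow role-mappings combine; values are copied from the post, the
# narrowing rule and DEFAULT_USER_SCOPES are simplifying assumptions.

# Data Flow role -> UAA scope, from the role-mappings block of application.yaml.
ROLE_MAPPINGS = {
    "ROLE_VIEW": "dataflow.view",
    "ROLE_CREATE": "dataflow.create",
    "ROLE_MANAGE": "dataflow.manage",
    "ROLE_DEPLOY": "dataflow.create",
    "ROLE_DESTROY": "dataflow.create",
    "ROLE_MODIFY": "dataflow.create",
    "ROLE_SCHEDULE": "dataflow.create",
}

# Scopes Data Flow asks UAA for (the registration's scope list).
DATAFLOW_REQUESTED_SCOPES = {
    "openid", "dataflow.create", "dataflow.deploy", "dataflow.destroy",
    "dataflow.manage", "dataflow.modify", "dataflow.schedule", "dataflow.view",
}

# Scopes the dataflow client may request (the --scope list of `uaac client add`).
UAA_CLIENT_SCOPES = {
    "cloud_controller.read", "cloud_controller.write", "openid", "password.write",
    "scim.userids", "sample.create", "sample.view", "dataflow.create",
    "dataflow.deploy", "dataflow.destroy", "dataflow.manage", "dataflow.modify",
    "dataflow.schedule", "dataflow.view",
}

# Group membership created with `uaac group add` / `uaac member add`.
UAA_GROUP_MEMBERS = {
    "sample.view": set(),
    "sample.create": set(),
    "dataflow.view": {"larry", "vieweronly"},
    "dataflow.create": {"larry"},
    "dataflow.deploy": {"larry"},
    "dataflow.destroy": {"larry"},
    "dataflow.manage": {"larry"},
    "dataflow.modify": {"larry"},
    "dataflow.schedule": {"larry"},
}

# Assumption: scopes every UAA user holds without an explicit group membership.
DEFAULT_USER_SCOPES = {"openid"}


def user_scopes(user, members=UAA_GROUP_MEMBERS):
    """Scopes a user holds through group membership, plus the defaults."""
    return DEFAULT_USER_SCOPES | {g for g, users in members.items() if user in users}


def effective_scopes(user, requested=DATAFLOW_REQUESTED_SCOPES,
                     client_scopes=UAA_CLIENT_SCOPES, members=UAA_GROUP_MEMBERS):
    """Simplified model (assumption): the token carries the requested scopes that
    the client is allowed to ask for and that the user actually holds."""
    granted = requested & client_scopes & user_scopes(user, members)
    if not granted:
        raise ValueError(f"{user}: holds none of the requested scopes")
    return granted


def roles_for(scopes, mappings=ROLE_MAPPINGS):
    """Data Flow roles granted for a set of token scopes (map-oauth-scopes: true)."""
    return sorted(role for role, scope in mappings.items() if scope in scopes)


def dataflow_roles(user):
    """End-to-end: UAA group membership -> token scopes -> Data Flow roles."""
    return roles_for(effective_scopes(user))


def unrequestable_scopes(requested=DATAFLOW_REQUESTED_SCOPES,
                         client_scopes=UAA_CLIENT_SCOPES):
    """Scopes in the Data Flow registration that the UAA client may not request;
    UAA rejects an authorization request containing one (invalid_scope)."""
    return sorted(requested - client_scopes)


def unreachable_roles(mappings=ROLE_MAPPINGS, members=UAA_GROUP_MEMBERS):
    """Roles whose mapped scope has no UAA group, so no user could ever obtain them."""
    return sorted(role for role, scope in mappings.items() if scope not in members)


if __name__ == "__main__":
    for user in ("larry", "vieweronly", "nobody"):
        print(user, dataflow_roles(user))
    print("scopes the client cannot request:", unrequestable_scopes())
    print("roles no group can grant:", unreachable_roles())
```

With the post's values, larry receives all seven roles, vieweronly receives only ROLE_VIEW, and both consistency checks come back empty. A user who exists in UAA but belongs to no dataflow.* group can still log in (openid is granted) yet holds no Data Flow role, which is the behaviour to expect from a fresh `uaac user add` without any `uaac member add`.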

Once the configuration is complete, Data Flow Server can be started:

java -jar data-flow-server.jar --spring.config.additional-location=./src/main/resources/application.yaml

5 Time to see the results

After UAA has started successfully and the users are configured, start Data Flow Server and you can begin using it. The process is as follows:

Visit http://localhost:9393/dashboard/#/apps; you are automatically redirected to the login page. Click uaa

to be redirected to the uaa login page:

Enter the configured account and password: larry/larry. The field is labelled Email above, but it is actually the username. After logging in you must confirm the authorization:

After authorizing, you are redirected back to the Data Flow interface and already have permission to view:

After logging out, you are asked to log in again. At this point the integration is complete.

The shell is used as follows:

$ java -jar spring-cloud-dataflow-shell-2.7.0.jar \
  --dataflow.uri=http://localhost:9393            \
  --dataflow.username=my_username                 \
  --dataflow.password=my_password                 \
  --skip-ssl-validation  true

Summary

This article demonstrated step by step how to integrate Data Flow Server with UAA to meet Data Flow's security requirements. In practice UAA should use another database, such as MySQL, or integrate with LDAP, so that account data is not lost on restart. We will look at that when there is time.

See the code at: https://github.com/LarryDpk/p...


References:

Data Flow official documentation, version 2.7.0

A Quick Guide To Using Cloud Foundry UAA


Welcome to follow the WeChat public account <南瓜慢说>, which will keep updating for you...

Read more, share more; write more, organize more.