Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2020/06/24 00:46:43 UTC

[GitHub] [servicecomb-service-center] aseTo2016 commented on a change in pull request #649: [WIP]RBAC prototype

aseTo2016 commented on a change in pull request #649:
URL: https://github.com/apache/servicecomb-service-center/pull/649#discussion_r444214464



##########
File path: server/service/kv/store.go
##########
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//Package kv supplies kv store
+package kv
+
+import (
+	"context"
+	"errors"
+	"github.com/coreos/etcd/mvcc/mvccpb"
+
+	"github.com/apache/servicecomb-service-center/server/core/backend"
+	"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+)
+
+var ErrNotUnique = errors.New("kv result is not unique")
+
+//Put put kv
+func Put(ctx context.Context, key string, value string) error {
+	_, err := backend.Registry().Do(ctx, registry.PUT,
+		registry.WithStrKey(key),
+		registry.WithValue([]byte(value)))
+	return err
+}
+
+//Put put kv
+func PutBytes(ctx context.Context, key string, value []byte) error {
+	_, err := backend.Registry().Do(ctx, registry.PUT,
+		registry.WithStrKey(key),
+		registry.WithValue(value))
+	return err
+}
+
+//Get get one kv
+func Get(ctx context.Context, key string) (*mvccpb.KeyValue, error) {
+	resp, err := backend.Registry().Do(ctx, registry.GET,
+		registry.WithStrKey(key))
+	if err != nil {
+		return nil, err
+	}
+	if resp.Count != 1 {
+		{
+			return nil, ErrNotUnique
+		}
+	}
+	return resp.Kvs[0], err
+}
+
+//Exist get one kv, if can not get return false
+func Exist(ctx context.Context, key string) (bool, error) {
+	resp, err := backend.Registry().Do(ctx, registry.GET,
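Review bot: Get at L69-L73 returns ErrNotUnique for a zero-count response as well as for a multi-key one, so a missing key is reported as "kv result is not unique" and callers cannot tell absent from duplicate — an RBAC lookup built on this cannot distinguish "no such account" from a corrupted store. Split the condition into a distinct ErrNotFound sentinel and keep ErrNotUnique for Count > 1; guarding on len(resp.Kvs) as well avoids indexing Kvs[0] should the backend's Count ever disagree with the returned slice. The final line should also return a literal nil rather than the already-checked err. Exist begins at L78 and its body continues past the end of the hunk.
```go
// ErrNotFound is returned by Get when no value is stored under the key.
var ErrNotFound = errors.New("kv not found")

// … unchanged: Put, PutBytes …

// Get returns the single value stored under key.
// It returns ErrNotFound when the key is absent and ErrNotUnique when
// the backend reports more than one result.
func Get(ctx context.Context, key string) (*mvccpb.KeyValue, error) {
	resp, err := backend.Registry().Do(ctx, registry.GET,
		registry.WithStrKey(key))
	if err != nil {
		return nil, err
	}
	switch {
	case resp.Count == 0 || len(resp.Kvs) == 0:
		return nil, ErrNotFound
	case resp.Count > 1:
		return nil, ErrNotUnique
	}
	return resp.Kvs[0], nil
}
```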

Review comment:
       建议调用上面声明的Get接口

##########
File path: server/service/kv/store.go
##########
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//Package kv supplies kv store
+package kv
+
+import (
+	"context"
+	"errors"
+	"github.com/coreos/etcd/mvcc/mvccpb"
+
+	"github.com/apache/servicecomb-service-center/server/core/backend"
+	"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+)
+
+var ErrNotUnique = errors.New("kv result is not unique")
+
+//Put put kv
+func Put(ctx context.Context, key string, value string) error {
+	_, err := backend.Registry().Do(ctx, registry.PUT,
+		registry.WithStrKey(key),
+		registry.WithValue([]byte(value)))
+	return err
+}
+
+//Put put kv
+func PutBytes(ctx context.Context, key string, value []byte) error {
+	_, err := backend.Registry().Do(ctx, registry.PUT,
+		registry.WithStrKey(key),
+		registry.WithValue(value))
+	return err
+}
+
+//Get get one kv
+func Get(ctx context.Context, key string) (*mvccpb.KeyValue, error) {
+	resp, err := backend.Registry().Do(ctx, registry.GET,
+		registry.WithStrKey(key))
+	if err != nil {
+		return nil, err
+	}
+	if resp.Count != 1 {
+		{
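Review bot: The doc comment on PutBytes at L127 is a copy of Put's, so godoc shows `Put put kv` for both functions; it should start with the function's own name, e.g. `// PutBytes stores value under key as raw bytes.` Since Put at L120-L125 differs from PutBytes only by the []byte conversion, it can delegate with `return PutBytes(ctx, key, []byte(value))` so the two cannot drift apart. Get begins at L136 and continues past the end of the hunk.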

Review comment:
       多了括号

##########
File path: server/service/rbac/rbac.go
##########
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package rbac
+
+import (
+	"context"
+	"github.com/apache/servicecomb-service-center/pkg/log"
+	"github.com/apache/servicecomb-service-center/pkg/model"
+	"github.com/apache/servicecomb-service-center/server/service/cipher"
+	"github.com/apache/servicecomb-service-center/server/service/rbac/dao"
+	"github.com/astaxie/beego"
+	"github.com/go-chassis/go-archaius"
+	"github.com/go-chassis/go-chassis/security/authr"
+)
+
+const (
+	InitRoot     = "SC_INIT_ROOT_USERNAME"
+	InitPassword = "SC_INIT_ROOT_PASSWORD"
+	InitSecret   = "SC_INIT_SECRET"
+)
+
+//Init decide whether enable rbac function and save root account to db
+// if db has root account, abort creating.
+func Init() {
+	if !Enabled() {
+		log.Info("rbac is disabled")
+		return
+	}
+	err := authr.Init()
+	if err != nil {
+		log.Fatal("can not enable auth module", err)
+	}
+	admin := archaius.GetString(InitRoot, "")
+	if admin == "" {
+		log.Fatal("can not enable rbac, root is empty", nil)
+		return
+	}
+	b, err := dao.AccountExist(context.Background(), admin)
+	if err != nil {
+		log.Fatal("can not enable auth module", err)
+	}
+	if b {
+		log.Info("rbac is enabled")
+		return
+	}
+	initFirstTime(admin)
+
+}
+func initFirstTime(admin string) {
+	//handle root account
+	pwd := archaius.GetString(InitPassword, "")
+	if pwd == "" {
+		log.Fatal("can not enable rbac, password is empty", nil)
+	}
+	pwd, err := cipher.Encrypt(pwd)
+	if err != nil {
+		log.Fatal("can not enable rbac, encryption failed", err)
+	}
+	if err := dao.CreateAccount(context.Background(), &model.Account{
+		Name:     admin,
+		Password: pwd,
+	}); err != nil {
+		if err == dao.ErrDuplicated {
+			log.Info("rbac is enabled")
+			return
+		}
+		log.Fatal("can not enable rbac, init root account failed", err)
+	}
+	initSecret()
+	log.Info("rbac init success")
+}
+func initSecret() {
+	secret := archaius.GetString(InitSecret, "")
+	if secret == "" {
+		log.Fatal("can not enable rbac, secret is empty", nil)
+	}
+	es, err := cipher.Encrypt(secret)
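Review bot: The root password read at L217 is passed through cipher.Encrypt and stored as Account.Password at L221-L227; if cipher.Encrypt is reversible encryption, as its name and its reuse for the secret at L243 suggest, the bootstrap credential is recoverable by anyone holding the cipher key plus read access to the store. A stored login password should be a salted, slow one-way hash (bcrypt or argon2id) verified by comparison, with the reversible cipher reserved for material that genuinely has to be decrypted later; please confirm what cipher.Encrypt does before a login path is built on top of it. Separately, the empty-password branch at L218-L220 has no `return` after log.Fatal, unlike L201-L202, so correctness there relies on log.Fatal terminating the process. initSecret begins at L238 and continues past the end of the hunk.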

Review comment:
       secret配置中是明文的?

##########
File path: server/service/rbac/rbac.go
##########
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package rbac
+
+import (
+	"context"
+	"github.com/apache/servicecomb-service-center/pkg/log"
+	"github.com/apache/servicecomb-service-center/pkg/model"
+	"github.com/apache/servicecomb-service-center/server/service/cipher"
+	"github.com/apache/servicecomb-service-center/server/service/rbac/dao"
+	"github.com/astaxie/beego"
+	"github.com/go-chassis/go-archaius"
+	"github.com/go-chassis/go-chassis/security/authr"
+)
+
+const (
+	InitRoot     = "SC_INIT_ROOT_USERNAME"
+	InitPassword = "SC_INIT_ROOT_PASSWORD"
+	InitSecret   = "SC_INIT_SECRET"
+)
+
+//Init decide whether enable rbac function and save root account to db
+// if db has root account, abort creating.
+func Init() {
+	if !Enabled() {
+		log.Info("rbac is disabled")
+		return
+	}
+	err := authr.Init()
+	if err != nil {
+		log.Fatal("can not enable auth module", err)
+	}
+	admin := archaius.GetString(InitRoot, "")
+	if admin == "" {
+		log.Fatal("can not enable rbac, root is empty", nil)
+		return
+	}
+	b, err := dao.AccountExist(context.Background(), admin)
+	if err != nil {
+		log.Fatal("can not enable auth module", err)
+	}
+	if b {
+		log.Info("rbac is enabled")
+		return
+	}
+	initFirstTime(admin)
+
+}
+func initFirstTime(admin string) {
+	//handle root account
+	pwd := archaius.GetString(InitPassword, "")
+	if pwd == "" {
+		log.Fatal("can not enable rbac, password is empty", nil)
+	}
+	pwd, err := cipher.Encrypt(pwd)
+	if err != nil {
+		log.Fatal("can not enable rbac, encryption failed", err)
+	}
+	if err := dao.CreateAccount(context.Background(), &model.Account{
+		Name:     admin,
+		Password: pwd,
+	}); err != nil {
+		if err == dao.ErrDuplicated {
+			log.Info("rbac is enabled")
+			return
+		}
+		log.Fatal("can not enable rbac, init root account failed", err)
+	}
+	initSecret()
+	log.Info("rbac init success")
+}
+func initSecret() {
+	secret := archaius.GetString(InitSecret, "")
+	if secret == "" {
+		log.Fatal("can not enable rbac, secret is empty", nil)
+	}
+	es, err := cipher.Encrypt(secret)
+	if err != nil {
+		log.Fatal("can encrypt secret", err)
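Review bot: Init can leave the secret permanently uninitialized: initFirstTime creates the root account at L325 and only afterwards calls initSecret at L335, so if initSecret's log.Fatal fires (empty SC_INIT_SECRET at L339-L342, or the encryption failure at L345) the next start finds the account at L304-L311, logs "rbac is enabled" and returns without ever storing a secret. Either persist the secret before creating the account, or have Init check the secret's presence independently of the account — e.g. move the `initSecret()` call ahead of `dao.CreateAccount`, with initSecret tolerating an already-present value the way CreateAccount tolerates dao.ErrDuplicated at L329. The L306 message `can not enable auth module` is also copied from L297 and hides which step failed; `can not check root account` would point at dao.AccountExist. initSecret's body continues past the end of the hunk.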

Review comment:
       can not encrypt secret



