Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/01/17 05:59:43 UTC

[GitHub] [apisix] guoqqqi opened a new pull request #6127: docs: update the jwt-auth zh version

guoqqqi opened a new pull request #6127:
URL: https://github.com/apache/apisix/pull/6127


   ### What this PR does / why we need it:
   related https://github.com/apache/apisix/issues/6118#issuecomment-1014061896
   I do :
   1. Updated the vault section in the Chinese version of jwt-auth as well
   
   
   * [x] Did you explain what problem does this PR solve? Or what new features have been added?
   * [ ] Have you added corresponding test cases?
   * [x] Have you modified the corresponding document?
   * [x] Is this PR backward compatible? **If it is not backward compatible, please discuss on the [mailing list](https://github.com/apache/apisix/tree/master#community) first**
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] juzhiyuan commented on pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
juzhiyuan commented on pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#issuecomment-1015018948


   cc @yzeng25 to have a review :)





[GitHub] [apisix] tzssangglass commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r821271804



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -98,6 +114,76 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### Vault 与 APISIX jwt-auth 插件集成的不同用例
+
+Apache APISIX `jwt-auth` 插件可以被配置为从 Vault 存储中获取简单的文本密钥以及 RS256 公私密钥对。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一。在未来的版本中,我们将支持引用自定义命名键。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "jack",
+    "plugins": {
+        "jwt-auth": {
+            "key": "key-1",
+            "vault": {}
+        }
+    }
+}'
+```
+
+在这里,插件在 Consumer 配置中提到的 Consumer 用户 `jack` 的 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中查找密钥 `secret`,并使用它进行后续的签名和 JWT 验证。如果在该路径中没有找到密钥,该插件将记录一个错误,并且无法执行 JWT 验证。
+
+2. RS256 rsa 密钥对, 包括公钥和私钥都存粗在 Vault 中。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "kowalski",
+    "plugins": {
+        "jwt-auth": {
+            "key": "rsa-keypair",
+            "algorithm": "RS256",
+            "vault": {}
+        }
+    }
+}'
+```
+
+该插件在 Vault 键值对路径(`<vault.prefix from conf.yaml>/consumer/jim/jwt-auth`)中为插件 Vault 配置中提到的用户 `jim` 查找 `public_key` 和 `private_key`。如果没有找到,认证失败。
+
+如果你不确定如何将公钥和私钥存储到 Vault 键值对中,请使用这个命令。
+
+```shell
+# provided, your current directory contains the files named "public.pem" and "private.pem"
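
Review bot: item 2 of the added section contains a typo, `存粗` in `包括公钥和私钥都存粗在 Vault 中` should be `存储`. The same item creates the Consumer `kowalski`, but the sentence after its curl example describes the lookup path `<vault.prefix from conf.yaml>/consumer/jim/jwt-auth` for user `jim`; use one Consumer name throughout so the path a reader checks in Vault matches the Consumer they just created.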

Review comment:
       Since this is a Chinese document, the comments here are better translated into Chinese







[GitHub] [apisix] starsz commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
starsz commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r790801984



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -107,6 +115,68 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### 启用具有 Vault 兼容性的 jwt-auth
+
+有时候在生产中拥有一个集中式密钥管理解决方案,如 `Vault` 是很自然的。您不必每次在您的组织更改部分签署密钥(HS256/HS512 的密钥或 RS256 的 public_key 和 private_key)时更新 APISIX Consumer。或者出于隐私考虑,您不想通过 APISIX admin APIs 使用密钥。APISIX 在这里为您提供了保障,`jwt-auth` 能够引用 Vault 的密钥。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一,方可成功使用该密钥。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "jack",
+    "plugins": {
+        "jwt-auth": {
+            "key": "key-1",
+            "vault": {}
+        }
+    }
+}'
+```
+
+这里插件在 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中为 Consumer 配置的用户名 `jack` 查找密钥 `secret`,并将其用于后续签名和 `jwt` 验证。如果在同一路径中没有找到密钥,该插件就会记录错误,无法执行 `jwt` 验证。

Review comment:
       I think the statement is not so casual also.

##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -107,6 +115,68 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### 启用具有 Vault 兼容性的 jwt-auth
+
+有时候在生产中拥有一个集中式密钥管理解决方案,如 `Vault` 是很自然的。您不必每次在您的组织更改部分签署密钥(HS256/HS512 的密钥或 RS256 的 public_key 和 private_key)时更新 APISIX Consumer。或者出于隐私考虑,您不想通过 APISIX admin APIs 使用密钥。APISIX 在这里为您提供了保障,`jwt-auth` 能够引用 Vault 的密钥。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一,方可成功使用该密钥。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "jack",
+    "plugins": {
+        "jwt-auth": {
+            "key": "key-1",
+            "vault": {}
+        }
+    }
+}'
+```
+
+这里插件在 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中为 Consumer 配置的用户名 `jack` 查找密钥 `secret`,并将其用于后续签名和 `jwt` 验证。如果在同一路径中没有找到密钥,该插件就会记录错误,无法执行 `jwt` 验证。
+
+2. RS256 rsa 密钥对, 包括公钥和私钥都存粗在 Vault 中。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "kowalski",
+    "plugins": {
+        "jwt-auth": {
+            "key": "rsa-keypair",
+            "algorithm": "RS256",
+            "vault": {}
+        }
+    }
+}'
+```
+
+该插件在 Vault kv 路径(`<vault.prefix from conf.yaml>/consumer/kowalski/jwt-auth`)中为插件 Vault 配置中提到的用户名 `kowalski` 查询 `public_key` 和 `private_key` 密钥。如果没有找到,认证失败。

Review comment:
       Ditto.

##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -107,6 +115,68 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### 启用具有 Vault 兼容性的 jwt-auth
+
+有时候在生产中拥有一个集中式密钥管理解决方案,如 `Vault` 是很自然的。您不必每次在您的组织更改部分签署密钥(HS256/HS512 的密钥或 RS256 的 public_key 和 private_key)时更新 APISIX Consumer。或者出于隐私考虑,您不想通过 APISIX admin APIs 使用密钥。APISIX 在这里为您提供了保障,`jwt-auth` 能够引用 Vault 的密钥。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一,方可成功使用该密钥。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "jack",
+    "plugins": {
+        "jwt-auth": {
+            "key": "key-1",
+            "vault": {}
+        }
+    }
+}'
+```
+
+这里插件在 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中为 Consumer 配置的用户名 `jack` 查找密钥 `secret`,并将其用于后续签名和 `jwt` 验证。如果在同一路径中没有找到密钥,该插件就会记录错误,无法执行 `jwt` 验证。
+
+2. RS256 rsa 密钥对, 包括公钥和私钥都存粗在 Vault 中。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "kowalski",
+    "plugins": {
+        "jwt-auth": {
+            "key": "rsa-keypair",
+            "algorithm": "RS256",
+            "vault": {}
+        }
+    }
+}'
+```
+
+该插件在 Vault kv 路径(`<vault.prefix from conf.yaml>/consumer/kowalski/jwt-auth`)中为插件 Vault 配置中提到的用户名 `kowalski` 查询 `public_key` 和 `private_key` 密钥。如果没有找到,认证失败。
+
+3. 公钥在 Consumer 配置中,而私钥在 Vault 中。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "rico",
+    "plugins": {
+        "jwt-auth": {
+            "key": "user-key",
+            "algorithm": "RS256",
+            "public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----"
+            "vault": {}
+        }
+    }
+}'
+```
+
+这个插件使用 Consumer 配置中的 rsa 公钥,并直接使用从 Vault 中获取的私钥。
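
Review bot: the JSON body in the item 3 curl example does not parse, because the `"public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----"` line has no trailing comma before `"vault": {}`. Add the comma so the command can be copied as written; the two earlier examples in this hunk are well-formed, so this one stands out as the only request a reader cannot run.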

Review comment:
       Better to add more descriptions of this way.







[GitHub] [apisix] zaunist commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
zaunist commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r790795814



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -107,6 +115,68 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### 启用具有 Vault 兼容性的 jwt-auth
+
+有时候在生产中拥有一个集中式密钥管理解决方案,如 `Vault` 是很自然的。您不必每次在您的组织更改部分签署密钥(HS256/HS512 的密钥或 RS256 的 public_key 和 private_key)时更新 APISIX Consumer。或者出于隐私考虑,您不想通过 APISIX admin APIs 使用密钥。APISIX 在这里为您提供了保障,`jwt-auth` 能够引用 Vault 的密钥。

Review comment:
       We need more colloquial expressions instead of directly using machine translated sentences.







[GitHub] [apisix] tzssangglass commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r790765095



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -48,6 +53,9 @@ title: jwt-auth
 | algorithm     | string  | 可选   | "HS256" | ["HS256", "HS512", "RS256"] | 加密算法                                                                                                      |
 | exp           | integer | 可选   | 86400   | [1,...]                     | token 的超时时间                                                                                              |
 | base64_secret | boolean | 可选   | false   |                             | 密钥是否为 base64 编码                                                                                        |
+| vault | object | 可选    |    |                             | 是否使用 Vault 作为存储和检索密钥(HS256/HS512 的密钥或 RS256 的公钥和私钥)的方式。该插件默认使用 `kv/apisix/consumer/<consumer name>/jwt-auth` 路径进行密钥检索 |

Review comment:
       better to make `|` align with above







[GitHub] [apisix] tzssangglass commented on pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#issuecomment-1020127084


   LGTM





[GitHub] [apisix] juzhiyuan edited a comment on pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
juzhiyuan edited a comment on pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#issuecomment-1015018948


   cc @yzeng25 @oil-oil to have a review :)





[GitHub] [apisix] starsz commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
starsz commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r820579384



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -107,6 +115,76 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### Vault 与 APISIX jwt-auth 插件集成的不同用例
+
+Apache APISIX `jwt-auth` 插件可以被配置为从 Vault 存储中获取简单的文本密钥以及 RS256 公私密钥对。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一,方可成功使用该密钥。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "jack",
+    "plugins": {
+        "jwt-auth": {
+            "key": "key-1",
+            "vault": {}
+        }
+    }
+}'
+```
+
+在这里,插件在 Consumer 配置中提到的 Consumer 用户 `jack` 的 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中查找密钥 `secret`,并使用它进行后续的签名和 jwt 验证。如果在同一路径中没有找到密钥,该插件将记录一个错误,并且无法执行 JWT 验证。

Review comment:
       ```suggestion
   在这里,插件在 Consumer 配置中提到的 Consumer 用户 `jack` 的 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中查找密钥 `secret`,并使用它进行后续的签名和 jwt 验证。如果在该路径中没有找到密钥,该插件将记录一个错误,并且无法执行 JWT 验证。
   ```

##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -107,6 +115,76 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### Vault 与 APISIX jwt-auth 插件集成的不同用例
+
+Apache APISIX `jwt-auth` 插件可以被配置为从 Vault 存储中获取简单的文本密钥以及 RS256 公私密钥对。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一,方可成功使用该密钥。

Review comment:
       ```suggestion
   **注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一。
   ```
   
   
   Looks like some details are missing; the EN doc has the following: 
   
   > In future releases, we are going to add the support of referencing custom named keys.

##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -48,6 +53,9 @@ title: jwt-auth
 | algorithm     | string  | 可选   | "HS256" | ["HS256", "HS512", "RS256"] | 加密算法                                                                                                      |
 | exp           | integer | 可选   | 86400   | [1,...]                     | token 的超时时间                                                                                              |
 | base64_secret | boolean | 可选   | false   |                             | 密钥是否为 base64 编码                                                                                        |
+| vault         | object  | 可选   |         |                             | 是否使用 Vault 作为存储和检索密钥(HS256/HS512 的密钥或 RS256 的公钥和私钥)的方式。该插件默认使用 `kv/apisix/consumer/<consumer name>/jwt-auth` 路径进行密钥检索 |
+
+**注意**: 要启用 Vault 集成,首先访问 [config.yaml](https://github.com/apache/apisix/blob/master/conf/config.yaml),更新您的 Vault 服务器配置、主机地址和访问令牌。您可以在 vault 属性下的 [config-default.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml) 中查看 APISIX 的预期配置。
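
Review bot: the added **注意** line tells readers to put the Vault access token (`访问令牌`) into config.yaml but says nothing about what that token should be allowed to do. The `vault` row above states that the plugin retrieves keys from `kv/apisix/consumer/<consumer name>/jwt-auth`, so a sentence recommending a token whose policy is limited to reading that prefix would fit here, along with a reminder that config.yaml then holds a credential and should be protected accordingly.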

Review comment:
       ```suggestion
   **注意**: 要启用 Vault 集成,首先访问 [config.yaml](https://github.com/apache/apisix/blob/master/conf/config.yaml),更新您的 Vault 服务器配置、主机地址和访问令牌。您可以在 [config-default.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml) 中 vault 属性下查看 APISIX 的默认配置。
   ```







[GitHub] [apisix] tokers commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
tokers commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r787603505



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -107,6 +115,68 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### 启用具有 Vault 兼容性的 jwt-auth
+
+有时候在生产中拥有一个集中式密钥管理解决方案,如 `Vault` 是很自然的。您不必每次在您的组织更改部分签署密钥(HS256/HS512 的密钥或 RS256 的 public_key 和 private_key)时更新 APISIX 消费者。或者出于隐私考虑,您不想通过 APISIX admin APIs 使用密钥。APISIX 在这里为您提供了保障,`jwt-auth` 能够引用 Vault 的密钥。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一,方可成功使用该密钥。在未来的版本中,我们将添加对引用自定义命名键的支持。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。

Review comment:
       The statement is not so casual.

##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -107,6 +115,68 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### 启用具有 Vault 兼容性的 jwt-auth
+
+有时候在生产中拥有一个集中式密钥管理解决方案,如 `Vault` 是很自然的。您不必每次在您的组织更改部分签署密钥(HS256/HS512 的密钥或 RS256 的 public_key 和 private_key)时更新 APISIX 消费者。或者出于隐私考虑,您不想通过 APISIX admin APIs 使用密钥。APISIX 在这里为您提供了保障,`jwt-auth` 能够引用 Vault 的密钥。

Review comment:
       ```suggestion
   有时候在生产中拥有一个集中式密钥管理解决方案,如 `Vault` 是很自然的。您不必每次在您的组织更改部分签署密钥(HS256/HS512 的密钥或 RS256 的 public_key 和 private_key)时更新 APISIX Consumer。或者出于隐私考虑,您不想通过 APISIX admin APIs 使用密钥。APISIX 在这里为您提供了保障,`jwt-auth` 能够引用 Vault 的密钥。
   ```
   
   Basically we don't translate the term `Consumer` in APISIX.







[GitHub] [apisix] yzeng25 commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
yzeng25 commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r786789832



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -48,6 +53,9 @@ title: jwt-auth
 | algorithm     | string  | 可选   | "HS256" | ["HS256", "HS512", "RS256"] | 加密算法                                                                                                      |
 | exp           | integer | 可选   | 86400   | [1,...]                     | token 的超时时间                                                                                              |
 | base64_secret | boolean | 可选   | false   |                             | 密钥是否为 base64 编码                                                                                        |
+| vault | object | 可选    |    |                             | Vault 是否用于密钥(HS256/HS512 的密钥或 RS256 的公钥和私钥)的存储和检索。该插件默认使用的 Vault 路径为 `kv/apisix/consumer/<consumer name>/jwt-auth` 用于检索密钥 |

Review comment:
       
   ```suggestion
   | vault | object | 可选    |    |                             | Vault 是否用于密钥(HS256/HS512 的密钥或 RS256 的公钥和私钥)的存储和检索。该插件默认使用 vault 路径为 `kv/apisix/consumer/<consumer name>/jwt-auth` 进行密钥检索。 |
   ```







[GitHub] [apisix] leslie-tsang commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r821275195



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -29,6 +40,8 @@ title: jwt-auth
 
 有关 JWT 的更多信息,可参考 [JWT](https://jwt.io/) 查看更多信息。
 
+`jwt-auth` 插件可以与 HashiCorp Vault 集成,用于存储和获取密钥,从其加密的 kv 引擎获取 RSA 密钥对。 阅读下面的 [例子](#enable-jwt-auth-with-vault-compatibility) 来了解它如何工作。
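
Review bot: the link target on the added line, `#enable-jwt-auth-with-vault-compatibility`, is the slug of an English heading, while this file is the zh page. Check that the anchor resolves against the heading actually used in this document and, if it does not, point the link at the zh heading's anchor so the `例子` link does not land at the top of the page.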

Review comment:
       ```suggestion
   `jwt-auth` 插件可以与 HashiCorp Vault 集成,用于存储和获取密钥,从其加密的 KV 引擎获取 RSA 密钥对。 阅读下面的 [例子](#enable-jwt-auth-with-vault-compatibility) 来了解它如何工作。
   ```

##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -98,6 +114,76 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### Vault 与 APISIX jwt-auth 插件集成的不同用例
+
+Apache APISIX `jwt-auth` 插件可以被配置为从 Vault 存储中获取简单的文本密钥以及 RS256 公私密钥对。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一。在未来的版本中,我们将支持引用自定义命名键。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "jack",
+    "plugins": {
+        "jwt-auth": {
+            "key": "key-1",
+            "vault": {}
+        }
+    }
+}'
+```
+
+在这里,插件在 Consumer 配置中提到的 Consumer 用户 `jack` 的 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中查找密钥 `secret`,并使用它进行后续的签名和 JWT 验证。如果在该路径中没有找到密钥,该插件将记录一个错误,并且无法执行 JWT 验证。
+
+2. RS256 rsa 密钥对, 包括公钥和私钥都存粗在 Vault 中。

Review comment:
       ```suggestion
   2. RS256 RSA 密钥对, 包括公钥和私钥都存粗在 Vault 中。
   ```

##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -98,6 +114,76 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### Vault 与 APISIX jwt-auth 插件集成的不同用例
+
+Apache APISIX `jwt-auth` 插件可以被配置为从 Vault 存储中获取简单的文本密钥以及 RS256 公私密钥对。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一。在未来的版本中,我们将支持引用自定义命名键。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。

Review comment:
       ```suggestion
   1. 用在 Vault 储存的 HS256 签名密钥来进行 JWT 签名和认证。
   ```

##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -98,6 +114,76 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### Vault 与 APISIX jwt-auth 插件集成的不同用例
+
+Apache APISIX `jwt-auth` 插件可以被配置为从 Vault 存储中获取简单的文本密钥以及 RS256 公私密钥对。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一。在未来的版本中,我们将支持引用自定义命名键。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "jack",
+    "plugins": {
+        "jwt-auth": {
+            "key": "key-1",
+            "vault": {}
+        }
+    }
+}'
+```
+
+在这里,插件在 Consumer 配置中提到的 Consumer 用户 `jack` 的 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中查找密钥 `secret`,并使用它进行后续的签名和 JWT 验证。如果在该路径中没有找到密钥,该插件将记录一个错误,并且无法执行 JWT 验证。
+
+2. RS256 rsa 密钥对, 包括公钥和私钥都存粗在 Vault 中。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "kowalski",
+    "plugins": {
+        "jwt-auth": {
+            "key": "rsa-keypair",
+            "algorithm": "RS256",
+            "vault": {}
+        }
+    }
+}'
+```
+
+该插件在 Vault 键值对路径(`<vault.prefix from conf.yaml>/consumer/jim/jwt-auth`)中为插件 Vault 配置中提到的用户 `jim` 查找 `public_key` 和 `private_key`。如果没有找到,认证失败。
+
+如果你不确定如何将公钥和私钥存储到 Vault 键值对中,请使用这个命令。
+
+```shell
+# provided, your current directory contains the files named "public.pem" and "private.pem"
+$ vault kv put kv/apisix/consumer/jim/jwt-auth public_key=@public.pem private_key=@private.pem
+Success! Data written to: kv/apisix/consumer/jim/jwt-auth
+```
+
+3. 公钥在 Consumer 配置中,而私钥在 Vault 中。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "rico",
+    "plugins": {
+        "jwt-auth": {
+            "key": "user-key",
+            "algorithm": "RS256",
+            "public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----"
+            "vault": {}
+        }
+    }
+}'
+```
+
+这个插件使用 Consumer 配置中的 rsa 公钥,并直接使用从 Vault 中获取的私钥。
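
Review bot: the `vault kv put` example writes the key pair to `kv/apisix/consumer/jim/jwt-auth`, but the Consumer created just above it in item 2 is `kowalski`, so a reader following the steps stores the keys under a path that does not belong to that Consumer. Use `kowalski` in the command and in its `Success! Data written to:` line. The command also hardcodes the `kv/apisix` prefix while the surrounding text writes the path as `<vault.prefix from conf.yaml>/consumer/...`; a short remark that the command assumes that prefix value would keep the two consistent.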

Review comment:
       ```suggestion
   这个插件使用 Consumer 配置中的 RSA 公钥,并直接使用从 Vault 中获取的私钥。
   ```

##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -98,6 +114,76 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### Vault 与 APISIX jwt-auth 插件集成的不同用例
+
+Apache APISIX `jwt-auth` 插件可以被配置为从 Vault 存储中获取简单的文本密钥以及 RS256 公私密钥对。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一。在未来的版本中,我们将支持引用自定义命名键。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "jack",
+    "plugins": {
+        "jwt-auth": {
+            "key": "key-1",
+            "vault": {}
+        }
+    }
+}'
+```
+
+在这里,插件在 Consumer 配置中提到的 Consumer 用户 `jack` 的 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中查找密钥 `secret`,并使用它进行后续的签名和 JWT 验证。如果在该路径中没有找到密钥,该插件将记录一个错误,并且无法执行 JWT 验证。
+
+2. RS256 rsa 密钥对, 包括公钥和私钥都存粗在 Vault 中。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "kowalski",
+    "plugins": {
+        "jwt-auth": {
+            "key": "rsa-keypair",
+            "algorithm": "RS256",
+            "vault": {}
+        }
+    }
+}'
+```
+
+该插件在 Vault 键值对路径(`<vault.prefix from conf.yaml>/consumer/jim/jwt-auth`)中为插件 Vault 配置中提到的用户 `jim` 查找 `public_key` 和 `private_key`。如果没有找到,认证失败。

Review comment:
       ```suggestion
   该插件在 Vault 键值对路径(`<vault.prefix from conf.yaml>/consumer/jim/jwt-auth`)中为插件 Vault 配置中提到的用户 `kowalski` 查找 `public_key` 和 `private_key`。如果没有找到,认证失败。
   ```
   Should we use `kowalski` instead of `jim` ? 
   
   I don't know if I'm wrong 😂







[GitHub] [apisix] tzssangglass commented on pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#issuecomment-1060632701


   hi @guoqqqi pls fix conflicting files





[GitHub] [apisix] tzssangglass commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r821416212



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -98,6 +114,76 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### Vault 与 APISIX jwt-auth 插件集成的不同用例
+
+Apache APISIX `jwt-auth` 插件可以被配置为从 Vault 存储中获取简单的文本密钥以及 RS256 公私密钥对。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一。在未来的版本中,我们将支持引用自定义命名键。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "jack",
+    "plugins": {
+        "jwt-auth": {
+            "key": "key-1",
+            "vault": {}
+        }
+    }
+}'
+```
+
+在这里,插件在 Consumer 配置中提到的 Consumer 用户 `jack` 的 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中查找密钥 `secret`,并使用它进行后续的签名和 JWT 验证。如果在该路径中没有找到密钥,该插件将记录一个错误,并且无法执行 JWT 验证。
+
+2. RS256 rsa 密钥对, 包括公钥和私钥都存粗在 Vault 中。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "kowalski",
+    "plugins": {
+        "jwt-auth": {
+            "key": "rsa-keypair",
+            "algorithm": "RS256",
+            "vault": {}
+        }
+    }
+}'
+```
+
+该插件在 Vault 键值对路径(`<vault.prefix from conf.yaml>/consumer/jim/jwt-auth`)中为插件 Vault 配置中提到的用户 `jim` 查找 `public_key` 和 `private_key`。如果没有找到,认证失败。
+
+如果你不确定如何将公钥和私钥存储到 Vault 键值对中,请使用这个命令。
+
+```shell
+# 提供你当前目录包含的 ”public.pem“ 和 ”private.pem“ 文件

Review comment:
       ```suggestion
   # 提供你当前目录包含的 "public.pem" 和 "private.pem" 文件
   ```







[GitHub] [apisix] spacewander commented on pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
spacewander commented on pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#issuecomment-1060126689


   Let's merge master to make CI pass.





[GitHub] [apisix] zaunist commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
zaunist commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r821254160



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -98,6 +114,76 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### Vault 与 APISIX jwt-auth 插件集成的不同用例
+
+Apache APISIX `jwt-auth` 插件可以被配置为从 Vault 存储中获取简单的文本密钥以及 RS256 公私密钥对。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一。在未来的版本中,我们将支持引用自定义命名键。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "jack",
+    "plugins": {
+        "jwt-auth": {
+            "key": "key-1",
+            "vault": {}
+        }
+    }
+}'
+```
+
+在这里,插件在 Consumer 配置中提到的 Consumer 用户 `jack` 的 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中查找密钥 `secret`,并使用它进行后续的签名和 jwt 验证。如果在该路径中没有找到密钥,该插件将记录一个错误,并且无法执行 JWT 验证。
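
Review bot: The failure description that closes the HS256 paragraph ("该插件将记录一个错误,并且无法执行 JWT 验证") does not say what the caller sees when `secret` is missing from the Vault path. Suggest stating explicitly what happens to the request in that case, so operators know how a missing or misnamed key behaves. List item 1 also writes `jwt` in lower case ("jwt 签名和认证") and could be aligned with `JWT`.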

Review comment:
       ```suggestion
   在这里,插件在 Consumer 配置中提到的 Consumer 用户 `jack` 的 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中查找密钥 `secret`,并使用它进行后续的签名和 JWT 验证。如果在该路径中没有找到密钥,该插件将记录一个错误,并且无法执行 JWT 验证。
   ```
   We should standardize the case.
   







[GitHub] [apisix] yzeng25 commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
yzeng25 commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r786789832



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -48,6 +53,9 @@ title: jwt-auth
 | algorithm     | string  | 可选   | "HS256" | ["HS256", "HS512", "RS256"] | 加密算法                                                                                                      |
 | exp           | integer | 可选   | 86400   | [1,...]                     | token 的超时时间                                                                                              |
 | base64_secret | boolean | 可选   | false   |                             | 密钥是否为 base64 编码                                                                                        |
+| vault | object | 可选    |    |                             | Vault 是否用于密钥(HS256/HS512 的密钥或 RS256 的公钥和私钥)的存储和检索。该插件默认使用的 Vault 路径为 `kv/apisix/consumer/<consumer name>/jwt-auth` 用于检索密钥 |
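
Review bot: In the added `vault` row the type column says `object`, but the description is phrased as a yes/no question ("Vault 是否用于密钥 … 的存储和检索"), which reads like a boolean option. Suggest describing what the object does, for example that its presence makes the plugin read the key material from Vault, so the type and the description agree.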

Review comment:
       ```suggestion
   | vault | object | 可选    |    |                             | 是否使用 Vault 作为存储和检索密钥(HS256/HS512 的密钥或 RS256 的公钥和私钥)的方式。该插件默认使用 `kv/apisix/consumer/<consumer name>/jwt-auth` 路径进行密钥检索。 |
   ```







[GitHub] [apisix] yzeng25 commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
yzeng25 commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r786789832



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -48,6 +53,9 @@ title: jwt-auth
 | algorithm     | string  | 可选   | "HS256" | ["HS256", "HS512", "RS256"] | 加密算法                                                                                                      |
 | exp           | integer | 可选   | 86400   | [1,...]                     | token 的超时时间                                                                                              |
 | base64_secret | boolean | 可选   | false   |                             | 密钥是否为 base64 编码                                                                                        |
+| vault | object | 可选    |    |                             | Vault 是否用于密钥(HS256/HS512 的密钥或 RS256 的公钥和私钥)的存储和检索。该插件默认使用的 Vault 路径为 `kv/apisix/consumer/<consumer name>/jwt-auth` 用于检索密钥 |
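
Review bot: The added `vault` row is not padded to the column widths used by the rows above it (`| algorithm     | string  | 可选   | ...`), so the raw table no longer lines up. Suggest padding the cells, starting `| vault         | object  | 可选   |         |`, to keep the Markdown source readable in later diffs.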

Review comment:
       ```suggestion
   | vault | object | 可选    |    |                             | Vault 是否用于密钥(HS256/HS512 的密钥或 RS256 的公钥和私钥)的存储和检索。该插件默认使用 Vault 路径为 `kv/apisix/consumer/<consumer name>/jwt-auth` 进行密钥检索。 |
   ```







[GitHub] [apisix] guoqqqi commented on pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
guoqqqi commented on pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#issuecomment-1061334620


   I have updated the latest code, feel free to review~





[GitHub] [apisix] leslie-tsang commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r786390308



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -48,6 +53,9 @@ title: jwt-auth
 | algorithm     | string  | 可选   | "HS256" | ["HS256", "HS512", "RS256"] | 加密算法                                                                                                      |
 | exp           | integer | 可选   | 86400   | [1,...]                     | token 的超时时间                                                                                              |
 | base64_secret | boolean | 可选   | false   |                             | 密钥是否为 base64 编码                                                                                        |
+| vault | object | 可选    |    |                             | Vault 是否用于密钥(HS256/HS512 的密钥或 RS256 的公钥和私钥)的存储和检索。该插件默认使用的 Vault 路径为 `kv/apisix/consumer/<consumer name>/jwt-auth` 用于检索密钥 |
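
Review bot: The `vault` row calls `kv/apisix/consumer/<consumer name>/jwt-auth` the default path but does not say where the `kv/apisix` part is configured or how to change it. Suggest adding a pointer to the setting that controls the prefix, so readers whose Vault uses a different mount do not assume the path is fixed.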

Review comment:
       Strange. I can't actually get the point of it.







[GitHub] [apisix] guoqqqi commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
guoqqqi commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r821460604



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -98,6 +114,76 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### Vault 与 APISIX jwt-auth 插件集成的不同用例
+
+Apache APISIX `jwt-auth` 插件可以被配置为从 Vault 存储中获取简单的文本密钥以及 RS256 公私密钥对。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一。在未来的版本中,我们将支持引用自定义命名键。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "jack",
+    "plugins": {
+        "jwt-auth": {
+            "key": "key-1",
+            "vault": {}
+        }
+    }
+}'
+```
+
+在这里,插件在 Consumer 配置中提到的 Consumer 用户 `jack` 的 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中查找密钥 `secret`,并使用它进行后续的签名和 JWT 验证。如果在该路径中没有找到密钥,该插件将记录一个错误,并且无法执行 JWT 验证。
+
+2. RS256 rsa 密钥对, 包括公钥和私钥都存粗在 Vault 中。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "kowalski",
+    "plugins": {
+        "jwt-auth": {
+            "key": "rsa-keypair",
+            "algorithm": "RS256",
+            "vault": {}
+        }
+    }
+}'
+```
+
+该插件在 Vault 键值对路径(`<vault.prefix from conf.yaml>/consumer/jim/jwt-auth`)中为插件 Vault 配置中提到的用户 `jim` 查找 `public_key` 和 `private_key`。如果没有找到,认证失败。
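
Review bot: List item 2 contains a typo, `存粗` should be `存储`. The same line writes `rsa` in lower case next to `RS256` and uses a half-width comma followed by a space. Suggest "2. RS256 RSA 密钥对,公钥和私钥都存储在 Vault 中。".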

Review comment:
       cc @starsz have a look







[GitHub] [apisix] starsz commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
starsz commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r821528106



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -98,6 +114,76 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
+### Vault 与 APISIX jwt-auth 插件集成的不同用例
+
+Apache APISIX `jwt-auth` 插件可以被配置为从 Vault 存储中获取简单的文本密钥以及 RS256 公私密钥对。
+
+**注意**:对于该集成支持的早期版本,该插件期望存储在 Vault 路径中的密钥名称为「`secret`,`public_key`,`private_key`」其中之一。在未来的版本中,我们将支持引用自定义命名键。
+
+要启用 Vault 的兼容性,只需要在 `jwt-auth` 插件内添加空的 Vault 对象。
+
+1. 用在 Vault 储存的 HS256 签名密钥来进行 jwt 签名和认证。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "jack",
+    "plugins": {
+        "jwt-auth": {
+            "key": "key-1",
+            "vault": {}
+        }
+    }
+}'
+```
+
+在这里,插件在 Consumer 配置中提到的 Consumer 用户 `jack` 的 Vault 路径(`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`)中查找密钥 `secret`,并使用它进行后续的签名和 JWT 验证。如果在该路径中没有找到密钥,该插件将记录一个错误,并且无法执行 JWT 验证。
+
+2. RS256 rsa 密钥对, 包括公钥和私钥都存粗在 Vault 中。
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "kowalski",
+    "plugins": {
+        "jwt-auth": {
+            "key": "rsa-keypair",
+            "algorithm": "RS256",
+            "vault": {}
+        }
+    }
+}'
+```
+
+该插件在 Vault 键值对路径(`<vault.prefix from conf.yaml>/consumer/jim/jwt-auth`)中为插件 Vault 配置中提到的用户 `jim` 查找 `public_key` 和 `private_key`。如果没有找到,认证失败。
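
Review bot: Both `curl` examples in this hunk send a literal `X-API-KEY` value to `/apisix/admin/consumers`. Suggest either a placeholder in the examples or one sentence telling readers to substitute their own Admin API key, so that a copied command does not carry a fixed key into a real deployment.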

Review comment:
       Need to use `kowalski`.
   As you can see, it's a consumer name in line :147.
   By the way, @guoqqqi, where did you get the name `jim`? (I didn't see it in the English doc.)







[GitHub] [apisix] spacewander merged pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
spacewander merged pull request #6127:
URL: https://github.com/apache/apisix/pull/6127


   





[GitHub] [apisix] tzssangglass commented on a change in pull request #6127: docs: update the jwt-auth zh version

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on a change in pull request #6127:
URL: https://github.com/apache/apisix/pull/6127#discussion_r794178594



##########
File path: docs/zh/latest/plugins/jwt-auth.md
##########
@@ -48,6 +53,9 @@ title: jwt-auth
 | algorithm     | string  | 可选   | "HS256" | ["HS256", "HS512", "RS256"] | 加密算法                                                                                                      |
 | exp           | integer | 可选   | 86400   | [1,...]                     | token 的超时时间                                                                                              |
 | base64_secret | boolean | 可选   | false   |                             | 密钥是否为 base64 编码                                                                                        |
+| vault         | object  | 可选   |         |                             | 是否使用 Vault 作为存储和检索密钥(HS256/HS512 的密钥或 RS256 的公钥和私钥)的方式。该插件默认使用 `kv/apisix/consumer/<consumer name>/jwt-auth` 路径进行密钥检索 |
+
+**注意**: 要启用 Vault 集成,首先访问 [config.yaml](https://github.com/apache/apisix/blob/master/conf/config.yaml),更新您的 Vault 服务器配置、主机地址和访问令牌。您可以在 vault 属性下的 [config-default.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml) 中查看 APISIX 的期望配置。
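
Review bot: The added note tells readers to write the Vault access token into `config.yaml` but gives no guidance on protecting that file. Suggest one sentence on restricting read access to the file that now holds the token. Both links also point at `master`, which can drift from the version this page documents.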

Review comment:
       ```suggestion
   **注意**: 要启用 Vault 集成,首先访问 [config.yaml](https://github.com/apache/apisix/blob/master/conf/config.yaml),更新您的 Vault 服务器配置、主机地址和访问令牌。您可以在 vault 属性下的 [config-default.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml) 中查看 APISIX 的预期配置。
   ```
   
   `期望` -> `预期` is better?



