目标

使用java实现keystone v3相关功能与概念:

  1. api client authentication
  2. service discovery
  3. distributed multi-tenant authorization

架构

服务注册发现

(图1)

  • Register

    服务中介与权限管理.

  • Provider

    服务提供者.

  • Consumer

    服务消费者.

分布式校验

(图2)

  • Domain: 全局独立的服务提供者或消费者.

    • API: 服务API(如果Domain对外提供服务,例如CDN服务), Domain的endpoint属性与API的method/path属性组成完成的服务URL.
    • Policy: API策略. 即API与Role的关联表, 规定不同的Role(管理员/普通用户)能否访问的API集合.
    • User: 子用户概念. 例如升龙5.0与云2.0作为CDN的消费者, 拥有自己独立的用户系统. 同时CDN又作为自己服务的消费者,也会有一套独立的用户系统.
    • Project: 业务数据的逻辑集合. 例如升龙5.0, 云2.0以及CDN里面为不同业务方创建不同的项目划分数据归属.
    • Principal: 用户策略. 即User, Project, 和Role的关联表, 规定User在不同Project中的角色, 与Policy配合实现细粒度控制用户对项目数据的操作.
  • Role: 全局惟一的角色. 角色只是一抽象集合, 各个Domain的Policy会关联具体的API.

关键

  • 域名与角色是全局惟一的. The domain name, role name and service name is globally unique across all domains.
  • 用户名,项目名是域惟一的. The user name and project name are only unique to the owning domain.

用户类别:

  1. 系统管理用户: ADMIN域ADMIN项目ADMIN角色的用户. 允许:

    • 创建新域.
    • 销毁无用域, 无用域指至多只包含ADMIN项目的域.
    • 创建新角色.
    • 销毁无用角色, 无用角色指不在policy表或principal表出现的角色.
    • 更新IP白名单.
    • 更新全局域缓存.

    系统管理用户不是超级管理用户. 系统用户不能干扰域的日常管理, 例如创建用户, 创建项目, 加减用户角色等.

  2. 域管理用户: 特定域ADMIN项目ADMIN角色的用户. 允许:

    • 创建/销毁用户
    • 创建/销毁项目
    • 发布/更新服务与策略
    • 验证TOKEN并返回Session信息(发起者domain,user,project,roles,effectMillis等)

  3. 项目管理用户: 特定域特定项目ADMIN角色的用户. 允许操作由各个域发布的策略(policy)决定.

  4. 项目普通用户: 除系统管理用户, 域管理用户, 项目管理用户外的其他用户.

    项目管理用户与项目普通用户的允许行为 由域本身定义.

API类目

系统管理用户

  • 创建新域:
curl -XPOST 'https://oauth.huya.com/v1/domain/createDomain'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'

-d '{"domain":"my_domain","user":"my_admin","pass":"123","enabled":true}'

response: 200 OK

{"errno":0,"data":{"domain":"my_domain"}}

结果:

- 创建my_domain域

- 在my_domain域创建ADMIN项目

- 在my_domain域创建my_admin管理用户,其密码为123.
  • 销毁无用域:
curl -XDELETE 'https://oauth.huya.com/v1/domain/destroyDomain?domain=my_domain2'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"

response: 200 OK

{"errno":0}

注意:

- 无用域必须没有项目或仅仅含有ADMIN项目. 删除域会清除该域下所有用户,项目,服务,策略等数据.
  • 创建新角色:
curl -XPOST 'https://oauth.huya.com/v1/domain/createRole'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'

-d '{"role":"SERVICE","remark":"服务角色"}'

response: 200 OK

{"errno":0,"data":{"role":"SERVICE","remark":"服务角色"}}
  • 销毁无用角色:
curl -XDELETE 'https://oauth.huya.com/v1/domain/destroyRole?role=SERVICE2'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"

response: 200 OK

{"errno":0}

注意:

- 无用角色必须没有policy或principal引用.
  • 刷新IP白名单:
curl -XPUT 'https://oauth.huya.com/v1/system/updateAllowHosts'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"

response: 200 OK

{"errno":0}
  • 刷新全部域缓存:
curl -XPUT 'https://oauth.huya.com/v1/system/updateDomainCache'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"

response: 200 OK

{"errno":0}

域管理用户

  • 创建用户
curl -XPOST 'https://oauth.huya.com/v1/domain/createUser'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'

-d '{"user":"my_user","pass":"456","remark":"this is a test user","enabled":true}'

response: 200 OK

{"errno":0,"data":{"domain":"my_domain","user":"my_user","remark":"this is a test user","enabled":true}}
  • 禁启用户
curl -XPUT 'https://oauth.huya.com/v1/domain/enableUser'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'

-d '{"user":"my_user","enabled":true}'

response: 200 OK

{"errno":0}
  • 销毁用户
curl -XDELETE 'https://oauth.huya.com/v1/domain/destroyUser?user=my_user2'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"

response: 200 OK

{"errno":0}
  • 创建项目
curl -XPOST 'https://oauth.huya.com/v1/domain/createProject'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'

-d '{"project":"my_project","remark":"这是我的测试项目!","enabled":true}'

response: 200 OK

{"errno":0,"data":{"domain":"my_domain","project":"my_project","remark":"这是我的测试项目!","enabled":true}}
  • 禁启项目
curl -XPUT 'https://oauth.huya.com/v1/domain/enableProject'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'

-d '{"project":"my_project2","enabled":true}'

response: 200 OK

{"errno":0}
  • 销毁项目
curl -XDELETE 'https://oauth.huya.com/v1/domain/destroyProject?project=my_project2'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"

response: 200 OK

{"errno":0}
  • 添加用户角色
curl -XPOST 'https://oauth.huya.com/v1/domain/addUserRole'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'

-d '{"user":"my_user","project":"my_project","role":"SERVICE"}'

response: 200 OK

{"errno":0,"data":{"domain":"my_domain","user":"my_user","project":"my_project","role":"SERVICE"}}
  • 查询用户角色
curl -XGET 'https://oauth.huya.com/v1/domain/getUserRoles?user=my_user&project=my_project'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"

response: 200 OK

{"errno":0,"data":["ADMIN","SERVICE"]}
  • 删除用户角色
curl -XDELETE 'https://oauth.huya.com/v1/domain/delUserRole?user=my_user&project=my_project&role=ADMIN'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"

response: 200 OK

{"errno":0}
  • 查询域用户
curl -XGET 'https://oauth.huya.com/v1/domain/getDomainUser'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"

response: 200 OK

{"errno":0,"data":[{"domain":"my_domain","user":"my_admin","enabled":true},{"domain":"my_domain","user":"my_user","remark":"this is a test user","enabled":true}]}
  • 查询域项目
curl -XGET 'https://oauth.huya.com/v1/domain/getDomainProject'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"

response: 200 OK

{"errno":0,"data":[{"domain":"my_domain","project":"ADMIN","enabled":true},{"domain":"my_domain","project":"my_project","remark":"这是我的测试项目!","enabled":true}]}
  • 发布/更新服务
curl -XPUT 'https://oauth.huya.com/v1/domain/publishService'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'

-d '{"endpoint":"https://cdn.game.yy.com/v1","apis":[{"api":"api_name_0","method":"GET","path":"/service/action0","category":"test"},{"api":"api_name_1","method":"GET","path":"/service/action1","category":"test"},{"api":"api_name_2","method":"GET","path":"/service/action2","category":"test"},{"api":"api_name_3","method":"GET","path":"/service/action3","category":"test"},{"api":"api_name_4","method":"GET","path":"/service/action4","category":"test"},{"api":"api_name_5","method":"GET","path":"/service/action5","category":"test"},{"api":"api_name_6","method":"GET","path":"/service/action6","category":"test"},{"api":"api_name_7","method":"GET","path":"/service/action7","category":"test"},{"api":"api_name_8","method":"GET","path":"/service/action8","category":"test"},{"api":"api_name_9","method":"GET","path":"/service/action9","category":"test"}],"policies":[{"role":"SERVICE","rules":"test,test:*"}]}'

response: 200 OK

{"errno":0}

注意:

- 发布服务可以指定endpoint, apis, policies. 每次发布这些信息都是全量覆盖.
  • 验证会话TOKEN
curl -XPOST 'https://oauth.huya.com/v1/domain/verifyRequest'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"'

-d '{"domain":"my_domain","user":"my_user","project":"my_project","expires":"1598b5b3eb7","nonce":"74a465fddab8b","signature":"56f8519d7f31460821e4722de0c77c5f","api":"api_name_0"}'

response: 200 OK

{"errno":0,"data":{"domain":"my_domain","user":"my_user","project":"my_project","expires":"1598b5b3eb7","nonce":"74a465fddab8b","signature":"56f8519d7f31460821e4722de0c77c5f","api":"api_name_0","roles":["SERVICE"]}}

- 如果指定api, 则根据policy规则校验

- 如果不指定api, 则仅仅验证签名

其他用户

  • 查询全部域
curl -XGET 'https://oauth.huya.com/v1/domain/lookupService?service=my_domain'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"

response: 200 OK

{"errno":0,"data":{"endpoint":"https://cdn.game.yy.com/v1","apis":[{"api":"api_name_4","method":"GET","path":"/service/action4","category":"test"},{"api":"api_name_3","method":"GET","path":"/service/action3","category":"test"},{"api":"api_name_6","method":"GET","path":"/service/action6","category":"test"},{"api":"api_name_5","method":"GET","path":"/service/action5","category":"test"},{"api":"api_name_0","method":"GET","path":"/service/action0","category":"test"},{"api":"api_name_2","method":"GET","path":"/service/action2","category":"test"},{"api":"api_name_1","method":"GET","path":"/service/action1","category":"test"},{"api":"api_name_8","method":"GET","path":"/service/action8","category":"test"},{"api":"api_name_7","method":"GET","path":"/service/action7","category":"test"},{"api":"api_name_9","method":"GET","path":"/service/action9","category":"test"}]}}
  • 查询全部角色
curl -XGET 'https://oauth.huya.com/v1/domain/getAllRole'

-H "X-AUTH-DOMAIN:${domain}" #required

-H "X-AUTH-USER:${user}" #required

-H "X-AUTH-PROJECT:${project}" #optional, maybe null

-H "X-AUTH-EXPIRES:${HEX(expires_millis)}" #required, hex format of expires millliseonds

-H "X-AUTH-NONCE:${HEX(nonce_nanos)}" #required, hex format of nonce nanoseonds

-H "X-AUTH-SIGNATURE:${HEX(signature)} #required, hex format of signatue=MD5(domain,user,project(maybe null),SHA1(pass),HEX(expires_millis),HEX(nonce_nanos))"

response: 200 OK

{"errno":0,"data":[{"role":"ADMIN","remark":"全局管理角色"},{"role":"SERVICE","remark":"服务角色"},{"role":"ut_role_d6a62c98_c243_4fcc_9a61_b732185ffb3d"}]}
  • 查询域服务API
curl -XGET 'https://oauth.huya.com/v1/domain/lookupService?service=my_domain' \

-H "X-AUTH-DOMAIN:${DOMAIN}" \

-H "X-AUTH-USER:${USER}" \

-H "X-AUTH-PASS:${PASS}"

response: 200 OK

{"errno":0,"data":{"endpoint":"","apis":[{"api":"api_name_4","method":"GET","path":"/service/action4"},{"api":"api_name_3","method":"GET","path":"/service/action3"},{"api":"api_name_6","method":"GET","path":"/service/action6"},{"api":"api_name_5","method":"GET","path":"/service/action5"},{"api":"api_name_0","method":"GET","path":"/service/action0"},{"api":"api_name_2","method":"GET","path":"/service/action2"},{"api":"api_name_1","method":"GET","path":"/service/action1"},{"api":"api_name_8","method":"GET","path":"/service/action8"},{"api":"api_name_7","method":"GET","path":"/service/action7"},{"api":"api_name_9","method":"GET","path":"/service/action9"}]}}

请求头及签名规则:

请求头:

X-AUTH-DOMAIN: 域

X-AUTH-USER: 用户

X-AUTH-PROJECT: 项目,可选

X-AUTH-EXPIRES: 有效时间点毫秒时间戳的16进制

X-AUTH-NONCE: 惟一随机数值, 一般使用当前纳秒时间戳的16进制

X-AUTH-SIGNATURE: 用户签名, 规则见下

规则:

-带项目:

signature=md5sum(domain,user,project,sha1sum(pass),hex(expires_millis),hex(current_nanos))

-不带项目:

signature=md5sum(domain,user,sha1sum(pass),hex(expires_millis),hex(current_nanos))

例子:

  • 服务请求方:
假设my_domain的my_user的密码为456, 其要访问my_project的数据. 则相应脚本:

expires_millis_hex=$(printf '%x' $(($(date +%s)*1000+5000)))

nonce_nanos_hex=$(printf '%x' $(date +%N))

pass_sha1=$(printf 456 | openssl sha1 | awk '{print $2}')

signature=$(printf '%s%s%s%s%s%s' my_domain my_user $pass_sha1 my_project $expires_millis_hex $nonce_nanos_hex | openssl md5 | awk '{print $2}')

curl -XGET 'https://test.huya.com/v1/api_name_0' \

-H "X-AUTH-DOMAIN:my_domain" \

-H "X-AUTH-USER:my_user" \

-H "X-AUTH-PROJECT:my_project" \

-H "X-AUTH-EXPIRES:${HEX(expires_millis_hex)}" \

-H "X-AUTH-NONCE:nonce_nanos_hex" \

-H "X-AUTH-SIGNATURE:signature" \
  • 服务提供方:

提取http request中的X-AUTH-*头部,发往ikeystone验证, 成功返回对应用户的角色等信息:

假设test服务管理员为test, 密码也为456, 验证请求脚本(与ikeystone交互不需要项目)

expires_millis_hex=$(printf '%x' $(($(date +%s)*1000+5000)))

nonce_nanos_hex=$(printf '%x' $(date +%N))

pass_sha1=$(printf 456 | openssl sha1 | awk '{print $2}')

signature=$(printf '%s%s%s%s%s' test test $pass_sha1 $expires_millis_hex $nonce_nanos_hex | openssl md5 | awk '{print $2}')

curl -XPOST 'https://oauth.huya.com/v1/domain/verifyRequest' \

-H "X-AUTH-DOMAIN:my_domain" \

-H "X-AUTH-USER:my_user" \

-H "X-AUTH-EXPIRES:${HEX(expires_millis_hex)}" \

-H "X-AUTH-NONCE:nonce_nanos_hex" \

-H "X-AUTH-SIGNATURE:signature" \

-d '{"domain":"my_domain","user":"my_user","project":"my_project","expires":"1598b7efac5","nonce":"74c67a48ebe23","signature":"bd99837ae32dcda3f21c91b7f95671cf","api":"api_name_0"}'

response: 200 OK

{"errno":0,"data":{"domain":"my_domain","user":"my_user","project":"my_project","expires":"1598b7efac5","nonce":"74c67a48ebe23","signature":"bd99837ae32dcda3f21c91b7f95671cf","api":"api_name_0","roles":["SERVICE"]}}

参考

  1. OpenStack Keystone V3 简介
  2. Keystone, the OpenStack Identity Service
  3. Intro to Keystone v3 API

在Keystone V3基础上改进的分布式认证体系的更多相关文章

  1. python实现决策树C4.5算法(在ID3基础上改进)

    一.概论 C4.5主要是在ID3的基础上改进,ID3选择(属性)树节点是选择信息增益值最大的属性作为节点.而C4.5引入了新概念"信息增益率",C4.5是选择信息增益率最大的属性作 ...

  2. C++在C的基础上改进了哪些细节

    C++ 是在C语言的基础上改进的,C语言的很多语法在 C++ 中依然广泛使用,例如:  C++ 仍然使用 char.short.int.long.float.double 等基本数据类型:   ...

  3. VMware的存储野心(上):软件定义、分布式DAS支持

    ChinaByte比特网 http://storage.chinabyte.com/291/12477791_2.shtml 11月29日(文/黄亮)- SDN(软件定义的网络,Software De ...

  4. [转]OpenStack Keystone V3

    Keystone V3 Keystone 中主要涉及到如下几个概念:User.Tenant.Role.Token.下面对这几个概念进行简要说明. User:顾名思义就是使用服务的用户,可以是人.服务或 ...

  5. OpenStack Keystone V3 简介

    Keystone V3 简介 Keystone 中主要涉及到如下几个概念:User.Tenant.Role.Token.下面对这几个概念进行简要说明. User:顾名思义就是使用服务的用户,可以是人. ...

  6. 沉淀,再出发——在Hadoop集群的基础上搭建Spark

    在Hadoop集群的基础上搭建Spark 一.环境准备 在搭建Spark环境之前必须搭建Hadoop平台,尽管以前的一些博客上说在单机的环境下使用本地FS不用搭建Hadoop集群,可是在新版spark ...

  7. 框架使用的技术主要是SpringMVC 在此基础上进行扩展

    框架使用的技术主要是SpringMVC 在此基础上进行扩展 1 Web前端使用 2 前段控制器采用SpringMVC零配置 3 IOC容器Spring 4 ORM使用 Mybites或者hiberna ...

  8. Swift基础之OC文件调用Swift代码(在上次的基础上写的)

    前两天刚写过Swift调用OC,今天在原来的基础上,实现OC调用Swift. 首先,创建一个OneSwiftFile.swift文件,创建一个继承于NSObject的类(这个地方你可以自己选择继承的父 ...

  9. 使用openstackclient调用Keystone v3 API

    本文内容属于个人原创,转载务必注明出处:  http://www.cnblogs.com/Security-Darren/p/4138945.html 考虑到Keystone社区逐渐弃用第二版身份AP ...

随机推荐

  1. 用live555将内网摄像机视频推送到外网server,附源代码

    近期非常多人问,怎样将内网的摄像机流媒体数据公布到公网,假设用公网与局域网间的port映射方式太过麻烦,一个摄像机要做一组映射,并且不是每个局域网都是有固定ip地址,即使外网主机配置好了每个摄像机的映 ...

  2. URAL 1542. Autocompletion 字典树

    给你最多10w个单词和相应的频率 接下来最多1w5千次询问 每次输入一个字符串让你从前面的单词中依照频率从大到小输出最多10个以该字符串为前缀的单词 開始把单词建成了字典树 然后每次询问找到全部满足条 ...

  3. 修改Linux中的用户名 分类: B3_LINUX 2014-07-24 11:40 440人阅读 评论(0) 收藏

    需要修改2个文件: /etc/hosts /etc/sysconfig/network 然后重启 1.修改/etc/sysconfig/network NETWORKING=yes HOSTNAME= ...

  4. Android 5.0中使用JobScheduler

    在这篇文章中,你会学习到在Android 5.0中怎样使用JobScheduler API. JobScheduler API同意开发人员在符合某些条件时创建运行在后台的任务. 介绍 在Android ...

  5. Android 设置图片透明度

    我了解的比较快捷的ImageView设置图片的透明度的方法有: setAlpha(); setImageAlpha(); getDrawable().setAlpha(). 其中setAlpha()已 ...

  6. Android Thread.setDaemon设置说明

    Thread.setDaemon的用法,经过学习以后了解: 1. setDaemon需要在start方法调用之前使用 2. 线程划分为用户线程和后台(daemon)进程,setDaemon将线程设置为 ...

  7. 矩阵分解(matrix factorization)

    1. 基本概念 针对高维空间中的数据集,矩阵分解通过寻找到一组基及每一个数据点在该基向量下的表示,可对原始高维空间中的数据集进行压缩表示. 令 X=[x1,⋯,xm]∈Rm×n 为数据矩阵,矩阵分解的 ...

  8. Linux中export导入环境变量的几种方式

    1.首先类似于windows中的设定系统环境变量的方式为,在/etc/profile中 export PATH=$PATH:....:... 注意间隔符为: 然后复用原来路径是$PATH的方式 2.用 ...

  9. 【codeforces 534C】Polycarpus' Dice

    [题目链接]:http://codeforces.com/contest/534/problem/C [题意] 给你n个奇怪的骰子,第i个骰子有di个面; 然后给你n个骰子的点数之和; 问你每一个骰子 ...

  10. Redmine迁移至华为软件开发云-项目管理

    一.方案概述 要想将Redmine中某个项目的数据导入到华为软件开发云(以下简称开发云),如果说是按照Redmine中的数据一条一条的在开发云中新建出来,肯定不是一个明智的方案,下面就是给大家介绍一个 ...