我们演示还是用books 的Restful api数据接口,把Kong Gateway - 01范例中PostgresSQL中的kong数据库删掉,
导入一个已经配置好的干干净净的后台数据库kong-20180427.bak(参看安装篇 How to Install kong-community-edition On Cent OS 7)
[root@contoso ~]# psql --help
[root@contoso ~]# dropdb --help
[root@contoso ~]# createdb --help
[root@contoso ~]# kong stop # kong 服务必须先停止运行
[root@contoso ~]# dropdb -h 127.0.0.1 -p 5432 -U postgres kong # 删除kong数据库
Password: 123456
[root@contoso ~]# createdb -h 127.0.0.1 -p 5432 -U postgres kong # 创建kong数据库
Password: 123456
[root@contoso ~]# psql -h 127.0.0.1 -p 5432 -U postgres -d kong < /opt/kong-20180427.bak # 恢复kong数据库
Password for user postgres: 123456
[root@contoso ~]# kong start
Kong started
用Kong配置一个book服务
在安装并启动Kong之后,使用Kong的管理API端口8001添加一个名称为book的服务
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'
HTTP/1.1 201 Created Date: Mon, 07 May 2018 09:28:55 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Origin: * Server: kong/0.13.1 { "host": "contoso.com", "created_at": 1525656535, "connect_timeout": 60000, "id": "b1daf7d6-1416-444a-b88b-f09f5e1e58c3", "protocol": "http", "name": "book", "read_timeout": 60000, "port": 80, "path": "/v1/books", "updated_at": 1525656535, "retries": 5, "write_timeout": 60000 }
查询已分配了服务名称的路由列表 curl -i -X GET \ --url http://localhost:8001/services/book/routes 查询所有路由列表 curl -i -X GET \ --url http://localhost:8001/routes 根据路由id查询1条路由 curl -i -X GET \ --url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede 根据路由id删除1条路由 curl -i -X DELETE \ --url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede 根据id,hosts修改1条路由,根据同一名称的book服务,配置methods参数无 法用不同的路由来区分控制器方法的权限,故不用设置methods参数; 修改路由的方式无法设置参数的null值,我们只能删掉路由,然后创建路由来实现 curl -i -X PATCH \ --url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede \ --data 'hosts[]=contoso.com' \ --data 'paths[]=/v1/books'添加一个路由(paths[]的值必须与book服务中的/v1/books一致)
使book服务暴露出来以供用户访问,book服务没必要添加多个路由。
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'
HTTP/1.1 201 Created Date: Mon, 07 May 2018 09:29:24 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Origin: * Server: kong/0.13.1 { "created_at": 1525656564, "strip_path": true, "hosts": [ "contoso.com" ], "preserve_host": false, "regex_priority": 0, "updated_at": 1525656564, "paths": [ "/v1/books" ], "service": { "id": "b1daf7d6-1416-444a-b88b-f09f5e1e58c3" }, "methods": null, "protocols": [ "http", "https" ], "id": "0cf82be2-99f3-4934-af8c-5380240d8635" }通过Kong在8000端口暴露出来的服务地址获得所有的书籍
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books \
--header 'Host: contoso.com'
HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 191 Connection: keep-alive Date: Mon, 07 May 2018 09:29:56 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13 X-Powered-By: PHP/7.1.13 X-Kong-Upstream-Latency: 43 X-Kong-Proxy-Latency: 43 Via: kong/0.13.1 [ { "id": 1, "title": "Fashion That Changed the World", "author": "Jennifer Croll" }, { "id": 2, "title": "Brigitte Bardot - My Life in Fashion", "author": "Henry-Jean Servat and Brigitte Bardot" }, { "id": 3, "title": "The Fashion Image", "author": "Thomas Werner" } ]curl http://localhost:8001/services/book
curl http://localhost:8001/services/book/plugins
为book服务启用OAuth 2.0 Authentication插件,并激活客户端模式授权
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=oauth2" \
--data "config.scopes=email,phone,address" \
--data "config.mandatory_scope=true" \
--data "config.enable_client_credentials=true"
HTTP/1.1 201 Created Date: Mon, 07 May 2018 09:30:49 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Origin: * Server: kong/0.13.1 { "created_at": 1525685447000, "config": { "refresh_token_ttl": 1209600, "enable_client_credentials": true, "mandatory_scope": true, "token_expiration": 7200, "hide_credentials": false, "scopes": [ "email", "phone", "address" ], "enable_implicit_grant": false, "global_credentials": false, "anonymous": "", "enable_password_grant": false, "accept_http_if_already_terminated": false, "enable_authorization_code": false, "provision_key": "Xy5hdXUmHxsu3Vvfu8bGTN3ezWJHSyrM", "auth_header_name": "authorization" }, "id": "7cbc86a4-d9b5-493e-a6fc-f48523a834c9", "enabled": true, "service_id": "b1daf7d6-1416-444a-b88b-f09f5e1e58c3", "name": "oauth2" }添加1个username为jack的消费者,{custom_id}参数可省略,此参数是个自定义唯一标识,
它作用是把消费者jack映射到另外一个数据库上
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"
HTTP/1.1 201 Created Date: Mon, 07 May 2018 09:31:26 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Origin: * Server: kong/0.13.1 { "created_at": 1525685487000, "username": "jack", "id": "dfb13af7-2ecc-4f04-9a13-60007f4924c6" }为消费者jack创建1个名称为Book App的应用,redirect_uri参数定义回调地址
参数{client_id}和{client_secret}可自定义,省略时由系统随机生成
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/oauth2/ \
--data "name=Book App" \
--data "redirect_uri=http://getkong.org/"
HTTP/1.1 201 Created Date: Mon, 07 May 2018 09:33:54 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Origin: * Server: kong/0.13.1 { "client_id": "72Lq6AqeeZOPipBQcPjYY6DP6zeZtyXI", "created_at": 1525685635000, "id": "2cc8b2f7-2f2b-42dc-adb2-0ead80d0eca6", "redirect_uri": [ "http://getkong.org/" ], "name": "Book App", "client_secret": "WyCbK3DH60HFMGX3NPk8voYIr1abTND5", "consumer_id": "dfb13af7-2ecc-4f04-9a13-60007f4924c6" }根据{client_id}查询消费者的应用程序信息
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8001/oauth2 \
--data "client_id=72Lq6AqeeZOPipBQcPjYY6DP6zeZtyXI"
HTTP/1.1 200 OK Date: Mon, 07 May 2018 09:35:42 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Origin: * Server: kong/0.13.1 { "total": 1, "data": [ { "created_at": 1525685635000, "client_id": "72Lq6AqeeZOPipBQcPjYY6DP6zeZtyXI", "id": "2cc8b2f7-2f2b-42dc-adb2-0ead80d0eca6", "redirect_uri": [ "http://getkong.org/" ], "name": "Book App", "client_secret": "WyCbK3DH60HFMGX3NPk8voYIr1abTND5", "consumer_id": "dfb13af7-2ecc-4f04-9a13-60007f4924c6" } ] }通过Kong在8000端口暴露出来的服务地址读一条书籍记录,实际上是通过Kong在转
发我的请求,不管是读1条记录还读所有书籍记录,我们都无权获得数据
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header 'Host: contoso.com'
HTTP/1.1 401 Unauthorized Date: Mon, 07 May 2018 09:36:29 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Server: kong/0.13.1 WWW-Authenticate: Bearer realm="service" { "error_description": "The access token is missing", "error": "invalid_request" }键-值对{username:password}字符串 [email protected]:123456
它的Base64编码值等于amFja0Bob3RtYWlsLmNvbSUzQTEyMzQ1Ng==
curl http://localhost:8001/consumers/jack/oauth2
客户端向认证服务器进行身份认证,并要求一个访问令牌
认证服务器确认无误后,向客户端提供访问令牌
客户端发送的username和password的Base64编码值,即
必须带上header头参数Authorization
还包括参数{client_id},{client_secret},{response_type},
{scope},{grant_type},{provision_key},{authenticated_userid}
构成的POST请求获得一个访问令牌
{state}客户端的当前状态,可以指定任意值,认证服务器会原封不动地返回这个值
{scope}表示申请的权限范围
{authenticated_userid}已授予权限的终端登录用户userid
[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books/oauth2/token \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbSUzQTEyMzQ1Ng==" \
--header "Host: contoso.com" \
--data "client_id=72Lq6AqeeZOPipBQcPjYY6DP6zeZtyXI" \
--data "client_secret=WyCbK3DH60HFMGX3NPk8voYIr1abTND5" \
--data "scope=email" \
--data "response_type=token" \
--data "grant_type=client_credentials" \
--data "provision_key=Xy5hdXUmHxsu3Vvfu8bGTN3ezWJHSyrM" \
--data "authenticated_userid=1206" \
--data "redirect_uri=http://getkong.org/" --insecure
HTTP/1.1 200 OK Date: Mon, 07 May 2018 09:42:32 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Server: kong/0.13.1 cache-control: no-store pragma: no-cache { "token_type": "bearer", "access_token": "W3xqSWKLJpZuzyPARZGEhGP9DuPYIufw", "expires_in": 7200 }现在我们已经获得了一个访问令牌
这样就有可以访问书籍这个接口了
[root@contoso ~]# curl -i -X GET \
--url https://localhost:8443/v1/books \
--header "Authorization: Bearer W3xqSWKLJpZuzyPARZGEhGP9DuPYIufw" \
--header 'Host: contoso.com' --insecure
HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 191 Connection: keep-alive Date: Mon, 07 May 2018 09:44:45 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13 X-Powered-By: PHP/7.1.13 X-Kong-Upstream-Latency: 24 X-Kong-Proxy-Latency: 50 Via: kong/0.13.1 [ { "id": 1, "title": "Fashion That Changed the World", "author": "Jennifer Croll" }, { "id": 2, "title": "Brigitte Bardot - My Life in Fashion", "author": "Henry-Jean Servat and Brigitte Bardot" }, { "id": 3, "title": "The Fashion Image", "author": "Thomas Werner" } ][root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Bearer W3xqSWKLJpZuzyPARZGEhGP9DuPYIufw" \
--header 'Host: contoso.com'
HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 63 Connection: keep-alive Date: Mon, 07 May 2018 09:45:29 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13 X-Powered-By: PHP/7.1.13 X-Kong-Upstream-Latency: 41 X-Kong-Proxy-Latency: 0 Via: kong/0.13.1 [{"id":3,"title":"The Fashion Image","author":"Thomas Werner"}][root@contoso ~]# curl -i -X DELETE \
--url https://localhost:8443/v1/books/3 \
--header "Authorization: Bearer W3xqSWKLJpZuzyPARZGEhGP9DuPYIufw" \
--header 'Host: contoso.com' --insecure
HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 34 Connection: keep-alive Date: Mon, 07 May 2018 09:48:44 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13 X-Powered-By: PHP/7.1.13 X-Kong-Upstream-Latency: 28 X-Kong-Proxy-Latency: 0 Via: kong/0.13.1 {"message":"deleted successfully"}[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books \
--header "Authorization: Bearer W3xqSWKLJpZuzyPARZGEhGP9DuPYIufw" \
--header 'Host: contoso.com' \
--data 'title=TiDB in Action' \
--data 'author=Tomson' --insecure
HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 35 Connection: keep-alive Date: Mon, 07 May 2018 09:49:01 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13 X-Powered-By: PHP/7.1.13 X-Kong-Upstream-Latency: 26 X-Kong-Proxy-Latency: 0 Via: kong/0.13.1 {"message":"inserted successfully"}