For the demonstration we again use the books RESTful API as the data source. Drop the kong database in PostgreSQL left over from the Kong Gateway - 01 example and import a clean, pre-configured backend database, kong-20180427.bak (see the installation article, How to Install kong-community-edition On CentOS 7).
[root@contoso ~]# psql --help
[root@contoso ~]# dropdb --help
[root@contoso ~]# createdb --help
[root@contoso ~]# kong stop    # Kong must be stopped before its database is touched
[root@contoso ~]# dropdb -h 127.0.0.1 -p 5432 -U postgres kong    # drop the kong database
Password: 123456
[root@contoso ~]# createdb -h 127.0.0.1 -p 5432 -U postgres kong    # recreate the kong database
Password: 123456
[root@contoso ~]# psql -h 127.0.0.1 -p 5432 -U postgres -d kong < /opt/kong-20180427.bak    # restore the kong database from the backup
Password for user postgres: 123456
[root@contoso ~]# kong start
Kong started
Configure a book service in Kong
With Kong installed and started, add a service named book through the Admin API on port 8001. The Admin API has no authentication of its own, so outside a lab box it must stay bound to localhost or be firewalled: anyone who can reach it can create consumers, read credentials and remove plugins.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 05:26:01 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
  "host": "contoso.com",
  "created_at": 1525641961,
  "connect_timeout": 60000,
  "id": "8232d5da-13aa-4940-ace8-60c1d88af757",
  "protocol": "http",
  "name": "book",
  "read_timeout": 60000,
  "port": 80,
  "path": "/v1/books",
  "updated_at": 1525641961,
  "retries": 5,
  "write_timeout": 60000
}
List the routes attached to the service, by service name
curl -i -X GET \
--url http://localhost:8001/services/book/routes
List all routes
curl -i -X GET \
--url http://localhost:8001/routes
Fetch a single route by its id
curl -i -X GET \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede
Delete a single route by its id
curl -i -X DELETE \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede
Update a single route's hosts by its id. Because every route here points at the same book service, setting methods on different routes cannot be used to control access per controller method, so we leave methods unset. A PATCH cannot reset a field to null; to clear one we have to delete the route and create it again.
curl -i -X PATCH \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'
Add a route so that the book service is exposed to users. The paths[] value must match the /v1/books path of the book service: with strip_path=true (the default) Kong strips the matched route path from the request and prepends the service path, so the two must be the same for the upstream to receive /v1/books/... unchanged. One route is enough for the book service.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 05:26:26 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
  "created_at": 1525641986,
  "strip_path": true,
  "hosts": [ "contoso.com" ],
  "preserve_host": false,
  "regex_priority": 0,
  "updated_at": 1525641986,
  "paths": [ "/v1/books" ],
  "service": { "id": "8232d5da-13aa-4940-ace8-60c1d88af757" },
  "methods": null,
  "protocols": [ "http", "https" ],
  "id": "5981a6e1-434e-44cd-a1e9-eaf052d7b346"
}
Fetch all books through the address Kong exposes on the proxy port 8000. No plugin is enabled yet, so the request goes straight through to the upstream.
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books \
--header 'Host: contoso.com'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 191
Connection: keep-alive
Date: Mon, 07 May 2018 05:27:09 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 69
X-Kong-Proxy-Latency: 52
Via: kong/0.13.1

[
  { "id": 1, "title": "Fashion That Changed the World", "author": "Jennifer Croll" },
  { "id": 2, "title": "Brigitte Bardot - My Life in Fashion", "author": "Henry-Jean Servat and Brigitte Bardot" },
  { "id": 3, "title": "The Fashion Image", "author": "Thomas Werner" }
]
Note that the upstream's Server and X-Powered-By headers pass through Kong untouched, so the backend's Apache, OpenSSL and PHP versions are visible to every client. Inspect the service definition and the plugins enabled on it (none so far):
curl http://localhost:8001/services/book
curl http://localhost:8001/services/book/plugins
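At this point the book service is reachable through Kong with no authentication at all, which is easy to overlook once there are many services. Here is an added example (not from the page and not Kong's own tooling) in Python that audits service, route and plugin objects as the 0.13 Admin API returns them and reports exactly that state. The objects are copied from the responses above; the AUTH_PLUGINS set, the severities and the message texts are the example's own choices.

```python
"""Audit Kong 0.13 Admin API objects for exposure without authentication.

Added example, not from the page and not Kong tooling. SERVICES/ROUTES are
copied from the Admin API responses above; PLUGINS is empty because at this
point of the walkthrough nothing has been enabled yet. AUTH_PLUGINS,
severities and message texts are the example's own choices.
"""

# Kong plugins that authenticate the caller; a service exposed by a route
# with none of these (per service or global) is open to everyone.
AUTH_PLUGINS = {"oauth2", "key-auth", "basic-auth", "jwt", "hmac-auth", "ldap-auth"}

# Constructed from this page's Admin API responses
SERVICES = [
    {"id": "8232d5da-13aa-4940-ace8-60c1d88af757", "name": "book",
     "protocol": "http", "host": "contoso.com", "port": 80, "path": "/v1/books"},
]
ROUTES = [
    {"id": "5981a6e1-434e-44cd-a1e9-eaf052d7b346", "hosts": ["contoso.com"],
     "paths": ["/v1/books"], "methods": None, "protocols": ["http", "https"],
     "strip_path": True, "service": {"id": "8232d5da-13aa-4940-ace8-60c1d88af757"}},
]
PLUGINS = []


def audit(services, routes, plugins):
    """Return (severity, service_name, message) findings, worst first."""
    findings = []
    per_service = {}          # service_id -> set of enabled plugin names
    for p in plugins:
        if p.get("enabled", True):
            per_service.setdefault(p.get("service_id"), set()).add(p["name"])
    global_plugins = per_service.get(None, set())   # no service_id: applies to all services

    for svc in services:
        svc_routes = [r for r in routes if r.get("service", {}).get("id") == svc["id"]]
        if not svc_routes:
            continue                                  # no route, nothing is exposed
        enabled = per_service.get(svc["id"], set()) | global_plugins
        if not enabled & AUTH_PLUGINS:
            findings.append(("high", svc["name"], "no authentication plugin enabled"))
        for r in svc_routes:
            if "http" in r.get("protocols", []):
                findings.append(("medium", svc["name"],
                                 f"route {r['id']} accepts plain http; bearer tokens would travel in clear"))
            if r.get("strip_path") and r.get("paths") and svc.get("path") \
                    and svc["path"] not in r["paths"]:
                findings.append(("low", svc["name"],
                                 "route path differs from service path; with strip_path the upstream sees a rewritten path"))
        if svc.get("protocol") == "http":
            findings.append(("low", svc["name"], "Kong talks plain http to the upstream"))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for sev, name, msg in audit(SERVICES, ROUTES, PLUGINS):
        print(f"[{sev}] {name}: {msg}")
```

Run against the objects above it reports the missing authentication plugin as high, the route's plain-http protocol as medium and the plain-http upstream connection as low; once the oauth2 plugin from the next step is in the plugin list the high finding disappears. A service with no route is skipped on purpose, since nothing reaches it through the proxy.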
Enable the OAuth 2.0 Authentication plugin on the book service and turn on the implicit grant, with email and phone as the configured scopes and mandatory_scope=true so that every token request has to name a scope.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=oauth2" \
--data "config.scopes=email,phone" \
--data "config.mandatory_scope=true" \
--data "config.enable_implicit_grant=true"
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 05:48:47 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
  "created_at": 1525672126000,
  "config": {
    "refresh_token_ttl": 1209600,
    "enable_client_credentials": false,
    "mandatory_scope": true,
    "token_expiration": 7200,
    "hide_credentials": false,
    "scopes": [ "email", "phone" ],
    "enable_implicit_grant": true,
    "global_credentials": false,
    "anonymous": "",
    "enable_password_grant": false,
    "accept_http_if_already_terminated": false,
    "enable_authorization_code": false,
    "provision_key": "GXz8TtR8Pql9zhxzhyMEKLqbBhU6l9lW",
    "auth_header_name": "authorization"
  },
  "id": "eb1d080d-cbe1-496e-affd-b28107fccf2d",
  "enabled": true,
  "service_id": "8232d5da-13aa-4940-ace8-60c1d88af757",
  "name": "oauth2"
}
The provision_key Kong generates here is the shared secret that lets your own login application call the service's /oauth2/authorize endpoint on a user's behalf; treat it like a password and keep it server-side. hide_credentials is false, so the Authorization header is forwarded to the upstream together with the request.
Add a consumer with username jack. The optional custom_id parameter is a unique identifier of your own choosing, used to map the consumer jack to a user record in another system (for example your own user database).
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 05:49:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
  "created_at": 1525672165000,
  "username": "jack",
  "id": "30c1dce1-870f-4f94-ae6e-72b47e9a9002"
}
Create an application named Book App for consumer jack. redirect_uri is the callback address to which Kong sends the code (authorization code grant) or the token (implicit grant) together with state; Kong only ever redirects to a URI registered here, which is what stops someone who knows the client_id from having tokens delivered to an address of their choosing. client_id and client_secret may be supplied explicitly; when omitted, Kong generates random values.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/oauth2/ \
--data "name=Book App" \
--data "redirect_uri=http://getkong.org/"
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 05:49:54 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
  "client_id": "e4cWEP3SxOLxE5hrTXeHrQ4fHDunGXA3",
  "created_at": 1525672195000,
  "id": "47221663-75d7-41e6-a4cd-a62eef1228d8",
  "redirect_uri": [ "http://getkong.org/" ],
  "name": "Book App",
  "client_secret": "Pg2CQxt0cciP7WtZkFUoobWFJE4nbprb",
  "consumer_id": "30c1dce1-870f-4f94-ae6e-72b47e9a9002"
}
Look up the consumer's application by client_id
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8001/oauth2 \
--data "client_id=e4cWEP3SxOLxE5hrTXeHrQ4fHDunGXA3"
HTTP/1.1 200 OK
Date: Mon, 07 May 2018 05:50:40 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
  "total": 1,
  "data": [
    {
      "created_at": 1525672195000,
      "client_id": "e4cWEP3SxOLxE5hrTXeHrQ4fHDunGXA3",
      "id": "47221663-75d7-41e6-a4cd-a62eef1228d8",
      "redirect_uri": [ "http://getkong.org/" ],
      "name": "Book App",
      "client_secret": "Pg2CQxt0cciP7WtZkFUoobWFJE4nbprb",
      "consumer_id": "30c1dce1-870f-4f94-ae6e-72b47e9a9002"
    }
  ]
}
(curl sends --data in the request body even with -X GET; the documented form of the same query is the query string, http://localhost:8001/oauth2?client_id=... Note that the response returns client_secret in clear, one more reason the Admin API must not be reachable by clients.)
Now read one book record through the address Kong exposes on port 8000. Kong is forwarding the request at this point, and whether we ask for one record or for all of them, we are refused.
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header 'Host: contoso.com'
HTTP/1.1 401 Unauthorized
Date: Mon, 07 May 2018 05:51:08 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
WWW-Authenticate: Bearer realm="service"

{
  "error_description": "The access token is missing",
  "error": "invalid_request"
}
List jack's OAuth2 credentials:
curl http://localhost:8001/consumers/jack/oauth2
The implicit grant is meant for clients that live entirely in the browser: the access token comes back in the URL fragment, so it is visible to the user, and the client never authenticates itself (no client_secret is involved). With Kong, however, the request that actually mints the token is not made by the browser. Your own authorization web application first authenticates the user (login form, session, whatever you use), then makes a server-side POST to the service's /oauth2/authorize endpoint carrying client_id, response_type, scope, provision_key, authenticated_userid and state. Kong answers with a redirect_uri that already contains the access token, and the application redirects the browser there. The provision_key is what proves to Kong that the request comes from your application; it must never be embedded in browser-side code. Kong accepts this call only over HTTPS (unless accept_http_if_already_terminated is set and a trusted proxy adds X-Forwarded-Proto), which is why the example below goes to the proxy's TLS port 8443 and passes --insecure for the lab's self-signed certificate.
state: an opaque value chosen by the client for this login attempt. The authorization server returns it unchanged, and the client must compare it with the value it stored before trusting the token; without that check an attacker can inject a token of their own into the victim's session.
scope: the permissions being requested. With mandatory_scope=true it must be present and must be one of the configured scopes (email, phone).
authenticated_userid: the identifier of the end user your application has just authenticated. Kong stores it with the token and forwards it to the upstream as X-Authenticated-Userid.
[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books/oauth2/authorize \
--header 'Host: contoso.com' \
--data "client_id=e4cWEP3SxOLxE5hrTXeHrQ4fHDunGXA3" \
--data "response_type=token" \
--data "scope=email" \
--data "provision_key=GXz8TtR8Pql9zhxzhyMEKLqbBhU6l9lW" \
--data "authenticated_userid=1206" \
--data "state=xyz" --insecure
HTTP/1.1 200 OK
Date: Mon, 07 May 2018 05:58:34 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache

{"redirect_uri":"http:\/\/getkong.org\/#access_token=ZKbQeM4jozahYwQEhdwmOR0xnmaUMYEr&expires_in=7200&state=xyz&token_type=bearer"}
We now have an access token, valid for expires_in = 7200 seconds (the plugin's token_expiration), returned in the fragment of the registered redirect_uri together with the state we sent. With it we can call the books API.
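The two halves of that exchange that are not curl, as an added example in Python (not from the page and not Kong's code): the form your login application posts server-side to Kong, and the redirect_uri handler that checks state before trusting the token in the fragment. The endpoint, client_id, provision_key and the sample redirect are taken from the page; new_state(), the constant-time comparison and the error policy are the example's own assumptions.

```python
"""Implicit-grant helpers for the confidential side of a Kong oauth2 setup.

Added example, not code from the page or from Kong. Two pieces:

1. build_authorize_request(): the form the authorization web application
   (your login page, running server-side) posts to Kong's /oauth2/authorize
   endpoint after it has authenticated the user. The provision_key lives
   only here.
2. parse_implicit_redirect(): what the redirect_uri handler does with the
   URL fragment Kong hands back, checking state before trusting the token.

AUTHORIZE_URL and the sample redirect come from the page; state handling
and error policy are assumptions of this example.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# The page reaches this through Kong's TLS proxy port with Host: contoso.com
AUTHORIZE_URL = "https://contoso.com/v1/books/oauth2/authorize"


def new_state() -> str:
    """Unguessable per-login state; store it in the user's server-side session."""
    return secrets.token_urlsafe(24)


def build_authorize_request(client_id, scope, authenticated_userid, state, provision_key):
    """Form body for the server-side POST to Kong's authorize endpoint.

    Must be sent over HTTPS; Kong rejects plain-http calls to this endpoint.
    """
    return {
        "client_id": client_id,
        "response_type": "token",          # implicit grant
        "scope": scope,
        "provision_key": provision_key,    # secret shared with Kong, never sent to the browser
        "authenticated_userid": str(authenticated_userid),
        "state": state,
    }


def parse_implicit_redirect(redirect_uri, expected_state):
    """Extract the token from the #fragment Kong returned and check state.

    Raises ValueError on an error response, a missing fragment, a missing or
    mismatched state, or a missing token. Returns access_token, token_type
    and expires_in (seconds).
    """
    parts = urlsplit(redirect_uri)
    if not parts.fragment:
        raise ValueError("no fragment in redirect_uri")
    frag = parse_qs(parts.fragment)
    if "error" in frag:
        raise ValueError(f"authorization error: {frag['error'][0]}")
    state = frag.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the token was not requested
    # by this session (CSRF / token injection), so it is discarded.
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF, discarding token")
    token = frag.get("access_token", [""])[0]
    if not token:
        raise ValueError("no access_token in fragment")
    return {
        "access_token": token,
        "token_type": frag.get("token_type", ["bearer"])[0].lower(),
        "expires_in": int(frag.get("expires_in", ["0"])[0]),
    }


def redirect_is_trusted(redirect_uri, expected_state) -> bool:
    """Boolean wrapper around parse_implicit_redirect for callers that only gate."""
    try:
        parse_implicit_redirect(redirect_uri, expected_state)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Sample redirect copied from Kong's response on this page
    sample = ("http://getkong.org/#access_token=ZKbQeM4jozahYwQEhdwmOR0xnmaUMYEr"
              "&expires_in=7200&state=xyz&token_type=bearer")
    print(parse_implicit_redirect(sample, "xyz"))
```

The page uses the fixed state xyz, which is fine for a walkthrough but defeats the purpose in production; the value has to be fresh per login and bound to the session that started the flow, which is what new_state() plus the comparison give you.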
[root@contoso ~]# curl -i -X GET \
--url https://localhost:8443/v1/books \
--header "Authorization: Bearer ZKbQeM4jozahYwQEhdwmOR0xnmaUMYEr" \
--header 'Host: contoso.com' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Mon, 07 May 2018 06:38:39 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 42
X-Kong-Proxy-Latency: 36
Via: kong/0.13.1

[
  { "id": 1, "title": "Fashion That Changed the World", "author": "Jennifer Croll" },
  { "id": 2, "title": "Brigitte Bardot - My Life in Fashion", "author": "Henry-Jean Servat and Brigitte Bardot" },
  { "id": 3, "title": "The Fashion Image", "author": "Thomas Werner" }
]
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Bearer ZKbQeM4jozahYwQEhdwmOR0xnmaUMYEr" \
--header 'Host: contoso.com'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Mon, 07 May 2018 06:39:48 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 45
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

[
  { "id": 2, "title": "Brigitte Bardot - My Life in Fashion", "author": "Henry-Jean Servat and Brigitte Bardot" }
]
[root@contoso ~]# curl -i -X DELETE \
--url https://localhost:8443/v1/books/2 \
--header "Authorization: Bearer ZKbQeM4jozahYwQEhdwmOR0xnmaUMYEr" \
--header 'Host: contoso.com' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 34
Connection: keep-alive
Date: Mon, 07 May 2018 06:40:15 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 46
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

{"message":"deleted successfully"}
[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books \
--header "Authorization: Bearer ZKbQeM4jozahYwQEhdwmOR0xnmaUMYEr" \
--header 'Host: contoso.com' \
--data 'title=TiDB in Action' \
--data 'author=Tomson' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: keep-alive
Date: Mon, 07 May 2018 06:40:38 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 43
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

{"message":"inserted successfully"}
Two things are worth noticing about what the plugin did and did not check. The token was requested with scope=email, yet it is accepted for GET, DELETE and POST alike: Kong's oauth2 plugin verifies that the bearer token is valid, unexpired and issued for this service, then forwards the request with X-Authenticated-Scope and X-Authenticated-Userid headers; any mapping from scope or user to permitted operations has to be enforced by the upstream. And the second request went to the plain-http port 8000 and was accepted: only the /oauth2/authorize and /oauth2/token endpoints require TLS, so a bearer token sent to 8000 travels in clear and should be considered exposed. For anything beyond a lab, restrict the route's protocols to https.
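An added example (not code from the page or from Kong) of the upstream-side check the plugin leaves to you, in Python. It assumes two things that differ from the page: that the plugin had been enabled with config.scopes=books:read,books:write rather than email,phone, and that the upstream is reachable only from Kong, because the X-Authenticated-* headers are ordinary request headers that any client able to talk to the backend directly could forge.

```python
"""Upstream-side scope enforcement behind Kong's oauth2 plugin.

Added example, not from the page or Kong. Kong's oauth2 plugin only checks
that a bearer token is valid for the service; it does not map HTTP methods
to scopes. It forwards the token's scope (space-separated) and the
authenticated user id in X-Authenticated-Scope and X-Authenticated-Userid,
so the upstream must do the method/scope check itself.

Assumption (not the page's configuration): the plugin was enabled with
config.scopes=books:read,books:write. Assumption: only Kong can reach this
backend, otherwise these headers can be forged.
"""
from typing import Mapping, Tuple

# Hypothetical policy: the scope each HTTP method needs on /v1/books
METHOD_SCOPE = {
    "GET": "books:read",
    "HEAD": "books:read",
    "POST": "books:write",
    "PUT": "books:write",
    "PATCH": "books:write",
    "DELETE": "books:write",
}


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; WSGI/ASGI servers differ in casing."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def authorize_request(method: str, headers: Mapping[str, str]) -> Tuple[int, str]:
    """Decide (status, reason) for a request Kong has proxied to us.

    401: no authenticated identity (request did not pass the oauth2 plugin,
         or the plugin let an anonymous consumer through)
    403: token is valid but its scope does not cover this method
    405: method has no policy entry, so nothing is allowed to use it
    """
    if _header(headers, "X-Anonymous-Consumer") == "true":
        return 401, "anonymous consumer not allowed"
    userid = _header(headers, "X-Authenticated-Userid")
    if not userid:
        return 401, "no authenticated user; request did not come through the oauth2 plugin"
    granted = set(_header(headers, "X-Authenticated-Scope").split())
    required = METHOD_SCOPE.get(method.upper())
    if required is None:
        return 405, "method not allowed"
    if required not in granted:
        return 403, f"scope {required!r} required, token has {sorted(granted)}"
    return 200, f"user {userid} ok"


if __name__ == "__main__":
    # Constructed headers in the shape Kong adds for the page's user 1206
    sample = {"X-Authenticated-Userid": "1206", "X-Authenticated-Scope": "books:read"}
    for m in ("GET", "DELETE"):
        print(m, authorize_request(m, sample))
```

With this in front of the book handlers, the DELETE and POST from the walkthrough would fail with 403 for a token that only carries books:read, which is the behaviour the page's email-scoped token should have had but did not get from Kong alone.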