Preface
Original: ChartMuseum Auth Server Example
Source code: https://github.com/chartmuseum/auth-server-example.git
This project is an example server that generates the JWT tokens used to authorize access to a chart repository.
First, get the example running
Prerequisites:
- docker-compose
- curl
Clone the project and run the following commands in its root directory:
git clone https://github.com/chartmuseum/auth-server-example.git
cd auth-server-example
docker-compose pull
docker-compose up -d
Workflow
Step 1: curl an unauthorized URL
The chart repository uses bearer authorization.
To access a protected resource, the Authorization header must contain a JWT token that grants permission to perform a specific action on a specific resource.
To obtain that token you need the scope, so first request a URL without any authorization.
Example:
curl -v http://localhost:8080/org1/repo1/index.yaml
Output:
< HTTP/1.1 401 Unauthorized
< Content-Type: application/json; charset=utf-8
< Www-Authenticate: Bearer realm="http://localhost:5001/oauth/token",service="localhost:5001",scope="artifact-repository:org1/repo1:pull"
The result is 401 Unauthorized, as expected. Extract from the response:
realm -> http://localhost:5001/oauth/token
scope -> artifact-repository:org1/repo1:pull
Both fields are needed to obtain a token.
Step 2: obtain a token from the authorization server
Using the realm and scope from step 1, run the following commands:
REALM="http://localhost:5001/oauth/token"
SCOPE="artifact-repository:org1/repo1:pull"
curl -s -X POST -H "Authorization: Bearer MASTERKEY" \
"$REALM?grant_type=client_credentials&scope=$SCOPE"
Note: “MASTERKEY” is a hardcoded token in the auth server which is required to authenticate.
The command outputs:
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDM5OTU3NzAsImlhdCI6MTU0Mzk5NTQ3MCwiYWNjZXNzIjpbeyJ0eXBlIjoiYXJ0aWZhY3QtcmVwb3NpdG9yeSIsIm5hbWUiOiJvcmcxL3JlcG8xIiwiYWN0aW9ucyI6WyJwdWxsIl19XX0.0Ajgwy5Yhl_HwF3yKoggicpxCiFTffiGcWVxhttR_SU3czn2WogkRazXAAQE2CuIzganw5u5WDuZIBPC2RucP8KT5uKvKDiakDsVYHMACCDjpTotAWamZF2MFCTpXzhpCLkcv_dgGHnInGV_VYJj1xhD6B4ksuxMpDflLCNPqV4GyTxdrIplRxurePNLs5yLKngMXs42eAsD44FGDSLbW65RLM7QFZaUvwlbcst0g9KsVxN4NJ4uIPS-dC0HOvdf6bw2E_GTbpTcpzgn5gMXKzKGFxTi8Tch-NA9t6jghsEDUk3WYJGH1Ko0-xI8XpjYf6l4wQ6_Yg2dGrMBxFqfmQ"
}
This is the token we want. Paste it into https://jwt.io or decode it with jwt-cli, and the output is:
{
  "exp": 1543995770,
  "iat": 1543995470,
  "access": [
    {
      "type": "artifact-repository",
      "name": "org1/repo1",
      "actions": [
        "pull"
      ]
    }
  ]
}
Step 3: make an authenticated request
Put the token above in the request's Authorization header, as follows:
TOKEN="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDM5OTU3NzAsImlhdCI6MTU0Mzk5NTQ3MCwiYWNjZXNzIjpbeyJ0eXBlIjoiYXJ0aWZhY3QtcmVwb3NpdG9yeSIsIm5hbWUiOiJvcmcxL3JlcG8xIiwiYWN0aW9ucyI6WyJwdWxsIl19XX0.0Ajgwy5Yhl_HwF3yKoggicpxCiFTffiGcWVxhttR_SU3czn2WogkRazXAAQE2CuIzganw5u5WDuZIBPC2RucP8KT5uKvKDiakDsVYHMACCDjpTotAWamZF2MFCTpXzhpCLkcv_dgGHnInGV_VYJj1xhD6B4ksuxMpDflLCNPqV4GyTxdrIplRxurePNLs5yLKngMXs42eAsD44FGDSLbW65RLM7QFZaUvwlbcst0g9KsVxN4NJ4uIPS-dC0HOvdf6bw2E_GTbpTcpzgn5gMXKzKGFxTi8Tch-NA9t6jghsEDUk3WYJGH1Ko0-xI8XpjYf6l4wQ6_Yg2dGrMBxFqfmQ"
curl -v -H "Authorization: Bearer $TOKEN" \
http://localhost:8080/org1/repo1/index.yaml
The result should now be 200 OK, as follows:
apiVersion: v1
entries:
  mychart:
  - created: "2018-12-05T06:57:46Z"
    digest: 159ba395ef891a90339f5d8a6ff964fb38265ec24a2e1d09fe6c390cda75b17c
    name: mychart
    urls:
    - charts/mychart-0.1.0.tgz
    version: 0.1.0
generated: "2018-12-05T07:04:40Z"
serverInfo: {}
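The three steps above, carried through as an added Python example (this is not code from the walkthrough or from the auth-server-example project): it parses the Www-Authenticate challenge from step 1 into realm, service and scope, builds the token-endpoint URL that step 2's curl command requests, decodes the returned token the way jwt.io does (without verifying the signature, which only the chart server holding the auth server's public key can do), checks the exp claim against a given time, and forms the Authorization header for step 3. The challenge line and the token are the ones printed above; no network call is made.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Challenge line printed by curl in step 1 (taken from the walkthrough above).
CHALLENGE = (
    'Www-Authenticate: Bearer realm="http://localhost:5001/oauth/token",'
    'service="localhost:5001",scope="artifact-repository:org1/repo1:pull"'
)

# access_token returned by the auth server in step 2 (taken from the walkthrough above).
TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjE1NDM5OTU3NzAsImlhdCI6MTU0Mzk5NTQ3MCwiYWNjZXNzIjpbeyJ0eXBlIjoiYXJ0aWZhY3QtcmVwb3NpdG9yeSIsIm5hbWUiOiJvcmcxL3JlcG8xIiwiYWN0aW9ucyI6WyJwdWxsIl19XX0."
    "0Ajgwy5Yhl_HwF3yKoggicpxCiFTffiGcWVxhttR_SU3czn2WogkRazXAAQE2CuIzganw5u5WDuZIBPC2RucP8KT5uKvKDiakDsVYHMACCDjpTotAWamZF2MFCTpXzhpCLkcv_dgGHnInGV_VYJj1xhD6B4ksuxMpDflLCNPqV4GyTxdrIplRxurePNLs5yLKngMXs42eAsD44FGDSLbW65RLM7QFZaUvwlbcst0g9KsVxN4NJ4uIPS-dC0HOvdf6bw2E_GTbpTcpzgn5gMXKzKGFxTi8Tch-NA9t6jghsEDUk3WYJGH1Ko0-xI8XpjYf6l4wQ6_Yg2dGrMBxFqfmQ"
)


def parse_bearer_challenge(header_line):
    """Parse 'Www-Authenticate: Bearer k="v",...' into a dict of its parameters."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "www-authenticate":
        raise ValueError("not a Www-Authenticate header")
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("unsupported auth scheme: " + scheme)
    # Match key="value" pairs instead of splitting on ',' because a quoted
    # scope value may itself contain commas (e.g. pull,push).
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def token_request_url(challenge):
    """Build the URL that step 2's curl command POSTs to."""
    query = urlencode(
        {"grant_type": "client_credentials", "scope": challenge["scope"]},
        safe=":/,",  # keep the scope readable, as the curl command above passes it
    )
    return challenge["realm"] + "?" + query


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token):
    """Return (header, claims) of a compact JWT.

    The signature is NOT verified here; this only mirrors pasting the token
    into jwt.io to look inside it. Verification needs the auth server's
    public key, which the chart server holds and a client normally does not.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def is_expired(claims, now):
    """True once `now` (epoch seconds) reaches the exp claim (RFC 7519 rule)."""
    return now >= claims["exp"]


def authorization_header(token):
    """Header to attach to the step 3 request."""
    return {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    challenge = parse_bearer_challenge(CHALLENGE)
    print("token endpoint:", token_request_url(challenge))
    header, claims = decode_jwt(TOKEN)
    print("alg:", header["alg"], "lifetime:", claims["exp"] - claims["iat"], "s")
    print("access:", json.dumps(claims["access"]))
    print(authorization_header(TOKEN)["Authorization"][:40] + "...")
```

The decoded claims show exp - iat = 300, so a token from step 2 is only good for five minutes; if step 3 answers 401 again with a token issued a while earlier, check exp before suspecting the scope.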
Using it with helm-push
Install the helm-push plugin. Once installed, it supports adding chart repositories that use the cm:// protocol, used together with HELM_REPO_ACCESS_TOKEN:
helm plugin install https://github.com/chartmuseum/helm-push
# export necessary vars
export HELM_REPO_USE_HTTP="true" # needed if repo running over http vs https
export HELM_REPO_ACCESS_TOKEN="$TOKEN" # token created above
# Add the repo with cm protocol
helm repo add chartmuseum cm://localhost:8080/org1/repo1
# Run repo-related helm commands
helm push mychart/ chartmuseum
helm repo update
helm fetch chartmuseum/mychart
To produce a token in step 2 that covers both the push and pull operations, use the following scope:
artifact-repository:org1/repo1:pull,push
Scope format:
artifact-repository:<namespace>:<action[s]>
where "repo" is the default, single-tenant namespace.
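An added Python example of the scope grammar just given (this is not ChartMuseum's own authorization code, only a model of it): it parses artifact-repository:<namespace>:<action[s]>, including the comma-separated multi-action form, and reports which requested actions a token's access claims do not grant on that namespace. This is the decision the chart server makes after it has verified the token's signature. The pull-only claims are the decoded token from step 2; the pull,push claims are constructed for the example.

```python
# Decoded claims of the pull-only token from step 2 (taken from the walkthrough above).
PULL_ONLY_CLAIMS = {
    "exp": 1543995770,
    "iat": 1543995470,
    "access": [{"type": "artifact-repository", "name": "org1/repo1", "actions": ["pull"]}],
}

# Constructed for this example: what a token issued for the pull,push scope would carry.
PULL_PUSH_CLAIMS = {
    "exp": 1543995770,
    "iat": 1543995470,
    "access": [{"type": "artifact-repository", "name": "org1/repo1", "actions": ["pull", "push"]}],
}


def parse_scope(scope):
    """Split '<type>:<namespace>:<action[,action...]>' into (type, namespace, actions).

    The namespace is taken between the first and the last ':' so an
    'org1/repo1' style namespace works; actions become a set.
    """
    resource_type, sep1, rest = scope.partition(":")
    namespace, sep2, actions = rest.rpartition(":")
    if not (sep1 and sep2 and resource_type and namespace and actions):
        raise ValueError("malformed scope: " + repr(scope))
    action_set = {a.strip() for a in actions.split(",") if a.strip()}
    if not action_set:
        raise ValueError("scope has no actions: " + repr(scope))
    return resource_type, namespace, action_set


def granted_actions(claims, resource_type, namespace):
    """Union of the actions the token's access claims grant on one resource."""
    granted = set()
    for entry in claims.get("access", []):
        if entry.get("type") == resource_type and entry.get("name") == namespace:
            granted.update(entry.get("actions", []))
    return granted


def missing_actions(claims, scope):
    """Actions the scope asks for that the token does not grant (empty set = token suffices)."""
    resource_type, namespace, wanted = parse_scope(scope)
    return wanted - granted_actions(claims, resource_type, namespace)


def token_covers_scope(claims, scope):
    """Allow/deny decision once the signature has already checked out."""
    return not missing_actions(claims, scope)


if __name__ == "__main__":
    for claims, label in ((PULL_ONLY_CLAIMS, "pull-only"), (PULL_PUSH_CLAIMS, "pull,push")):
        for scope in ("artifact-repository:org1/repo1:pull",
                      "artifact-repository:org1/repo1:pull,push",
                      "artifact-repository:org2/repo1:pull"):
            verdict = "ok" if token_covers_scope(claims, scope) else \
                "missing " + ",".join(sorted(missing_actions(claims, scope)))
            print(label, scope, "->", verdict)
```

Note that a token for org1/repo1 grants nothing on org2/repo1 even with the same actions: the namespace is matched exactly, which is what keeps one tenant's token from reaching another tenant's charts.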
About Helm 3
The way tokens are generated and authorized in Helm 3 is shown in the diagram below:
Whether the helm login command will be introduced in Helm 3 is still undecided (right, helm login cannot be used yet...)
For now it seems to go through helm install --username=user --password=password
The authorization flow diagram is stolen, without the slightest shame..., from Docker's authorization flow in the Docker docs.