Kong Gateway - 05 OAuth2 authentication on a gateway service (OAuth2 Authentication, Client Credentials Grant)

For the demo we again use the books RESTful API as the data interface. Drop the kong database in PostgreSQL left over from the Kong Gateway - 01 example,

then import a pre-configured, clean backend database from the dump kong-20180427.bak.

See the installation article: How to Install kong-community-edition On Cent OS 7

[root@contoso ~]# pg_dump --help  
[root@contoso ~]# psql --help  
[root@contoso ~]# dropdb --help  
[root@contoso ~]# createdb --help 
[root@contoso ~]# kong stop  # the kong service must be stopped first
[root@contoso ~]# dropdb -h 127.0.0.1 -p 5432 -U postgres kong   # drop the kong database
Password: 123456
[root@contoso ~]# createdb -h 127.0.0.1 -p 5432 -U postgres kong   # create the kong database
Password: 123456
[root@contoso ~]# psql -h 127.0.0.1 -p 5432 -U postgres -d kong < /opt/kong-20180427.bak   # restore the kong database
Password for user postgres: 123456
[root@contoso ~]# kong start

Kong started

Configure a book service in Kong
After installing and starting Kong, use Kong's Admin API on port 8001 to add a service named book:
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'

HTTP/1.1 201 Created
Date: Mon, 07 May 2018 09:28:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "host": "contoso.com", 
    "created_at": 1525656535, 
    "connect_timeout": 60000, 
    "id": "b1daf7d6-1416-444a-b88b-f09f5e1e58c3", 
    "protocol": "http", 
    "name": "book", 
    "read_timeout": 60000, 
    "port": 80, 
    "path": "/v1/books", 
    "updated_at": 1525656535, 
    "retries": 5, 
    "write_timeout": 60000
}
List the routes attached to a service, by service name
curl -i -X GET \
--url http://localhost:8001/services/book/routes

List all routes
curl -i -X GET \
--url http://localhost:8001/routes

Look up a single route by its route id
curl -i -X GET \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede

Delete a single route by its route id
curl -i -X DELETE \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede

Update a single route by id (hosts and paths). Because every route points at the same book service, setting the
methods parameter cannot give different controller methods different permissions through different routes, so we
do not set methods; also, a PATCH cannot set a parameter back to null, so the only way to clear one is to delete
the route and create it again.
curl -i -X PATCH \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'
Add a route (the paths[] value must match the /v1/books path of the book service) so that the book service is
exposed for users to access; there is no need to add more than one route for the book service.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 09:29:24 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1525656564, 
    "strip_path": true, 
    "hosts": [
        "contoso.com"
    ], 
    "preserve_host": false, 
    "regex_priority": 0, 
    "updated_at": 1525656564, 
    "paths": [
        "/v1/books"
    ], 
    "service": {
        "id": "b1daf7d6-1416-444a-b88b-f09f5e1e58c3"
    }, 
    "methods": null, 
    "protocols": [
        "http", 
        "https"
    ], 
    "id": "0cf82be2-99f3-4934-af8c-5380240d8635"
}
Fetch all books through the service address that Kong exposes on port 8000
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books \
--header 'Host: contoso.com'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 191
Connection: keep-alive
Date: Mon, 07 May 2018 09:29:56 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 43
X-Kong-Proxy-Latency: 43
Via: kong/0.13.1

[
    {
        "id": 1, 
        "title": "Fashion That Changed the World", 
        "author": "Jennifer Croll"
    }, 
    {
        "id": 2, 
        "title": "Brigitte Bardot - My Life in Fashion", 
        "author": "Henry-Jean Servat and Brigitte Bardot"
    }, 
    {
        "id": 3, 
        "title": "The Fashion Image", 
        "author": "Thomas Werner"
    }
]
curl http://localhost:8001/services/book
curl http://localhost:8001/services/book/plugins

Enable the OAuth 2.0 Authentication plugin on the book service and turn on the client credentials grant
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=oauth2"  \
--data "config.scopes=email,phone,address" \
--data "config.mandatory_scope=true" \
--data "config.enable_client_credentials=true"
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 09:30:49 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1525685447000, 
    "config": {
        "refresh_token_ttl": 1209600, 
        "enable_client_credentials": true, 
        "mandatory_scope": true, 
        "token_expiration": 7200, 
        "hide_credentials": false, 
        "scopes": [
            "email", 
            "phone", 
            "address"
        ], 
        "enable_implicit_grant": false, 
        "global_credentials": false, 
        "anonymous": "", 
        "enable_password_grant": false, 
        "accept_http_if_already_terminated": false, 
        "enable_authorization_code": false, 
        "provision_key": "Xy5hdXUmHxsu3Vvfu8bGTN3ezWJHSyrM", 
        "auth_header_name": "authorization"
    }, 
    "id": "7cbc86a4-d9b5-493e-a6fc-f48523a834c9", 
    "enabled": true, 
    "service_id": "b1daf7d6-1416-444a-b88b-f09f5e1e58c3", 
    "name": "oauth2"
}
Add a consumer with username jack. The {custom_id} parameter may be omitted; it is a custom unique identifier
whose purpose is to map the consumer jack to a record in another database.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/  \
--data "username=jack"
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 09:31:26 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1525685487000, 
    "username": "jack", 
    "id": "dfb13af7-2ecc-4f04-9a13-60007f4924c6"
}
Create an application named Book App for the consumer jack; the redirect_uri parameter defines the callback address.
The {client_id} and {client_secret} parameters may be set explicitly; when omitted, the system generates them randomly.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/oauth2/ \
--data "name=Book App" \
--data "redirect_uri=http://getkong.org/"
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 09:33:54 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "client_id": "72Lq6AqeeZOPipBQcPjYY6DP6zeZtyXI", 
    "created_at": 1525685635000, 
    "id": "2cc8b2f7-2f2b-42dc-adb2-0ead80d0eca6", 
    "redirect_uri": [
        "http://getkong.org/"
    ], 
    "name": "Book App", 
    "client_secret": "WyCbK3DH60HFMGX3NPk8voYIr1abTND5", 
    "consumer_id": "dfb13af7-2ecc-4f04-9a13-60007f4924c6"
}
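The five Admin API calls above (service, route, oauth2 plugin, consumer, application) can be scripted. The following Python script is an added example for this article, not part of the original post and not Kong's own tooling. It assumes the Admin API is reachable at http://localhost:8001 as above, uses only the standard library, and the names flatten_form, admin_request and provision_book_service are its own.

```python
"""Script the article's Kong Admin API provisioning sequence (standard library only)."""
import json
import urllib.error
import urllib.parse
import urllib.request

ADMIN_URL = "http://localhost:8001"  # Kong Admin API port, as in the article


def flatten_form(params, prefix=""):
    """Turn a nested dict into the (key, value) pairs Kong's form API expects.

    Lists become repeated 'key[]' fields (hosts[], paths[]), nested dicts become
    dotted keys (config.mandatory_scope), booleans become 'true'/'false'.
    Comma-separated strings such as 'email,phone,address' are passed through
    unchanged, exactly as the article's curl calls send them.
    """
    pairs = []
    for key, value in params.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            pairs.extend(flatten_form(value, prefix=f"{name}."))
        elif isinstance(value, (list, tuple)):
            pairs.extend((f"{name}[]", str(item)) for item in value)
        elif isinstance(value, bool):
            pairs.append((name, "true" if value else "false"))
        else:
            pairs.append((name, str(value)))
    return pairs


def admin_request(method, path, params=None, timeout=5):
    """Send one Admin API call; return (status, decoded JSON body or {})."""
    body = urllib.parse.urlencode(flatten_form(params)).encode() if params else None
    req = urllib.request.Request(ADMIN_URL + path, data=body, method=method)
    if body is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
            return resp.status, json.loads(raw) if raw else {}
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, json.loads(raw) if raw else {}


def provision_book_service():
    """Replay the article: service -> route -> oauth2 plugin -> consumer -> app.

    Returns the secrets the token request later needs. A 409 status means the
    object already exists from an earlier run; it is printed, not treated as fatal.
    """
    steps = [
        ("POST", "/services/", {"name": "book", "url": "http://contoso.com/v1/books"}),
        ("POST", "/services/book/routes", {"hosts": ["contoso.com"], "paths": ["/v1/books"]}),
        ("POST", "/services/book/plugins", {"name": "oauth2", "config": {
            "scopes": "email,phone,address",
            "mandatory_scope": True,
            "enable_client_credentials": True}}),
        ("POST", "/consumers/", {"username": "jack"}),
        ("POST", "/consumers/jack/oauth2/", {"name": "Book App",
                                             "redirect_uri": "http://getkong.org/"}),
    ]
    results = []
    for method, path, params in steps:
        status, data = admin_request(method, path, params)
        print(f"{method} {path} -> {status}")
        results.append((status, data))
    plugin, app = results[2][1], results[4][1]
    return {
        "provision_key": plugin.get("config", {}).get("provision_key"),
        "client_id": app.get("client_id"),
        "client_secret": app.get("client_secret"),
    }


if __name__ == "__main__":
    # The values printed here are secrets: store them in a vault, not a terminal log.
    print(json.dumps(provision_book_service(), indent=2))
```

Note that the plugin response and the application response both contain long-lived secrets (provision_key, client_secret); the Admin API on port 8001 should therefore never be exposed beyond the hosts that administer Kong.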
Query the consumer's application details by {client_id}
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8001/oauth2 \
--data "client_id=72Lq6AqeeZOPipBQcPjYY6DP6zeZtyXI"
HTTP/1.1 200 OK
Date: Mon, 07 May 2018 09:35:42 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "total": 1, 
    "data": [
        {
            "created_at": 1525685635000, 
            "client_id": "72Lq6AqeeZOPipBQcPjYY6DP6zeZtyXI", 
            "id": "2cc8b2f7-2f2b-42dc-adb2-0ead80d0eca6", 
            "redirect_uri": [
                "http://getkong.org/"
            ], 
            "name": "Book App", 
            "client_secret": "WyCbK3DH60HFMGX3NPk8voYIr1abTND5", 
            "consumer_id": "dfb13af7-2ecc-4f04-9a13-60007f4924c6"
        }
    ]
}
Read a single book record through the service address that Kong exposes on port 8000; in reality Kong is forwarding
my request. Whether we read one record or all book records, we are not authorized to obtain the data:
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header 'Host: contoso.com'
HTTP/1.1 401 Unauthorized
Date: Mon, 07 May 2018 09:36:29 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
WWW-Authenticate: Bearer realm="service"

{
    "error_description": "The access token is missing", 
    "error": "invalid_request"
}
The key-value pair {username:password} string [email protected]:123456
has the Base64 value amFja0Bob3RtYWlsLmNvbSUzQTEyMzQ1Ng== (note that in this value the colon was percent-encoded as %3A before Base64 encoding; a plain Base64 of username:password gives a different string).

curl http://localhost:8001/consumers/jack/oauth2

The client authenticates itself to the authorization server and requests an access token;
once the authorization server has verified the client, it issues the access token to the client.

The client sends the Base64 encoding of username and password, that is,
the request must carry the Authorization header,
and in addition the parameters {client_id}, {client_secret}, {response_type},
{scope}, {grant_type}, {provision_key} and {authenticated_userid};
this POST request obtains an access token.

{state} is the client's current state; any value may be given, and the authorization server returns it unchanged
{scope} is the requested permission scope
{authenticated_userid} is the userid of the end user who logged in and granted the permission

[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books/oauth2/token \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbSUzQTEyMzQ1Ng==" \
--header "Host: contoso.com" \
--data "client_id=72Lq6AqeeZOPipBQcPjYY6DP6zeZtyXI" \
--data "client_secret=WyCbK3DH60HFMGX3NPk8voYIr1abTND5" \
--data "scope=email" \
--data "response_type=token" \
--data "grant_type=client_credentials" \
--data "provision_key=Xy5hdXUmHxsu3Vvfu8bGTN3ezWJHSyrM" \
--data "authenticated_userid=1206" \
--data "redirect_uri=http://getkong.org/" --insecure
HTTP/1.1 200 OK
Date: Mon, 07 May 2018 09:42:32 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache

{
    "token_type": "bearer", 
    "access_token": "W3xqSWKLJpZuzyPARZGEhGP9DuPYIufw", 
    "expires_in": 7200
}
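The token request shown above, together with the checks a client should make on the response, as an added Python example (not from the original post; the names basic_auth_header, build_token_request, parse_token_response, fetch_token and call_books_api are this example's own). It assumes Kong's proxy listens on https://localhost:8443 with the self-signed certificate that the article's --insecure flag implies, and that client_id, client_secret and provision_key are the values returned by your own Kong instance during provisioning.

```python
"""Client credentials token request against Kong's oauth2 plugin, with response checks."""
import base64
import json
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request

PROXY_URL = "https://localhost:8443"      # Kong's HTTPS proxy port, as in the article
TOKEN_PATH = "/v1/books/oauth2/token"     # the plugin's token endpoint under the route
HOST_HEADER = "contoso.com"


def basic_auth_header(username, password):
    """RFC 7617 Basic header: base64('username:password'), colon left unencoded."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, provision_key, scope,
                        authenticated_userid, username, password):
    """Return (headers, form_body) for the POST the article sends with curl."""
    headers = {
        "Authorization": basic_auth_header(username, password),
        "Host": HOST_HEADER,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "response_type": "token",
        "grant_type": "client_credentials",
        "provision_key": provision_key,
        "authenticated_userid": authenticated_userid,
        "redirect_uri": "http://getkong.org/",
    }
    return headers, urllib.parse.urlencode(form)


def parse_token_response(status, headers, body, now=None):
    """Validate the token response and convert expires_in to an absolute time.

    Raises PermissionError on a non-200 status (e.g. the 401 invalid_request
    seen above) and ValueError if the body is not a bearer token with a lifetime.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status != 200:
        raise PermissionError(f"token endpoint returned {status}: {body}")
    data = json.loads(body)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    expires_in = int(data["expires_in"])
    if hdrs.get("cache-control", "").lower() != "no-store":
        # RFC 6749 section 5.1 requires Cache-Control: no-store on token responses
        print("warning: token response lacks Cache-Control: no-store")
    return {"access_token": data["access_token"],
            "expires_at": (now if now is not None else time.time()) + expires_in}


def _insecure_context():
    """Skip certificate checks only because the article uses Kong's self-signed
    certificate (curl --insecure); verify certificates in any real deployment."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_token(**kwargs):
    """Perform the token request against Kong and return the parsed token."""
    headers, body = build_token_request(**kwargs)
    req = urllib.request.Request(PROXY_URL + TOKEN_PATH, data=body.encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=_insecure_context(), timeout=5) as resp:
            return parse_token_response(resp.status, resp.headers, resp.read().decode())
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, err.headers, err.read().decode())


def call_books_api(access_token, method="GET", path="/v1/books"):
    """Call the protected API with the bearer token; returns (status, body)."""
    req = urllib.request.Request(PROXY_URL + path, method=method,
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Host": HOST_HEADER})
    try:
        with urllib.request.urlopen(req, context=_insecure_context(), timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Placeholders: use the client_id, client_secret and provision_key your own Kong returned.
    token = fetch_token(client_id="CLIENT_ID", client_secret="CLIENT_SECRET",
                        provision_key="PROVISION_KEY", scope="email",
                        authenticated_userid="1206", username="jack", password="123456")
    print(call_books_api(token["access_token"]))
```

The expires_at value is what a client should cache and compare against before each call, so that an expired token triggers a new token request rather than a stream of 401 responses.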
Now that we have an access token,
we can access the books interface:
[root@contoso ~]# curl -i -X GET \
--url https://localhost:8443/v1/books \
--header "Authorization: Bearer W3xqSWKLJpZuzyPARZGEhGP9DuPYIufw" \
--header 'Host: contoso.com' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 191
Connection: keep-alive
Date: Mon, 07 May 2018 09:44:45 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 24
X-Kong-Proxy-Latency: 50
Via: kong/0.13.1

[
    {
        "id": 1, 
        "title": "Fashion That Changed the World", 
        "author": "Jennifer Croll"
    }, 
    {
        "id": 2, 
        "title": "Brigitte Bardot - My Life in Fashion", 
        "author": "Henry-Jean Servat and Brigitte Bardot"
    }, 
    {
        "id": 3, 
        "title": "The Fashion Image", 
        "author": "Thomas Werner"
    }
]
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Bearer W3xqSWKLJpZuzyPARZGEhGP9DuPYIufw" \
--header 'Host: contoso.com'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63
Connection: keep-alive
Date: Mon, 07 May 2018 09:45:29 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 41
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

[{"id":3,"title":"The Fashion Image","author":"Thomas Werner"}]
[root@contoso ~]# curl -i -X DELETE \
--url https://localhost:8443/v1/books/3 \
--header "Authorization: Bearer W3xqSWKLJpZuzyPARZGEhGP9DuPYIufw" \
--header 'Host: contoso.com'  --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 34
Connection: keep-alive
Date: Mon, 07 May 2018 09:48:44 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 28
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

{"message":"deleted successfully"}
[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books \
--header "Authorization: Bearer W3xqSWKLJpZuzyPARZGEhGP9DuPYIufw" \
--header 'Host: contoso.com' \
--data 'title=TiDB in Action' \
--data 'author=Tomson'  --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: keep-alive
Date: Mon, 07 May 2018 09:49:01 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 26
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

{"message":"inserted successfully"}
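As noted when the route was created, a single route on the book service cannot grant different permissions per HTTP method, so the token obtained above is accepted for GET, DELETE and POST alike. The upstream service can still enforce a method-level policy using the headers Kong's oauth2 plugin adds to proxied requests (X-Consumer-ID, X-Authenticated-Userid and X-Authenticated-Scope, per the Kong plugin documentation). The handler below is an added example, not the article's PHP backend and not Kong code; the policy "writes require the address scope" and the in-memory book list are constructed for illustration, and it assumes the upstream is reachable only through Kong, since anyone who can reach it directly could set these headers themselves.

```python
"""Upstream-side enforcement of a per-method policy using Kong's auth headers."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed data mirroring the article's book list.
BOOKS = {
    1: {"id": 1, "title": "Fashion That Changed the World", "author": "Jennifer Croll"},
    2: {"id": 2, "title": "Brigitte Bardot - My Life in Fashion",
        "author": "Henry-Jean Servat and Brigitte Bardot"},
    3: {"id": 3, "title": "The Fashion Image", "author": "Thomas Werner"},
}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
REQUIRED_WRITE_SCOPE = "address"  # constructed policy: writes need the 'address' scope


def authorize(method, headers):
    """Return (allowed, reason) for a request, based on Kong's upstream headers.

    Assumption: the service is reachable only via Kong, so a missing
    X-Consumer-ID means the oauth2 plugin did not authenticate the request.
    X-Authenticated-Scope carries the token's scopes, space-separated.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not hdrs.get("x-consumer-id"):
        return False, "no X-Consumer-ID: request did not pass through Kong's oauth2 plugin"
    scopes = set(hdrs.get("x-authenticated-scope", "").split())
    if method.upper() in WRITE_METHODS and REQUIRED_WRITE_SCOPE not in scopes:
        return False, f"{method} requires scope '{REQUIRED_WRITE_SCOPE}', token has {sorted(scopes)}"
    return True, "ok"


def handle_request(method, path, form=None):
    """Apply an already-authorized request to the in-memory store; returns (status, body)."""
    parts = [p for p in path.split("/") if p]        # e.g. ['v1', 'books', '3']
    book_id = int(parts[-1]) if parts and parts[-1].isdigit() else None
    if method == "GET":
        if book_id is None:
            return 200, list(BOOKS.values())
        return (200, [BOOKS[book_id]]) if book_id in BOOKS else (404, {"message": "not found"})
    if method == "DELETE":
        if BOOKS.pop(book_id, None) is None:
            return 404, {"message": "not found"}
        return 200, {"message": "deleted successfully"}
    if method == "POST":
        new_id = max(BOOKS, default=0) + 1
        form = form or {}
        BOOKS[new_id] = {"id": new_id, "title": form.get("title", ""),
                         "author": form.get("author", "")}
        return 200, {"message": "inserted successfully"}
    return 405, {"message": "method not allowed"}


class BookHandler(BaseHTTPRequestHandler):
    """Minimal JSON handler: authorize first, then act on the store."""

    def _handle(self):
        allowed, reason = authorize(self.command, self.headers)
        if not allowed:
            self._send(403, {"error": "forbidden", "reason": reason})
            return
        form = {}
        length = int(self.headers.get("Content-Length", 0))
        if length:
            form = {k: v[0] for k, v in parse_qs(self.rfile.read(length).decode()).items()}
        status, body = handle_request(self.command, self.path, form)
        self._send(status, body)

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_DELETE = _handle


if __name__ == "__main__":
    # Bind to loopback only; Kong's service url would point here (assumed, not the article's setup).
    HTTPServer(("127.0.0.1", 8080), BookHandler).serve_forever()
```

With this in place, a token issued with scope=email as in the article can still read the book list, but its DELETE and POST calls are refused with 403 by the upstream, independently of what the gateway route allows.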

Reproduced from blog.csdn.net/zhengzizhi/article/details/80229332