
How to Implement Gateway Access Control with OpenResty

2025-01-19 Update From: SLTechnology News&Howtos

This article shows how to implement access control at an OpenResty gateway.

Technology stack

This article uses the following technology stack:

OpenResty (Lua + nginx)

MySQL

Redis

cjson

Verification process

User requests pass through nginx, where an OpenResty module intercepts each request and decides whether it is permitted.

OpenResty's access_by_lua_file stage performs a series of checks:

First it checks whether the requested URI is on the whitelist. If it is, the request passes verification directly and moves on to the next stage, content_by_lua_file, which simply prints a sentence: "Congratulations, request approved."

If the requested URI is not on the whitelist, the token must be read from the request header. If the header contains no token, 401 is returned immediately and access is denied.

If the request header contains a token, the token is taken out and decrypted to obtain the user id.

The database is queried for the user's permissions using the extracted user id. If the permissions include the requested URI, the request is allowed; otherwise it is rejected.

If the request passes the access_by_lua_file stage, it reaches the content_by_lua_file stage, which directly returns a string to the user. In real development this stage would probably route the request to the server of the specific application.

The verification flowchart is as follows:

Run vim /usr/example/example.conf and add the following configuration:

    location / {
        default_type "text/html";
        access_by_lua_file /usr/example/lua/api_access.lua;
        content_by_lua_file /usr/example/lua/api_content.lua;
    }

With this configuration, any request that does not match one of the other existing location paths falls through to location /. Requests handled by this location go through the checks in access_by_lua_file and then content_by_lua_file.

Run vim /usr/example/lua/api_access.lua and add the following code:

    local tokentool = require "tokentool"
    local mysqltool = require "mysqltool"

    -- Return true if value is one of the entries of the array tab
    local function is_include(value, tab)
        for _, v in ipairs(tab) do
            if v == value then
                return true
            end
        end
        return false
    end

    local white_uri = {"/user/login", "/user/validate"}

    -- local user_id = ngx.req.get_uri_args()["userId"]
    -- Get the token value from the request header
    local headers = ngx.req.get_headers()
    local token = headers["token"]
    local url = ngx.var.uri

    if (not token) or (token == ngx.null) then
        -- No token: only whitelisted URIs may pass
        if not is_include(url, white_uri) then
            return ngx.exit(401)
        end
    else
        local user_id = tokentool.get_user_id(token)
        if (not user_id) or (user_id == ngx.null) then
            return ngx.exit(401)
        end
        -- Log the resolved user id only; the token is a credential and stays out of the logs
        ngx.log(ngx.ERR, "user_id: " .. user_id)

        -- Read the permissions from Redis first, then fall back to MySQL
        local permissions = tokentool.get_permissions(user_id)
        if (not permissions) or (permissions == ngx.null) then
            permissions = mysqltool.select_user_permission(user_id)
            if permissions and permissions ~= ngx.null then
                tokentool.set_permissions(user_id, permissions)
            end
        end
        if (not permissions) or (permissions == ngx.null) then
            return ngx.exit(401)
        end

        local is_contain_permission = is_include(url, permissions)
        if not is_contain_permission then
            return ngx.exit(401)
        end
        -- ngx.say("congratulations! You have passed the api gateway")
    end

In the above code:

is_include(value, tab) determines whether a string is in the table.

white_uri = {"/user/login", "/user/validate"} is the whitelist.

local headers = ngx.req.get_headers() reads the request headers, from which the token is taken.

is_include(url, white_uri) determines whether the URL is a whitelisted URL.

local user_id = tokentool.get_user_id(token) obtains the user_id of the user the token belongs to. Normally the user_id would be parsed out of the token itself, but encrypting and decrypting tokens across different languages is troublesome, so I took a shortcut and stored the mapping in Redis directly, saving it after the user logs in successfully.

permissions = tokentool.get_permissions(user_id) gets the user's permissions from Redis according to user_id.

permissions = mysqltool.select_user_permission(user_id) reads the permissions from the database if Redis does not hold them for this user.

tokentool.set_permissions(user_id, permissions) stores the permissions read from the database in Redis.

local is_contain_permission = is_include(url, permissions) determines whether the URL is in the user's permission list.

If all the checks pass and the user is allowed to access the URL, the request enters the content_by_lua_file stage, which directly returns "congratulations! you have passed the api gateway".
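The access script calls a tokentool module that the article does not list. The following is an added example of such a module, not the author's code: it assumes lua-resty-redis and cjson from the OpenResty bundle, Redis on 127.0.0.1:6379, numeric user ids, and a hypothetical permissions:<user_id> cache key with a 300-second expiry.

```lua
-- tokentool.lua: added illustration, not the article's own module.
-- Assumed: Redis on 127.0.0.1:6379, token key -> user id, "permissions:<id>" cache key.
local redis = require "resty.redis"
local cjson = require "cjson.safe"   -- encode/decode return nil instead of raising
local _M = {}
local PERMISSION_TTL = 300           -- seconds a cached permission list stays valid

-- Run fn(red) on a pooled connection; any Redis error yields nil (fail closed).
local function with_redis(fn)
    local red = redis:new()
    red:set_timeout(1000)            -- 1 s for connect/send/read
    local ok, err = red:connect("127.0.0.1", 6379)
    if not ok then
        ngx.log(ngx.ERR, "redis connect failed: ", err)
        return nil
    end
    local res, cmd_err = fn(red)
    if cmd_err then
        ngx.log(ngx.ERR, "redis command failed: ", cmd_err)
        red:close()
        return nil
    end
    red:set_keepalive(10000, 100)    -- return the connection to the pool
    return res
end

-- Returns the user id stored under the token, or nil when the token is unknown.
function _M.get_user_id(token)
    local res = with_redis(function(red) return red:get(token) end)
    -- A missing key is ngx.null; accepting only digits (assumed id format)
    -- also rejects a "token" that names some other Redis key.
    if type(res) ~= "string" or not res:find("^%d+$") then return nil end
    return res
end

-- Returns the cached list of permitted URIs, or nil on a cache miss.
function _M.get_permissions(user_id)
    local res = with_redis(function(red) return red:get("permissions:" .. user_id) end)
    if not res or res == ngx.null then return nil end
    return cjson.decode(res)
end

-- Caches the permission list as JSON with an expiry.
function _M.set_permissions(user_id, permissions)
    local json = cjson.encode(permissions)
    if not json then return nil end
    return with_redis(function(red)
        return red:setex("permissions:" .. user_id, PERMISSION_TTL, json)
    end)
end
return _M
```

The expiry bounds how long a permission removed in MySQL keeps working from the cache, and a failed token lookup returns nil so the access script answers 401.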

Run vim /usr/example/lua/api_content.lua and add the following:

    ngx.say("congratulations!", " you have passed ", "the api gateway")
    -- exit with status code 200
    return ngx.exit(200)

Verification demo

Open a browser to access http://116.196.177.123/user/login, and the browser displays:

Congratulations! You have passed the api gateway

The URL /user/login is on the whitelist, so it passes the permission check.

Open a browser to access http://116.196.177.123/user/sss and display the following:

401 Authorization Required

Openresty/1.11.2.4

Add a key-value pair to Redis with key token_forezp and value 1; that is, the id of the user corresponding to token_forezp is 1.

    /usr/servers/redis-3.2.6/src/redis-cli
    set token_forezp 1

Run the following SQL script to associate a role and permissions with the user whose id is 1:

    INSERT INTO `permission` VALUES ('1', '/user/orgs');
    INSERT INTO `role` VALUES ('1', 'user');
    INSERT INTO `permission` VALUES ('1', '1', '1');
    INSERT INTO `user` VALUES ('1', 'forezp');
    INSERT INTO `role` VALUES ('1', '1', '1');

Send a request with Postman, adding a token header whose value is token_forezp. The request result is as follows:
