Metadata access rule #14

Merged
merged 11 commits into from
Jun 8, 2017

Conversation

jolestar
Contributor

Restrict the scope of metadata a node can fetch by defining access rules separately from the data.

New endpoint: /v1/rule, used to submit access rules.

  1. PUT|POST: modify. The access rules submitted for an IP directly replace all rules previously stored for that IP.

    {
      "192.168.1.10":[{"path":"/clusters/cl-1", "mode":1}]
    }
  2. GET: fetch.
    The response has the same shape as the POST body. The hosts parameter lists the IPs whose access rules to fetch, comma-separated; if it is omitted, all rules are returned.

  3. DELETE: delete.
    The hosts parameter lists the IPs whose access rules to delete, comma-separated.

Access rule definition:

type AccessRule struct {
	Path string     `json:"path"` // the path this rule applies to
	Mode AccessMode `json:"mode"` // the access mode of the rule
}

Access rule modes:

  • 0 forbids access to the path
  • 1 allows reading the path

Special notes on rule paths:

  1. A rule path may contain the wildcard *, which matches everything at that position.
  2. An explicit path rule takes priority over a wildcard rule.
  3. A deeper path rule takes priority over a shallower one.

For example, with the following rules:

[
   {
      "path":"/",
      "mode":0
   },
   {
      "path":"/clusters",
      "mode":1
   },
   {
      "path":"/clusters/*/env",
      "mode":0
   },
   {
      "path":"/clusters/cl-1",
      "mode":1
   }
]
  1. The root is forbidden but /clusters is allowed, so this client can access everything under /clusters, but not any other directory under the root.
  2. The rule /clusters/*/env means the env directory under every clusters/cl-xxx is forbidden; for example, this client cannot access /clusters/cl-2/env.
  3. /clusters/cl-1 explicitly grants read permission on the /clusters/cl-1 directory, so this client can access all data under /clusters/cl-1, including /clusters/cl-1/env.
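The three precedence rules above, worked through as an added Go example (this is not code from the PR or from the project; the node/tree layout, the modeNil sentinel, the LoadRules and Mode names, and the deny-by-default for paths no rule covers are all assumptions). Rule 3 in the description is implemented as "at each path component, follow the explicit child before the * child, then let the deepest rule on that branch win", which is what makes /clusters/cl-1/env readable while /clusters/cl-2/env is not. The example also rejects a mode other than 0 or 1 at load time, since rule bodies arrive from clients over /v1/rule.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AccessMode follows the PR: 0 forbids access, 1 allows reading.
// modeNil is an added sentinel for a tree node that carries no rule itself.
type AccessMode int

const (
	modeNil             AccessMode = -1
	AccessModeForbidden AccessMode = 0
	AccessModeRead      AccessMode = 1
)

// AccessRule is the JSON shape accepted by /v1/rule.
type AccessRule struct {
	Path string     `json:"path"`
	Mode AccessMode `json:"mode"`
}

// node is one path component of the rule tree (layout assumed for this example).
type node struct {
	mode     AccessMode
	children map[string]*node
}

func newNode() *node { return &node{mode: modeNil, children: map[string]*node{}} }

// RuleTree holds the compiled rules of one client IP.
type RuleTree struct{ root *node }

// splitPath turns "/clusters/cl-1/" into ["clusters", "cl-1"].
func splitPath(p string) []string {
	var parts []string
	for _, c := range strings.Split(p, "/") {
		if c != "" {
			parts = append(parts, c)
		}
	}
	return parts
}

// LoadRules parses one IP's rule list (the value in the PUT body) into a tree;
// a later rule for the same path overwrites an earlier one. Any mode other
// than 0 or 1 is rejected because the list comes from a client over HTTP.
func LoadRules(data []byte) (*RuleTree, error) {
	var rules []AccessRule
	if err := json.Unmarshal(data, &rules); err != nil {
		return nil, err
	}
	t := &RuleTree{root: newNode()}
	for _, r := range rules {
		if r.Mode != AccessModeForbidden && r.Mode != AccessModeRead {
			return nil, fmt.Errorf("rule %q: unknown mode %d", r.Path, r.Mode)
		}
		cur := t.root
		for _, c := range splitPath(r.Path) {
			child, ok := cur.children[c]
			if !ok {
				child = newNode()
				cur.children[c] = child
			}
			cur = child
		}
		cur.mode = r.Mode
	}
	return t, nil
}

// Mode resolves the effective mode of a request path: at every component the
// explicit child is followed in preference to "*" (explicit beats wildcard),
// and the deepest rule found on that branch wins (deep beats shallow). A path
// that no rule covers is forbidden; that default is an assumption of this
// example, the PR text does not state one.
func (t *RuleTree) Mode(path string) AccessMode {
	cur, effective := t.root, t.root.mode
	for _, c := range splitPath(path) {
		next, ok := cur.children[c]
		if !ok {
			next, ok = cur.children["*"]
		}
		if !ok {
			break // no deeper rule on this branch; the last one seen applies
		}
		cur = next
		if cur.mode != modeNil {
			effective = cur.mode
		}
	}
	if effective == modeNil {
		return AccessModeForbidden
	}
	return effective
}

// exampleRules is the rule list from the PR description.
const exampleRules = `[
  {"path": "/", "mode": 0},
  {"path": "/clusters", "mode": 1},
  {"path": "/clusters/*/env", "mode": 0},
  {"path": "/clusters/cl-1", "mode": 1}
]`

func main() {
	tree, err := LoadRules([]byte(exampleRules))
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"/", "/nodes", "/clusters/cl-2", "/clusters/cl-2/env", "/clusters/cl-1/env"} {
		fmt.Printf("%-20s mode=%d\n", p, tree.Mode(p))
	}
}
```

Because the wildcard branch is only taken when no explicit child exists, a rule such as /clusters/*/env can never tighten a cluster that has its own explicit rule; if that is not the intended semantics, the two precedence rules need an explicit tie-break in the documentation.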

Collaborator

@martinyunify martinyunify left a comment

please remove unused parameters and configs...

@@ -209,39 +274,50 @@ func (c *Client) internalSync(prefix string, store store.Store, stopChan chan bo
}()

for !init {
val, err := c.internalGets(prefix, "/")
err := initStoreFunc()
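Review bot: the `for !init {` loop in this hunk has no exit on stopChan, so if initStoreFunc keeps returning an error the loop never observes a stop request. Add a non-blocking check such as `select { case <-stopChan: return default: }` at the top of the loop body (or check ctx.Done() if a context is available), and since the replacement drops the `val` that internalGets used to return, note in a comment that initStoreFunc is now responsible for populating the store.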

  1. Inside this for !init {} loop, should there be a check on stopChan so the loop can exit?
  2. I don't quite follow cancelRoutine and stopChan. Could we simply use
select {
  case <-stopChan:
     cancel()
     return
  default:
}

Why is cancelRoutine also needed to control exiting the loop?

Contributor Author

This has been refactored.

  1. The exit condition of !init {} is now checked.
  2. cancelRoutine was being used incorrectly before; it is there to make sure the goroutine that reads stopChan exits properly.

I see internalSync still has cancelRoutine. Is it still needed? Can it be removed?

store/access.go Outdated
}
child := curr.GetChild(component, true)
if child == nil {
child = &AccessNode{Name: component, Mode: AccessModeNil, parent: curr}
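Review bot: a node created on this line starts with Mode: AccessModeNil, and nothing in the hunk says how a nil mode is resolved when a request path has no rule of its own (inherit the nearest ancestor's mode, or deny). Document that resolution on AccessNode, and give the bare `true` argument of `curr.GetChild(component, true)` a named constant or a separate method so the create-if-missing behaviour is readable at the call site.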

The current node defaults to the AccessModeNil permission. Take /c1/c2/c3 for example: if a user has write permission on /c1, do they not have write permission on /c1/c2? Has inheritance of the parent key's permission by child keys been considered?

begin = AccessMode(-2)
AccessModeNil = AccessMode(-1)
AccessModeForbidden = AccessMode(0)
AccessModeRead = AccessMode(1)
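Review bot: `begin = AccessMode(-2)` is a range sentinel next to the real modes, so a mode arriving over /v1/rule presumably passes a `begin < m < end` style check; since AccessModeNil (-1) lies inside that range, make sure the check used for client input accepts only AccessModeForbidden and AccessModeRead and rejects Nil, which is an internal marker, with an error at submission time rather than storing it. A one-line comment on each constant would also make the sentinel's purpose clear.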

Are these permissions sufficient? Is there a need for Read, Write and Read/Write?

Contributor Author

Write can be added if there is a need; when adding it, just move end further along.

return r.changeToResult(w, ctx.Done())
}
w := r.data.Watch(nodePath, DEFAULT_WATCH_BUF_LEN)
return r.changeToResult(w, ctx.Done())
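Review bot: both branches in this hunk end in `return r.changeToResult(w, ctx.Done())`, and the second one opens a watch on nodePath with DEFAULT_WATCH_BUF_LEN before returning; if the first branch is the access-rule-filtered path, confirm that a client without read permission on nodePath cannot fall through to the second, unfiltered watch, and that the watcher is released when ctx.Done() fires so a client that disconnects does not leak a buffered watch. Go naming convention also prefers DefaultWatchBufLen over DEFAULT_WATCH_BUF_LEN.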

In changeToResult, could the timeout be handled directly with a timer such as case <-time.After(n * time.Second)?

Contributor Author

This request is fairly frequent, so I added a timePool to control it.

return val
if traveller.Enter(nodePath) {
val := traveller.GetValue()
traveller.BackToRoot()
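Review bot: the branch where `traveller.Enter(nodePath)` returns false is not visible in this hunk; make sure it returns an empty value and does not fall through to the `return val` shown above, otherwise a denied path would still be served. Consider also putting `traveller.BackToRoot()` in a defer right after Enter succeeds, so the traveller is reset even if GetValue panics or an early return is added later.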

When the same key is fetched repeatedly, the next key is quite likely a sibling or child of this curr node, isn't it? Isn't backToRoot too early in that case?

Contributor Author

This is the self mapping, and the recorded paths are absolute. Without backToRoot we would have to compute the path relative to the previous data request, which is hard to implement.


@jolestar jolestar merged commit 329e0bd into master Jun 8, 2017
@jolestar jolestar deleted the metadata_permision branch June 8, 2017 16:14