apolloconfig / apollo

Apollo is a reliable configuration management system suitable for microservice configuration management scenarios.
https://www.apolloconfig.com
Apache License 2.0
29.17k stars 10.2k forks

Can the open platform support managing all applications? Currently a TOKEN has to be authorized one application at a time #3191

Open zhb127 opened 4 years ago

zhb127 commented 4 years ago

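Is your feature request related to a problem? Please describe. During CI/CD, after a build completes, the system notifies APOLLO to update a configuration item. Currently this is done through the open platform HTTP REST API, but open platform authorization has to be added once for every application. Can't a TOKEN be authorized for all applications (including applications added in the future), or be bound directly to a high-privilege account?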


nobodyiam commented 4 years ago

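The current design is fine-grained permission control, so if the same token needs to manage multiple apps, it has to be authorized multiple times.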

cypggs commented 4 years ago

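Same trouble here. For now, apps can be authorized by operating on the database directly:

```sql
-- $i is the RoleId to grant, filled in by the caller
insert into consumerrole (ConsumerId, RoleId, DataChange_CreatedBy, DataChange_CreatedTime, DataChange_LastModifiedBy, DataChange_LastTime)
select ConsumerId, $i, DataChange_CreatedBy, now(), DataChange_LastModifiedBy, now()
from consumerrole where id = 3;
```

But the authorization cannot be done at the moment an application is added: apps cannot be created automatically, and therefore cannot be authorized automatically. Could an API for creating apps be provided?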

nobodyiam commented 4 years ago

An app-creation API needs some thought about how to handle authorization, because currently all permissions are on the app or namespace.

cypggs commented 4 years ago

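> An app-creation API needs some thought about how to handle authorization, because currently all permissions are on the app or namespace.

I implemented it temporarily with a database insert script. I don't know whether there are pitfalls, but everything verified OK. (For a new app, just replace APPNAME with the application name.)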

```sql
-- ApolloConfigDB: the app, its default namespace and default cluster
use ApolloConfigDB;
INSERT INTO App (AppId, Name, OrgId, OrgName, OwnerName, OwnerEmail) VALUES ('APPNAME', 'APPNAME', 'pay', '支付', 'apollo', 'cyp@xxxx.com');
INSERT INTO AppNamespace (Name, AppId, Format, IsPublic, Comment) VALUES ('application', 'APPNAME', 'properties', 0, 'default app namespace');
INSERT INTO Cluster (Name, AppId) VALUES ('default', 'APPNAME');
INSERT INTO Namespace (AppId, ClusterName, NamespaceName) VALUES ('APPNAME', 'default', 'application');

-- ApolloPortalDB: the app as seen by the portal, plus permissions and roles
use ApolloPortalDB;
INSERT INTO App (AppId, Name, OrgId, OrgName, OwnerName, OwnerEmail) VALUES ('APPNAME', 'APPNAME', 'pay', '支付', 'apollo', 'cyp@xxxx.com');
INSERT INTO AppNamespace (Name, AppId, Format, IsPublic, Comment) VALUES ('application', 'APPNAME', 'properties', 0, 'default app namespace');
INSERT INTO Permission (PermissionType, TargetId) VALUES ('CreateCluster', 'APPNAME'), ('CreateNamespace', 'APPNAME'), ('AssignRole', 'APPNAME'), ('ModifyNamespace', 'APPNAME+application'), ('ReleaseNamespace', 'APPNAME+application');
INSERT INTO Role (RoleName) VALUES ('Master+APPNAME'), ('ModifyNamespace+APPNAME+application'), ('ReleaseNamespace+APPNAME+application');

-- Link each role to its permissions
insert into RolePermission (RoleId, PermissionId) select R.id, P.id from Role R, Permission P where R.RoleName = "Master+APPNAME" and P.TargetId = "APPNAME";
insert into RolePermission (RoleId, PermissionId) select R.id, P.id from Role R, Permission P where R.RoleName = "ModifyNamespace+APPNAME+application" and P.TargetId = "APPNAME+application" and P.PermissionType = "ModifyNamespace";
insert into RolePermission (RoleId, PermissionId) select R.id, P.id from Role R, Permission P where R.RoleName = "ReleaseNamespace+APPNAME+application" and P.TargetId = "APPNAME+application" and P.PermissionType = "ReleaseNamespace";

-- Give the "apollo" user the new roles.
-- LIKE '%APPNAME%' also matches roles of any other app whose id contains APPNAME.
insert into UserRole (UserId, RoleId) select "apollo", r.id from Role r where r.RoleName like '%APPNAME%';
```

cypggs commented 4 years ago

Here is the ultimate script version, help yourself.

```bash
#!/bin/bash

NS=PAY
APP_NAME=case2
TYPE=java
mkdir -p /data/apollo-sql/
cd /data/apollo-sql/ || exit 1

# Back up the Apollo databases
mysqldump ApolloConfigDB > "ApolloConfigDB.sql$(date "+%d")"
mysqldump ApolloPortalDB > "ApolloPortalDB.sql$(date "+%d")"
APP_NAME_CN=$(mysql -NB ApolloConfigDB -e "select OrgName from App where OrgId='${NS}' limit 1")

# Generate the MySQL script that inserts the Apollo app
cat > "/data/apollo-sql/${APP_NAME}.sql" <<EOF
use ApolloConfigDB;
INSERT INTO App (AppId, Name, OrgId, OrgName, OwnerName, OwnerEmail) VALUES ('$APP_NAME', '$APP_NAME', '${NS}', '${APP_NAME_CN}', 'apollo', 'apollo@acme.com');
INSERT INTO AppNamespace (Name, AppId, Format, IsPublic, Comment) VALUES ('application', '$APP_NAME', 'properties', 0, 'default app namespace');
INSERT INTO Cluster (Name, AppId) VALUES ('default', '$APP_NAME');
INSERT INTO Namespace (AppId, ClusterName, NamespaceName) VALUES ('$APP_NAME', 'default', 'application');
use ApolloPortalDB;
INSERT INTO App (AppId, Name, OrgId, OrgName, OwnerName, OwnerEmail) VALUES ('$APP_NAME', '$APP_NAME', '${NS}', '${APP_NAME_CN}', 'apollo', 'apollo@acme.com');
INSERT INTO AppNamespace (Name, AppId, Format, IsPublic, Comment) VALUES ('application', '$APP_NAME', 'properties', 0, 'default app namespace');
INSERT INTO Permission (PermissionType, TargetId) VALUES ('CreateCluster', '$APP_NAME'),('CreateNamespace', '$APP_NAME'),('AssignRole', '$APP_NAME'),('ModifyNamespace', '$APP_NAME+application'),('ReleaseNamespace','$APP_NAME+application'),('ModifyNamespace', '$APP_NAME+application+PRO'),('ReleaseNamespace','$APP_NAME+application+PRO');
INSERT INTO Role (RoleName) VALUES ('Master+$APP_NAME'),('ModifyNamespace+$APP_NAME+application'),('ReleaseNamespace+$APP_NAME+application'),('ModifyNamespace+$APP_NAME+application+PRO'),('ReleaseNamespace+$APP_NAME+application+PRO');
INSERT INTO RolePermission (RoleId, PermissionId) select R.id,P.id from Role R, Permission P where R.RoleName = "Master+$APP_NAME" and P.TargetId = "$APP_NAME";
INSERT INTO RolePermission (RoleId, PermissionId) select R.id,P.id from Role R, Permission P where R.RoleName = "ModifyNamespace+$APP_NAME+application" and P.TargetId = "$APP_NAME+application" and P.PermissionType = "ModifyNamespace";
INSERT INTO RolePermission (RoleId, PermissionId) select R.id,P.id from Role R, Permission P where R.RoleName = "ReleaseNamespace+$APP_NAME+application" and P.TargetId = "$APP_NAME+application" and P.PermissionType = "ReleaseNamespace";
INSERT INTO RolePermission (RoleId, PermissionId) select R.id,P.id from Role R, Permission P where R.RoleName = "ModifyNamespace+$APP_NAME+application+PRO" and P.TargetId = "$APP_NAME+application+PRO" and P.PermissionType = "ModifyNamespace";
INSERT INTO RolePermission (RoleId, PermissionId) select R.id,P.id from Role R, Permission P where R.RoleName = "ReleaseNamespace+$APP_NAME+application+PRO" and P.TargetId = "$APP_NAME+application+PRO" and P.PermissionType = "ReleaseNamespace";
INSERT INTO UserRole (UserId, RoleId) select "apollo", r.id from Role r where r.RoleName = 'Master+$APP_NAME';
INSERT INTO UserRole (UserId, RoleId) select "apollo", r.id from Role r where r.RoleName = 'ModifyNamespace+$APP_NAME+application';
INSERT INTO UserRole (UserId, RoleId) select "apollo", r.id from Role r where r.RoleName = 'ReleaseNamespace+$APP_NAME+application';
INSERT INTO ConsumerRole (ConsumerId, RoleId, DataChange_CreatedBy, DataChange_LastModifiedBy) select C.Id, R.id, 'apollo', 'apollo' from Role R, Consumer C where R.RoleName = "Master+$APP_NAME" and C.AppId = "apollo-api";
EOF

# Check whether the app already exists; only insert when it does not
CHECKAPP=$(mysql -NB ApolloConfigDB -e "select AppId from App where AppId='$APP_NAME'")
[[ "$TYPE" == 'java' ]] && [[ -z "$CHECKAPP" ]] && mysql --default-character-set=utf8 -e "source /data/apollo-sql/${APP_NAME}.sql"
```
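
To check what the direct `ConsumerRole` inserts in this thread actually grant, the following read-only queries list each token's effective permissions and flag grants worth reviewing. This is an added example, not part of any comment above and not Apollo project code; it uses the table and column names from the scripts above and assumes `ConsumerRole` carries an `IsDeleted` soft-delete column.

```sql
-- Added example: review what each open-platform consumer (token) can do.
-- Tables and columns are the ones used in the scripts in this thread, except
-- IsDeleted, which is assumed to be the soft-delete flag on ConsumerRole.
USE ApolloPortalDB;

-- 1. Effective permissions per consumer:
--    Consumer -> ConsumerRole -> Role -> RolePermission -> Permission.
--    A NULL PermissionType means the role has no RolePermission rows.
SELECT C.AppId AS ConsumerAppId,
       R.RoleName,
       P.PermissionType,
       P.TargetId,
       CR.DataChange_CreatedBy,
       CR.DataChange_CreatedTime
FROM Consumer C
JOIN ConsumerRole CR        ON CR.ConsumerId = C.Id
JOIN Role R                 ON R.Id = CR.RoleId
LEFT JOIN RolePermission RP ON RP.RoleId = R.Id
LEFT JOIN Permission P      ON P.Id = RP.PermissionId
WHERE CR.IsDeleted = 0
ORDER BY C.AppId, R.RoleName, P.PermissionType;

-- 2. Consumers that can assign roles, and on how many apps.
SELECT C.AppId AS ConsumerAppId,
       COUNT(DISTINCT P.TargetId) AS AppsWithAssignRole
FROM Consumer C
JOIN ConsumerRole CR   ON CR.ConsumerId = C.Id
JOIN RolePermission RP ON RP.RoleId = CR.RoleId
JOIN Permission P      ON P.Id = RP.PermissionId
WHERE CR.IsDeleted = 0
  AND P.PermissionType = 'AssignRole'
GROUP BY C.AppId
ORDER BY AppsWithAssignRole DESC;

-- 3. ConsumerRole rows whose RoleId matches no Role row, which a hand-written
--    INSERT with a wrong role id would leave behind.
SELECT CR.Id, CR.ConsumerId, CR.RoleId, CR.DataChange_CreatedBy
FROM ConsumerRole CR
LEFT JOIN Role R ON R.Id = CR.RoleId
WHERE R.Id IS NULL;
```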

qixiaobo commented 3 years ago

Many ops applications have this kind of requirement, even including creating apps.

sulin2018 commented 2 years ago

Is there a plan to support this issue? It would be quite useful.

No-SilverBullet commented 3 months ago

https://github.com/No-SilverBullet/apollo-token-batcher You can refer to this project; it can grant an openapi token permissions on applications in batch.

lilianzhu commented 1 month ago

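Same need here. Integrating a devops platform requires a global token for modifying application configuration; having to add applications one by one is completely unworkable. Does the project have any plan to improve this?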