Merge branch '1.3.x' into 1.4.x
diff --git a/ReleaseNotes.md b/ReleaseNotes.md
index 9090c0c..c91daf1 100644
--- a/ReleaseNotes.md
+++ b/ReleaseNotes.md
@@ -1,5 +1,7 @@
# 认证授权产品发布说明 ReleaseNotes
+[TOC]
+
## 版本说明
@@ -18,8 +20,24 @@
#### develop
-##### 1.3.0 (SNAPSHOT)
+##### 1.4.0 (SNAPSHOT)
+chore: 升级版本,1.4.0-SNAPSHOT
+
+
+#### 1.3.x
+
+##### 1.3.1 (SNAPSHOT)
+
+chore: 升级版本,1.3.1-SNAPSHOT
+
+
+##### 1.3.0
+
+chore: 发布版本 1.3.0-RELEASE
+chore: 新分支1.3.x,预发布,版本号 1.3.0-SNAPSHOT
+feat: 人脸识别接口,支持新开普人脸、百度人脸
+feat: 默认关闭db连接
chore: 升级版本,1.3.0-SNAPSHOT
@@ -56,8 +74,28 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 日志管理bug修复;用户授权模板中文乱码
+fix: 日志管理bug修复
+fix: authx-log日志代码调整,操作数据类型修改为枚举
+feat: 对接authx-log记录日志
+Merge branch 'release-1.3.0' into develop
chore: 升级版本,1.4.0-SNAPSHOT
@@ -157,8 +195,29 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+fix: 日志管理组织机构查询结果不正确修改
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 修改日志管理bug
+feat: 双因子认证;二次认证
+fix: 人员详情问题修改
+feat: 日志管理
+fix: 人员管理删除人员bug
chore: 升级版本,1.4.0-SNAPSHOT
@@ -216,8 +275,38 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 日志管理bug修复
+fix: authx-log日志代码调整,操作数据类型修改为枚举
+refactor: 重新整理 authx-log的代码,确保poa rabbitmq 连接正常
+fix: authx-log相关配置修改;chore: 整理k8s脚本
+fix: 修正部署问题
+style: 恢复管理后台修改密码的代码逻辑
+fix: 日志代码修改
+fix: 修正 redis 依赖 导致启动失败的问题
+fix: poa-api pom引用删除spring-cloud-starter-openfeign
+fix: 管理操作日志代码调整
+feat: poa应用调用日志
+fix: 管理操作日志代码调整
+feat: 用户操作日志、管理操作日志
+feat: 新增密码状态字段,及相关检测接口
+Merge branch 'release-1.3.0' into develop
chore: 升级版本,1.4.0-SNAPSHOT
@@ -658,8 +747,29 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+fix: 日志管理bug修复
+fix: authx-log日志代码调整,操作数据类型修改为枚举
+fix: 整理authx-log代码
+fix: authx-log相关配置修改;chore: 整理k8s脚本
+feat: poa应用调用日志
+feat: 授权操作日志
+Merge branch 'release-1.3.0' into develop
chore: 升级版本,1.4.0-SNAPSHOT
@@ -881,8 +991,50 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 修正登录方式的读取
+fix: 修正双因子认证UI
+feat: 读取attest接口返回的 attestServerUrl
+fix: 日志管理bug修复
+refactor: 优化双因子、日志收集的代码逻辑
+fix: 修正rabbitmq template connectionFactory 连接错误的问题
+chore: log 输出线程名,方便调试
+fix: 支持event listener 的异步执行
+fix: 优化rabbitmq 处理,防止线程阻塞、超时
+fix: 发送时,检测token是否过期,若过期,则重新初始化
+fix: 修正无须双因子时,页面请求异常的问题
+fix: 修正时间长度比较的异常
+fix: authx-log日志代码调整,操作数据类型修改为枚举
+fix: 调整attest-server 地址,将 后端请求用的地址 和 前端请求用的地址 的相关配置分开
+feat: 调整redis key 前缀
+feat: 动态检测,用户登录时,是否跨城市
+feat: 根据策略配置,进行检测(动态检测待处理)
+feat: 认证登录,多因子
+feat: 对接authx-log,将登录日志推送至消息队列
+fix: authx-log相关配置修改;chore: 整理k8s脚本
+fix: 修正编译错误
+feat: 整理sql
+fix: 操作日志代码调整
+feat: 操作日志
+feat: 增加跳转标记,处理用户完善、密码修改等跳转,出现冲突
+feat: 登录时,支持密码安全性的检测,若存在异常,则可跳转到修改页面
+Merge branch 'release-1.3.0' into develop
chore: 升级版本,1.4.0-SNAPSHOT
@@ -1363,8 +1515,50 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+chore: 整理k8s脚本
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 修正接口错误
+feat: 新增接口,获取用户在当前设备的公钥
+fix: 修正重试时,无法获取新 token 的问题
+feat: 增加loginName
+refactor: 优化双因子、日志收集的代码逻辑
+fix: 修正登录异常 null,增加判断
+feat: 完善帐号密码登录时,日志记录
+chore: 整理k8s部署脚本
+fix: 修正rabbitmq 相关bean 冲突,导致的启动错误
+feat: 读取attest接口返回的 attestServerUrl
+fix: 修正时间长度比较的异常
+feat: 对登录接口进行mfa 的拦截处理,验证mfa 是否成功
+fix: 调整attest-server 地址,将 后端请求用的地址 和 前端请求用的地址 的相关配置分开
+fix: 获取request 的IP、userAgent
+feat: App端,认证双因子
+feat: 整理登录日志,推送至 authx-log
+chore: 调整poa地址
+refactor: 优化接口
+feat: 修改apppush 接口
+feat: 将 apppush 修改为公共服务,通过poa调用
+fix: 修正 AttestRabbitMQConfiguration 配置错误
+feat: 发送APP推送至用户当前登录的设备
+feat: 登录成功后,返回passwordStatus 密码状态
+feat: 帐号密码登录时,检测密码安全性
+feat: 对接远程接口,detectPassword
+Merge branch 'release-1.3.0' into develop
chore: 升级版本,1.4.0-SNAPSHOT
@@ -1592,8 +1786,40 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+chore: 整理k8s脚本
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 日志管理bug修复
+fix: authx-log 去掉查询日志记录
+fix: authx-log日志代码调整,操作数据类型修改为枚举
+fix: authx-log相关配置修改;chore: 整理k8s脚本
+fix: 用户操作日志修改
+fix: 安全手机、安全邮箱为空时,可跳过验证身份
+fix: 启动类注入EnableAuthxLogTransmitZuul过滤器不生效bug
+feat: 返回安全手机、安全邮箱
+docs: 整理k8s部署yaml
+fix: 关闭RabbitAutoConfiguration 自动配置
+refactor: 将authx-log 的rabbitmq 的相关代码都移入 authx.log 包下;同时,采用独立的rabbitmq 配置,并支持 enable/disable
+feat: 操作日志代码整理
+feat: 调整强制修改密码的接口逻辑
+feat: 用户操作日志
+feat: 密码状态异常时,强制修改密码的接口
+Merge branch 'release-1.3.0' into develop
chore: 升级版本,1.4.0-SNAPSHOT
@@ -1949,8 +2175,59 @@
#### develop
-##### 1.4.0 (SNAPSHOT)
+##### 1.5.0 (SNAPSHOT)
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+Merge branch 'release-1.3.1' into 1.4.x
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+fix: 修正jenkins构建错误
+fix: 修改强制修改密码失败后返回的问题
+fix: 重新修改密码
+fix: 强制密码问题修改
+fix: 强制修改密码没有身份认证
+fix: 强制密码修改-路由修改
+fix: 修改密码提示语
+fix: 重置密码接口联调
+fix: 安全中心修改密码增加密码强度提示
+fix:安全分数提示修改
+fix: 修正移动浏览器,安全中心绑定QQ等,绑定失败的问题处理
+fix: qq绑定问题
+QQ绑定问题修改
+fix: 安全分数计算修改
+fix: 钉钉绑定
+fix: 修改安全登录设置
+fix: 联合登录绑定设置
+fix: 修改安全分数
+fix: 修改H5路径
+fix: 安全等级文字设置
+fix: 修改bug
+fix: 修改绑定第三方
+fix: bug修改
+fix:账号激活证件号码必填
+fix: 字体大小修改
+退出登录
+fix: 修改登录密码问题
+fix: 修改提示消息样式
+fix: 安全登录设置接口联调
+feat:绑定账号
+fix: 社交账号绑定
+feat: 安全中心移动端接口联调
+feat: 安全中心移动端适配
+fix: 激活账号;重置密码移动端适配
+Merge branch 'release-1.3.0' into develop
+fix: 绑定QQ
chore: 升级版本,1.4.0-SNAPSHOT
@@ -2122,6 +2399,112 @@
+### attest-server
+
+身份验证服务
+
+#### develop
+
+##### 1.5.0 (SNAPSHOT)
+
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+chore: 整理k8s脚本
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+chore: jenkins 自动化构建
+chore: 升级版本,1.4.0-SNAPSHOT
+
+
+##### 1.0.0 (SNAPSHOT)
+
+fix: 修正回调页面的问题
+docs: 文档
+feat: APP推送时,回调页面中显示 确认码,确保推送消息与PC端一致性
+fix: url 增加时间戳,防止缓存
+style: 调整命名
+docs: 人脸识别验证的接口文档,调整接口说明
+feat: 支持url scheme 可配置
+docs: 人脸识别验证的接口文档,调整接口说明
+docs: 人脸识别验证的接口文档
+feat: 人脸识别 验证
+feat: 远程获取用户登录APP后提交的公钥
+chore: 修改 application name
+fix: 修正重试时,无法获取新 token 的问题
+feat: 人脸识别
+refactor: 调整GuardService 接口,移除无用的代码
+docs: 完善接口文档
+feat: 发送前,检测token 是否过期
+docs: 整理文档
+feat: GuardToken 增加 state 业务端状态,便于对业务端的提交的验证请求进行合法性校验
+fix: 修正邮件验证码发送失败的问题
+feat: 对接 poa,apppush 接口
+fix: 修正 AttestRabbitMQConfiguration 配置错误
+feat: apppush,向 rabbitmq 发送推送消息,由 token-server 监听后,进行处理
+fix: 修正view 找不到的问题
+feat: APP推送,回调页面
+feat: 修正jwt token 验证
+fix: 解决请求跨域问题
+fix: 修正 token 创建时,空指针异常
+fix: 修正GuardService 注入错误
+chore: 初始导入
+
+
+
+### authx-log
+
+日志服务
+
+#### develop
+
+##### 1.5.0 (SNAPSHOT)
+
+chore: 升级版本,1.5.0-SNAPSHOT
+
+
+#### 1.4.x
+
+##### 1.4.1 (SNAPSHOT)
+
+chore: 升级版本,1.4.1-SNAPSHOT
+
+
+##### 1.4.0
+
+chore: 发布版本,1.4.0-RELEASE
+chore: 整理k8s脚本
+chore: 新分支1.4.x,预发布,版本号 1.4.0-SNAPSHOT
+chore: jenkins 自动化构建
+chore: 升级版本,1.4.0-SNAPSHOT
+
+
+##### 1.0.0 (SNAPSHOT)
+
+fix: 日志管理bug修复
+fix: ip地址截取
+fix: 应用访问日志接口查询条件修改
+fix: 导出bug修复
+feat: 日志管理增加导出接口
+fix: 日志服务修改
+feat: 日志管理查询接口
+fix: 日志服务代码调整
+feat: 日志服务
+docs: 日志服务设计文档
+feat: 日志管理操作接口、消息处理
+feat: 日志服务
+
+
+
### jobs-server
数据同步服务
diff --git "a/deploy-manifests/authx-minio-init/Minio\345\210\235\345\247\213\345\214\226\350\256\276\347\275\256.md" "b/deploy-manifests/authx-minio-init/Minio\345\210\235\345\247\213\345\214\226\350\256\276\347\275\256.md"
new file mode 100644
index 0000000..c4ca074
--- /dev/null
+++ "b/deploy-manifests/authx-minio-init/Minio\345\210\235\345\247\213\345\214\226\350\256\276\347\275\256.md"
@@ -0,0 +1,34 @@
+
+# Minio 初始化设置
+
+
+
+访问 https://authx-minio.paas.xxx.edu.cn
+登录 1y8N@8R@a_2u , 8pxlIe9#lN7Q
+
+## 创建 bucket: cas-server-site-ui
+
+将 cas-server-site-ui 目录下的 图片,上传到 cas-server-site-ui 中(此为认证登录界面上使用的图片,实际项目中,由UI进行设计后,替换)
+
+
+## 创建 bucket: portrait
+
+**设置访问策略 * Read Only**
+
+将 portrait 目录下的 图片,上传到 portrait 中(此为用户的默认头像)
+
+## 创建 bucket: security-center-ui
+
+**设置访问策略 * Read Only**
+
+在 security-center-ui 目录下 创建目录 favicon ,上传文件 security-center-ui/favicon/favicon.ico
+在 security-center-ui 目录下 创建目录 logo ,上传文件 security-center-ui/logo/logo.png
+此为安全中心界面上使用的图片,由UI进行设计后,替换
+
+
+## 创建 bucket: admin-platform
+
+**设置访问策略 * Read Only**
+
+在 admin-platform 目录下 创建目录 favicon ,上传文件 admin-platform/favicon/sw.ico (ico 的文件名,根据 admin-platform 中配置的 SCHOOL_NAME 来确定)
+此为云平台界面上使用的图片,由UI进行设计后,替换
diff --git a/deploy-manifests/authx-minio-init/admin-platform/favicon/sw.ico b/deploy-manifests/authx-minio-init/admin-platform/favicon/sw.ico
new file mode 100644
index 0000000..ffce864
--- /dev/null
+++ b/deploy-manifests/authx-minio-init/admin-platform/favicon/sw.ico
Binary files differ
diff --git a/deploy-manifests/authx-minio-init/cas-server-site-ui/bg.png b/deploy-manifests/authx-minio-init/cas-server-site-ui/bg.png
new file mode 100644
index 0000000..19a2beb
--- /dev/null
+++ b/deploy-manifests/authx-minio-init/cas-server-site-ui/bg.png
Binary files differ
diff --git a/deploy-manifests/authx-minio-init/cas-server-site-ui/favicon.ico b/deploy-manifests/authx-minio-init/cas-server-site-ui/favicon.ico
new file mode 100644
index 0000000..ffce864
--- /dev/null
+++ b/deploy-manifests/authx-minio-init/cas-server-site-ui/favicon.ico
Binary files differ
diff --git a/deploy-manifests/authx-minio-init/cas-server-site-ui/icon.png b/deploy-manifests/authx-minio-init/cas-server-site-ui/icon.png
new file mode 100644
index 0000000..61a5920
--- /dev/null
+++ b/deploy-manifests/authx-minio-init/cas-server-site-ui/icon.png
Binary files differ
diff --git a/deploy-manifests/authx-minio-init/cas-server-site-ui/logo.png b/deploy-manifests/authx-minio-init/cas-server-site-ui/logo.png
new file mode 100644
index 0000000..53938d7
--- /dev/null
+++ b/deploy-manifests/authx-minio-init/cas-server-site-ui/logo.png
Binary files differ
diff --git a/deploy-manifests/authx-minio-init/portrait/1.png b/deploy-manifests/authx-minio-init/portrait/1.png
new file mode 100644
index 0000000..fd1a680
--- /dev/null
+++ b/deploy-manifests/authx-minio-init/portrait/1.png
Binary files differ
diff --git a/deploy-manifests/authx-minio-init/portrait/2.png b/deploy-manifests/authx-minio-init/portrait/2.png
new file mode 100644
index 0000000..fd1a680
--- /dev/null
+++ b/deploy-manifests/authx-minio-init/portrait/2.png
Binary files differ
diff --git a/deploy-manifests/authx-minio-init/portrait/profile.png b/deploy-manifests/authx-minio-init/portrait/profile.png
new file mode 100644
index 0000000..fd1a680
--- /dev/null
+++ b/deploy-manifests/authx-minio-init/portrait/profile.png
Binary files differ
diff --git a/deploy-manifests/authx-minio-init/security-center-ui/favicon/favicon.ico b/deploy-manifests/authx-minio-init/security-center-ui/favicon/favicon.ico
new file mode 100644
index 0000000..ffce864
--- /dev/null
+++ b/deploy-manifests/authx-minio-init/security-center-ui/favicon/favicon.ico
Binary files differ
diff --git a/deploy-manifests/authx-minio-init/security-center-ui/logo/logo.png b/deploy-manifests/authx-minio-init/security-center-ui/logo/logo.png
new file mode 100644
index 0000000..53938d7
--- /dev/null
+++ b/deploy-manifests/authx-minio-init/security-center-ui/logo/logo.png
Binary files differ
diff --git "a/deploy-manifests/charts/1.2.0000.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214\357\274\210\345\237\272\344\272\216\345\272\224\347\224\250\345\225\206\345\272\227\357\274\211.md" "b/deploy-manifests/charts/1.2.0000.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214\357\274\210\345\237\272\344\272\216\345\272\224\347\224\250\345\225\206\345\272\227\357\274\211.md"
index cd9be48..a5b121c 100644
--- "a/deploy-manifests/charts/1.2.0000.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214\357\274\210\345\237\272\344\272\216\345\272\224\347\224\250\345\225\206\345\272\227\357\274\211.md"
+++ "b/deploy-manifests/charts/1.2.0000.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214\357\274\210\345\237\272\344\272\216\345\272\224\347\224\250\345\225\206\345\272\227\357\274\211.md"
@@ -9,11 +9,71 @@
版本 | 作者 | 日期 | 备注
- | - | - | -
v1 | 刘洪青 | 2021-05-15 | 初稿
+v1.4 | 刘洪青 | 2021-09-18 | V1.4 版本的部署更新
[TOC]
+## 部署变更说明
+
+**仅列举了一些重要的、对外部存在影响的变更**
+
+
+### V1.3
+
+1. 域名变更
+
+新增,域名 authx-management,认证、用户、授权管理功能的前端UI的外网域名访问
+
+
+### V1.4
+
+1. 数据库用户变更
+
+新增,authx_log
+(可选)移除,agent_service
+
+2. 镜像变更
+
+新增,authx-log
+新增,attest-server
+
+3. 域名变更
+
+新增,域名 authx-service,将 personal-security-center、security-center、以及 authx-management 合并
+废弃,域名 personal-security-center,合并至 域名 authx-service
+废弃,域名 security-center,合并至 域名 authx-service
+废弃,域名 authx-management,现合并至 authx-service
+废弃,域名 token,合并至 域名 cas
+
+4. Context Path 变更
+
+变更,personal-security-center-zuul,context path 更新为 /personal
+变更,token-server,context path 更新为 /token
+
+5. 访问地址变更
+
+变更,用户认证授权管理前端UI,`https://admin-platform.paas.xxx.edu.cn/authx-management` 变更为 `https://authx-service.paas.xxx.edu.cn/authx-management`
+变更,安全中心后端API,`https://personal-security-center.paas.xxx.edu.cn` 变更为 `https://authx-service.paas.xxx.edu.cn/personal`
+变更,Token 认证,`https://token.paas.xxx.edu.cn` 变更为 `https://cas.pass.xxx.edu.cn/token`
+
+
+## 产品依赖
+
+* minio
+
+请使用 应用商店 部署
+
+* ipaddr
+
+请使用 应用商店 部署
+
+* platform openapi
+
+请使用 应用商店 部署
+
+
## 安装准备
### MySQL 初始配置及相关基础命令
@@ -92,7 +152,7 @@
mysqldump -u root -p token_server > token_server.sql
mysqldump -u root -p user > user.sql
mysqldump -u root -p user_authz > user_authz.sql
- mysqldump -u root -p agent_service > agent_service.sql
+ mysqldump -u root -p authx_log > authx_log.sql
```
还原:
@@ -101,7 +161,7 @@
mysql -u root -p token_server < token_server.sql
mysql -u root -p user < user.sql
mysql -u root -p user_authz < user_authz.sql
- mysql -u root -p agent_service < agent_service.sql
+ mysql -u root -p authx_log < authx_log.sql
```
@@ -131,6 +191,8 @@
authx-service authx-service/*
+ authx-log authx-log/*
+
user-data-service goa/*
user-authorization-service user-authorization-service/*
personal-security-center personal-security-center/*
@@ -139,6 +201,7 @@
cas-server cas-server/*
token-server token-server/*
+ attest-server attest-server/*
```
同步规则,创建完成后,进行镜像同步
@@ -192,7 +255,7 @@
jobs-server 同步服务
- cas-server 认证(CAS 认证 + Token Server)
+ cas-server 认证(CAS 认证 + Token Server + 身份认证服务)
```
* 确定命名空间
@@ -208,7 +271,7 @@
jobs-server 同步服务
- cas-server 认证(CAS 认证 + Token Server)
+ cas-server 认证(CAS 认证 + Token Server + 身份认证服务)
```
@@ -222,10 +285,9 @@
```
authx-minio.paas.xxx.edu.cn 文件服务
- security-center.paas.xxx.edu.cn 安全中心
+ authx-service.paas.xxx.edu.cn 用户授权服务(包含 后台管理UI + 安全中心UI + 安全中心后端)
- cas.paas.xxx.edu.cn CAS 认证(视具体情况,可调整)
- token.paas.xxx.edu.cn Token 认证(APP适用)
+ cas.paas.xxx.edu.cn 认证(视具体情况,可调整;包含 CAS 认证 + Token Server + 身份认证服务)
```
如果使用 学校域名,则去除 .paas 即可,同时申请开通相关域名
@@ -249,8 +311,7 @@
服务 | 数据库帐号
- | -
- 第三方代理服务 thridparty-agent-service | agent_service
- - | -
+ 日志服务 authx-log | authx_log
用户服务 user-data-service | user
授权服务 user-authorization-service | user_authz
- | -
@@ -262,10 +323,10 @@
命令:
**请修改命令中的 `your_password` 为实际的数据库用户的密码**
```
- create user 'agent_service'@'%' identified with mysql_native_password by 'your_password';
-
+ create user 'authx_log'@'%' identified with mysql_native_password by 'your_password';
create user 'user'@'%' identified with mysql_native_password by 'your_password';
create user 'user_authz'@'%' identified with mysql_native_password by 'your_password';
+
create user 'cas_server'@'%' identified with mysql_native_password by 'your_password';
create user 'token_server'@'%' identified with mysql_native_password by 'your_password';
@@ -279,8 +340,7 @@
服务 | 数据库
- | -
- 第三方代理服务 thridparty-agent-service | agent_service
- - | -
+ 日志服务 authx-log | authx_log
用户服务 user-data-service | user
授权服务 user-authorization-service | user_authz
- | -
@@ -291,10 +351,10 @@
命令:
```
- create database `agent_service` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
-
+ create database `authx_log` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
create database `user` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
create database `user_authz` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+
create database `cas_server` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
create database `token_server` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
@@ -308,10 +368,10 @@
命令:
```
- grant all privileges on `agent_service`.* to 'agent_service'@'%' with grant option;
-
+ grant all privileges on `authx_log`.* to 'authx_log'@'%' with grant option;
grant all privileges on `user`.* to 'user'@'%' with grant option;
grant all privileges on `user_authz`.* to 'user_authz'@'%' with grant option;
+
grant all privileges on `cas_server`.* to 'cas_server'@'%' with grant option;
grant all privileges on `token_server`.* to 'token_server'@'%' with grant option;
@@ -328,6 +388,7 @@
```
grant SUPER on *.* to 'user'@'%';
grant SUPER on *.* to 'user_authz'@'%';
+
grant SUPER on *.* to 'cas_server'@'%';
grant SUPER on *.* to 'tmp_data'@'%';
@@ -388,15 +449,6 @@
命名空间: agent-service
-* 外部MYSQL-连接配置
- 外部MySQL host: <请填写数据库服务的IP地址>
- 外部MySQL port: <请填写数据库服务的端口>
-
-* AGENT SERVICE - MYSQL数据库配置
- 用户名: `agent_service` ,固定值、或按实际情况修改
- 密码: <请填写创建的数据库用户的密码>
- 数据库名: `agent_service` ,固定值、或按实际情况修改
-
* 文件服务设置
Minio Url: `http://minio.authx-minio.svc.cluster.local:9000` ,若 minio 的命名空间有调整,请修改
Minio Access Key: `1y8N@8R@a_2u`
@@ -417,6 +469,24 @@
阿里云短信接口Access Key:
阿里云短信接口Access Secret:
+* 人脸服务配置
+ 可与 新开普人脸平台 或 百度人脸服务 进行对接
+
+ 人脸登录类型: aiface: 新开普人脸, aipface: 百度人脸
+
+ **以下配置从 新开普人脸平台 申请**
+ 新开普人脸服务 Url:
+ 新开普人脸服务 App Key:
+ 新开普人脸服务 App Secret:
+ 新开普人脸服务 Secret Key:
+ 新开普人脸服务 Term Code:
+
+ **以下配置从 百度开放平台 申请**
+ 百度人脸服务 App Id:
+ 百度人脸服务 Api Key:
+ 百度人脸服务 Secret Key:
+ 百度人脸服务 组ID:
+
#### authx-service
@@ -448,14 +518,20 @@
密码: <请填写创建的数据库用户的密码>
数据库名: `user_authz` ,固定值、或按实际情况修改
+* MYSQL数据库配置 - 日志服务
+
+ 用户名: `authx_log` ,固定值、或按实际情况修改
+ 密码: <请填写创建的数据库用户的密码>
+ 数据库名: `authx_log` ,固定值、或按实际情况修改
+
* 域名全局设置
根域名: `paas.<school>.edu.cn` ,请修改为实际的学校域名
-* 域名配置 - 安全中心
+* 域名配置 - 用户授权服务
- 子域名: `security-center` ,若须修改,根据实际情况修改即可
+ 子域名: `authx-service` ,若须修改,根据实际情况修改即可
* POA 设置
@@ -480,6 +556,7 @@
Agent Service 文件上传路径: `/api/v1/tpas/file/minio` ,一般不用修改
Agent Service 邮件发送路径: `/api/v1/tpas/mail/smtp` ,一般不用修改
Agent Service 短信发送路径: `/api/v1/tpas/sms/aliyun` , 若不使用阿里云短信服务,须修改
+ Agent Service 人脸服务接口: `/api/v1/tpas/face/aiface` ,新开普人脸 aiface,百度人脸 aipface
* 依赖 API - CAS SERVER
@@ -544,22 +621,29 @@
数据库名: `token_server` ,固定值、或按实际情况修改
+* 外部RABBITMQ - 连接配置
+
+ 外部RabbitMQ host: `authx-service-rabbitmq.authx-service.svc.cluster.local` ,连接 authx-service 的rabbitmq, 若 authx-service 的命名空间有调整,请修改
+ 外部RabbitMQ port: 5672
+
+* RABBITMQ配置 - 安全配置
+
+ 用户名: guest
+ 密码: guest
+
+
* 域名全局设置
根域名: `paas.<school>.edu.cn` ,请修改为实际的学校域名
-* 域名配置 - CAS 认证
+* 域名配置 - 认证服务
子域名: `cas` ,若须修改,根据实际情况修改即可
-* 域名配置 - Token Server
-
- 子域名: `token` ,若须修改,根据实际情况修改即可
-
* POA 设置
- POA网关地址: `http://poa.paas.<school>.edu.cn` ,请设置为 poa 网关的外网地址
+ POA网关地址: `https://poa.paas.<school>.edu.cn` ,请设置为 poa 网关的外网地址
POA SA地址: 请设置为 poa-sa 管理接口的 k8s 内部地址(根据实际部署的 POA 进行调整)
@@ -570,6 +654,7 @@
Agent Service 文件上传路径: `/api/v1/tpas/file/minio` ,一般不用修改
Agent Service 邮件发送路径: `/api/v1/tpas/mail/smtp` ,一般不用修改
Agent Service 短信发送路径: `/api/v1/tpas/sms/aliyun` , 若不使用阿里云短信服务,须修改
+ Agent Service 人脸服务接口: `/api/v1/tpas/face/aiface` ,新开普人脸 aiface,百度人脸 aipface
* 依赖 API - 用户服务
@@ -580,6 +665,12 @@
用户授权API内部地址: `http://authx-service-user-authz-service-sa.authx-service.svc.cluster.local:8080` ,固定值,若 authx-service 的命名空间有调整,请修改
+* POA CLIENT
+
+ Client Id: 从 POA 进行申请
+ Client Secret: 从 POA 进行申请
+
+
* 动态密码
@@ -618,12 +709,6 @@
消息服务应用ID: 由消息服务提供
-* TOKEN SERVER - POA CLIENT
-
- Client Id: 从 POA 进行申请
- Client Secret: 从 POA 进行申请
-
-
* TOKEN SERVER - 人脸服务配置
可与 新开普人脸平台 或 百度人脸服务 进行对接
diff --git "a/deploy-manifests/charts/1.2.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\350\256\244\350\257\201\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210\345\256\211\345\205\250\344\270\255\345\277\203\357\274\211.md" "b/deploy-manifests/charts/1.2.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\350\256\244\350\257\201\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210\345\256\211\345\205\250\344\270\255\345\277\203\357\274\211.md"
index e30d9d0..02ae0d9 100644
--- "a/deploy-manifests/charts/1.2.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\350\256\244\350\257\201\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210\345\256\211\345\205\250\344\270\255\345\277\203\357\274\211.md"
+++ "b/deploy-manifests/charts/1.2.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\350\256\244\350\257\201\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210\345\256\211\345\205\250\344\270\255\345\277\203\357\274\211.md"
@@ -34,9 +34,9 @@
update TB_SERVICE
set
DELETED=1,
- INFORMATION_URL='http://personal-security-center.paas.example.com',
- LOGOUT_URL='http://personal-security-center.paas.example.com/slo?redirect_uri=http://security-center.paas.example.com/?clearCertification=clearCertification',
- SERVICE_ID='http://personal-security-center.paas.example.com/cas/(.*)'
+ INFORMATION_URL='http://authx-service.paas.example.com/personal',
+ LOGOUT_URL='http://authx-service.paas.example.com/personal/slo?redirect_uri=http://authx-service.paas.example.com/?clearCertification=clearCertification',
+ SERVICE_ID='http://authx-service.paas.example.com/personal/cas/(.*)'
where ID='2'; -- todo, modify
@@ -48,9 +48,9 @@
`ENABLED`, `SSO_ENABLED`, `REQUIRE_ALL_ATTRIBUTES`,
`APPLICATION_ID`, `EXTERNAL_ID`)
VALUES ('22', '1', 0, 'admin', '2020-07-01 00:00:00',
- '安全中心', '安全中心', 'https://security-center.paas.example.com', 'https://security-center.paas.example.com/?clearCertification=clearCertification',
+ '安全中心', '安全中心', 'https://authx-service.paas.example.com', 'https://authx-service.paas.example.com/?clearCertification=clearCertification',
'REDIRECT', 'FRONT_CHANNEL',
- 22, '安全中心', 22, 'https://security-center.paas.example.com/(.*)',
+ 22, '安全中心', 22, 'https://authx-service.paas.example.com/(.*)',
1, 1, 1,
'22', '22');
@@ -59,12 +59,12 @@
-- 修改根域名
update TB_SERVICE
set
- INFORMATION_URL='http://security-center.paas.example.com',
- LOGOUT_URL='http://security-center.paas.example.com/?clearCertification=clearCertification',
- SERVICE_ID='http://security-center.paas.example.com/(.*)',
+ INFORMATION_URL='http://authx-service.paas.example.com',
+ LOGOUT_URL='http://authx-service.paas.example.com/?clearCertification=clearCertification',
+ SERVICE_ID='http://authx-service.paas.example.com/(.*)',
ID_TOKEN_ENABLED=1,
JWT_AS_SERVICE_TICKET=1,
- APPLICATION_DOMAIN='security-center.paas.example.com'
+ APPLICATION_DOMAIN='authx-service.paas.example.com'
where ID='22'; -- todo, modify
commit;
diff --git "a/deploy-manifests/charts/1.3.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260SPA\345\234\260\345\235\200\351\205\215\347\275\256.md" "b/deploy-manifests/charts/1.3.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260SPA\345\234\260\345\235\200\351\205\215\347\275\256.md"
index 8106c31..3aaa885 100644
--- "a/deploy-manifests/charts/1.3.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260SPA\345\234\260\345\235\200\351\205\215\347\275\256.md"
+++ "b/deploy-manifests/charts/1.3.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260SPA\345\234\260\345\235\200\351\205\215\347\275\256.md"
@@ -21,9 +21,9 @@
* 管理功能 - 认证授权
- 认证管理SPA的地址: `https://authx-management.paas.<school>.edu.cn/authx-management`
- 用户管理SPA的地址: `https://authx-management.paas.<school>.edu.cn/authx-management`
- 授权管理SPA的地址: `https://authx-management.paas.<school>.edu.cn/authx-management`
+ 认证管理SPA的地址: `https://authx-service.paas.<school>.edu.cn/authx-management`
+ 用户管理SPA的地址: `https://authx-service.paas.<school>.edu.cn/authx-management`
+ 授权管理SPA的地址: `https://authx-service.paas.<school>.edu.cn/authx-management`
修改完成后,需要手动重启 admin-platform 的 Deployment
diff --git "a/deploy-manifests/charts/1.4.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210API\350\267\257\347\224\261\343\200\201\350\217\234\345\215\225\343\200\201\350\247\222\350\211\262\346\235\203\351\231\220\357\274\211.md" "b/deploy-manifests/charts/1.4.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210API\350\267\257\347\224\261\343\200\201\350\217\234\345\215\225\343\200\201\350\247\222\350\211\262\346\235\203\351\231\220\357\274\211.md"
new file mode 100644
index 0000000..cfa9afb
--- /dev/null
+++ "b/deploy-manifests/charts/1.4.0001.\350\256\244\350\257\201\346\216\210\346\235\203-\344\272\221\345\271\263\345\217\260\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\357\274\210API\350\267\257\347\224\261\343\200\201\350\217\234\345\215\225\343\200\201\350\247\222\350\211\262\346\235\203\351\231\220\357\274\211.md"
@@ -0,0 +1,261 @@
+
+# 认证授权-云平台数据初始化
+
+
+[TOC]
+
+
+## 文档说明
+
+
+
+## 操作指南
+
+**请仔细阅读文档后,再进行操作**
+
+本文档中的各部分操作,只须 选择其中一种方式处理即可
+
+
+## 初始化数据
+
+
+### 创建路由
+
+在 云平台 管理中心 中,添加 接口路由;
+
+管理功能的接口请求,由管理中心的后端网关,统一路由至 相关服务。
+
+**若 路由记录已经存在,请确认 其 路由服务地址 是否正确**
+
+
+#### 方式一,手动添加
+
+进入 云平台 - 基础管理 - 路由管理,添加路由记录
+
+注:
+* 路由前缀 如:`/api/v1/sample/**`,确保与其他路由信息 **不存在冲突**
+* 后端服务地址 如:`http://xxx.sample.edu.cn`
+* 是否丢弃前缀,若是,转发到后端服务时的请求为 `http://xxx.sample.edu.cn/**`,否则为 `http://xxx.sample.edu.cn/api/v1/sample/**`
+
+
+代码 | 名称 | 描述 | 是否启用 | 路由前缀 | 路由服务地址 | 是否丢弃前缀
+- | - | - | - | - | - | - | -
+authx-service-user-api | 认证授权 - 用户接口 | | 是 | /api/v1/base | http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080 | 否
+authx-service-personal-api | 认证授权 - 个人信息接口 | | 是 | /api/v1/personal | http://authx-service-personal-security-center-bff.authx-service.svc.cluster.local:8080/api/v1 | 是
+authx-service-admin-api | 认证授权 - 聚合接口(认证、授权) | | 是 | /api/v2/admin | http://authx-service-bff.authx-service.svc.cluster.local:8080 | 否
+authx-service-open-api | 认证授权 - 聚合接口(公开) | | 是 | /api/v2/open | http://authx-service-bff.authx-service.svc.cluster.local:8080 | 否
+authx-service-log-api | 认证授权 - 日志接口 | | 是 | /api/v2/log | http://authx-service-authx-log-sa.authx-service.svc.cluster.local:8080 | 否
+
+
+#### 方式二,bash脚本
+
+```json
+{"id": "20", "code": "authx-service-user-api", "name":"认证授权 - 用户接口", "memo":"", "status":"1", "pathPrefix":"/api/v1/base", "url":"http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+
+{"id": "40", "code": "authx-service-personal-api", "name":"认证授权 - 个人信息接口", "memo":"", "status":"1", "pathPrefix":"/api/v1/personal", "url":"http://authx-service-personal-security-center-bff.authx-service.svc.cluster.local:8080/api/v1", "stripPrefix":true}
+
+{"id": "21", "code": "authx-service-admin-api", "name":"认证授权 - 聚合接口(认证、授权)", "memo":"", "status":"1", "pathPrefix":"/api/v2/admin", "url":"http://authx-service-bff.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+{"id": "22", "code": "authx-service-open-api", "name":"认证授权 - 聚合接口(公开)", "memo":"", "status":"1", "pathPrefix":"/api/v2/open", "url":"http://authx-service-bff.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+
+{"id": "25", "code": "authx-service-log-api", "name":"认证授权 - 日志接口", "memo":"", "status":"1", "pathPrefix":"/api/v2/log", "url":"http://authx-service-authx-log-sa.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+```
+
+```bash
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/routes" -H 'Content-Type: application/json' \
+-d \
+'
+{"id": "20", "code": "authx-service-user-api", "name":"认证授权 - 用户接口", "memo":"", "status":"1", "pathPrefix":"/api/v1/base", "url":"http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+'
+
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/routes" -H 'Content-Type: application/json' \
+-d \
+'
+{"id": "40", "code": "authx-service-personal-api", "name":"认证授权 - 个人信息接口", "memo":"", "status":"1", "pathPrefix":"/api/v1/personal", "url":"http://authx-service-personal-security-center-bff.authx-service.svc.cluster.local:8080/api/v1", "stripPrefix":true}
+'
+
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/routes" -H 'Content-Type: application/json' \
+-d \
+'
+{"id": "21", "code": "authx-service-admin-api", "name":"认证授权 - 聚合接口(认证、授权)", "memo":"", "status":"1", "pathPrefix":"/api/v2/admin", "url":"http://authx-service-bff.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+'
+
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/routes" -H 'Content-Type: application/json' \
+-d \
+'
+{"id": "22", "code": "authx-service-open-api", "name":"认证授权 - 聚合接口(公开)", "memo":"", "status":"1", "pathPrefix":"/api/v2/open", "url":"http://authx-service-bff.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+'
+
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/routes" -H 'Content-Type: application/json' \
+-d \
+'
+{"id": "25", "code": "authx-service-log-api", "name":"认证授权 - 日志接口", "memo":"", "status":"1", "pathPrefix":"/api/v2/log", "url":"http://authx-service-authx-log-sa.authx-service.svc.cluster.local:8080", "stripPrefix":false}
+'
+```
+
+
+#### 方式三,SQL脚本(不推荐)
+
+连接至 admin_center 数据库,执行以下 SQL脚本
+
+```sql
+use admin_center;
+
+delete from TB_MGT_ROUTE where ID in ('20','40','21','22','25');
+
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('20', 0, 'authx-service-user-api', '认证授权 - 用户接口', '1', '/api/v1/base', 'https://localhost:8022', 0);
+
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('40', 0, 'authx-service-personal-api', '认证授权 - 个人信息接口', '1', '/api/v1/personal', 'http://localhost:8041/api/v1', 1);
+
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('21', 0, 'authx-service-admin-api', '认证授权 - 聚合接口(认证、授权)', '1', '/api/v2/admin', 'http://localhost:8009', 0);
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('22', 0, 'authx-service-open-api', '认证授权 - 聚合接口(公开)', '1', '/api/v2/open', 'http://localhost:8009', 0);
+
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('25', 0, 'authx-service-log-api', '认证授权 - 日志接口', '1', '/api/v2/log', 'http://localhost:8009', 0);
+
+commit;
+
+update TB_MGT_ROUTE set URL='http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080' where ID='20';
+
+update TB_MGT_ROUTE set URL='http://authx-service-personal-security-center-bff.authx-service.svc.cluster.local:8080/api/v1' where ID='40';
+
+update TB_MGT_ROUTE set URL='http://authx-service-bff.authx-service.svc.cluster.local:8080' where ID='21';
+update TB_MGT_ROUTE set URL='http://authx-service-bff.authx-service.svc.cluster.local:8080' where ID='22';
+
+update TB_MGT_ROUTE set URL='http://authx-service-authx-log-sa.authx-service.svc.cluster.local:8080' where ID='25';
+
+commit;
+```
+
+
+### 创建菜单
+
+#### 方式一,手动导入
+
+**将 origin 修改为正确的 学校域名**
+
+进入 云平台 - 基础管理 - 菜单管理,导入
+
+所属应用 选择 用户授权
+
+菜单列表(JSON)如下,(复制后粘贴)
+
+
+* 认证管理
+
+```json
+[
+ {
+ "id": "20920", "parentIdOrCode":"20000", "code": "twoFactorAuth", "name": "双因子认证", "memo": "", "status": "1",
+ "icon": "su-icon-test", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/twoFactorAuth", "target": "",
+ "order": 20920, "resourceIdOrCodes": []
+ },
+ {
+ "id": "22000", "parentIdOrCode":"20000", "code": "logManagement", "name": "日志管理", "memo": "", "status": "1",
+ "icon": "su-icon-taocanguanli", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/logManagement", "target": "",
+ "order": 22000, "resourceIdOrCodes": []
+ }
+]
+```
+
+
+#### 方式二,bash脚本
+
+**将 origin 修改为正确的 学校域名**
+
+进入 admin-center-sa 下的 pod, 执行命令行
+
+
+* 认证管理
+
+```bash
+curl -i -s -X POST "http://localhost:8080/v1/admin/menus/importMenu" -H 'Content-Type: application/json' \
+-d \
+'
+{
+ "applicationId": "10",
+ "menuList":
+ [
+ {
+ "id": "20920", "parentIdOrCode":"20000", "code": "twoFactorAuth", "name": "双因子认证", "memo": "", "status": "1",
+ "icon": "su-icon-test", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/twoFactorAuth", "target": "",
+ "order": 20920, "resourceIdOrCodes": []
+ },
+ {
+ "id": "22000", "parentIdOrCode":"20000", "code": "logManagement", "name": "日志管理", "memo": "", "status": "1",
+ "icon": "su-icon-taocanguanli", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/logManagement", "target": "",
+ "order": 22000, "resourceIdOrCodes": []
+ }
+ ]
+}
+'
+```
+
+
+### 关联角色权限
+
+角色由授权服务进行初始化
+
+
+#### 方式一,手动导入(暂不支持)
+
+进入 云平台 - 基础管理 - 角色权限,导入
+
+角色权限(JSON)如下,(复制后粘贴)
+
+```json
+[
+ {
+ "roleId": "20", "roleCode":"cas-admin",
+ "permissionIdOrCodes": ["20920", "22000"]
+ }
+]
+```
+
+
+#### 方式二,bash脚本
+
+进入 admin-center-sa 下的 pod, 执行命令行
+
+```bash
+curl -i -s -X POST "http://localhost:8080/v1/admin/rolePermissions/importRolePermission" -H 'Content-Type: application/json' \
+-d \
+'
+{
+ "roleCodeIdMap": {
+ "cas-admin": "20",
+ "user-admin": "30",
+ "user-authz-admin": "40",
+ "user-authz-grant-admin": "41",
+ "user-authz-man-grant-admin": "42"
+ },
+ "rolePermissionList":
+ [
+ {
+ "roleId": "20", "roleCode":"cas-admin",
+ "permissionIdOrCodes": ["1", "20000", "20100", "20200", "20300", "20400", "20500", "20600", "20700", "20800", "20900", "20920", "21000", "21100", "22000"]
+ },
+ {
+ "roleId": "30", "roleCode": "user-admin",
+ "permissionIdOrCodes": ["1", "30000", "30100", "30200", "30300", "30400", "30500", "30600", "30700", "30800", "31000"]
+ },
+ {
+ "roleId": "40", "roleCode": "user-authz-admin",
+ "permissionIdOrCodes": ["1", "40000", "40050", "40100", "40200", "40300", "40500", "40900", "41100", "41200", "41300", "41350", "41400", "41500"]
+ },
+ {
+ "roleId": "41", "roleCode": "user-authz-grant-admin",
+ "permissionIdOrCodes": ["1", "40000", "40100", "40300", "40500"]
+ },
+ {
+ "roleId": "42", "roleCode": "user-authz-man-grant-admin",
+ "permissionIdOrCodes": ["1", "40000", "40900"]
+ }
+ ]
+}
+'
+```
+
diff --git a/deploy-manifests/charts/certs/jwt/readme.md b/deploy-manifests/charts/certs/jwt/readme.md
index 81ac267..88c409e 100644
--- a/deploy-manifests/charts/certs/jwt/readme.md
+++ b/deploy-manifests/charts/certs/jwt/readme.md
@@ -24,75 +24,8 @@
openssl rsa -in jwt_private_key.pem -pubout -out jwt_public_key.pem
```
-4. 将 jwt_public_key.pem 中的内容,去除换行和空格,转成字符串。
+4. 基于 chart 部署
-处理前:
-```language
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwow0APEh9F91vvtAzl7V
-FmXRAOGhlo+22KX+rqC3ziGg4+yIk8evAL1T97XEuK1huqcAp+p4PIG2t/Rb3FBD
-+vVJGoXKsyLCMUmT4Sy5/TRhb3TM0CHefvMZTSMwcVzKT07DtxyGgFZj9WsUYZWr
-BUPcu0vD6s7m5Qe3qFJJWVeRX8NDnVAxySzrz4bI4+1qvtyey/uap3I6txxRxUlI
-aMyTsD8pl63u14dD2FHRM6JY3tmdEpBEMWI91qmYbl9HkH/D6Xtumg0Hmzh06bdr
-lO3YNscpr6iN2ug6yGNtAh4/ug4P4ZV9nxImcj8l8Pt3jio1O0IIpf4MUCMD+C7P
-rQIDAQAB
------END PUBLIC KEY-----
-```
-处理后:
-```language
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwow0APEh9F91vvtAzl7VFmXRAOGhlo+22KX+rqC3ziGg4+yIk8evAL1T97XEuK1huqcAp+p4PIG2t/Rb3FBD+vVJGoXKsyLCMUmT4Sy5/TRhb3TM0CHefvMZTSMwcVzKT07DtxyGgFZj9WsUYZWrBUPcu0vD6s7m5Qe3qFJJWVeRX8NDnVAxySzrz4bI4+1qvtyey/uap3I6txxRxUlIaMyTsD8pl63u14dD2FHRM6JY3tmdEpBEMWI91qmYbl9HkH/D6Xtumg0Hmzh06bdrlO3YNscpr6iN2ug6yGNtAh4/ug4P4ZV9nxImcj8l8Pt3jio1O0IIpf4MUCMD+C7PrQIDAQAB
------END PUBLIC KEY-----
-```
+将 jwt_public_key.pem 中的内容,复制、粘贴 到 『JWT公钥』
-4. 将 jwt_private_key_pkcs8.pem 中的内容,去除换行和空格,转成字符串。
-
-处理前:
-```language
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDCjDQA8SH0X3W+
-+0DOXtUWZdEA4aGWj7bYpf6uoLfOIaDj7IiTx68AvVP3tcS4rWG6pwCn6ng8gba3
-9FvcUEP69UkahcqzIsIxSZPhLLn9NGFvdMzQId5+8xlNIzBxXMpPTsO3HIaAVmP1
-axRhlasFQ9y7S8PqzublB7eoUklZV5Ffw0OdUDHJLOvPhsjj7Wq+3J7L+5qncjq3
-HFHFSUhozJOwPymXre7Xh0PYUdEzolje2Z0SkEQxYj3WqZhuX0eQf8Ppe26aDQeb
-OHTpt2uU7dg2xymvqI3a6DrIY20CHj+6Dg/hlX2fEiZyPyXw+3eOKjU7Qgil/gxQ
-IwP4Ls+tAgMBAAECggEAaQOlTpza5z5gIKcfZEZsX5q2JvOkddE9sdRolXrLvMkK
-P/39+0def9ey65OCjO2KQ2bCQ+Gc5YxfRQzySQpKp7yfqWFu+SNaD6DX4kRyYOtV
-bQRvSin+ICi5D5pfG9IqooSxwLX1JHF9o4wZhFN17XGkRLWxG55zpE12JbXFQiPB
-pck6hcMfx+r5wk7t4ret/8P/MDcyrPuUavJemd4D2jRrD7AmOGJDvElioFcOKA+V
-S8oe/uBdpU8cbYJvct68fHOzG9IW3hdqYV18fhNtWqp9WeuUP+F2UMmOXbAtZ106
-Zcd+V/jsse2G9KvGzmDA61ZGxzHUjt+JNIpN+V2HQQKBgQDkfYb8vIMc2yV0CM30
-mAaPIapgpw8brYS8v+azQR/jjsuHFJ1CQJAih79y2gwdjKbDl0XByjj/qiHLTPcu
-6dkuavdsV9MrlFfVqAXUMNDHrWEn5nMahlq3UZbflBqlavTr0gvEA8Da+ZXcRvWg
-TP5+g5RFrKHJVOyQ+GzgDggQawKBgQDZ+IDRthf0UHvvZsoUbeb37Wut9jdjRgLJ
-S1X4RtH+NPN23lvtTKJmUNfrFxiOfeVBfCXmGep0ibTqDVo0zBeHSu4BFM3BsICu
-7xafmLafZxZqHcgWuF9keOCWjKN5fzub5xGqd2yge9hGN2zA2U9qp4mltGzeoZ/0
-TuLuR59GRwKBgCGga7ZUVANyKQ/rn8vod8am0LlKvMl4/vj8UQp+gh/uSvvFR+OR
-NuUuDznq5y+OHJjacXS0uzC9LB4MZLBtz/2p1mIGhth6C3cxNDJnQMKyPIMvwi7c
-KQujoU2kMUu48vSlw/+EAeT4KFrzwoBl9GpQGQkr/99udSZcuUE8L2mjAoGAPRLn
-LVuDTL58a3D2sFC3BcLth/nUPSmxwCsutHlLf5ngme7l/RCa9GY0ibeX9t0JrpaV
-m+qpCexH18jT/LUu5oa1N3JX0Kye8eUmBqPoj7N30VX06YDRobpI24Yei/19e0p8
-ZbI+qpzo1YvUGhkJqo21AMwUMTFCO1cbOL6yvyMCgYAHUNBLhSOaIZpvbmyh5uz5
-Va/IIYU5nJcVAan8ExzdVBqeiDqlIDsUt/4xoV2sWOK1lDmL1QYeOOTOHdVcSUyN
-ZpvB3b/9RZ1bNQZA1trBBxjY7dXNwZZp0ah/bmO+i4dPXl+bU2mUqdyb1emFwcj0
-uNGn7GMQXLxalpCkz4SXRg==
------END PRIVATE KEY-----
-```
-处理后:
-```language
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDCjDQA8SH0X3W++0DOXtUWZdEA4aGWj7bYpf6uoLfOIaDj7IiTx68AvVP3tcS4rWG6pwCn6ng8gba39FvcUEP69UkahcqzIsIxSZPhLLn9NGFvdMzQId5+8xlNIzBxXMpPTsO3HIaAVmP1axRhlasFQ9y7S8PqzublB7eoUklZV5Ffw0OdUDHJLOvPhsjj7Wq+3J7L+5qncjq3HFHFSUhozJOwPymXre7Xh0PYUdEzolje2Z0SkEQxYj3WqZhuX0eQf8Ppe26aDQebOHTpt2uU7dg2xymvqI3a6DrIY20CHj+6Dg/hlX2fEiZyPyXw+3eOKjU7Qgil/gxQIwP4Ls+tAgMBAAECggEAaQOlTpza5z5gIKcfZEZsX5q2JvOkddE9sdRolXrLvMkKP/39+0def9ey65OCjO2KQ2bCQ+Gc5YxfRQzySQpKp7yfqWFu+SNaD6DX4kRyYOtVbQRvSin+ICi5D5pfG9IqooSxwLX1JHF9o4wZhFN17XGkRLWxG55zpE12JbXFQiPBpck6hcMfx+r5wk7t4ret/8P/MDcyrPuUavJemd4D2jRrD7AmOGJDvElioFcOKA+VS8oe/uBdpU8cbYJvct68fHOzG9IW3hdqYV18fhNtWqp9WeuUP+F2UMmOXbAtZ106Zcd+V/jsse2G9KvGzmDA61ZGxzHUjt+JNIpN+V2HQQKBgQDkfYb8vIMc2yV0CM30mAaPIapgpw8brYS8v+azQR/jjsuHFJ1CQJAih79y2gwdjKbDl0XByjj/qiHLTPcu6dkuavdsV9MrlFfVqAXUMNDHrWEn5nMahlq3UZbflBqlavTr0gvEA8Da+ZXcRvWgTP5+g5RFrKHJVOyQ+GzgDggQawKBgQDZ+IDRthf0UHvvZsoUbeb37Wut9jdjRgLJS1X4RtH+NPN23lvtTKJmUNfrFxiOfeVBfCXmGep0ibTqDVo0zBeHSu4BFM3BsICu7xafmLafZxZqHcgWuF9keOCWjKN5fzub5xGqd2yge9hGN2zA2U9qp4mltGzeoZ/0TuLuR59GRwKBgCGga7ZUVANyKQ/rn8vod8am0LlKvMl4/vj8UQp+gh/uSvvFR+ORNuUuDznq5y+OHJjacXS0uzC9LB4MZLBtz/2p1mIGhth6C3cxNDJnQMKyPIMvwi7cKQujoU2kMUu48vSlw/+EAeT4KFrzwoBl9GpQGQkr/99udSZcuUE8L2mjAoGAPRLnLVuDTL58a3D2sFC3BcLth/nUPSmxwCsutHlLf5ngme7l/RCa9GY0ibeX9t0JrpaVm+qpCexH18jT/LUu5oa1N3JX0Kye8eUmBqPoj7N30VX06YDRobpI24Yei/19e0p8ZbI+qpzo1YvUGhkJqo21AMwUMTFCO1cbOL6yvyMCgYAHUNBLhSOaIZpvbmyh5uz5Va/IIYU5nJcVAan8ExzdVBqeiDqlIDsUt/4xoV2sWOK1lDmL1QYeOOTOHdVcSUyNZpvB3b/9RZ1bNQZA1trBBxjY7dXNwZZp0ah/bmO+i4dPXl+bU2mUqdyb1emFwcj0uNGn7GMQXLxalpCkz4SXRg==
------END PRIVATE KEY-----
-```
-
-
-5. (可选)将pem内容进行 base64 编码后,配置到k8s
-
-echo -n '-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwow0APEh9F91vvtAzl7VFmXRAOGhlo+22KX+rqC3ziGg4+yIk8evAL1T97XEuK1huqcAp+p4PIG2t/Rb3FBD+vVJGoXKsyLCMUmT4Sy5/TRhb3TM0CHefvMZTSMwcVzKT07DtxyGgFZj9WsUYZWrBUPcu0vD6s7m5Qe3qFJJWVeRX8NDnVAxySzrz4bI4+1qvtyey/uap3I6txxRxUlIaMyTsD8pl63u14dD2FHRM6JY3tmdEpBEMWI91qmYbl9HkH/D6Xtumg0Hmzh06bdrlO3YNscpr6iN2ug6yGNtAh4/ug4P4ZV9nxImcj8l8Pt3jio1O0IIpf4MUCMD+C7PrQIDAQAB
------END PUBLIC KEY-----' |base64
-
-
-echo -n '-----BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDCjDQA8SH0X3W++0DOXtUWZdEA4aGWj7bYpf6uoLfOIaDj7IiTx68AvVP3tcS4rWG6pwCn6ng8gba39FvcUEP69UkahcqzIsIxSZPhLLn9NGFvdMzQId5+8xlNIzBxXMpPTsO3HIaAVmP1axRhlasFQ9y7S8PqzublB7eoUklZV5Ffw0OdUDHJLOvPhsjj7Wq+3J7L+5qncjq3HFHFSUhozJOwPymXre7Xh0PYUdEzolje2Z0SkEQxYj3WqZhuX0eQf8Ppe26aDQebOHTpt2uU7dg2xymvqI3a6DrIY20CHj+6Dg/hlX2fEiZyPyXw+3eOKjU7Qgil/gxQIwP4Ls+tAgMBAAECggEAaQOlTpza5z5gIKcfZEZsX5q2JvOkddE9sdRolXrLvMkKP/39+0def9ey65OCjO2KQ2bCQ+Gc5YxfRQzySQpKp7yfqWFu+SNaD6DX4kRyYOtVbQRvSin+ICi5D5pfG9IqooSxwLX1JHF9o4wZhFN17XGkRLWxG55zpE12JbXFQiPBpck6hcMfx+r5wk7t4ret/8P/MDcyrPuUavJemd4D2jRrD7AmOGJDvElioFcOKA+VS8oe/uBdpU8cbYJvct68fHOzG9IW3hdqYV18fhNtWqp9WeuUP+F2UMmOXbAtZ106Zcd+V/jsse2G9KvGzmDA61ZGxzHUjt+JNIpN+V2HQQKBgQDkfYb8vIMc2yV0CM30mAaPIapgpw8brYS8v+azQR/jjsuHFJ1CQJAih79y2gwdjKbDl0XByjj/qiHLTPcu6dkuavdsV9MrlFfVqAXUMNDHrWEn5nMahlq3UZbflBqlavTr0gvEA8Da+ZXcRvWgTP5+g5RFrKHJVOyQ+GzgDggQawKBgQDZ+IDRthf0UHvvZsoUbeb37Wut9jdjRgLJS1X4RtH+NPN23lvtTKJmUNfrFxiOfeVBfCXmGep0ibTqDVo0zBeHSu4BFM3BsICu7xafmLafZxZqHcgWuF9keOCWjKN5fzub5xGqd2yge9hGN2zA2U9qp4mltGzeoZ/0TuLuR59GRwKBgCGga7ZUVANyKQ/rn8vod8am0LlKvMl4/vj8UQp+gh/uSvvFR+ORNuUuDznq5y+OHJjacXS0uzC9LB4MZLBtz/2p1mIGhth6C3cxNDJnQMKyPIMvwi7cKQujoU2kMUu48vSlw/+EAeT4KFrzwoBl9GpQGQkr/99udSZcuUE8L2mjAoGAPRLnLVuDTL58a3D2sFC3BcLth/nUPSmxwCsutHlLf5ngme7l/RCa9GY0ibeX9t0JrpaVm+qpCexH18jT/LUu5oa1N3JX0Kye8eUmBqPoj7N30VX06YDRobpI24Yei/19e0p8ZbI+qpzo1YvUGhkJqo21AMwUMTFCO1cbOL6yvyMCgYAHUNBLhSOaIZpvbmyh5uz5Va/IIYU5nJcVAan8ExzdVBqeiDqlIDsUt/4xoV2sWOK1lDmL1QYeOOTOHdVcSUyNZpvB3b/9RZ1bNQZA1trBBxjY7dXNwZZp0ah/bmO+i4dPXl+bU2mUqdyb1emFwcj0uNGn7GMQXLxalpCkz4SXRg==
------END PRIVATE KEY-----' |base64
+将 jwt_private_key_pkcs8.pem 中的内容,复制、粘贴 到 『JWT私钥』
diff --git "a/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md" "b/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md"
index a92e6a0..91cb8de 100644
--- "a/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md"
+++ "b/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md"
@@ -9,11 +9,27 @@
版本 | 作者 | 日期 | 备注
- | - | - | -
v1 | 刘洪青 | 2020-06-10 | 初稿
+v1.4 | 刘洪青 | 2021-09-21 | V1.4部署更新
[TOC]
+## 产品依赖
+
+* minio
+
+请使用 应用商店 部署
+
+* ipaddr
+
+请使用 应用商店 部署
+
+* platform openapi
+
+请使用 应用商店 部署
+
+
## 安装准备
### MySQL 初始配置及相关基础命令
@@ -92,6 +108,8 @@
mysqldump -u root -p token_server > token_server.sql
mysqldump -u root -p user > user.sql
mysqldump -u root -p user_authz > user_authz.sql
+ mysqldump -u root -p authx_log > authx_log.sql
+
mysqldump -u root -p agent_service > agent_service.sql
```
@@ -101,6 +119,8 @@
mysql -u root -p token_server < token_server.sql
mysql -u root -p user < user.sql
mysql -u root -p user_authz < user_authz.sql
+ mysql -u root -p authx_log < authx_log.sql
+
mysql -u root -p agent_service < agent_service.sql
```
@@ -117,7 +137,7 @@
* 镜像同步
- 从 https://harbor.supwisdom.com 中同步镜像
+ 从 https://harbor.supwisdom.com 中同步镜像(须申请 harbor 帐号)
仓库管理 下 新建目标
```
@@ -129,6 +149,7 @@
```
admin-portal admin-portal/*
authx-service authx-service/*
+ authx-log authx-log/*
thirdparty-agent-service thirdparty-agent-service/*
@@ -136,6 +157,7 @@
user-authorization-service user-authorization-service/*
cas-server cas-server/*
token-server token-server/*
+ attest-server attest-server/*
jobs-server jobs-server/*
@@ -185,12 +207,14 @@
本产品安装需要的域名如下:
```
- cas.paas.xxx.edu.cn 认证(视具体情况,可调整)
- token.paas.xxx.edu.cn 认证(APP适用)
+ cas.paas.xxx.edu.cn 认证(视具体情况,可调整;包括,CAS 认证、Token 认证、身份验证服务)
+ token.paas.xxx.edu.cn (废弃,合并至 cas)认证(APP适用)
- personal-security-center.paas.xxx.edu.cn 个人安全中心后端API
+ personal-security-center.paas.xxx.edu.cn (废弃,合并至 authx-service)个人安全中心后端API
- security-center.paas.xxx.edu.cn 安全中心前端UI(帐号激活、忘记密码)
+ security-center.paas.xxx.edu.cn (废弃,合并至 authx-service)安全中心前端UI(帐号激活、忘记密码)
+
+ authx-service.paas.xxx.edu.cn 用户授权服务(包括,用户认证授权管理前端UI、安全中心前端UI、安全中心后端API)
authx-minio.paas.xxx.edu.cn 文件服务
```
@@ -262,18 +286,27 @@
MINIO_SECRET_KEY | minio密钥(base64加密),默认为 8pxlIe9#lN7Q | OHB4bEllOSNsTjdR
-* auth-service 下的 poa-api-docs-installer
+* auth-service 下的 authx-service-bff
- ConfigMap,poa-api-docs-installer-env
+ ConfigMap,authx-service-bff-env
key | 说明 | 配置示例
- | - | -
- POA_SERVER_URL | POA网关地址(外部访问地址) | http://poa.paas.xxx.edu.cn
- POA_SA_SERVER_URL | POA管理接口地址(k8s集群内部地址) | http://poa-sa-svc.poa.svc.cluster.local:8443
+ UNIAUTH_BASIC_AUTH_USERNAME | uniauth sa basic 认证 的 用户名 | saadmin
+ UNIAUTH_BASIC_AUTH_PASSWORD | uniauth sa basic 认证 的 密码 | saadminfoobar
- | - | -
- USER_API_SERVER_URL | 用户服务开放接口地址(k8s集群内部地址) | http://user-data-service-poa-svc.user-data-service.svc.cluster.local:8080
- USER_AUTHZ_API_SERVER_URL | 授权服务开放接口地址(k8s集群内部地址) | http://user-authorization-poa-svc.user-authorization-service.svc.cluster.local:8080
- COMMUNICATE_API_SERVER_URL | 通信服务开放接口地址(k8s集群内部地址) | http://communicate-center-poa-svc.communicate-center.svc.cluster.local:8080
+ CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ USER_DATA_SERVICE_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_AUTHZ_SERVICE_SERVER_URL | 授权服务管理接口地址(k8s集群内部地址) | http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
+ UNIAUTH_SERVER_SA_API_SERVER_URL | Uniauth 管理接口地址(k8s集群内部地址) | http://uniauth-prod-backend.uniauth.svc.cluster.local:9090
+ TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)<br/>默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
+
* thirdparty-agent-service 下的 thirdparty-agent-service
@@ -298,6 +331,20 @@
SMS_ALIYUN_REGION_ID | 区域 | cn-hangzhou
SMS_ALIYUN_ACCESS_KEY_ID | 阿里云短信服务的帐号 |
SMS_ALIYUN_ACCESS_SECRET | 阿里云短信服务的密钥 |
+ - | - | -
+ FACE_AIFACE_AUTOCONFIGURE_ENABLED | 新开普人脸开启开关 | true、false
+ FACE_AIFACE_URL | 新开普人脸地址 |
+ FACE_AIFACE_APPKEY | app key |
+ FACE_AIFACE_APPSECRET | app secret |
+ FACE_AIFACE_SECRETKEY | secret key |
+ FACE_AIFACE_TERM_CODE | term code |
+ - | - | -
+ FACE_AIPFACE_AUTOCONFIGURE_ENABLED | 百度人脸开启开关 | true、false
+ FACE_AIPFACE_APPID | app id |
+ FACE_AIPFACE_APIKEY | app key |
+ FACE_AIPFACE_SECRETKEY | secret key |
+ FACE_AIPFACE_GROUPIDLIST | 组ID,多个用逗号分隔,最多20个 |
+
Secret,agent-service-env-secret
@@ -316,6 +363,15 @@
CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
- | - | -
TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)<br/>默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+ - | - | -
+ FILE_SERVER_TYPE | 文件服务类型 | minio
+ FILE_SERVER_URL | 文件服务地址(外网地址) | https://authx-minio.paas.xxx.edu.cn
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* user-data-service 下的 user-data-service-goa
@@ -335,6 +391,12 @@
JOBS_RABBITMQ_ACCOUNTUSERSVC2JOBSSYNCPASSWORDRABBITSENDER_ENABLED | 是否同步密码(明文密码)到 jobs 的 MQ | true、false
JOBS_RABBITMQ_ORGANIZATIONUSERSVC2JOBSRABBITSENDER_ENABLED | 是否同步组织机构数据至 jobs 的 MQ | true、false
JOBS_RABBITMQ_GROUPUSERSVC2JOBSRABBITSENDER_ENABLED | 是否同步用户组数据至 jobs 的 MQ | true、false
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* user-data-service 下的 user-data-service-biz
@@ -345,7 +407,15 @@
- | - | -
CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
- | - | -
+ USER_AUTHZ_SERVICE_SERVER_URL | 授权服务管理接口地址(k8s集群内部地址) | http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
+ - | - | -
TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)<br/>默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* user-authorization-service 下的 user-authorization-service-poa
@@ -355,6 +425,12 @@
key | 说明 | 配置示例
- | - | -
USER_DATA_SERVICE_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* user-authorization-service 下的 user-authorization-service-sa
@@ -363,7 +439,17 @@
key | 说明 | 配置示例
- | - | -
- 暂无 | |
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_CONSUMER_ENABLED | 是否开启用户数据订阅 | true
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* cas-server 下的 cas-server-sa-api
@@ -377,6 +463,12 @@
FEDERATION_REFRESH_REDIS_TIMER_ENABLED | 是否定时刷新联合登录帐号绑定数据<br/>默认:true | true、false
- | - | -
USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* cas-server 下的 cas-server-security-engine
@@ -403,24 +495,6 @@
CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY | jwt格式的ticket的签名密钥 | `(@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2`
SPRING_THYMELEAF_PREFIX | 登录页面UI的代码目录 | classpath:/templates/themes/classic/
- | - | -
- CASSERVER_FEDERATION_QQ_ENABLED | 联合登录 QQ,是否启用 | true、false
- CASSERVER_FEDERATION_QQ_APPID | 联合登录 QQ,appid |
- CASSERVER_FEDERATION_QQ_APPKEY | 联合登录 QQ,appkey |
- - | - | -
- CASSERVER_FEDERATION_OPENWEIXIN_ENABLED | 联合登录 微信,是否启用 | true、false
- CASSERVER_FEDERATION_OPENWEIXIN_APPID | 联合登录 微信,appid |
- CASSERVER_FEDERATION_OPENWEIXIN_APPSECRET | 联合登录 微信,appsecret |
- - | - | -
- CASSERVER_FEDERATION_WORKWEIXIN_ENABLED | 联合登录 企业微信,是否启用 | true、false
- CASSERVER_FEDERATION_WORKWEIXIN_CORPID | 联合登录 企业微信,企业ID |
- CASSERVER_FEDERATION_WORKWEIXIN_AGENTID | 联合登录 企业微信,应用AgentId |
- CASSERVER_FEDERATION_WORKWEIXIN_SECRET | 联合登录 企业微信,Secret |
- - | - | -
- CASSERVER_FEDERATION_ALIPAY_ENABLED | 联合登录 支付宝,是否启用 | true、false
- CASSERVER_FEDERATION_ALIPAY_APPID | 联合登录 支付宝,appid |
- CASSERVER_FEDERATION_ALIPAY_APPPRIVATEKEY | 联合登录 支付宝,应用私钥 |
- CASSERVER_FEDERATION_ALIPAY_ALIPAYPUBLICKEY | 联合登录 支付宝,支付宝公钥 |
- - | - | -
CASSERVER_JWT_ISS | idToken 签发者标识 | cas.paas.xxx.edu.cn
CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8 | idToken 签名私钥(pkcs8),参考 certs/jwt/readme.md 生成公私钥pem |
CASSERVER_JWT_PUBLIC_KEY_PEM | idToken 签名公钥,参考 certs/jwt/readme.md 生成公私钥pem |
@@ -433,6 +507,8 @@
CASSERVERSITE_PASSWORDLESS_SMS_FROM | 动态密码的短信发送者 | 认证中心
CASSERVERSITE_PASSWORDLESS_SMS_TEXT_TEMPLATE | 动态密码的短信模板 | 【认证中心】您正在登录统一身份认证,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。
- | - | -
+ SUPERAPP_TOKEN_SIGNING_KEY_URL | TOKEN认证验签公钥地址(k8s集群内部地址) | http://token-server-svc.token-server.svc.cluster.local:8080/token/jwt/publicKey
+ - | - | -
TPAS_AGENT_SERVICE_SERVER_URL | 代理服务接口地址(k8s集群内部地址) | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
TPAS_AGENT_SERVICE_SMS_SENDER_PATH | 短信发送服务地址<br/>console:控制台输出,默认<br/>aliyun:阿里云短信服务<br/>其他,支持学校定制接口 | /api/v1/tpas/sms/console/send
TPAS_AGENT_SERVICE_FILE_PATH | 文件服务地址<br/>默认:minio文件服务 | /api/v1/tpas/file/minio
@@ -443,7 +519,15 @@
- | - | -
USER_AUTHZ_SERVICE_SA_API_SERVER_URL | 授权服务管理接口地址(k8s集群内部地址) | http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
- | - | -
- SUPERAPP_TOKEN_SIGNING_KEY_URL | TOKEN认证验签公钥地址(外部访问地址) | https://token.paas.xxx.edu.cn/jwt/publicKey
+ ATTEST_SERVER_URL | 身份验证服务地址(k8s集群内部地址) | http://attest-server-svc.attest-server.svc.cluster.local:8080/attest
+ - | - | -
+ IPADDR_SERVER_URL | IP地址服务 | http://ipaddr.ipaddr.svc.cluster.local:9090
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
* cas-server 下的 cas-server-site-scheme
@@ -465,7 +549,7 @@
key | 说明 | 配置示例
- | - | -
- TOKEN_SERVER_PREFIX | TOKEN认证地址(外部访问地址) | https://token.paas.xxx.edu.cn
+ TOKEN_SERVER_PREFIX | TOKEN认证地址(外部访问地址) | https://token.paas.xxx.edu.cn/token
- | - | -
TOKEN_SERVER_SECURITY_JWT_ISS | idToken签发者标识 | token.paas.xxx.edu.cn
TOKEN_SERVER_SECURITY_JWT_EXPIRATION | idToken 失效时长<br/>默认:30天 | 2592000
@@ -488,9 +572,17 @@
TOKEN_SERVER_PASSWORDLESS_SMS_TEXT_TEMPLATE | 动态密码的短信模板 | 【认证中心】您正在登录统一身份认证,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。
TOKEN_SERVER_PASSWORDLESS_SMS_FROM | 动态密码的短信发送者 | 认证中心
- | - | -
+ GETUI_SERVER_URL | 个推服务地址 | https://openapi-gy.getui.com
+ GETUI_GEYAN_APP_ID | 个推,个验 app id |
+ GETUI_GEYAN_APP_KEY | 个推,个验 app key |
+ GETUI_GEYAN_APP_SECRET | 个推,个验 app secret |
+ GETUI_GEYAN_MASTER_SECRET | 个推,个验 master secret |
+ - | - | -
MESSAGECENTER_ENABLED | 是否对接消息平台<br/>默认:false| true、false
MESSAGECENTER_APP_ID | 应用ID(由消息平台生成)|
- MESSAGECENTER_MESSAGE_TYPE_CODE_APP_LOGIN | 消息类型代码(APP 登录) | APP_LOGIN
+ MESSAGECENTER_MESSAGE_TYPE_CODE_APP_LOGIN | 消息类型代码,APP 登录 | APP_LOGIN
+ MESSAGECENTER_MESSAGE_TYPE_CODE_PASSWORD | 消息类型代码,密码修改登出 | PASSWORD
+ MESSAGECENTER_MESSAGE_TYPE_CODE_APPPUSH | 消息类型代码,消息推送 | APPPUSH
- | - | -
POA_SERVER_URL | POA网关地址(外部访问地址) | https://poa.paas.xxx.edu.cn
POA_CLIENT_ID | client id |
@@ -503,6 +595,23 @@
CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
- | - | -
USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ ATTEST_SERVER_URL | 身份验证服务地址(k8s集群内部地址) | http://attest-server-svc.attest-server.svc.cluster.local:8080/attest
+ - | - | -
+ IPADDR_SERVER_URL | IP地址服务 | http://ipaddr.ipaddr.svc.cluster.local:9090
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
+ - | - | -
+ USER_RABBITMQ_ENABLED | 是否开启用户数据的消息接收 | true
+ USER_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ USER_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ USER_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ USER_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
+ USER_RABBITMQ_CONSUMER_ENABLED | 是否开启用户数据订阅 | true
* personal-security-center 下的 personal-security-center-bff
@@ -511,10 +620,10 @@
key | 说明 | 配置示例
- | - | -
- PERSONAL_SECURITY_CENTER_SERVER_PREFIX | 个人安全中心访问地址(外部访问地址) | https://personal-security-center.paas.xxx.edu.cn
- CAS_SERVER_PREFIX | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn
+ PERSONAL_SECURITY_CENTER_SERVER_PREFIX | 个人安全中心访问地址(外部访问地址) | https://authx-service.paas.xxx.edu.cn/personal
+ CAS_SERVER_PREFIX | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn/cas
- | - | -
- CASSERVER_SITE_SERVER_URL | CAS认证接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SITE_SERVER_URL | CAS认证接口地址(k8s集群内部地址) | http://cas-server-site-webapp-svc.cas-server.svc.cluster.local:8080/cas
- | - | -
CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
- | - | -
@@ -523,6 +632,13 @@
TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)<br/>默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
TPAS_MAIL_API_URL | 邮件发送服务地址(k8s集群内部地址)<br/>console:控制台输出,默认<br/>smtp:SMTP服务<br/>其他,支持学校定制接口 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/mail/smtp
TPAS_SMS_API_URL | 短信发送服务地址(k8s集群内部地址)<br/>console:控制台输出,默认<br/>aliyun:阿里云短信服务<br/>其他,支持学校定制接口 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/sms/console
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
+
ConfigMap,personal-security-center-bff-template-env
邮件内容模板、短信内容模板
@@ -576,10 +692,14 @@
key | 说明 | 配置示例
- | - | -
- APP_SERVER_HOST_URL | 个人安全中心访问地址(外部访问地址) | http://personal-security-center.paas.xxx.edu.cn
- CAS_SERVER_HOST_URL | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn
+ APP_SERVER_HOST_URL | 个人安全中心访问地址(外部访问地址) | https://authx-service.paas.xxx.edu.cn/personal
+ CAS_SERVER_HOST_URL | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn/cas
- | - | -
- APPLICATION_INDEX_REDIRECT_URI | 网关服务的默认首页,安全中心访问地址(外部访问地址) | http://security-center.paas.xxx.edu.cn
+ APPLICATION_INDEX_REDIRECT_URI | 网关服务的默认首页,安全中心访问地址(外部访问地址) | https://authx-service.paas.xxx.edu.cn
+ - | - | -
+ USER_DATA_SERVICE_SERVER_URL | 用户服务开放接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ USER_AUTHZ_SERVICE_SERVER_URL | 授权服务管理接口地址(k8s集群内部地址) | http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
* personal-security-center 下的 security-center-ui
@@ -588,14 +708,73 @@
key | 说明 | 配置示例
- | - | -
- RESOURCE_PREFIX | LOGO、FAVICON 等资源地址 | http://authx-minio.paas.xxx.edu.cn/security-center-ui
- MAIN_SERVER | 安全中心访问地址(外部访问地址) | http://security-center.paas.xxx.edu.cn
+ RESOURCE_PREFIX | LOGO、FAVICON 等资源地址 | https://authx-minio.paas.xxx.edu.cn/security-center-ui
+ MAIN_SERVER | 安全中心访问地址(外部访问地址) | https://authx-service.paas.xxx.edu.cn
- | - | -
- PERSONAL_CENTER_API | 后端API,个人安全中心访问地址(外部访问地址) | http://personal-security-center.paas.xxx.edu.cn
+ PERSONAL_CENTER_API | 后端API,个人安全中心访问地址(外部访问地址) | https://authx-service.paas.xxx.edu.cn/personal
+ - | - | -
+ AUTH_TYPE | 认证对接方式,可选 cas,uniauth | cas
- | - | -
AUTH_CAS | CAS认证地址(外部访问地址) | http://cas.paas.xxx.edu.cn/cas
JWT_ISS | JWT Token 签名方标识 | http://cas.paas.xxx.edu.cn/cas
JWT_SECRET | JWT Token 签名密钥 | 固定值,`(@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2`
+ - | - | -
+ UNIAUTH_IDTOKEN | uniauth认证地址(外部访问地址) | https://uniauth.paas.xxx.edu.cn/idtoken
+ UNIAUTH_IDTOKEN_ISS | Id Token 签名方标识 | uniauth
+ UNIAUTH_CLIENT_ID | client id | 22
+
+ 注:
+ AUTH_TYPE 为 cas 时,配置 AUTH_CAS、JWT_ISS、JWT_SECRET
+ AUTH_TYPE 为 uniauth 时,配置 UNIAUTH_IDTOKEN、UNIAUTH_IDTOKEN_ISS、UNIAUTH_CLIENT_ID
+
+
+* attest-server 下的 attest-server
+
+ ConfigMap,attest-server-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ POA_SERVER_URL | POA网关地址(外部访问地址) | https://poa.paas.xxx.edu.cn
+ POA_CLIENT_ID | client id |
+ POA_CLIENT_SECRET | client secret |
+ POA_SCOPES | api 接口的 scope | appPush:v1:apppushByMessageType
+ - | - | -
+ ATTEST_SERVER_PREFIX | 身份验证服务地址(外部访问地址) | https://attest.paas.xxx.edu.cn/attest
+ - | - | -
+ ATTEST_SERVER_SECUREPHONE_SMS_TEXT_TEMPLATE | 短信内容模板 | 【认证服务】{name}:您正在进行验证身份,验证码为{code},有效期5分钟,请尽快完成验证。
+ ATTEST_SERVER_SECUREPHONE_SMS_FROM | 短信内容标题 | 认证服务
+ - | - | -
+ ATTEST_SERVER_SECUREEMAIL_MAIL_TEXT_TEMPLATE | 邮件内容模板 | 【认证服务】{name}:您正在进行验证身份,验证码为{code},有效期5分钟,请尽快完成验证。
+ ATTEST_SERVER_SECUREEMAIL_MAIL_FROM | 邮件内容标题 | 认证服务
+ - | - | -
+ ATTEST_SERVER_FACEVERIFY_SUPERAPP_URL_SCHEME | 在超级APP 中唤起人脸识别的 URL Scheme | superapp
+ - | - | -
+ TOKEN_SERVER_TOKEN_SIGNING_KEY_URL | TOKEN认证验签公钥地址(k8s集群内部地址) | http://token-server-svc.token-server.svc.cluster.local:8080/token/jwt/publicKey
+ - | - | -
+ TPAS_AGENT_SERVICE_SERVER_URL | 代理服务接口地址(k8s集群内部地址) | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH | 短信发送服务地址<br/>console:控制台输出,默认<br/>aliyun:阿里云短信服务<br/>其他,支持学校定制接口 | /api/v1/tpas/sms/console/send
+ TPAS_AGENT_SERVICE_MAIL_SENDER_PATH | 邮件发送服务地址<br/>console:控制台输出,默认<br/>smtp:SMTP服务<br/>其他,支持学校定制接口 | /api/v1/tpas/mail/console/send
+ - | - | -
+ USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ TOKEN_SERVER_SERVER_URL | Token认证服务接口地址(k8s集群内部地址)| http://token-server-svc.token-server.svc.cluster.local:8080/token
+
+
+* authx-log 下的 authx-log-sa
+
+ ConfigMap,authx-log-sa-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ USER_DATA_SERVICE_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ IPADDR_SERVER_URL | IP地址服务 | http://ipaddr.ipaddr.svc.cluster.local:9090
+ - | - | -
+ AUTHX_LOG_ENABLED | 是否开启日志推送 | true
+ AUTHX_LOG_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ AUTHX_LOG_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ AUTHX_LOG_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
## 开始安装
@@ -611,10 +790,13 @@
- | -
用户服务 user-data-service | user
授权服务 user-authorization-service | user_authz
+ - | -
+ 日志服务 authx-log | authx_log
+ - | -
认证服务 cas-server | cas_server
认证服务(APP适用) token-server | token_server
- | -
- 第三方代理服务 thridparty-agent-service | agent_service
+ (可选)第三方代理服务 thridparty-agent-service | agent_service
- | -
v4认证迁移数据 | tmp_data
@@ -623,6 +805,9 @@
```
create user 'user'@'%' identified with mysql_native_password by 'your_password';
create user 'user_authz'@'%' identified with mysql_native_password by 'your_password';
+
+ create user 'authx_log'@'%' identified with mysql_native_password by 'your_password';
+
create user 'cas_server'@'%' identified with mysql_native_password by 'your_password';
create user 'token_server'@'%' identified with mysql_native_password by 'your_password';
@@ -640,10 +825,13 @@
- | -
用户服务 user-data-service | user
授权服务 user-authorization-service | user_authz
+ - | -
+ 日志服务 authx-log | authx_log
+ - | -
认证服务 cas-server | cas_server
认证服务(APP适用) token-server | token_server
- | -
- 第三方代理服务 thridparty-agent-service | agent_service
+ (可选)第三方代理服务 thridparty-agent-service | agent_service
- | -
v4认证迁移数据 | tmp_data
@@ -651,6 +839,9 @@
```
create database `user` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
create database `user_authz` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+
+ create database `authx_log` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+
create database `cas_server` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
create database `token_server` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
@@ -668,6 +859,9 @@
```
grant all privileges on `user`.* to 'user'@'%' with grant option;
grant all privileges on `user_authz`.* to 'user_authz'@'%' with grant option;
+
+ grant all privileges on `authx_log`.* to 'authx_log'@'%' with grant option;
+
grant all privileges on `cas_server`.* to 'cas_server'@'%' with grant option;
grant all privileges on `token_server`.* to 'token_server'@'%' with grant option;
@@ -874,6 +1068,18 @@
TODO: 修改 bff、zuul 配置
TODO: 修改 security-center-ui 配置
+ 7.attest-server
+
+ 此为 身份验证服务
+
+ 提供双因子、二次认证时,进行用户的身份验证,包括 APP推送验证、安全手机验证、安全邮箱验证、人脸识别验证 等能力
+
+ 8.authx-log
+
+ 此为 日志服务
+
+ 收集 用户、认证、授权 的管理、使用过程中产生的 操作日志、登录日志;同时,提供日志查询、基于日志的统计功能
+
9.jobs-server
此为 任务调度服务
@@ -924,9 +1130,13 @@
cas-server
token-server
-
+
personal-security-center
+ attest-server
+
+ authx-log
+
jobs-server
```
@@ -956,15 +1166,14 @@
先修改 脚本中的域名(如果存在)
+* 必须,1.authx0service/10.0.init.sql
+
+ 包括,
+ 安全中心的认证对接配置
+ 云平台,管理接口的路由配置
+ 云平台,管理功能的菜单配置
* 可选,1.authx-service/10.0.tmp.sql
若通过交换同步组织机构、帐号数据的,须执行该数据库脚本
-
-* 可选,1.authx-service/10.1.init-flow.sql
-
- 若部署了 流程平台 的产品
-
- 可默认创建几个管理员帐号,以及初始授权
-
diff --git "a/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf" "b/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf"
index 35bc552..ceaccec 100644
--- "a/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf"
+++ "b/deploy-manifests/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf"
Binary files differ
diff --git "a/deploy-manifests/k8s-rancher/0.1.4.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.3-V1.4\357\274\211.md" "b/deploy-manifests/k8s-rancher/0.1.4.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.3-V1.4\357\274\211.md"
new file mode 100644
index 0000000..cb2db4f
--- /dev/null
+++ "b/deploy-manifests/k8s-rancher/0.1.4.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.3-V1.4\357\274\211.md"
@@ -0,0 +1,306 @@
+
+# 认证授权服务升级文档(V1.3 ~ V1.4)
+
+
+## 部署变更说明
+
+对本次升级进行的简要说明,具体的升级步骤,详见 **升级说明**
+
+1. 数据库用户变更
+
+新增,authx_log
+(可选)移除,agent_service
+
+2. 镜像变更
+
+新增,authx-log
+新增,attest-server
+
+3. 域名变更
+
+(可选)新增,域名 authx-service,将 personal-security-center、security-center、以及 authx-management 合并
+(可选)废弃,域名 personal-security-center,合并至 域名 authx-service
+(可选)废弃,域名 security-center,合并至 域名 authx-service
+(可选)迁移,原域名 authx-management 挂在 域名 admin-platform 域名下,现合并至 authx-service
+(可选)废弃,域名 token,合并至 域名 cas
+
+4. Context Path 变更
+
+(可选)变更,personal-security-center-zuul,context path 更新为 /personal
+(可选)变更,token-server,context path 更新为 /token
+
+5. 访问地址变更
+
+(可选)变更,用户认证授权管理前端UI,`https://admin-platform.paas.xxx.edu.cn/authx-management` 变更为 `https://authx-service.paas.xxx.edu.cn/authx-management`
+(可选)变更,安全中心后端API,`https://personal-security-center.paas.xxx.edu.cn` 变更为 `https://authx-service.paas.xxx.edu.cn/personal`
+(可选)变更,Token 认证,`https://token.paas.xxx.edu.cn` 变更为 `https://cas.pass.xxx.edu.cn/token`
+
+6. 部署yaml 变更
+
+新增,7.attest-server
+新增,8.authx-log
+
+新增,0.authx-service,4.4.authx-service-bff.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+
+新增,1.thirdparty-agent-service,4.2.thirdparty-agent-service.yaml,ConfigMap 增加 人脸服务对接配置 `FACE_*`
+
+新增,2.user-data-service,4.1.user-data-service-poa.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+新增,2.user-data-service,4.2.user-data-service-goa.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+新增,2.user-data-service,4.3.user-data-service-biz.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+
+新增,3.user-authorization-service,4.1.user-authorization-poa.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+新增,3.user-authorization-service,4.2.user-authorization-sa.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+
+新增,4.cas-server,4.2.cas-server-sa-api.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+新增,4.cas-server,4.5.cas-server-site-webapp.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+
+新增,5.token-server,4.1.token-server.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+变更,5.token-server,4.1.token-server.yaml,ConfigMap 修改 将 `SPRING_RABBITMQ_*` 调整为 `USER_RABBITMQ_*`
+(可选)新增,5.token-server,4.1.token-server.yaml,ConfigMap 增加 context path 配置 `SERVER_SERVLET_CONTEXT_PATH: /token`
+(可选)变更,5.token-server,4.1.token-server.yaml,ConfigMap 修改 `TOKEN_SERVER_PREFIX: https://cas.paas.xxx.edu.cn/token`
+
+新增,6.personal-security-center,4.4.personal-security-center-bff.yaml,ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+(可选)新增,6.personal-security-center,4.5.personal-security-center-zuul.yaml,ConfigMap 增加 context path 配置 `SERVER_SERVLET_CONTEXT_PATH: /personal`
+(可选)变更,6.personal-security-center,4.4.personal-security-center-bff.yaml,ConfigMap 修改 `PERSONAL_SECURITY_CENTER_SERVER_PREFIX: https://authx-service.paas.xxx.edu.cn/personal`
+(可选)变更,6.personal-security-center,4.5.personal-security-center-zuul.yaml,ConfigMap 修改 `APP_SERVER_HOST_URL: https://authx-service.paas.xxx.edu.cn/personal`
+(可选)变更,6.personal-security-center,4.5.personal-security-center-zuul.yaml,ConfigMap 修改 `APPLICATION_INDEX_REDIRECT_URI: https://authx-service.paas.xxx.edu.cn`
+(可选)变更,6.personal-security-center,4.9.security-center-ui.yaml,ConfigMap 修改 `MAIN_SERVER: https://authx-service.paas.xxx.edu.cn`
+(可选)变更,6.personal-security-center,4.9.security-center-ui.yaml,ConfigMap 修改 `PERSONAL_CENTER_API: https://authx-service.paas.xxx.edu.cn/personal`
+
+
+## 升级说明
+
+1. 将 工作负载 下的服务 升级到 1.4.x 版本(注意,先执行 `*-installer`)
+
+2. 部署 7.attest-server
+
+3. 部署 8.authx-log
+
+4. ConfigMap 增加 日志服务相关配置 `AUTHX_LOG_*`
+ 包括:
+ authx-service-bff
+ user-data-service-poa
+ user-data-service-goa
+ user-data-service-biz
+ user-authorization-poa
+ user-authorization-sa
+ cas-server-sa-api
+ cas-server-site-webapp
+ token-server
+ personal-security-center-bff
+
+5. token-server,ConfigMap 增加 `USER_RABBITMQ_*`
+
+6. (可选)调整 authx-management-ingress 的 host 为 authx-service.paas.xxx.edu.cn
+
+7. (可选,和 6 一起修改)修改 ConfigMap admin-platform/admin-platform-spa-env 下的配置项 `CAS_SERVER_SPA_URL`, `USER_SERVER_SPA_URL`, `AUTH_SERVER_SPA_URL`
+
+ ```
+ CAS_SERVER_SPA_URL: https://authx-service.paas.xxx.edu.cn/authx-management/cas-server-ui
+ USER_SERVER_SPA_URL: https://authx-service.paas.xxx.edu.cn/authx-management/user-server-ui
+ AUTH_SERVER_SPA_URL: https://authx-service.paas.xxx.edu.cn/authx-management/auth-server-ui
+ ```
+
+8. (可选)token-server,ConfigMap 增加 context path 配置 `SERVER_SERVLET_CONTEXT_PATH: /token`
+9. (可选,和 8 一起修改)调整 token-server-ingress 下 token-server-svc 对应的 path 为 /token
+
+10. (可选)调整 token-server-ingress 的 host 为 cas.paas.xxx.edu.cn;调整 host 后,必须增加 context path 配置(即 8、9)
+
+ 注:
+ 若 修改了 token-server 的 context path、或 调整了host,则须调整 超级APP 的配置
+
+11. (可选)修改 token-server 的 ConfigMap
+
+ `TOKEN_SERVER_PREFIX: https://cas.paas.xxx.edu.cn/token`
+ 注:
+ 若 context path 未配置,则不修改;
+ 若 host 未调整,则修改为 `https://token.paas.xxx.edu.cn/token`
+
+12. (可选)personal-security-center-zuul,ConfigMap 增加 context path 配置 `SERVER_SERVLET_CONTEXT_PATH: /personal`
+13. (可选,和 12 一起修改)调整 personal-security-center-ingress 下 personal-security-center-zuul-svc 对应的 path 为 /personal
+
+14. (可选)调整 personal-security-center-ingress 的 host 为 authx-service.paas.xxx.edu.cn;调整 host 后,必须增加 context path 配置(即 12、13)
+
+ 注:
+ 若 修改了 personal-security-center-zuul 的 context path、或 调整了host,则须调整 超级APP 的配置、门户个人中心 的配置
+
+15. (可选)调整 security-center-ingress 的 host 为 authx-service.paas.xxx.edu.cn
+
+14. (可选)修改 personal-security-center-zuul 的 ConfigMap
+
+ `PERSONAL_SECURITY_CENTER_SERVER_PREFIX: https://authx-service.paas.xxx.edu.cn/personal`
+ 注:
+ 若 context path 未配置,则不修改;
+ 若 host 未调整,则修改为 `https://personal-security-center.paas.xxx.edu.cn/personal`
+
+ `APP_SERVER_HOST_URL: https://authx-service.paas.xxx.edu.cn/personal`
+ 注:
+ 若 context path 未配置,则不修改;
+ 若 host 未调整,则修改为 `https://personal-security-center.paas.xxx.edu.cn/personal`
+
+ `APPLICATION_INDEX_REDIRECT_URI: https://authx-service.paas.xxx.edu.cn` (若 host 未调整,则不修改)
+
+
+15. (可选)修改 security-center-ui 的 ConfigMap
+
+ `MAIN_SERVER: https://authx-service.paas.xxx.edu.cn` (若 host 未调整,则不修改)
+
+ `PERSONAL_CENTER_API: https://authx-service.paas.xxx.edu.cn/personal`
+ 注:
+ 若 context path 未配置,则不修改;
+ 若 host 未调整,则修改为 `https://personal-security-center.paas.xxx.edu.cn/personal`
+
+
+
+## 初始化数据
+
+
+### 创建路由
+
+在 云平台 管理中心 中,添加 接口路由;
+
+管理功能的接口请求,由管理中心的后端网关,统一路由至 相关服务。
+
+**若 路由记录已经存在,请确认 其 路由服务地址 是否正确**
+
+
+#### 方式一,手动添加
+
+进入 云平台 - 基础管理 - 路由管理,添加路由记录
+
+注:
+* 路由前缀 如:`/api/v1/sample/**`,确保与其他路由信息 **不存在冲突**
+* 后端服务地址 如:`http://xxx.sample.edu.cn`
+* 是否丢弃前缀,若是,转发到后端服务时的请求为 `http://xxx.sample.edu.cn/**`,否则为 `http://xxx.sample.edu.cn/api/v1/sample/**`
+
+
+代码 | 名称 | 描述 | 是否启用 | 路由前缀 | 路由服务地址 | 是否丢弃前缀
+- | - | - | - | - | - | - | -
+authx-service-user-api | 认证授权 - 用户接口 | | 是 | /api/v1/base | http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080 | 否
+authx-service-personal-api | 认证授权 - 个人信息接口 | | 是 | /api/v1/personal | http://authx-service-personal-security-center-bff.authx-service.svc.cluster.local:8080/api/v1 | 是
+authx-service-admin-api | 认证授权 - 聚合接口(认证、授权) | | 是 | /api/v2/admin | http://authx-service-bff.authx-service.svc.cluster.local:8080 | 否
+authx-service-open-api | 认证授权 - 聚合接口(公开) | | 是 | /api/v2/open | http://authx-service-bff.authx-service.svc.cluster.local:8080 | 否
+authx-service-log-api | 认证授权 - 日志接口 | | 是 | /api/v2/log | http://authx-service-authx-log-sa.authx-service.svc.cluster.local:8080 | 否
+
+
+### 创建菜单
+
+#### 方式一,手动导入
+
+进入 云平台 - 基础管理 - 菜单管理,导入
+
+所属应用 选择 用户授权
+
+菜单列表(JSON)如下,(复制后粘贴)
+
+**将 origin 修改为正确的 学校域名**
+
+* 认证管理
+
+```json
+[
+ {
+ "id": "20920", "parentIdOrCode":"20000", "code": "twoFactorAuth", "name": "双因子认证", "memo": "", "status": "1",
+ "icon": "su-icon-test", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/twoFactorAuth", "target": "",
+ "order": 20920, "resourceIdOrCodes": []
+ },
+ {
+ "id": "22000", "parentIdOrCode":"20000", "code": "logManagement", "name": "日志管理", "memo": "", "status": "1",
+ "icon": "su-icon-taocanguanli", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/logManagement", "target": "",
+ "order": 22000, "resourceIdOrCodes": []
+ }
+]
+```
+
+
+#### 方式二,bash脚本
+
+* 认证管理
+
+```bash
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/menus/importMenu" -H 'Content-Type: application/json' \
+-d \
+'
+{
+ "applicationId": "10",
+ "menuList":
+ [
+ {
+ "id": "20920", "parentIdOrCode":"20000", "code": "twoFactorAuth", "name": "双因子认证", "memo": "", "status": "1",
+ "icon": "su-icon-test", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/twoFactorAuth", "target": "",
+ "order": 20920, "resourceIdOrCodes": []
+ },
+ {
+ "id": "22000", "parentIdOrCode":"20000", "code": "logManagement", "name": "日志管理", "memo": "", "status": "1",
+ "icon": "su-icon-taocanguanli", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/logManagement", "target": "",
+ "order": 22000, "resourceIdOrCodes": []
+ }
+ ]
+}
+'
+```
+
+
+### 关联角色权限
+
+角色由授权服务进行初始化
+
+
+#### 方式一,手动导入(暂不支持)
+
+进入 云平台 - 基础管理 - 角色权限,导入
+
+角色权限(JSON)如下,(复制后粘贴)
+
+```json
+[
+ {
+ "roleId": "20", "roleCode":"cas-admin",
+ "permissionIdOrCodes": ["20920", "22000"]
+ }
+]
+```
+
+
+#### 方式二,bash脚本
+
+```bash
+curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/rolePermissions/importRolePermission" -H 'Content-Type: application/json' \
+-d \
+'
+{
+ "roleCodeIdMap": {
+ "cas-admin": "20",
+ "user-admin": "30",
+ "user-authz-admin": "40",
+ "user-authz-grant-admin": "41",
+ "user-authz-man-grant-admin": "42"
+ },
+ "rolePermissionList":
+ [
+ {
+ "roleId": "20", "roleCode":"cas-admin",
+ "permissionIdOrCodes": ["1", "20000", "20100", "20200", "20300", "20400", "20500", "20600", "20700", "20800", "20900", "20920", "21000", "21100", "22000"]
+ },
+ {
+ "roleId": "30", "roleCode": "user-admin",
+ "permissionIdOrCodes": ["1", "30000", "30100", "30200", "30300", "30400", "30500", "30600", "30700", "30800", "31000"]
+ },
+ {
+ "roleId": "40", "roleCode": "user-authz-admin",
+ "permissionIdOrCodes": ["1", "40000", "40050", "40100", "40200", "40300", "40500", "40900", "41100", "41200", "41300", "41350", "41400", "41500"]
+ },
+ {
+ "roleId": "41", "roleCode": "user-authz-grant-admin",
+ "permissionIdOrCodes": ["1", "40000", "40100", "40300", "40500"]
+ },
+ {
+ "roleId": "42", "roleCode": "user-authz-man-grant-admin",
+ "permissionIdOrCodes": ["1", "40000", "40900"]
+ }
+ ]
+}
+'
+```
+
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-ingresses.yaml b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-ingresses.yaml
index abf1755..c8f87da 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-ingresses.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-ingresses.yaml
@@ -6,14 +6,14 @@
kind: Ingress
metadata:
namespace: authx-service
- name: authx-management-ingress
+ name: authx-service-authx-management-ingress
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
rules:
# 修改为学校的根域名
- - host: admin-platform.paas.xxx.edu.cn
+ - host: authx-service.paas.xxx.edu.cn
http:
paths:
- path: /authx-management/(.*)
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml
index 36b4b70..c535c46 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml
@@ -74,6 +74,14 @@
#TPAS_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
#TPAS_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
---
apiVersion: v1
kind: Service
@@ -114,7 +122,7 @@
spec:
containers:
- name: authx-service-bff
- image: harbor.supwisdom.com/authx-service/authx-service-bff:1.3.1-RELEASE
+ image: harbor.supwisdom.com/authx-service/authx-service-bff:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.9.authx-management.yaml b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.9.authx-management.yaml
index 8fedc83..06c3911 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.9.authx-management.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.9.authx-management.yaml
@@ -44,7 +44,7 @@
spec:
containers:
- name: authx-management
- image: harbor.supwisdom.com/authx-service/authx-management:1.3.1-RELEASE
+ image: harbor.supwisdom.com/authx-service/authx-management:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 80
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml b/deploy-manifests/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml
index a129c1c..eef5afa 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml
@@ -62,6 +62,23 @@
# 若须对接sms 接口,须进行二开定制
+ # face
+ # aiface 新开普人脸
+ FACE_AIFACE_AUTOCONFIGURE_ENABLED: "false"
+ FACE_AIFACE_URL: ""
+ FACE_AIFACE_APPKEY: ""
+ FACE_AIFACE_APPSECRET: ""
+ FACE_AIFACE_SECRETKEY: ""
+ FACE_AIFACE_TERM_CODE: ""
+
+ # aipface 百度人脸
+ FACE_AIPFACE_AUTOCONFIGURE_ENABLED: "true"
+ FACE_AIPFACE_APPID: "24825582"
+ FACE_AIPFACE_APIKEY: "1KK9A5hIB9HNbHWQGVrw26Ww"
+ FACE_AIPFACE_SECRETKEY: "AsANn1AoxhHDGsscQ7QUIKmWnCW0vggH"
+ FACE_AIPFACE_GROUPIDLIST: "TEST_1"
+
+
---
apiVersion: v1
kind: Secret
@@ -121,7 +138,7 @@
containers:
- name: agent-service
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/thirdparty-agent-service/agent-service:1.2.0-RELEASE
+ image: harbor.supwisdom.com/thirdparty-agent-service/agent-service:1.3.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/10.0.init.sql b/deploy-manifests/k8s-rancher/1.authx-service/10.0.init.sql
index 3298454..371d490 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/10.0.init.sql
+++ b/deploy-manifests/k8s-rancher/1.authx-service/10.0.init.sql
@@ -313,3 +313,30 @@
commit;
+
+-- V1.4,初始数据脚本
+
+update TB_MGT_PERMISSION
+set CODE='logManagement', URL='/cas-server/logManagement'
+where ID='22000'
+;
+
+commit;
+
+
+-- 注意
+update TB_MGT_PERMISSION
+ set LFT = LFT+2
+where LFT>=45
+;
+
+update TB_MGT_PERMISSION
+ set RGT = RGT+2
+where RGT>=45
+;
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('21100', 0, 'twoFactorAuth', '双因子认证', '1', '2', 'su-icon-test', '/cas-server/twoFactorAuth', '10', '20000', 21100, 2, 45, 46);
+
+commit;
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml
index fdecf82..745c460 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml
@@ -28,7 +28,7 @@
containers:
- name: user-data-service-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/goa/installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/goa/installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml
index 0e86267..63d972c 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml
@@ -51,6 +51,13 @@
LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_GOA_COMMON_LOG: INFO
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
---
apiVersion: v1
kind: Service
@@ -92,7 +99,7 @@
containers:
- name: user-data-service-poa
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/goa/poa-api:1.3.1-RELEASE
+ image: harbor.supwisdom.com/goa/poa-api:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml
index 8d5d776..68cfc18 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml
@@ -69,10 +69,25 @@
IPADDR_API_URL: http://ipaddr.ipaddr.svc.cluster.local:9090/v1/find
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
LOGGING_LEVEL_COM_SUPWISDOM_GOA: INFO
LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_GOA_COMMON_LOG: INFO
-
---
apiVersion: v1
kind: Service
@@ -114,7 +129,7 @@
containers:
- name: user-data-service-goa
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/goa/goa-api:1.3.1-RELEASE
+ image: harbor.supwisdom.com/goa/goa-api:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml
index 6494b6e..74d6c2a 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml
@@ -55,6 +55,13 @@
LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_GOA_COMMON_LOG: INFO
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
---
apiVersion: v1
kind: Service
@@ -96,7 +103,7 @@
containers:
- name: user-data-service-biz
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/goa/biz-api:1.3.1-RELEASE
+ image: harbor.supwisdom.com/goa/biz-api:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml
index 5e8d4a4..1bba19f 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml
@@ -41,7 +41,7 @@
containers:
- name: user-data-service-datax-job
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/goa/datax-job:1.3.1-RELEASE
+ image: harbor.supwisdom.com/goa/datax-job:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml
index fc658da..bfc4af5 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml
@@ -38,7 +38,7 @@
containers:
- name: api-docs-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/goa/api-docs-installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/goa/api-docs-installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml
index c47a567..4afd7d8 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml
@@ -28,7 +28,7 @@
containers:
- name: user-authorization-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/user-authorization-service/user-authorization-installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/user-authorization-service/user-authorization-installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml
index 487e850..740ee97 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml
@@ -37,6 +37,14 @@
LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_USER_AUTHORIZATION_SERVICE_COMMON_LOG: INFO
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
---
apiVersion: v1
kind: Service
@@ -78,7 +86,7 @@
containers:
- name: user-authorization-poa
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/user-authorization-service/user-authorization-poa:1.3.1-RELEASE
+ image: harbor.supwisdom.com/user-authorization-service/user-authorization-poa:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml
index a9e66f0..bb55321 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml
@@ -36,6 +36,14 @@
LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_USER_AUTHORIZATION_SERVICE_COMMON_LOG: INFO
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
# SBA_URL: http://spring-boot-admin-svc.base.svc.cluster.local:8080
@@ -80,7 +88,7 @@
containers:
- name: user-authorization-sa
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/user-authorization-service/user-authorization-sa:1.3.1-RELEASE
+ image: harbor.supwisdom.com/user-authorization-service/user-authorization-sa:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml
index 888963d..e4789b1 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml
@@ -41,7 +41,7 @@
containers:
- name: user-authorization-datax-job
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/user-authorization-service/user-authorization-datax-job:1.3.1-RELEASE
+ image: harbor.supwisdom.com/user-authorization-service/user-authorization-datax-job:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml
index 1df04c9..90d8627 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml
@@ -38,7 +38,7 @@
containers:
- name: api-docs-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/user-authorization-service/api-docs-installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/user-authorization-service/api-docs-installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml
index 8238b1e..42eca24 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml
@@ -17,16 +17,7 @@
name: cas-ingress
annotations:
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
- # cert-manager.io/cluster-issuer: "letsencrypt-staging"
- # nginx.ingress.kubernetes.io/ssl-redirect: "true"
- # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
- # nginx.ingress.kubernetes.io/auth-tls-secret: "cas-server/ca-secret"
- # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
spec:
- # tls:
- # - hosts:
- # - cas.paas.xxx.edu.cn
- # secretName: cas-ingress-tls
rules:
# 修改为学校的根域名
- host: cas.paas.xxx.edu.cn
@@ -40,6 +31,3 @@
backend:
serviceName: cas-server-site-scheme-svc
servicePort: http
-
-
-# TODO: https 配置说明
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml
index feac2b9..8fe13ae 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml
@@ -28,7 +28,7 @@
containers:
- name: cas-server-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/cas-server/cas-server-installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/cas-server/cas-server-installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
index 74a1079..4ba150a 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
@@ -42,6 +42,13 @@
#USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
---
apiVersion: v1
kind: Secret
@@ -95,7 +102,7 @@
containers:
- name: cas-server-sa-api
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/cas-server/cas-server-sa-api:1.3.1-RELEASE
+ image: harbor.supwisdom.com/cas-server/cas-server-sa-api:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml
index 6bc00dc..38a0a80 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml
@@ -65,7 +65,7 @@
containers:
- name: cas-server-security-engine
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/cas-server/cas-server-security-engine:1.3.1-RELEASE
+ image: harbor.supwisdom.com/cas-server/cas-server-security-engine:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 6060
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml
index 6a080d9..6826c26 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml
@@ -13,11 +13,11 @@
#SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
#SSL_KEYSTORE_PASSWORD: ""
- SERVER_MAXHTTPHEADERSIZE: "10240"
+ SERVER_MAXHTTPHEADERSIZE: "2097152"
SERVER_TOMCAT_ACCEPT_COUNT: "5000"
SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
- SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MAX_THREADS: "350"
SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
@@ -116,8 +116,8 @@
CASSERVERSITE_SMS_SENDER_IMPL: agent-service
# **修改** 学校的根域名
- CASSERVERSITE_FORGOT_PASSWORD_URL: https://security-center.paas.xxx.edu.cn/find-pwd
- CASSERVERSITE_ACTIVE_ACCOUNT_URL: https://security-center.paas.xxx.edu.cn/active-account
+ CASSERVERSITE_FORGOT_PASSWORD_URL: https://authx-service.paas.xxx.edu.cn/find-pwd
+ CASSERVERSITE_ACTIVE_ACCOUNT_URL: https://authx-service.paas.xxx.edu.cn/active-account
## 动态码登录相关配置
CASSERVERSITE_PASSWORDLESS_TOKEN_EXPIRATION_IN_SECONDS: "300"
@@ -131,6 +131,11 @@
# http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080/api/v1/security/accounts/verifyAccountPassword
+ ##
+ # 超级APP Token 的验签公钥
+ SUPERAPP_TOKEN_SIGNING_KEY_URL: http://token-server-svc.token-server.svc.cluster.local:8080/token/jwt/publicKey
+
+
TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
#TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
@@ -172,11 +177,30 @@
#USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
#USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
- ##
- # 超级APP Token 的验签公钥
- # 如须和 超级APP 进行对接,修改此配置
- # **修改** 学校的根域名
- SUPERAPP_TOKEN_SIGNING_KEY_URL: https://token.paas.xxx.edu.cn/jwt/publicKey
+
+ ATTEST_SERVER_URL: http://attest-server-svc.attest-server.svc.cluster.local:8080/attest
+ ATTEST_CLIENT_AUTH_ENABLED: "false"
+ #ATTEST_CLIENT_AUTH_KEY_PASSWORD: ""
+ #ATTEST_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #ATTEST_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #ATTEST_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #ATTEST_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ IPADDR_SERVER_URL: http://ipaddr.ipaddr.svc.cluster.local:9090
+ IPADDR_CLIENT_AUTH_ENABLED: "false"
+ #IPADDR_CLIENT_AUTH_KEY_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #IPADDR_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
##
@@ -228,7 +252,7 @@
containers:
- name: cas-server-site-webapp
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/cas-server/cas-server-site-webapp:1.3.1-RELEASE
+ image: harbor.supwisdom.com/cas-server/cas-server-site-webapp:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
@@ -246,9 +270,9 @@
name: cas-server-site-webapp-env
resources:
requests:
- memory: "6000Mi"
+ memory: "4096Mi"
limits:
- memory: "6000Mi"
+ memory: "4096Mi"
readinessProbe:
tcpSocket:
port: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml
index 5aada1b..4ca985f 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml
@@ -95,7 +95,7 @@
memory: "256Mi"
- name: cas-server-site-scheme-generator
# 根据情况修改镜像地址
- image: harbor.supwisdom.com/cas-server/cas-server-site-scheme:1.3.1-RELEASE
+ image: harbor.supwisdom.com/cas-server/cas-server-site-scheme:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml
index e1e880d..b390d9b 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml
@@ -42,7 +42,7 @@
containers:
- name: cas-server-datax-job
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/cas-server/cas-server-datax-job:1.3.1-RELEASE
+ image: harbor.supwisdom.com/cas-server/cas-server-datax-job:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml
index 808eb18..3634ed7 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml
@@ -13,10 +13,10 @@
spec:
rules:
# 修改为学校的根域名
- - host: token.paas.xxx.edu.cn
+ - host: cas.paas.xxx.edu.cn
http:
paths:
- - path: /
+ - path: /token
backend:
serviceName: token-server-svc
servicePort: http
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml
index 9b43336..ad0118a 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml
@@ -28,7 +28,7 @@
containers:
- name: token-server-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/token-server/token-server-installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/token-server/token-server-installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml
index b7cc3bf..89706ed 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml
@@ -13,7 +13,9 @@
#SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
#SSL_KEYSTORE_PASSWORD: ""
- SERVER_MAXHTTPHEADERSIZE: "10240"
+ SERVER_SERVLET_CONTEXT_PATH: "/token"
+
+ SERVER_MAXHTTPHEADERSIZE: "20480"
SERVER_TOMCAT_ACCEPT_COUNT: "5000"
SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
@@ -33,7 +35,7 @@
# **修改** 学校的根域名
- TOKEN_SERVER_PREFIX: https://token.paas.xxx.edu.cn
+ TOKEN_SERVER_PREFIX: https://token.paas.xxx.edu.cn/token
# **修改** 学校的根域名
TOKEN_SERVER_SECURITY_JWT_ISS: token.paas.xxx.edu.cn
#TOKEN_SERVER_SECURITY_JWT_EXPIRATION: 2592000
@@ -89,6 +91,8 @@
MESSAGECENTER_MESSAGE_TYPE_CODE_APP_LOGIN: APP_LOGIN
MESSAGECENTER_MESSAGE_TYPE_CODE_PASSWORD: PASSWORD
+ MESSAGECENTER_MESSAGE_TYPE_CODE_APPPUSH: APPPUSH
+
# **修改** 从POA申请
POA_SERVER_URL: https://poa.paas.xxx.edu.cn
POA_CLIENT_ID: ""
@@ -96,6 +100,18 @@
POA_SCOPES: messagecenter:v1:sendMessage
+ TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send
+ TPAS_AGENT_SERVICE_FACE_FACEVERIFY_PATH: /api/v1/tpas/face/aiface/faceverify
+
+
CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
#CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
@@ -113,15 +129,45 @@
#USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
- TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
- TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
- #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
- #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
- #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
- #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
- #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+ ATTEST_SERVER_URL: http://attest-server-svc.attest-server.svc.cluster.local:8080/attest
+ ATTEST_CLIENT_AUTH_ENABLED: "false"
+ #ATTEST_CLIENT_AUTH_KEY_PASSWORD: ""
+ #ATTEST_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #ATTEST_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #ATTEST_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #ATTEST_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
- TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send
+
+ IPADDR_SERVER_URL: http://ipaddr.ipaddr.svc.cluster.local:9090
+ IPADDR_CLIENT_AUTH_ENABLED: "false"
+ #IPADDR_CLIENT_AUTH_KEY_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #IPADDR_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ ##
+ # authx-log rabbitmq
+ #
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+ ##
+ # 接收 user 推送的 rabbitmq 数据
+ #
+ USER_RABBITMQ_ENABLED: "true"
+ USER_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ USER_RABBITMQ_PORT: "5672"
+ USER_RABBITMQ_USERNAME: guest
+ USER_RABBITMQ_PASSWORD: guest
+
+ USER_RABBITMQ_CONSUMER_ENABLED: "true"
+
---
apiVersion: v1
@@ -179,7 +225,7 @@
containers:
- name: token-server
# 若使用了学校搭设的私有仓库,请 **修改**
- image: harbor.supwisdom.com/token-server/token-server:1.3.1-RELEASE
+ image: harbor.supwisdom.com/token-server/token-server:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
@@ -204,7 +250,7 @@
memory: "1024Mi"
readinessProbe:
httpGet:
- path: /actuator/health
+ path: /token/actuator/health
port: 8080
initialDelaySeconds: 20
periodSeconds: 5
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml
index fe7387c..836af30 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml
@@ -38,7 +38,7 @@
containers:
- name: api-docs-installer
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/token-server/api-docs-installer:1.3.1-RELEASE
+ image: harbor.supwisdom.com/token-server/api-docs-installer:1.4.0-RELEASE
imagePullPolicy: Always
envFrom:
- configMapRef:
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml
index 3bdc109..e2f3c30 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml
@@ -13,26 +13,25 @@
spec:
rules:
# 修改为学校的根域名
- - host: personal-security-center.paas.xxx.edu.cn
+ - host: authx-service.paas.xxx.edu.cn
http:
paths:
- - path: /
+ - path: /personal
backend:
serviceName: personal-security-center-zuul-svc
servicePort: http
-
-# 安全中心前端
+# 安全中心
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: personal-security-center
- name: security-center-ui-ingress
+ name: security-center-ingress
spec:
rules:
# 修改为学校的根域名
- - host: security-center.paas.xxx.edu.cn
+ - host: authx-service.paas.xxx.edu.cn
http:
paths:
- path: /
@@ -40,3 +39,30 @@
serviceName: security-center-ui-svc
servicePort: http
+
+# 也可以合并为一个 ingress,参考如下:
+
+# # 安全中心 前端UI、后端API
+# ---
+# apiVersion: extensions/v1beta1
+# kind: Ingress
+# metadata:
+# namespace: personal-security-center
+# name: authx-service-security-center-ingress
+# annotations:
+# nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+# spec:
+# rules:
+# # 修改为学校的根域名
+# - host: authx-service.paas.xxx.edu.cn
+# http:
+# paths:
+# - path: /
+# backend:
+# serviceName: security-center-ui-svc
+# servicePort: http
+# - path: /personal
+# backend:
+# serviceName: personal-security-center-zuul-svc
+# servicePort: http
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml
index ae9611c..9f93bb9 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml
@@ -93,9 +93,9 @@
# 修改为学校的 personal-security-center 的访问域名
- PERSONAL_SECURITY_CENTER_SERVER_PREFIX: http://personal-security-center.paas.xxx.edu.cn
+ PERSONAL_SECURITY_CENTER_SERVER_PREFIX: https://authx-service.paas.xxx.edu.cn/personal
# 修改为学校的 cas 的访问域名
- CAS_SERVER_PREFIX: http://cas.paas.xxx.edu.cn/cas
+ CAS_SERVER_PREFIX: https://cas.paas.xxx.edu.cn/cas
PERSONAL_SECURITY_BFF_NONCE_STORE_IMPL: redis
@@ -150,6 +150,7 @@
TPAS_FILE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
TPAS_MAIL_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/mail/smtp
TPAS_SMS_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/sms/console
+ TPAS_FACE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/face/aiface
TPAS_CLIENT_AUTH_ENABLED: "false"
#TPAS_CLIENT_AUTH_KEY_PASSWORD: ""
#TPAS_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
@@ -166,6 +167,14 @@
# COMMUNICATOR_SMS_SENDER_URL: https://agent-service-api.supwisdom.com/api/v1/tpas/sms/console/send
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
---
apiVersion: v1
kind: Secret
@@ -218,7 +227,7 @@
containers:
- name: personal-security-center-bff
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/personal-security-center/personal-security-bff:1.3.1-RELEASE
+ image: harbor.supwisdom.com/personal-security-center/personal-security-bff:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml
index 9bcd61f..32c52ba 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml
@@ -14,6 +14,8 @@
#SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
#SSL_TRUSTSTORE_PASSWORD: ""
+ SERVER_SERVLET_CONTEXT_PATH: "/personal"
+
SERVER_MAXHTTPHEADERSIZE: "10240"
SERVER_TOMCAT_ACCEPT_COUNT: "5000"
@@ -62,18 +64,18 @@
#INFRAS_SECURITY_JWT_TOKEN_SIGNING_KEY_URL: "http://uniauth-prod-backend.uniauth.svc.cluster.local:9090/idtoken/publicKey"
- INFRAS_SECURITY_CAS_ENABLED: "true"
- # 修改为学校的 personal-security-center 的访问域名
- APP_SERVER_HOST_URL: "http://personal-security-center.paas.xxx.edu.cn"
+ INFRAS_SECURITY_CAS_ENABLED: "false"
+ # 修改为学校的 security-center 的访问域名
+ APP_SERVER_HOST_URL: "https://authx-service.paas.xxx.edu.cn/personal"
#APP_LOGIN_URL: "/cas/login"
#APP_LOGOUT_URL: "/cas/logout"
# 修改为学校的 cas 的访问域名
- CAS_SERVER_HOST_URL: "http://cas.paas.xxx.edu.cn/cas"
+ CAS_SERVER_HOST_URL: "https://cas.paas.xxx.edu.cn/cas"
# 后端API服务,域名访问时,默认跳转地址
# 修改为学校的 security-center 安全中心的访问域名
- APPLICATION_INDEX_REDIRECT_URI: "http://security-center.paas.xxx.edu.cn"
+ APPLICATION_INDEX_REDIRECT_URI: "https://authx-service.paas.xxx.edu.cn"
ZUUL_HTTPCLIENT_CLIENT_AUTH_ENABLED: "false"
@@ -152,7 +154,7 @@
containers:
- name: personal-security-center-zuul
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/personal-security-center/personal-security-zuul:1.3.1-RELEASE
+ image: harbor.supwisdom.com/personal-security-center/personal-security-zuul:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 8080
@@ -175,7 +177,7 @@
memory: "512Mi"
readinessProbe:
httpGet:
- path: /actuator/health
+ path: /personal/actuator/health
port: 8080
initialDelaySeconds: 20
periodSeconds: 5
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml
index 7072e3d..671389a 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml
@@ -8,23 +8,23 @@
name: security-center-ui-env
data:
# **修改** 学校的根域名
- RESOURCE_PREFIX: http://authx-minio.paas.xxx.edu.cn/security-center-ui
+ RESOURCE_PREFIX: https://authx-minio.paas.xxx.edu.cn/security-center-ui
SCHOOL_NAME: ""
- MAIN_SERVER: http://security-center.paas.xxx.edu.cn
+ MAIN_SERVER: https://authx-service.paas.xxx.edu.cn
- PERSONAL_CENTER_API: http://personal-security-center.paas.xxx.edu.cn
+ PERSONAL_CENTER_API: https://authx-service.paas.xxx.edu.cn/personal
# 可选 cas,uniauth
AUTH_TYPE: cas
# AUTH_TYPE 为 uniauth 时,配置
- UNIAUTH_IDTOKEN: http://uniauth.paas.xxx.edu.cn/idtoken
+ UNIAUTH_IDTOKEN: https://uniauth.paas.xxx.edu.cn/idtoken
UNIAUTH_IDTOKEN_ISS: "uniauth"
UNIAUTH_CLIENT_ID: "22"
# AUTH_TYPE 为 cas 时,配置 AUTH_CAS、JWT_ISS、JWT_SECRET
- AUTH_CAS: http://cas.paas.xxx.edu.cn/cas
- JWT_ISS: http://cas.paas.xxx.edu.cn/cas
+ AUTH_CAS: https://cas.paas.xxx.edu.cn/cas
+ JWT_ISS: https://cas.paas.xxx.edu.cn/cas
JWT_SECRET: (@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2
@@ -64,7 +64,7 @@
containers:
- name: security-center-ui
# 若使用了学校搭设的私有仓库,请修改
- image: harbor.supwisdom.com/personal-security-center/security-center-ui:1.3.1-RELEASE
+ image: harbor.supwisdom.com/personal-security-center/security-center-ui:1.4.0-RELEASE
imagePullPolicy: Always
ports:
- containerPort: 80
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml
new file mode 100644
index 0000000..c3968d2
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml
@@ -0,0 +1,16 @@
+# 0.attest-server-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: attest-server
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml
new file mode 100644
index 0000000..c6be3bc
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml
@@ -0,0 +1,10 @@
+# 1.attest-server-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: attest-server
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml
new file mode 100644
index 0000000..71f4d2a
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml
@@ -0,0 +1,21 @@
+# 2.attest-server-ingresses.yaml
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: attest-server-ingress
+ namespace: attest-server
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: cas.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /attest
+ backend:
+ serviceName: attest-server-svc
+ servicePort: http
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml
new file mode 100644
index 0000000..fb8aa8b
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml
@@ -0,0 +1,172 @@
+# 4.1.attest-server.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: attest-server
+ name: attest-server-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEY_PASSWORD: ""
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+
+ SERVER_SERVLET_CONTEXT_PATH: "/attest"
+
+ SERVER_MAXHTTPHEADERSIZE: "20480"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "500"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "500"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ # **修改** 从POA申请
+ POA_SERVER_URL: https://poa.paas.xxx.edu.cn
+ POA_CLIENT_ID: ""
+ POA_CLIENT_SECRET: ""
+ POA_SCOPES: appPush:v1:apppushByMessageType
+
+
+ # 修改为学校的根域名
+ ATTEST_SERVER_PREFIX: https://cas.paas.xxx.edu.cn/attest
+
+
+ # guard
+ ATTEST_SERVER_SECUREPHONE_SMS_TEXT_TEMPLATE: 【认证服务】{name}:您正在进行验证身份,验证码为{code},有效期5分钟,请尽快完成验证。
+ ATTEST_SERVER_SECUREPHONE_SMS_FROM: 认证服务
+
+ ATTEST_SERVER_SECUREEMAIL_MAIL_TEXT_TEMPLATE: 【认证服务】{name}:您正在进行验证身份,验证码为{code},有效期5分钟,请尽快完成验证。
+ ATTEST_SERVER_SECUREEMAIL_MAIL_FROM: 认证服务
+
+ # 在超级APP 中唤起人脸识别的 URL Scheme
+ ATTEST_SERVER_FACEVERIFY_SUPERAPP_URL_SCHEME: superapp
+
+
+ # 超级APP Token 的验签公钥
+ TOKEN_SERVER_TOKEN_SIGNING_KEY_URL: http://token-server-svc.token-server.svc.cluster.local:8080/token/jwt/publicKey
+
+
+ USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send
+ TPAS_AGENT_SERVICE_MAIL_SENDER_PATH: /api/v1/tpas/mail/console/send
+ TPAS_AGENT_SERVICE_FACE_FACEVERIFY_PATH: /api/v1/tpas/face/aiface/faceverify
+
+
+ ##
+ # token-server
+ #
+ TOKEN_SERVER_SERVER_URL: http://token-server-svc.token-server.svc.cluster.local:8080/token
+
+
+ ##
+ # 将 attest 数据 推送到 rabbitmq
+ #
+ # ATTEST_RABBITMQ_ENABLED: "false"
+ # ATTEST_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ # ATTEST_RABBITMQ_PORT: "5672"
+ # ATTEST_RABBITMQ_USERNAME: guest
+ # ATTEST_RABBITMQ_PASSWORD: guest
+ #
+ # ATTEST_RABBITMQ_APPPUSHATTEST2TOKENRABBITSENDER_ENABLED: "false"
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: attest-server
+ name: attest-server-env-secret
+type: Opaque
+data:
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: attest-server
+ name: attest-server-svc
+ labels:
+ app: attest-server
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: attest-server
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: attest-server
+ name: attest-server
+spec:
+ selector:
+ matchLabels:
+ app: attest-server
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: attest-server
+ spec:
+ containers:
+ - name: attest-server
+ image: harbor.supwisdom.com/attest-server/attest-server:1.4.0-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - configMapRef:
+ name: attest-server-env
+ - secretRef:
+ name: attest-server-env-secret
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /attest/actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/0.authx-log-base.yaml b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/0.authx-log-base.yaml
new file mode 100644
index 0000000..84e9a09
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/0.authx-log-base.yaml
@@ -0,0 +1,16 @@
+# 0.authx-log-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: authx-log
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/1.authx-log-env.yaml b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/1.authx-log-env.yaml
new file mode 100644
index 0000000..8b20aad
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/1.authx-log-env.yaml
@@ -0,0 +1,26 @@
+# 1.authx-log-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-log
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: authx-log
+ name: datasource-env-secret
+type: Opaque
+data:
+ # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/authx_log?serverTimezone=Asia/Shanghai
+ JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvYXV0aHhfbG9nP3NlcnZlclRpbWV6b25lPUFzaWEvU2hhbmdoYWk=
+ # authx_log
+ JDBC_USERNAME: YXV0aHhfbG9n
+ # 修改为实际的数据库密码,并使用 base64 工具进行编码
+ # kingstar
+ JDBC_PASSWORD: a2luZ3N0YXI=
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.0.authx-log-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.0.authx-log-installer.yaml
new file mode 100644
index 0000000..bfc032f
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.0.authx-log-installer.yaml
@@ -0,0 +1,40 @@
+# 4.0.authx-log-installer.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-log
+ name: authx-log-installer-env
+data:
+ DB_TYPE: mysql8
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: authx-log
+ name: authx-log-installer
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: authx-log-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: authx-log-installer
+ image: harbor.supwisdom.com/authx-log/authx-log-installer:1.4.0-RELEASE
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - configMapRef:
+ name: authx-log-installer-env
+ imagePullSecrets:
+ - name: harbor-registry
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml
new file mode 100644
index 0000000..36bd04c
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml
@@ -0,0 +1,116 @@
+# 4.2.authx-log-sa.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-log
+ name: authx-log-sa-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ #同环境中用户的地址
+ USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ # USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ # USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ # USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ # USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ # USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ #ipaddr
+ IPADDR_SERVER_URL: http://ipaddr.ipaddr.svc.cluster.local:9090
+ IPADDR_CLIENT_AUTH_ENABLED: "false"
+ #IPADDR_CLIENT_AUTH_KEY_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #IPADDR_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-log
+ name: authx-log-sa-svc
+ labels:
+ app: authx-log-sa
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: authx-log-sa
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: authx-log
+ name: authx-log-sa
+spec:
+ selector:
+ matchLabels:
+ app: authx-log-sa
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: authx-log-sa
+ annotations:
+ co.elastic.logs/enabled: "true"
+ spec:
+ containers:
+ - name: authx-log-sa
+ image: harbor.supwisdom.com/authx-log/authx-log-sa:1.4.0-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - configMapRef:
+ name: authx-log-sa-env
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
diff --git "a/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216.md" "b/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216.md"
index a3ad150..44c2def 100644
--- "a/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216.md"
+++ "b/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216.md"
@@ -20,81 +20,311 @@
### CAS认证
-**采用 sql 文件执行接口进行部署**
+**采用业务管理接口进行部署**
-版本要求:1.2.2
+版本要求:1.2.0
* 部署接口
+1. 创建 Service
+
```bash
curl -i -s -X POST \
- -H 'Content-Type: text/plain' \
- --data-binary @cas_server_integrate.sql \
- 'http://cas-server-sa.cas-server.svc.cluster.local:8080/deploy/execSql'
+ -H 'Content-Type: application/json' \
+ -d '{
+ "id": "0",
+ "companyId": 1,
+ "name": "示例",
+ "description": "示例",
+ "informationUrl": "https://example.com",
+ "logoutUrl": "https://example.com/slo",
+ "responseType": "REDIRECT",
+ "logoutType": "FRONT_CHANNEL",
+ "evaluationOrder": 0,
+ "friendlyName": "示例",
+ "registeredServiceId": 0,
+ "serviceId": "https://example.com/(.*)",
+ "enabled": true,
+ "ssoEnabled": true,
+ "requireAllAttributes": true,
+ "idTokenEnabled": false,
+ "jwtAsServiceTicket": false,
+ "adaptV4Product": false,
+ "applicationId": "0",
+ "applicationDomain": "example.com",
+ "externalId": "0"
+}' \
+ 'http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080/v1/admin/services'
```
-* SQL脚本示例
+2. 更新 Service
-cas_server_integrate.sql
-```sql
--- Service 的创建
-INSERT INTO TB_SERVICE (ID, COMPANY_ID, DELETED, ADD_ACCOUNT, ADD_TIME,
- NAME, DESCRIPTION, INFORMATION_URL, LOGOUT_URL,
- RESPONSE_TYPE, LOGOUT_TYPE,
- EVALUATION_ORDER, FRIENDLY_NAME, REGISTERED_SERVICE_ID, SERVICE_ID,
- ENABLED, SSO_ENABLED, REQUIRE_ALL_ATTRIBUTES,
- ID_TOKEN_ENABLED, JWT_AS_SERVICE_TICKET, ADAPT_V4_PRODUCT,
- APPLICATION_ID, APPLICATION_DOMAIN, EXTERNAL_ID)
-VALUES ('0', '1', 0, 'admin', null,
- '示例', '示例', 'https://example.com', 'https://example.com/slo',
- 'REDIRECT', 'FRONT_CHANNEL',
- 0, '示例', 0, 'https://example.com/(.*)',
- 1, 1, 1,
- 0, 0, 0,
- '0', 'example.com', '0');
-
-commit;
+```bash
+curl -i -s -X PUT \
+ -H 'Content-Type: application/json' \
+ -d '{
+ "id": "0",
+ "companyId": 1,
+ "name": "示例",
+ "description": "示例",
+ "informationUrl": "https://example.com",
+ "logoutUrl": "https://example.com/slo",
+ "responseType": "REDIRECT",
+ "logoutType": "FRONT_CHANNEL",
+ "evaluationOrder": 0,
+ "friendlyName": "示例",
+ "registeredServiceId": 0,
+ "serviceId": "https://example.com/(.*)",
+ "enabled": true,
+ "ssoEnabled": true,
+ "requireAllAttributes": true,
+ "idTokenEnabled": false,
+ "jwtAsServiceTicket": false,
+ "adaptV4Product": false,
+ "applicationId": "0",
+ "applicationDomain": "example.com",
+ "externalId": "0"
+}' \
+ 'http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080/v1/admin/services'
```
+
> 说明
-修改 ID、EVALUATION_ORDER、REGISTERED_SERVICE_ID、APPLICATION_ID、EXTERNAL_ID,应用的ID、标识等
+修改 id、registeredServiceId、applicationId、externalId,应用的ID、标识等
-修改 NAME、DESCRIPTION、FRIENDLY_NAME,应用的名称
+修改 evaluationOrder
-修改 ID_TOKEN_ENABLED、JWT_AS_SERVICE_TICKET,1 启用,0 禁用
+修改 name、description、friendlyName,应用的名称
-修改 INFORMATION_URL、LOGOUT_URL、SERVICE_ID、APPLICATION_DOMAIN,相关地址、域名修改
+修改 idTokenEnabled、jwtAsServiceTicket、adaptV4Product,true 启用,false 禁用
-> 应用对接表 TB_SERVICE
+修改 informationUrl、logoutUrl、serviceId、applicationDomain,相关地址、域名修改
-字段名 | 字段说明
+
+
+* 接口属性说明
+
+> 应用(Service)的属性说明
+
+属性名 | 说明
- | -
-ID | 确保唯一性
-COMPANY_ID | 固定为 1
-DELETED | 是否删除,固定为 0
-ADD_ACCOUNT | 创建帐号
-ADD_TIME | 创建时间,建议为 null;如必要,可填入时间
-- | -
-NAME | 应用名称
-DESCRIPTION | 描述
-INFORMATION_URL | 应用的访问地址
-LOGOUT_URL | 应用的前端注销地址
-RESPONSE_TYPE | 登录成功后的响应方式,固定为 REDIRECT
-LOGOUT_TYPE | 单点注销方式,固定为 FRONT_CHANNEL
-EVALUATION_ORDER | 优先级
-FRIENDLY_NAME | 同 应用名称
-REGISTERED_SERVICE_ID | 唯一ID,整型
-SERVICE_ID | 应用匹配规则,确保前缀与对接时的 service 相匹配
-ENABLED | 是否启用
-SSO_ENABLED | 是否支持单点登录
-REQUIRE_ALL_ATTRIBUTES | 固定为 true
-ID_TOKEN_ENABLED | 是否返回 ID Token,方便公司内产品的前端,调用后端接口
-JWT_AS_SERVICE_TICKET | 是否返回 JWT 格式的票据,便于纯前端项目对接
-ADAPT_V4_PRODUCT | 是否适配认证V4,用于兼容公司历史版本的认证
-APPLICATION_ID | 应用标识,与 ID 保持一致
-APPLICATION_DOMAIN | 应用域,使用访问地址中的 域名
-EXTERNAL_ID | 外部ID(预留),与 ID 保持一致
+id | 确保唯一性
+name | 应用名称
+description | 描述
+informationUrl | 应用的访问地址
+logoutUrl | 应用的前端注销地址
+responseType | 登录成功后的响应方式,固定为 REDIRECT
+logoutType | 单点注销方式,固定为 FRONT_CHANNEL
+evaluationOrder | 优先级
+friendlyName | 同 应用名称
+registeredServiceId | 唯一ID,整型
+serviceId | 应用匹配规则,确保前缀与对接时的 service 相匹配
+enabled | 是否启用
+ssoEnabled | 是否支持单点登录
+requireAllAttributes | 固定为 true
+idTokenEnabled | 是否返回 ID Token,方便公司内产品的前端,调用后端接口
+jwtAsServiceTicket | 是否返回 JWT 格式的票据,便于纯前端项目对接
+adaptV4Product | 是否适配认证V4,用于兼容公司历史版本的认证
+applicationId | 应用标识,可与 id 保持一致
+applicationDomain | 应用域,使用访问地址中的 域名
+externalId | 外部ID(预留),与 id 保持一致
+
+
+
+### 用户服务
+
+可以添加 用户、账号,部门,用户组,
+
+服务地址:`http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080`
+
+* 用户创建接口
+
+版本要求:1.2.7、1.3.2、1.4.1、1.5.0
+
+**仅创建用户的基本信息,不会创建账号**
+
+POST /api/v1/trans/user?transOrigin=init
+Content-Type: application/json
+
+```json
+{
+ "uid": "string",
+ "passWord": "string",
+ "name": "string",
+ "nameSpelling": "string",
+ "fullNameSpelling": "string",
+ "certificateTypeCode": "string",
+ "certificateNumber": "string",
+ "phoneNumber": "string",
+ "email": "string",
+ "imageUrl": "string",
+ "genderCode": "string",
+ "nationCode": "string",
+ "countryCode": "string",
+ "addressCode": "string",
+ "activation": true,
+ "dataCenter": true,
+ "externalId": "string"
+}
+```
+
+> 用户的属性说明
+
+属性名 | 说明 | 是否必填
+- | - | -
+uid | 用户标识 | 否,为空时,随机生成
+passWord | 密码 | 否,为空时,默认 123456,且激活状态为 未激活
+name | 姓名 | 是
+nameSpelling | 姓名简拼 | 否
+fullNameSpelling | 姓名全拼 | 否
+certificateTypeCode | 证件类型代码(参考字典表 证件类型,如 1 居民身份证) | 是
+certificateNumber | 证件号码 | 是
+phoneNumber | 联系电话(预留手机) | 否
+email | 电子邮箱(预留邮箱) | 否
+imageUrl | 头像地址 | 否
+genderCode | 性别代码(参考字典表 性别,如 1 男,2 女) | 否
+nationCode | 民族代码(参考字典表 民族,如 01 汉族) | 否
+countryCode | 国家代码(参考字典表 国家,如 156 中国) | 否
+addressCode | 地区代码(参考字典表 地区,如 110000 北京市,120000 天津市,310000 上海市) | 否
+activation | 是否激活(true 是,false 否) | 是
+dataCenter | 是否来源数据中心(true 是,false 否) | 是
+externalId | 外部Id | 否
+
+
+* 账号(包含用户信息)创建接口
+
+版本要求:1.0+
+
+POST /api/v1/trans/account?transOrigin=init
+Content-Type: application/json
+
+```json
+{
+ "uid": "string",
+ "passWord": "string",
+ "name": "string",
+ "nameSpelling": "string",
+ "fullNameSpelling": "string",
+ "certificateTypeCode": "string",
+ "certificateNumber": "string",
+ "phoneNumber": "string",
+ "email": "string",
+ "imageUrl": "string",
+ "genderCode": "string",
+ "nationCode": "string",
+ "countryCode": "string",
+ "addressCode": "string",
+ "accountName": "string",
+ "organizationCode": "string",
+ "identityTypeCode": "string",
+ "accountExpiryDateMillis": 0,
+ "state": "string",
+ "activation": true,
+ "dataCenter": true,
+ "externalId": "string"
+}
+```
+
+> 账号的属性说明
+
+属性名 | 说明 | 是否必填
+- | - | -
+uid | 用户标识 | 否,为空时,随机生成
+passWord | 密码 | 否,为空时,默认 123456,且激活状态为 未激活
+name | 姓名 | 是
+nameSpelling | 姓名简拼 | 否
+fullNameSpelling | 姓名全拼 | 否
+certificateTypeCode | 证件类型代码(参考字典表 证件类型,如 1 居民身份证) | 是
+certificateNumber | 证件号码 | 是
+phoneNumber | 联系电话(预留手机) | 否
+email | 电子邮箱(预留邮箱) | 否
+imageUrl | 头像地址 | 否
+genderCode | 性别代码(参考字典表 性别,如 1 男,2 女) | 否
+nationCode | 民族代码(参考字典表 民族,如 01 汉族) | 否
+countryCode | 国家代码(参考字典表 国家,如 156 中国) | 否
+addressCode | 地区代码(参考字典表 地区,如 110000 北京市,120000 天津市,310000 上海市) | 否
+accountName | 账号名 | 是
+organizationCode | 组织机构代码(对应组织机构的代码) | 是
+identityTypeCode | 身份代码(对应身份的代码) | 是
+accountExpiryDateMillis | 过期时间(时间戳,毫秒) | 否
+state | 状态(NORMAL: 正常, FREEZE: 冻结, WRITTENOFF: 注销) | 是
+activation | 是否激活(true 是,false 否) | 是
+dataCenter | 是否来源数据中心(true 是,false 否) | 是
+externalId | 外部Id | 否
+
+
+* 部门创建接口
+
+版本要求:1.0+
+
+POST /api/v1/trans/organization?transOrigin=init
+Content-Type: application/json
+
+```json
+{
+ "parentOrganizationCode": "string",
+ "code": "string",
+ "name": "string",
+ "description": "string",
+ "typeCode": "string",
+ "state": 0,
+ "isDataCenter": true,
+ "externalId": "string"
+}
+```
+
+> 组织机构的属性说明
+
+属性名 | 说明 | 是否必填
+- | - | -
+parentOrganizationCode | 上级部门的代码(对应组织机构的代码) | 是
+code | 代码 | 是
+name | 名称 | 是
+description | 描述 | 否
+typeCode | 组织机构类型代码(参考字典表 组织机构类型) | 是
+state | 状态(0: 正常, 1: 冻结, 2: 注销) | 是
+isDataCenter | 是否来源数据中心(true 是,false 否) | 否,为空时,默认为 true
+externalId | 外部Id | 否
+
+
+* 用户组创建接口
+
+版本要求:1.2.9、1.3.5、1.4.3、1.5.0
+
+POST /api/v1/trans/group?transOrigin=init
+Content-Type: application/json
+
+```json
+{
+ "code": "string",
+ "name": "string",
+ "description": "string",
+ "type": "string",
+ "state": 0,
+ "categoryCode": "string",
+ "common": true,
+ "applicationId": "string",
+ "isDataCenter": true,
+ "externalId": "string"
+}
+```
+
+> 用户组的属性说明
+
+属性名 | 说明 | 是否必填
+- | - | -
+parentOrganizationCode | 上级部门的代码(对应组织机构的代码) | 是
+code | 代码 | 是
+name | 名称 | 是
+description | 描述 | 否
+type | 类型(1: 普通用户组, 2: 岗位用户组) | 是
+state | 状态(1: 启用, 0: 禁用) | 是
+common | 是否公共用户组(true 是,false 否) | 否,为空时,默认为 true
+applicationId | 所属应用标识(common 为 false 时,须设置) | 否
+isDataCenter | 是否来源数据中心(true 是,false 否) | 否,为空时,默认为 true
+externalId | 外部Id | 否
+
### 授权服务
@@ -133,16 +363,10 @@
'示例应用', '0', '', 1);
commit;
-
--- 应用角色的创建脚本
-INSERT INTO TB_ROLE (ID, COMPANY_ID, DELETED, ADD_ACCOUNT, ADD_TIME,
- APPLICATION_ID, CODE, NAME, DESCRIPTION, ENABLED, EXTERNAL_ID)
-VALUES ('0', '1', 0, 'init', null,
- '0', 'example-admin', '示例管理员', '示例管理员', 1, '0');
-
-commit;
```
+如须自动同步角色,请修改 `SYNC_URL`
+
> 系统信息表 TB_R_SYSTEM
字段名 | 字段说明
@@ -177,22 +401,38 @@
ENABLED | 是否启用(1 启用,0 禁用)
+** 采用业务管理接口进行部署 **
+
+> 创建角色
+
+```bash
+curl -i -s -X POST \
+ -H 'Content-Type: application/json' \
+ -d '{
+ "id": "0",
+ "code": "example-admin",
+ "name": "示例管理员",
+ "description": "示例管理员",
+ "enabled": true,
+ "applicationId": "0",
+ "externalId": "0"
+}' \
+ 'http://authx-service-user-authz-service-sa.authx-service.svc.cluster.local:8080/v1/admin/roles'
+```
+
+
+
> 角色表 TB_ROLE
-字段名 | 字段说明
+属性名 | 说明
- | -
-ID | 确保唯一性
-COMPANY_ID | 固定为 1
-DELETED | 是否删除,固定为 0
-ADD_ACCOUNT | 创建帐号
-ADD_TIME | 创建时间,建议为 null;如必要,可填入时间
-- | -
-APPLICATION_ID | 所属应用,同 TB_APPLICATION 的 ID
-CODE | 角色代码
-NAME | 角色名称
-DESCRIPTION | 角色描述
-ENABLED | 是否启用(1 启用,0 禁用)
-EXTERNAL_ID | 对应所在应用内的数据的ID
+id | 确保唯一性
+applicationId | 所属应用,同 TB_APPLICATION 的 ID
+code | 角色代码
+name | 角色名称
+description | 角色描述
+enabled | 是否启用(1 启用,0 禁用)
+externalId | 对应所在应用内的数据的ID
diff --git "a/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216.pdf" "b/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216.pdf"
index 3d3313b..0113cfa 100644
--- "a/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216.pdf"
+++ "b/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216.pdf"
Binary files differ
diff --git "a/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216_v1.pdf" "b/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216_v1.pdf"
new file mode 100644
index 0000000..3d3313b
--- /dev/null
+++ "b/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216_v1.pdf"
Binary files differ
diff --git "a/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216_v2.0.pdf" "b/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216_v2.0.pdf"
new file mode 100644
index 0000000..d35b3f0
--- /dev/null
+++ "b/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216_v2.0.pdf"
Binary files differ
