Authentication and Authorization Service Upgrade Document (V1.0 ~ V1.2)

Deployment changes

A brief summary of the changes made in this upgrade. For the detailed procedure, see "Upgrade steps" below.

  1. Add StatefulSet authx-service/redis-server

  2. Add Deployment authx-service/rabbitmq-server, which consolidates the separate rabbitmq-server instances that user-data-service, user-authorization-service and jobs-server connected to

  3. Add Deployment authx-service/authx-service-bff

  4. Delete Deployment user-data-service/rabbitmq-server

  5. Modify Secret user-data-service/rabbitmq-env-secret, setting SPRING_RABBITMQ_HOST to rabbitmq-server.authx-service.svc.cluster.local

  6. Modify ConfigMap user-data-service/user-data-service-goa-env, setting JOBS_RABBITMQ_HOST to rabbitmq-server.authx-service.svc.cluster.local

  7. Modify Deployment user-data-service/user-data-service-biz, adding the Secret rabbitmq-env-secret as an environment variable source

  8. Delete Deployment user-data-service/rabbitmq-server

  9. Modify Secret user-authorization-service/rabbitmq-env-secret, setting SPRING_RABBITMQ_HOST to rabbitmq-server.authx-service.svc.cluster.local

  10. Modify ConfigMap user-authorization-service/user-authorization-sa-env, setting USER_AUTHORIZATION_SA_USER_RABBITMQ_HOST to rabbitmq-server.authx-service.svc.cluster.local

  11. Delete Deployment jobs-server/rabbitmq-server

  12. Modify Secret jobs-server/rabbitmq-env-secret, setting SPRING_RABBITMQ_HOST to rabbitmq-server.authx-service.svc.cluster.local

  13. Add Secret token-server/rabbitmq-env-secret

  14. Modify Deployment token-server/token-server, adding the environment variable secretRef rabbitmq-env-secret

  15. Change the schedule of CronJob user-data-service/user-data-service-datax-job to 30 */4 * * *

  16. Change the schedule of CronJob user-authorization-service/user-authorization-datax-job to 30 */4 * * *

  17. Change the schedule of CronJob cas-server/cas-server-datax-job to 5 */2 * * *

  18. Delete Job authx-service/poa-api-docs-installer; each service now deploys its own installer

  19. Add Job user-data-service/api-docs-installer

  20. Add Job user-authorization-service/api-docs-installer

  21. Add Job token-server/api-docs-installer

Upgrade steps

  1. Run the database upgrade scripts

Re-run Job user-data-service/user-data-service-installer

Re-run Job user-authorization-service/user-authorization-installer

Re-run Job cas-server/cas-server-installer

Re-run Job token-server/token-server-installer

  2. Deploy StatefulSet authx-service/redis-server and Deployment authx-service/rabbitmq-server

The deployment YAML is in 1.authx-service/0.authx-service/0.authx-service-base.yaml and 1.authx-service/0.authx-service/1.authx-service-env.yaml

  3. Deploy Deployment authx-service/authx-service-bff

The deployment YAML is in 1.authx-service/0.authx-service/4.4.authx-service-bff.yaml

  4. In Secret user-data-service/rabbitmq-env-secret, change SPRING_RABBITMQ_HOST

SPRING_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local

  5. In Secret user-authorization-service/rabbitmq-env-secret, change SPRING_RABBITMQ_HOST

SPRING_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local

  6. In Secret jobs-server/rabbitmq-env-secret, change SPRING_RABBITMQ_HOST

SPRING_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local

  7. In the environment variables of Deployment user-data-service/user-data-service-biz, under "reference other resources", add the Secret rabbitmq-env-secret as an additional source

  8. In ConfigMap user-data-service/user-data-service-goa-env, update the JOBS_RABBITMQ settings

JOBS_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local

  9. In ConfigMap user-authorization-service/user-authorization-sa-env, add the USER_AUTHORIZATION_SA_USER_RABBITMQ settings

USER_AUTHORIZATION_SA_USER_RABBITMQ_CONSUMER_ENABLED: "false"
USER_AUTHORIZATION_SA_USER_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
USER_AUTHORIZATION_SA_USER_RABBITMQ_PORT: "5672"
USER_AUTHORIZATION_SA_USER_RABBITMQ_USERNAME: guest
USER_AUTHORIZATION_SA_USER_RABBITMQ_PASSWORD: guest

  10. Add Secret token-server/rabbitmq-env-secret

The deployment YAML is in 5.token-server/1.token-server-env.yaml

  11. Modify Deployment token-server/token-server, adding the environment variable secretRef rabbitmq-env-secret

  12. Change the schedules of the x-datax-job CronJobs

In CronJob user-data-service/user-data-service-datax-job, set schedule to 30 */4 * * *

In CronJob user-authorization-service/user-authorization-datax-job, set schedule to 30 */4 * * *

In CronJob cas-server/cas-server-datax-job, set schedule to 5 */2 * * *

  13. Upgrade the services under Workloads to version 1.2.x

  14. Update the POA api-docs

Run Job user-data-service/api-docs-installer

Run Job user-authorization-service/api-docs-installer

Run Job token-server/api-docs-installer
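The steps above edit Secrets, ConfigMaps, Deployments and CronJobs across five namespaces, which is easy to leave half-done. The following Python script is an added example, not part of the original upgrade document: it compares a reduced snapshot of the cluster with the end state the document describes and reports every deviation. The snapshot layout ({kind: {(namespace, name): data}}) and the sample data in SAMPLE_SNAPSHOT are constructed for the example; in a real run the snapshot would be filled from kubectl output. It also flags two things step 9 exposes: a password kept in a ConfigMap instead of a Secret, and the RabbitMQ default guest account.

```python
"""Post-upgrade drift check for the RabbitMQ consolidation steps above.

Added example, not part of the original upgrade document. `snapshot` is a
reduced view of the cluster: {kind: {(namespace, name): data}}, where data is
the key-value map for Secrets and ConfigMaps, an empty dict for Deployments,
and the schedule string for CronJobs. SAMPLE_SNAPSHOT is constructed.
"""
import copy

RABBIT_HOST = "rabbitmq-server.authx-service.svc.cluster.local"

# Keys that must all point at the consolidated broker (change list items 5, 6, 9, 10, 12 and step 10)
HOST_KEYS = [
    ("Secret", "user-data-service", "rabbitmq-env-secret", "SPRING_RABBITMQ_HOST"),
    ("ConfigMap", "user-data-service", "user-data-service-goa-env", "JOBS_RABBITMQ_HOST"),
    ("Secret", "user-authorization-service", "rabbitmq-env-secret", "SPRING_RABBITMQ_HOST"),
    ("ConfigMap", "user-authorization-service", "user-authorization-sa-env",
     "USER_AUTHORIZATION_SA_USER_RABBITMQ_HOST"),
    ("Secret", "jobs-server", "rabbitmq-env-secret", "SPRING_RABBITMQ_HOST"),
    ("Secret", "token-server", "rabbitmq-env-secret", "SPRING_RABBITMQ_HOST"),
]
# Per-service brokers the change list deletes, and the workloads it adds
REMOVED_DEPLOYMENTS = [("user-data-service", "rabbitmq-server"), ("jobs-server", "rabbitmq-server")]
REQUIRED_DEPLOYMENTS = [("authx-service", "rabbitmq-server"), ("authx-service", "authx-service-bff")]
SCHEDULES = {
    ("user-data-service", "user-data-service-datax-job"): "30 */4 * * *",
    ("user-authorization-service", "user-authorization-datax-job"): "30 */4 * * *",
    ("cas-server", "cas-server-datax-job"): "5 */2 * * *",
}


def check_snapshot(snapshot):
    """Return a list of findings; an empty list means the state matches the document."""
    findings = []
    for kind, ns, name, key in HOST_KEYS:
        data = snapshot.get(kind, {}).get((ns, name))
        if data is None:
            findings.append(f"{kind} {ns}/{name} is missing")
        elif data.get(key) != RABBIT_HOST:
            findings.append(f"{kind} {ns}/{name}: {key}={data.get(key)!r}, expected {RABBIT_HOST!r}")
    deployments = snapshot.get("Deployment", {})
    for ns, name in REMOVED_DEPLOYMENTS:
        if (ns, name) in deployments:
            findings.append(f"Deployment {ns}/{name} still exists; the document deletes it")
    for ns, name in REQUIRED_DEPLOYMENTS:
        if (ns, name) not in deployments:
            findings.append(f"Deployment {ns}/{name} is missing")
    for (ns, name), want in SCHEDULES.items():
        got = snapshot.get("CronJob", {}).get((ns, name))
        if got != want:
            findings.append(f"CronJob {ns}/{name}: schedule {got!r}, expected {want!r}")
    # Credential hygiene: a password does not belong in a ConfigMap, and the
    # broker's default guest account should not be what the services log in with.
    for (ns, name), data in snapshot.get("ConfigMap", {}).items():
        for key, value in data.items():
            if key.endswith("_PASSWORD"):
                findings.append(f"ConfigMap {ns}/{name}: {key} is a credential; store it in a Secret")
            if key.endswith(("_USERNAME", "_PASSWORD")) and value == "guest":
                findings.append(f"ConfigMap {ns}/{name}: {key} uses the RabbitMQ default account 'guest'")
    return findings


# Constructed snapshot: most steps applied, step 6 and change-list item 11 still outstanding.
SAMPLE_SNAPSHOT = {
    "Secret": {
        ("user-data-service", "rabbitmq-env-secret"): {"SPRING_RABBITMQ_HOST": RABBIT_HOST},
        ("user-authorization-service", "rabbitmq-env-secret"): {"SPRING_RABBITMQ_HOST": RABBIT_HOST},
        ("jobs-server", "rabbitmq-env-secret"): {"SPRING_RABBITMQ_HOST": "rabbitmq-server"},  # constructed stale value
        ("token-server", "rabbitmq-env-secret"): {"SPRING_RABBITMQ_HOST": RABBIT_HOST},
    },
    "ConfigMap": {
        ("user-data-service", "user-data-service-goa-env"): {"JOBS_RABBITMQ_HOST": RABBIT_HOST},
        ("user-authorization-service", "user-authorization-sa-env"): {
            "USER_AUTHORIZATION_SA_USER_RABBITMQ_CONSUMER_ENABLED": "false",
            "USER_AUTHORIZATION_SA_USER_RABBITMQ_HOST": RABBIT_HOST,
            "USER_AUTHORIZATION_SA_USER_RABBITMQ_PORT": "5672",
            "USER_AUTHORIZATION_SA_USER_RABBITMQ_USERNAME": "guest",
            "USER_AUTHORIZATION_SA_USER_RABBITMQ_PASSWORD": "guest",
        },
    },
    "Deployment": {
        ("authx-service", "rabbitmq-server"): {},
        ("authx-service", "authx-service-bff"): {},
        ("jobs-server", "rabbitmq-server"): {},  # not yet deleted
    },
    "CronJob": dict(SCHEDULES),
}


def finished_snapshot():
    """The constructed snapshot with the outstanding steps done and the guest
    credentials moved out of the ConfigMap, for comparison."""
    snap = copy.deepcopy(SAMPLE_SNAPSHOT)
    snap["Secret"][("jobs-server", "rabbitmq-env-secret")]["SPRING_RABBITMQ_HOST"] = RABBIT_HOST
    del snap["Deployment"][("jobs-server", "rabbitmq-server")]
    cm = snap["ConfigMap"][("user-authorization-service", "user-authorization-sa-env")]
    for key in ("USER_AUTHORIZATION_SA_USER_RABBITMQ_USERNAME", "USER_AUTHORIZATION_SA_USER_RABBITMQ_PASSWORD"):
        cm.pop(key)
    return snap


if __name__ == "__main__":
    for line in check_snapshot(SAMPLE_SNAPSHOT):
        print("FAIL", line)
    print("finished snapshot findings:", check_snapshot(finished_snapshot()))
```

Run it before declaring the upgrade done; each finding names the resource and the step it maps back to. The constructed sample yields five findings (the stale jobs-server host, the leftover jobs-server broker, and three credential findings on the step 9 ConfigMap), and the finished variant yields none.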

Initialization scripts

  1. Clean up the roles under Authorization Service and Cloud Platform Management

Check that APPLICATION_ID of the following roles under the authorization service has been updated to 10.

In table TB_ROLE of database user_authz:

Make sure that cas-admin, user-admin, user-authz-admin, user-authz-grant-admin and user-authz-man-grant-admin each have exactly one record.

If roles duplicating the codes above exist, delete the related roles that have APPLICATION_ID = 1 and whose ID is not 20, 30, 40, 41 or 42.

At the same time, in table TB_MGT_ROLE of database admin_center, delete the related roles with ID 20, 30, 40, 41, 42.

use user_authz;

-- Make sure APPLICATION_ID of the following authorization-service roles is updated to 10
UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='20';

UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='30';

UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='40';
UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='41';
UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='42';

use admin_center;

-- Delete the authentication/authorization roles
delete from TB_MGT_ROLE where ID in ('20', '30', '40','41','42');

commit;
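The script above re-homes the five canonical roles but leaves the "exactly one record per code" check and the conditional delete to the operator. The following Python script is an added example, not part of the original document: it runs the duplicate check and the document's delete rule against an in-memory SQLite copy of TB_ROLE reduced to the three columns the rule uses (ID, CODE, APPLICATION_ID), with constructed rows, and re-runs the count afterwards. The constructed rows include a duplicate under a different APPLICATION_ID to show that the rule as stated does not remove it, so the post-check still has to be read.

```python
"""Duplicate-role check for the TB_ROLE cleanup described above.

Added example, not part of the original document. Against the real user_authz
database, replace open_sample_db() with a real connection; the statements stay
the same. SAMPLE_TB_ROLE is constructed.
"""
import sqlite3

ADMIN_ROLE_CODES = ["cas-admin", "user-admin", "user-authz-admin",
                    "user-authz-grant-admin", "user-authz-man-grant-admin"]
KEEP_IDS = ["20", "30", "40", "41", "42"]  # canonical rows the script moves to APPLICATION_ID 10

# Constructed rows: the five canonical roles plus three stray duplicates.
SAMPLE_TB_ROLE = [
    ("20", "cas-admin", "1"),
    ("30", "user-admin", "1"),
    ("40", "user-authz-admin", "1"),
    ("41", "user-authz-grant-admin", "1"),
    ("42", "user-authz-man-grant-admin", "1"),
    ("1001", "cas-admin", "1"),    # duplicate under APPLICATION_ID 1: the rule deletes it
    ("1002", "user-admin", "1"),   # same
    ("1003", "user-admin", "2"),   # duplicate under another application: outside the rule
]


def _marks(values):
    """Placeholder list for an IN (...) clause."""
    return ",".join("?" * len(values))


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TB_ROLE (ID TEXT PRIMARY KEY, CODE TEXT NOT NULL, APPLICATION_ID TEXT NOT NULL)")
    conn.executemany("INSERT INTO TB_ROLE VALUES (?, ?, ?)", SAMPLE_TB_ROLE)
    conn.commit()
    return conn


def role_counts(conn):
    """Rows per admin role code; the document requires every count to be 1."""
    rows = conn.execute(
        f"SELECT CODE, COUNT(*) FROM TB_ROLE WHERE CODE IN ({_marks(ADMIN_ROLE_CODES)}) GROUP BY CODE",
        ADMIN_ROLE_CODES).fetchall()
    return dict(rows)


def duplicate_codes(conn):
    return sorted(code for code, n in role_counts(conn).items() if n > 1)


def cleanup(conn):
    """Apply the document's rule: move the canonical rows to APPLICATION_ID 10, then
    delete duplicates that sit under APPLICATION_ID 1 and are not canonical.
    Returns the number of rows deleted."""
    dups = duplicate_codes(conn)
    conn.executemany("UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID=?", [(i,) for i in KEEP_IDS])
    deleted = 0
    if dups:  # an empty IN () is a SQL error, so skip the delete when there is nothing to do
        deleted = conn.execute(
            f"DELETE FROM TB_ROLE WHERE APPLICATION_ID='1' AND CODE IN ({_marks(dups)}) "
            f"AND ID NOT IN ({_marks(KEEP_IDS)})", dups + KEEP_IDS).rowcount
    conn.commit()
    return deleted


if __name__ == "__main__":
    db = open_sample_db()
    print("before:", role_counts(db))
    print("deleted:", cleanup(db))
    print("after:", role_counts(db), "- still duplicated, review by hand:", duplicate_codes(db))
```

On the constructed data the cleanup deletes two rows and user-admin is still reported twice afterwards, because its second copy lives under APPLICATION_ID 2; that is the row an operator has to decide on manually.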
  2. Update API routes, applications, menus and role permissions

Note: if an entry already exists, skip it.

use admin_center;

-- Add API routes

insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX) 
values ('21', 0, 'authx-service-admin-api', '认证授权 - 聚合接口(认证、授权)', '1', '/api/v2/admin', 'http://localhost:8009', 0);
insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX) 
values ('22', 0, 'authx-service-open-api', '认证授权 - 聚合接口(公开)', '1', '/api/v2/open', 'http://localhost:8009', 0);

commit;

update TB_MGT_ROUTE set URL='http://authx-service-bff-svc.authx-service.svc.cluster.local:8080' where ID='21';
update TB_MGT_ROUTE set URL='http://authx-service-bff-svc.authx-service.svc.cluster.local:8080' where ID='22';

commit;

-- Add the application

insert into TB_MGT_APPLICATION (ID, DELETED, CODE, NAME, STATUS) 
values ('10', 0, '10', '用户授权', '1');

commit;

-- Move the existing menus to APPLICATION_ID 10

update TB_MGT_PERMISSION set APPLICATION_ID='10' where ID like '2____';
update TB_MGT_PERMISSION set APPLICATION_ID='10' where ID like '3____';
update TB_MGT_PERMISSION set APPLICATION_ID='10' where ID like '4____';

commit;

-- Add the new function menus: open a 10-position gap in the nested set at 35, then insert five menus into it

update TB_MGT_PERMISSION
  set LFT = LFT+10
where LFT>=35
;

update TB_MGT_PERMISSION
  set RGT = RGT+10
where RGT>=35
;

insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) 
values ('20650', 0, 'casConfig', '认证对接配置', '0', '2', 'el-icon-service', '/cas-server/casConfig', '10', '20000', 20650, 2, 35, 36);

insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) 
values ('20700', 0, 'loginPageConfig', '登录页面配置', '1', '2', 'su-icon-tongxunxinxi', '/cas-server/loginPageConfig', '10', '20000', 20700, 2, 37, 38);
insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) 
values ('20800', 0, 'linkLoginConfig', '联合登录配置', '1', '2', 'su-icon-test', '/cas-server/linkLoginConfig', '10', '20000', 20800, 2, 39, 40);

insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) 
values ('20900', 0, 'infoPerfectConfig', '信息完善配置', '1', '2', 'su-icon-chongxintijiao', '/cas-server/infoPerfectConfig', '10', '20000', 20900, 2, 41, 42);

insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) 
values ('21000', 0, 'lockManagement', '认证锁定管理', '1', '2', 'su-icon-shouquanjiguanli', '/cas-server/lockManagement', '10', '20000', 21000, 2, 43, 44);

commit;

insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID) 
select CONCAT('20_', ID) as ID, 0 as DELETED, '20' as ROLE_ID, ID as PERMISSION_ID 
from TB_MGT_PERMISSION
where ID like '2____'
  and (
      CONCAT('20_', ID) not in (select CONCAT('20_', PERMISSION_ID) from TB_MGT_ROLE_PERMISSION)
   or CONCAT('20_', ID) not in (select ID from TB_MGT_ROLE_PERMISSION)
  )
;

commit;
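The menu insert above relies on a nested-set invariant: shifting every LFT/RGT >= 35 by 10 and placing the five new menus at 35..44 under PARENT_ID 20000 is only correct if 35 is the RGT of menu 20000 itself. If some other node spans position 35 the statements still run without error, but the new menus end up nested under that node. The following Python script is an added example, not part of the original document: it runs the same two UPDATEs and the inserts against a constructed SQLite tree and validates the result, once on a tree where the constant is right and once where it is not. Assumptions, since the document does not show the rest of the tree: a virtual root "0" at LEVEL_ 0, menu 20000 at LEVEL_ 1 with sixteen existing children, and LEVEL_ equal to the number of enclosing ancestors.

```python
"""Nested-set integrity check for the menu insert above.

Added example, not part of the original document. The pre-upgrade tree is
constructed; the statements in apply_menu_insert() are the document's own,
reduced to the nested-set columns.
"""
import sqlite3

# The five menus the script inserts: (ID, PARENT_ID, LEVEL_, LFT, RGT)
NEW_MENUS = [
    ("20650", "20000", 2, 35, 36),
    ("20700", "20000", 2, 37, 38),
    ("20800", "20000", 2, 39, 40),
    ("20900", "20000", 2, 41, 42),
    ("21000", "20000", 2, 43, 44),
]


def build_sample_tree(nested_last_child=False):
    """Constructed pre-upgrade tree: root 0 > menu 20000 with 16 children, then menu 30000.
    With nested_last_child=False, 20000 spans (2, 35), so the script's constant 35 is right.
    With True, the 16th child has a grandchild, 20000 spans (2, 37) and position 35 is inside
    that child, which is the case the script does not handle."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TB_MGT_PERMISSION (ID TEXT PRIMARY KEY, PARENT_ID TEXT, "
                 "LEVEL_ INTEGER, LFT INTEGER, RGT INTEGER)")
    # fifteen leaf children at (3,4) .. (31,32)
    rows = [(f"200{i:02d}", "20000", 2, 1 + 2 * i, 2 + 2 * i) for i in range(1, 16)]
    if nested_last_child:
        rows += [("20016", "20000", 2, 33, 36), ("20017", "20016", 3, 34, 35)]
        end = 37
    else:
        rows.append(("20016", "20000", 2, 33, 34))
        end = 35
    rows += [("20000", "0", 1, 2, end), ("30000", "0", 1, end + 1, end + 2), ("0", None, 0, 1, end + 3)]
    conn.executemany("INSERT INTO TB_MGT_PERMISSION VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def gap_is_safe(conn, position=35, parent="20000"):
    """Pre-check the script relies on: the gap must open exactly at the parent's RGT."""
    row = conn.execute("SELECT RGT FROM TB_MGT_PERMISSION WHERE ID=?", (parent,)).fetchone()
    return row is not None and row[0] == position


def apply_menu_insert(conn):
    """The nested-set part of the script above, unchanged."""
    conn.execute("UPDATE TB_MGT_PERMISSION SET LFT = LFT + 10 WHERE LFT >= 35")
    conn.execute("UPDATE TB_MGT_PERMISSION SET RGT = RGT + 10 WHERE RGT >= 35")
    conn.executemany("INSERT INTO TB_MGT_PERMISSION VALUES (?, ?, ?, ?, ?)", NEW_MENUS)
    conn.commit()


def validate_nested_set(conn):
    """Return a list of integrity problems; empty means the tree is consistent."""
    rows = conn.execute("SELECT ID, PARENT_ID, LEVEL_, LFT, RGT FROM TB_MGT_PERMISSION").fetchall()
    by_id = {r[0]: r for r in rows}
    problems = []
    # every position 1..2N is used exactly once
    positions = sorted([r[3] for r in rows] + [r[4] for r in rows])
    if positions != list(range(1, 2 * len(rows) + 1)):
        problems.append("LFT/RGT values are not a permutation of 1..2N (gap or collision)")
    for node_id, parent_id, level, lft, rgt in rows:
        if lft >= rgt:
            problems.append(f"{node_id}: LFT {lft} >= RGT {rgt}")
        if parent_id is not None:  # the declared parent must enclose the node
            p = by_id.get(parent_id)
            if p is None or not (p[3] < lft and rgt < p[4]):
                problems.append(f"{node_id}: not enclosed by PARENT_ID {parent_id}")
        # LEVEL_ must agree with the number of nodes that enclose this one
        depth = sum(1 for o in rows if o[3] < lft and rgt < o[4])
        if depth != level:
            problems.append(f"{node_id}: LEVEL_ {level} but {depth} enclosing ancestors")
    return problems


if __name__ == "__main__":
    for nested in (False, True):
        db = build_sample_tree(nested)
        print("gap at 35 safe:", gap_is_safe(db))
        apply_menu_insert(db)
        print("problems after insert:", validate_nested_set(db) or "none")
```

Before running the real script, check that SELECT RGT FROM TB_MGT_PERMISSION WHERE ID='20000' returns 35; if it does not, the shift constant has to be changed to that value and the five LFT/RGT pairs adjusted to follow it. Running validate_nested_set() afterwards catches the silent failure mode, where the rows insert cleanly but the new menus report a depth that does not match their LEVEL_.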