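Authentication and Authorization Service Upgrade Guide (V1.2 ~ V1.3)

Deployment changes

A brief summary of this upgrade. For the specific upgrade steps, see Upgrade instructions.

  1. Added authx-service/authx-management, the management front end for user authentication and authorization

  2. Added authx-service/authx-ingress, which exposes authx-management on an external domain name; admin-platform.paas.xxx.edu.cn is used for now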

Upgrade instructions

  1. Upgrade the services under Workloads to version 1.3.x

  2. Deploy the Deployment authx-service/authx-management

The deployment YAML is at 1.authx-service/0.authx-service/4.9.authx-management.yaml

  3. Deploy the Ingress authx-service/authx-management-ingress

The deployment YAML is at 1.authx-service/0.authx-service/2.authx-service-ingresses.yaml

If a new domain name cannot be provided, admin-platform.paas.xxx.edu.cn can be used

  4. After a successful deployment, the admin-platform configuration must be updated

In the ConfigMap admin-platform/admin-platform-spa-env, modify the configuration items CAS_SERVER_SPA_URL, USER_SERVER_SPA_URL and AUTH_SERVER_SPA_URL

CAS_SERVER_SPA_URL: http://admin-platform.paas.xxx.edu.cn/authx-management/cas-server
USER_SERVER_SPA_URL: http://admin-platform.paas.xxx.edu.cn/authx-management/user-server
AUTH_SERVER_SPA_URL: http://admin-platform.paas.xxx.edu.cn/authx-management/auth-server

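Initialize data

Create menus

Option 1: manual import

Change origin to the correct school domain name

Go to Cloud Platform - Basic Management - Menu Management and import

For the owning application, select User Authorization

The menu list (JSON) is as follows (copy, then paste)

  • Authentication management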
[
  {
    "id": "22000", "parentIdOrCode":"20000", "code": "journalManage", "name": "日志管理", "memo": "", "status": "1", 
    "icon": "su-icon-taocanguanli", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/journalManage", "target": "", 
    "order": 22000, "resourceIdOrCodes": []
  }
]
  • Authorization management
[
  {
    "id": "41100", "parentIdOrCode":"40000", "code": "accountAuthorizationAudit", "name": "账号授权审计", "memo": "", "status": "1", 
    "icon": "su-icon-zhsqsj", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/auth-server/accountAuthorizationAudit", "target": "", 
    "order": 41100, "resourceIdOrCodes": []
  },
  {
    "id": "41200", "parentIdOrCode":"40000", "code": "userAudit", "name": "用户规则权限审计", "memo": "", "status": "0", 
    "icon": "su-icon-yhgzqxsj", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/auth-server/userAudit", "target": "", 
    "order": 41200, "resourceIdOrCodes": []
  },
  {
    "id": "41300", "parentIdOrCode":"40000", "code": "rolePermissionAudit", "name": "角色授权审计", "memo": "", "status": "1", 
    "icon": "su-icon-jszsqsj", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/auth-server/rolePermissionAudits", "target": "", 
    "order": 41300, "resourceIdOrCodes": []
  },
  {
    "id": "41350", "parentIdOrCode":"40000", "code": "roleGroupPermissionAudit", "name": "角色组授权审计", "memo": "", "status": "1", 
    "icon": "su-icon-jszsqsj", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/auth-server/roleGroupPermissionAudit", "target": "", 
    "order": 41350, "resourceIdOrCodes": []
  },
  {
    "id": "41400", "parentIdOrCode":"40000", "code": "authOperationsAudit", "name": "权限操作审计", "memo": "", "status": "1", 
    "icon": "su-icon-qxczsj", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/auth-server/authOperationsAudit", "target": "", 
    "order": 41400, "resourceIdOrCodes": []
  },
  {
    "id": "41500", "parentIdOrCode":"40000", "code": "authStatisticalMonitor", "name": "授权统计监控", "memo": "", "status": "1", 
    "icon": "su-icon-sqtjjk", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/auth-server/authStatisticalMonitor", "target": "", 
    "order": 41500, "resourceIdOrCodes": []
  }
]

Option 2: bash script

Change origin to the correct school domain name

Enter a pod under admin-center-sa and run the following commands

  • Authentication management
curl -i -s -X POST "http://localhost:8080/v1/admin/menus/importMenu" -H 'Content-Type: application/json' \
-d \
'
{
  "applicationId": "10",
  "menuList": 
    [
      {
        "id": "22000", "parentIdOrCode":"20000", "code": "journalManage", "name": "日志管理", "memo": "", "status": "1", 
        "icon": "su-icon-taocanguanli", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/cas-server/journalManage", "target": "", 
        "order": 22000, "resourceIdOrCodes": []
      }
    ]
}
'
  • Authorization management
curl -i -s -X POST "http://localhost:8080/v1/admin/menus/importMenu" -H 'Content-Type: application/json' \
-d \
'
{
  "applicationId": "10",
  "menuList": 
    [
      {
        "id": "41100", "parentIdOrCode":"40000", "code": "accountAuthorizationAudit", "name": "账号授权审计", "memo": "", "status": "1", 
        "icon": "su-icon-zhsqsj", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/auth-server/accountAuthorizationAudit", "target": "", 
        "order": 41100, "resourceIdOrCodes": []
      },
      {
        "id": "41200", "parentIdOrCode":"40000", "code": "userAudit", "name": "用户规则权限审计", "memo": "", "status": "0", 
        "icon": "su-icon-yhgzqxsj", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/auth-server/userAudit", "target": "", 
        "order": 41200, "resourceIdOrCodes": []
      },
      {
        "id": "41300", "parentIdOrCode":"40000", "code": "rolePermissionAudit", "name": "角色授权审计", "memo": "", "status": "1", 
        "icon": "su-icon-jszsqsj", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/auth-server/rolePermissionAudits", "target": "", 
        "order": 41300, "resourceIdOrCodes": []
      },
      {
        "id": "41350", "parentIdOrCode":"40000", "code": "roleGroupPermissionAudit", "name": "角色组授权审计", "memo": "", "status": "1", 
        "icon": "su-icon-jszsqsj", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/auth-server/roleGroupPermissionAudit", "target": "", 
        "order": 41350, "resourceIdOrCodes": []
      },
      {
        "id": "41400", "parentIdOrCode":"40000", "code": "authOperationsAudit", "name": "权限操作审计", "memo": "", "status": "1", 
        "icon": "su-icon-qxczsj", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/auth-server/authOperationsAudit", "target": "", 
        "order": 41400, "resourceIdOrCodes": []
      },
      {
        "id": "41500", "parentIdOrCode":"40000", "code": "authStatisticalMonitor", "name": "授权统计监控", "memo": "", "status": "1", 
        "icon": "su-icon-sqtjjk", "origin": "http://admin-platform.paas.xxx.edu.cn", "url": "/auth-server/authStatisticalMonitor", "target": "", 
        "order": 41500, "resourceIdOrCodes": []
      }
    ]
}
'

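Associate role permissions

Roles are initialized by the authorization service

Option 1: manual import (not yet supported)

Go to Cloud Platform - Basic Management - Role Permissions and import

The role permissions (JSON) are as follows (copy, then paste)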

[
  {
    "roleId": "20", "roleCode":"cas-admin", 
    "permissionIdOrCodes": ["1", "20000", "20100", "20200", "20300", "20400", "20500", "20600", "20700", "20800", "20900", "21000", "21100", "22000"]
  },
  {
    "roleId": "40", "roleCode": "user-authz-admin", 
    "permissionIdOrCodes": ["1", "40000", "40050", "40100", "40200", "40300", "40500", "40900", "41100", "41200", "41300", "41350", "41400", "41500"]
  }
]

Option 2: bash script

Enter a pod under admin-center-sa and run the following command

curl -i -s -X POST "http://localhost:8080/v1/admin/rolePermissions/importRolePermission" -H 'Content-Type: application/json' \
-d \
'
{
  "roleCodeIdMap": {
    "cas-admin": "20",
    "user-admin": "30",
    "user-authz-admin": "40",
    "user-authz-grant-admin": "41",
    "user-authz-man-grant-admin": "42"
  },
  "rolePermissionList": 
    [
      {
        "roleId": "20", "roleCode":"cas-admin", 
        "permissionIdOrCodes": ["1", "20000", "20100", "20200", "20300", "20400", "20500", "20600", "20700", "20800", "20900", "21000", "21100", "22000"]
      },
      {
        "roleId": "40", "roleCode": "user-authz-admin", 
        "permissionIdOrCodes": ["1", "40000", "40050", "40100", "40200", "40300", "40500", "40900", "41100", "41200", "41300", "41350", "41400", "41500"]
      }
    ]
}
'
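
A pre-import check for the two request bodies above, as an added example that is not part of the original document or of the product. It verifies that every origin was changed to the school domain, that each roleCode/roleId pair agrees with roleCodeIdMap, and that every imported menu is granted to at least one role. The sample payloads are constructed subsets of the ones above, the school domain is a placeholder, and reading permissionIdOrCodes as a list of menu ids or codes is an assumption.

```python
def check_import(menu_payload, role_payload, expected_origin):
    """Return the problems found in the importMenu / importRolePermission bodies."""
    problems, seen = [], set()
    menus = menu_payload["menuList"]
    for m in menus:
        if m["id"] in seen:
            problems.append(f"menu {m['id']}: duplicate id")
        seen.add(m["id"])
        # The document asks for origin to be changed to the school domain.
        if m["origin"] != expected_origin:
            problems.append(f"menu {m['id']}: origin still {m['origin']!r}")
    id_map, granted = role_payload["roleCodeIdMap"], set()
    for rp in role_payload["rolePermissionList"]:
        # roleId in each entry must match the id registered for its roleCode.
        if id_map.get(rp["roleCode"]) != rp["roleId"]:
            problems.append(
                f"role {rp['roleCode']}: roleId {rp['roleId']} not in roleCodeIdMap")
        granted.update(rp["permissionIdOrCodes"])
    # Assumption: a permission entry may name a menu by id or by code.
    for m in menus:
        if m["id"] not in granted and m["code"] not in granted:
            problems.append(f"menu {m['id']} ({m['code']}): granted to no role")
    return problems

# Constructed sample data: ORIGIN is a placeholder school domain; the second
# menu keeps the template origin and is missing from the role grants.
ORIGIN = "http://admin-platform.paas.example.edu.cn"
MENUS = {"applicationId": "10", "menuList": [
    {"id": "22000", "code": "journalManage", "origin": ORIGIN,
     "url": "/cas-server/journalManage"},
    {"id": "41100", "code": "accountAuthorizationAudit",
     "origin": "http://admin-platform.paas.xxx.edu.cn",
     "url": "/auth-server/accountAuthorizationAudit"},
]}
ROLES = {
    "roleCodeIdMap": {"cas-admin": "20", "user-authz-admin": "40"},
    "rolePermissionList": [
        {"roleId": "20", "roleCode": "cas-admin",
         "permissionIdOrCodes": ["1", "20000", "22000"]},
        {"roleId": "40", "roleCode": "user-authz-admin",
         "permissionIdOrCodes": ["1", "40000"]},
    ],
}

if __name__ == "__main__":
    for problem in check_import(MENUS, ROLES, ORIGIN):
        print(problem)
```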