igeeky / wolf Goto Github PK

/wolf/user/list
接口是 按key 多个字段like的，
能不能加个参数通过 username 精确匹配userinfo

背景：公司里已经有现成的OIDC服务用作单点登录，但是没有对资源的权限管控服务，需要自行额外开发菜单权限管理和API权限管理与验证功能。
需求与规划：目前已经通过APISIX Gateway的OIDC插件完成了用户登录验证功能，打算在Gateway通过调用wolf的Admin API来验证当前用户是否有权限。（当前拿到的是公司OIDC服务颁发的AccessToken，不是通过wolf登录的token）
问题：现有/wolf/rbac/access_check接口中是通过x-rbac-token加上action和resName参数做校验的，但是如上所述，Gateway没有x-rbac-token。是否有可能增加一个不需要x-rbac-token的公共服务接口，然后在request body中传递{userid, appid, action, resName}，然后wolf返回校验是否通过（response只需告知true或false，不需要userinfo）
或者，是否还有其他什么好的集成方案？万分感谢！！！

QQ group，Wechat group and so on

像casbin那边讨论的:
https://casbin.org/docs/zh-CN/data-permissions
casbin/casbin#137

场景是这样的:
A是部门主管,除了他自己的权限之外,他也该拥有该部门普通员工的权限.
不过现在wolf的各个role之间似乎是独立的,没有组织结构的关系.

希望控制台支持中文显示

/wolf/rbac/access_check 是提供给 client 作权限 check 使用的，它的返回值包含了 权限 check 结果 和 user_info。
/wolf/rbac/user_info 接口是用来返回 user_info 的内容。

/wolf/rbac/user_info 的结果里返回了可以访问的账户信息和路径地址（包含了一些隐藏地址），所以出于安全性屏蔽了这个接口，但我想用 /wolf/rbac/access_check 接口来提供给 client 权限 check，但现在 access_check 的结果中也返回了 user_info 信息。

求助：access_check 返回的内容是否可以减少为只是 check 结果，或者通过某个参数控制返回结果中不返回 user_info。

/wolf/rbac/access_check 接口的返回结果

{
  "ok": true,
  "reason": "",
  "data": {
    "userInfo": {
      "id": 696,
      "username": "root",
      "nickname": "root(super man)",
      "email": null,
      "appIDs": [
        "openresty"
      ],
      "manager": "super",
      "lastLogin": 1589100441,
      "profile": null,
      "createTime": 1578401859,
      "permissions": {},
      "roles": {}
    }
  }
}

• 删除用户的api是这样的
• args-util也是特殊处理的,还加了注释,这个有什么特殊意图吗?我看default分支注释里是有delete的

类似于apisix的 hmac-auth
在user上新增一个secret_key字段
客户端通过用户名+secret_key+body+时间戳等规则生成sign值，服务以同样方式生成校验sign值是否正确而发放token

这通常是提供api的服务给客户端使用，不期望密码在传输过程中暴露

你好，请问wolf的资源能否指定host吗？
我现在使用apisix结合wolf做权限管理，不知道如何分别设置测试与线上api的权限

When deploying in k8s, the startup fails with an error message

Error: failed to start container "container-6harf2": Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"npm run start\": executable file not found in $PATH": unknown

The configuration file is created according to the docker-compose.yaml in the quick-start-with-docker directory

containers:
        - name: container-6harf2
          image: igeeky/wolf-server
          command:
            - npm run start
          ports:
            - name: http-10080
              containerPort: 10080
              protocol: TCP
          env:
            - name: RBAC_ROOT_PASSWORD
              value: wolf-123456
            - name: RBAC_TOKEN_KEY
              value: f40215a5f25cbb6d36df07629aaf1172240fe48d
            - name: WOLF_CRYPT_KEY
              value: fbd4962351924792cb5e5b131435cd30b24e3570
            - name: RBAC_SQL_URL
              value: 'postgres://root:123456@wolf-database:5432/wolf'
            - name: CLIENT_CHANGE_PWD
              value: '"no"'
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 10m
              memory: 10Mi
          volumeMounts:
            - name: volume-bhm8gz
              mountPath: /data/www

You indicate in the document that the request method of the /wolf/user-role/set interface is POST, but I test accidentally found that the PUT method can also be successful. Is this a bug?
I have not tested other interfaces, please test other by the way

Another problem ：

• Even if the user's appID list does not have this application, the role binding of this application can still be added and it can take effect
• Do a reverse experiment,
  Directly delete the application in the user's appID list without first deleting the role binding under this application, then its role binding can still take effect

I don’t know this is express designed by you or a bug, Hope you can answer.

所有权限都开了

组件已经启动成功，但是shell文件运行出现错误

npm run dev 后

访问后登录不了

RT.

wolf console
npm install give error

> [email protected] install /home/zhangpo/dev/hpems/wolf/console/node_modules/yorkie
> node bin/install.js

internal/modules/cjs/loader.js:834
  throw err;
  ^

Error: Cannot find module '/home/zhangpo/dev/hpems/wolf/console/node_modules/yorkie/bin/install.js'
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:831:15)
    at Function.Module._load (internal/modules/cjs/loader.js:687:27)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:60:12)
    at internal/main/run_main_module.js:17:47 {
  code: 'MODULE_NOT_FOUND',
  requireStack: []
}

看到现在有的api在修改角色拥有的权限时需要将已有的跟新加的合并后再次传递, 是否考虑增加修改角色拥有的权限可以增量添加权限

[root@localhost example]# curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i -H "Content-Type: application/json" -d '{"appid": "restful-demo", "username":"root", "password":"wolf-123456"}'
HTTP/1.1 500 Internal Server Error
Date: Sat, 21 Nov 2020 03:43:33 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX web server

{"message":"request to wolf-server failed! connection refused"}

I followed the github steps and I had this problem,{"message":"request to wolf-server failed! connection refused"}

Seems miss some doccument about /wolf/user-role. I can't use RESTful api to bind roles or permissions.

WHEN the redis hung ！ then do a login, the api give the mess PASSWORD ERROR not give the right message!
by the way when apisix connect the wolf access check, the wolf will not response( this reason maybe redis) the the apisix-plugin will give the 401 with err:close . BTW: when i use redis:5 image start the redis will happen often redis:6 will happen few

Wolf has api to set user-role - assign a role to a given user, but it doesn't seem to support this action on wolf dashboard?

Not sure if I missed anything, but there seems to be no way to query or set the user-role info on wolf dashboard?

在官方文档，找了半天，有几个EXPIRE相关的环境变量，尝试后均不生效。
后发现如下环境变量配置：
RBAC_TOKEN_EXPIRE_TIME Agent 登录接口返回的token的有效期, 默认为30天. 单位为秒。
配置后生效

打算和现有使用mysql的权限系统整合起来使用，不想再单独部署PostgreSQL了。是否能够支持一下？

现有的wolf控制台在下拉选择框时使用limit限制了查询条数, 是否可以将其limit设置大一点,? 避免部分数据被过滤掉

1. "before all" hook in "{root}"

0 passing (2m)
1 failing

1. "before all" hook in "{root}":
   Error: Timeout of 100000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
   at listOnTimeout (internal/timers.js:549:17)
   at processTimers (internal/timers.js:492:7)

修改密码返回的 : /wolf/rbac/change_pwd

"before all" hook in "{root}":
AssertionError: res.body[[{"ok":false,"reason":"ERR_SERVER_ERROR","errmsg":"relation "user" does not exist"}]]: expected value to match json-schema '{"type":"object","properties":...' -> '{"ok":false,"reason":"ERR_SERV...'
Missing required property: data
schema: {"type":"object","properties":{"ok":{"type":"boolean","enum"...
rule: /required/2 -> "data"
at Function.assert.jsonSchema (node_modules/chai-json-schema/index.js:183:44)
at processTicksAndRejections (internal/process/task_queues.js:93:5)
at async adminLoginInternal (test/util/util.js:142:15)
at async Context. (test/util/util.js:179:31)

设置 Access Token 存活时间不生效

请问一下这里的Access Token 存活时间 应该怎么样设置生效？

你好：
最近在调研Apisix，第一次了解到wolf。
我想问一下性能、稳定性等是否适合生产环境？
谢谢，

I want to know if I want to use this system for my http applications, what should I do? And if I add a new application in the console, how can I access it?

I think the return status code here should be 400. What do you think?

If you think so too, I will Fix it in the PR #9

• 我看好多地方限制了查询的数据256条,能不能搜索的时候走服务器查询,这样数据多的时候也能查出来
• 其实这个地方最好是用穿梭树

常见的toB业务，用户是按companyId来进行租户划分的，目前wolf基于的前提是单租户

版本：0.5.4

RBAC_REDIS_URL: redis://[email protected]:6379
尝试换为 redis://[email protected]:6379/0、 redis://h:[email protected]:6379 都无法成功

反复出现连接auth错误
[ERROR] The server returned "wrong number of arguments for 'auth' command". You are probably passing both username and password to Redis version 5 or below. You should only pass the 'password' option for Redis version 5 and under.
[ioredis] Unhandled error event: ReplyError: NOAUTH Authentication required.
at parseError (/opt/wolf/server/node_modules/redis-parser/lib/parser.js:179:12)
at parseType (/opt/wolf/server/node_modules/redis-parser/lib/parser.js:302:14)
[ioredis] Unhandled error event: ReplyError: NOAUTH Authentication required

how about the stress resistance when used with apisix gateway，anyone tested it？

I am using apisix and am trying to do rbac with wolf-rbac. When I looked at the consumer and route options in apisix, it seemed like there was no separate setting for the role. When an apisix route is requested with a token received from wolf-rbac, how can the route know its permissions?

What is the expiration time of the token obtained through the Console login interface? I did not clearly see it in the document, and I found it is really long, So is it permanent? Thanks

请问通过API添加用户时所需要token是必须的吗? 如果是在没有登录的情况下是否可以提供一个永久期限的token用作在本地调用API时使用

It'd be great to have some external integration, so that the project can be used in an existing environment (already using OpenLDAP/AD on-prem or SaaS e.g. https://jumpcloud.com/).

1. Authentication can be delegated to ldap (simple authentication) easily, which seems to be a low hanging fruit.
2. Authorization can be solved by associating roles to ldap user/group objects .

@iGeeky any thoughts/plans/roadmaps that could be shared?