Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[venus-auth] api protection / 增加接口保护 #4870

Closed
4 of 16 tasks
hunjixin opened this issue May 9, 2022 · 1 comment
Closed
4 of 16 tasks

[venus-auth] api protection / 增加接口保护 #4870

hunjixin opened this issue May 9, 2022 · 1 comment
Assignees
@LinZexiao
Labels
C-need-testing Category: Venus testing related C-ux-change Category: ux change that need attentions (CLI, config, database, folder structure) CU-chain-service Venus chain service related issues P2 Medium - we should get to this soon V-venus-auth
Milestone
Chain Service v1....

Comments

@hunjixin
Copy link
Contributor

hunjixin commented May 9, 2022
edited by LinZexiao
Loading

Checklist

  • This is not a new feature or an enhancement to the Filecoin protocol. If it is, please open an FIP issue.
  • This is not brainstorming ideas. If you have an idea you'd like to discuss, please open a new discussion on the venus forum and select the category as Ideas.
  • I have a specific, actionable, and well motivated feature request to propose.

Venus component

  • venus daemon - [chain service] chain sync
  • venus auth - [chain service] authentication
  • venus messager - [chain service] message management (mpool)
  • venus gateway - [chain service] gateway
  • venus miner - [chain service] mining and block production
  • venus sealer/worker - sealing
  • venus sealer - proving (WindowPoSt)
  • venus market - storage deal
  • venus market - retrieval deal
  • venus market - data transfer
  • venus light-weight client
  • venus JSON-RPC API
  • Other

What is the motivation behind this feature request? Is your feature request related to a problem? Please describe.

venus-auth 目前部署在内网,不对外暴露, 因而之前没有做接口防护,但是从更安全的角度来说,venus-auth的接口可能也是有必要提供一定的安全保障

  1. venus-auth初始化完成后自动生成初始账号,初始token
  2. venus-auth每次操作必须带上这个token
  3. venus-auth不提供本地token验证
  4. 其他组件需要响应的支持auth的token验证
  5. 考虑增加配置venus-auth跳过token验证,用于初始化token丢失时使用,从无验证到有验证版本时使用。

Impliment

venus-auth

增加 "--disable-perm-check" ,暂时不启用接口权限检查的特性

增加 用户身份 和 权限 的检查如下:

  • Read 权限
    Verify(ctx context.Context, token string) (*JWTPayload, error) // read

  • Admin 权限:
    GenerateToken(ctx context.Context, cp *JWTPayload) (string, error)
    Tokens(ctx context.Context, skip, limit int64) ([]*TokenInfo, error)
    GetToken(c context.Context, token string) (*TokenInfo, error)
    CreateUser(ctx context.Context, req *CreateUserRequest) (*CreateUserResponse, error)
    VerifyUsers(ctx context.Context, req *VerifyUsersReq) error
    ListUsers(ctx context.Context, req *ListUsersRequest) (ListUsersResponse, error)
    HasUser(ctx context.Context, req *HasUserRequest) (bool, error)
    UpdateUser(ctx context.Context, req *UpdateUserRequest) error
    DeleteUser(ctx *gin.Context, req *DeleteUserRequest) error
    RecoverUser(ctx *gin.Context, req *RecoverUserRequest) error
    GetUserRateLimits(ctx context.Context, req *GetUserRateLimitsReq) (GetUserRateLimitResponse, error)
    UpsertUserRateLimit(ctx context.Context, req *UpsertUserRateLimitReq) (string, error)
    DelUserRateLimit(ctx context.Context, req *DelUserRateLimitReq) error
    HasMiner(ctx context.Context, req *HasMinerRequest) (bool, error)
    GetUserByMiner(ctx context.Context, req *GetUserByMinerRequest) (*OutputUser, error)
    RegisterSigners(ctx context.Context, req *RegisterSignersReq) error
    UnregisterSigners(ctx context.Context, req *UnregisterSignersReq) error
    HasSigner(ctx context.Context, req *HasSignerReq) (bool, error)
    GetUserBySigner(ctx context.Context, req *GetUserBySignerReq) ([]*OutputUser, error)
    UpsertMiner(ctx context.Context, req *UpsertMinerReq) (bool, error)

  • Admin 权限 或者 目标数据拥有者 (意味着这部分接口会对部分非admin权限开放)
    RemoveToken(ctx context.Context, token string) error // +tokenOwner
    RecoverToken(ctx context.Context, token string) error // +tokenOwner
    GetTokenByName(c context.Context, name string) ([]*TokenInfo, error) // +tokenOwner
    GetUser(ctx context.Context, req *GetUserRequest) (*OutputUser, error) // +userOwner
    MinerExistInUser(ctx context.Context, req *MinerExistInUserRequest) (bool, error) // +userOwner
    ListMiners(ctx context.Context, req *ListMinerReq) (ListMinerResp, error) // +userOwner
    DelMiner(ctx context.Context, req *DelMinerReq) (bool, error) // +minerOwner
    SignerExistInUser(ctx context.Context, req *SignerExistInUserReq) (bool, error) // +userOwner
    ListSigner(ctx context.Context, req *ListSignerReq) (ListSignerResp, error) // +userOwner
    DelSigner(ctx context.Context, req *DelSignerReq) (bool, error) // +signerOwner

venus

启动时应带上 flag --auth-token ,或者修改配置文件

  • 增加 api-venusAuthToken 配置项
  • 增加 --auth-token flag 运行 flag

venus-miner

启动方式不变 ,但应更新到对应版本

venus-messager

启动方式不变 ,但应更新到对应版本

  • 增加 JWTConfig-Token 配置项

venus-market

启动方式不变 ,但应更新到对应版本

venus-gateway

启动时,应带上 flag --auth-token ,或者直接在配置中设置

  • 增加 flag : --auth-token flag
  • 增加配置项: AuthConfig-Token

chain-co

启动时,应带上 token

  • flag 变更: '--auth-url' -> '--auth'' , eg: --auth=token:http://xxx:xxx
@Fatman13 Fatman13 added the CU-chain-service Venus chain service related issues label May 13, 2022
@diwufeiwen diwufeiwen mentioned this issue Jul 25, 2022
Closed
36 tasks
@LinZexiao LinZexiao assigned LinZexiao and unassigned LinZexiao Jul 29, 2022
@hunjixin
Copy link
Contributor Author

#5507

@LinZexiao LinZexiao changed the title venus-auth api protection [venus-auth] api protection / 增加借口哦保护 Feb 8, 2023
@LinZexiao LinZexiao changed the title [venus-auth] api protection / 增加借口哦保护 [venus-auth] api protection / 增加借口保护 Feb 8, 2023
@LinZexiao LinZexiao changed the title [venus-auth] api protection / 增加借口保护 [venus-auth] api protection / 增加接口保护 Feb 8, 2023
@LinZexiao LinZexiao mentioned this issue Feb 10, 2023
Merged
5 tasks
@LinZexiao LinZexiao added the C-ux-change Category: ux change that need attentions (CLI, config, database, folder structure) label Feb 13, 2023
@hunjixin hunjixin added C-need-testing Category: Venus testing related P2 Medium - we should get to this soon V-venus-auth labels Feb 15, 2023
@LinZexiao LinZexiao mentioned this issue Feb 22, 2023
Closed
11 tasks
This was referenced Feb 23, 2023
Merged
Merged
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@LinZexiao LinZexiao

Labels
C-need-testing Category: Venus testing related C-ux-change Category: ux change that need attentions (CLI, config, database, folder structure) CU-chain-service Venus chain service related issues P2 Medium - we should get to this soon V-venus-auth
Projects
Venus Project
Archived in project
Milestone
Chain Service v1.11.0 / 链服务 v1.11.0
Development

No branches or pull requests
3 participants
@Fatman13 @hunjixin @LinZexiao