wso2apim是一个开源的api管理平台, 提供了一系列api创建,发布,生命周期管理,版本控制,货币化,治理和安全等功能,用于支持组织实现soa。
wso2api的模式是生产者消费者模式。服务提供方建立api,发布和部署到网关,服务调用方可以在api store里面浏览、订阅api和调用api。
apim包含api publisher,api store, api gateway, key manager, traffic manager,analytics六个组件,架构图如下
apim组件
用户和角色
内置四种角色
-
admin: 托管和管理api网关,创建角色,分配角色,管理数据库和安全性等。拥有所有权限 -
creator: 一般为技术人员,了解api的技术细节(接口,文档,版本等),可以向api store添加api但是无法管理生命周期 -
publisher: 管理整个企业或业务部门的一组api,控制api生命周期和订阅等,可以访问api的统计信息 -
subscriber: 在api stroe 中浏览和订阅api,阅读文档以及对api进行评级反馈,获取令牌和调用api
API Publisher
用于api开发和管理,一般由具有creator和publisher角色的用户操作,将api的创建和管理解耦,技术人员负责创建api,发布者负责管理api的生命周期和调用统计。
支持热部署,即发布者发布的api成功后,就可以在api store进行调用。
api publisher lifecycle
API Lifecycle
api有自己的生命周期,独立于后端应用,由api发布者管理
api lifecycle
-
created: api元数据被添加到api strore,但未部署到网关,订阅者无法在api store中查看到这些api -
prototyped: api作为原型在api sotre中部署和发布,用户无需订阅即可调用这类api,通常用于api的公开测试和获得用户反馈 -
published: api被发布到api store中,只有订阅才能访问,一般还要提供token做安全检查 -
deprecated: 弃用的api,已经订阅过的用户可以在api store中查看和调用,但还未订阅过则不可见。弃用的api仍然在api gateway中部署,仍然可以被调用,直到retired -
retired: api从api store和api gateway中删除,无法查看、订阅和调用 -
blocked: 阻塞状态,暂时阻止访问api,api store中不显示该api,也无法被调用
API Store
给api使用者提供一个协作界面,用于发现,评估,订阅和使用发布者发布的api,对于一些受保护的api一般需要身份认证
api store lifecycle
Applications
api的逻辑集合,目的是将使用者和api解耦,一般有如下作用:
- 为多个api生成单一的密钥(key)
- 多次订阅具有不同层级/服务级别协议(SLA)的单个api
API Gateway
api gateway 是wso2 esb开发的运行时后端组件(API代理),可以用于保护,管理和扩展api。
- 使用处理程序应用限制和安全性策略来拦截api请求
- 管理api统计信息,配置报警和监控,记录调用日志
api每次调用通过验证策略,则将调用传递给实际的后端服务,如果是token 请求(这里的token是在应用里面生成的token),则将服务调用传递给key manager
Key Manager
Key Manager使用oauth2协议生成token,将创建oauth应用程序和验证token的操作分离,可以插入第三方授权服务器来进行密钥验证。部署一个第三方key manager
key manager
api store中为application生成token的时候,api gateway会调用key manager来生成token
token的校验分两种情况
- 如果启用了api gateway缓存,则从缓存中校验,避免每次请求都要和key manager通信
- 如果未启用缓存,网关将token,api 和api版本传递给key manager,发起验证调用
api gateway和key manager的通信方式有如下两种:
- 通过web service调用
- 通过 Thrift调用(默认情况采用该方式进行通信)
在不支持Thrift负载均衡的集群中部署多个key manager 节点,需要修改
Traffic Manager
流量管理,用于隔离不同级别的消费者,方便api管理,同时api调用限制策略也可以防止api遭受安全攻击。
traffic manager可以动态限制api调用,可以实时处理限制策略,包含api请求的次数限制。
traffic manager
Analytics
apim的监控和分析组件,提供大量的统计图表和内置的预警机制
analytics
多租户配置
主要概念
-
API visibility: 控制api的可见性,有public,restricted by role,visible to my domain三个选项 -
Subscription availability: 订阅可见性,有如下三个选项,available to current tenant only,available to all the tenants,available to specific tenants
详细配置
配置主用户存储
wso2apim拥有有自己内部用户存储,默认情况下从这里读取用户信息,但也支持从ldap服务器和第三方jdbc数据库读取用户/角色信息,这里只简略介绍下使用第三方数据库的情况。
用户-角色-权限的基本鉴权逻辑下,wso2pim做了如下分离:
- Carbon数据库,用于内部存储授权信息
- 第三方数据库的用户和角色信息
所以,修改
org.wso2.carbon.user.core.tenant.JDBCTenantManager
false
true
true
^[\S]{3,30}$
^[\S]{3,30}$
Username pattern policy violated
^[\S]{5,30}$
^[\S]{5,30}$
Password length should be within 5 to 30 characters
^[\S]{3,30}$
^[\S]{3,30}$
true
false
true
SHA-256
true
,
100
100
true
false
org.wso2.carbon.user.core.tenant.JDBCTenantManager
com.mysql.jdbc.Driver
jdbc:mysql://localhost:3306/tcsdev
shavantha
welcome
false
100
100
true
SHA-256
true
false
false
default
true
false
false
^[\S]{5,30}$
^[\S]{5,30}$
^[\S]{5,30}$
^[\S]{5,30}$
^[\S]{5,30}$
^[\S]{5,30}$
false
SELECT * FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?
SELECT UM_ROLE_NAME, UM_TENANT_ID, UM_SHARED_ROLE FROM UM_ROLE WHERE UM_ROLE_NAME LIKE ? AND UM_TENANT_ID=? AND UM_SHARED_ROLE ='0' ORDER BY UM_ROLE_NAME
SELECT UM_ROLE_NAME, UM_TENANT_ID, UM_SHARED_ROLE FROM UM_ROLE WHERE UM_ROLE_NAME LIKE ? AND UM_SHARED_ROLE ='1' ORDER BY UM_ROLE_NAME
SELECT UM_USER_NAME FROM UM_USER WHERE UM_USER_NAME LIKE ? AND UM_TENANT_ID=? ORDER BY UM_USER_NAME
SELECT UM_ROLE_NAME FROM UM_USER_ROLE, UM_ROLE, UM_USER WHERE UM_USER.UM_USER_NAME=? AND UM_USER.UM_ID=UM_USER_ROLE.UM_USER_ID AND UM_ROLE.UM_ID=UM_USER_ROLE.UM_ROLE_ID AND UM_USER_ROLE.UM_TENANT_ID=? AND UM_ROLE.UM_TENANT_ID=? AND UM_USER.UM_TENANT_ID=?
SELECT UM_ROLE_NAME, UM_ROLE.UM_TENANT_ID, UM_SHARED_ROLE FROM UM_SHARED_USER_ROLE INNER JOIN UM_USER ON UM_SHARED_USER_ROLE.UM_USER_ID = UM_USER.UM_ID INNER JOIN UM_ROLE ON UM_SHARED_USER_ROLE.UM_ROLE_ID = UM_ROLE.UM_ID WHERE UM_USER.UM_USER_NAME = ? AND UM_SHARED_USER_ROLE.UM_USER_TENANT_ID = UM_USER.UM_TENANT_ID AND UM_SHARED_USER_ROLE.UM_ROLE_TENANT_ID = UM_ROLE.UM_TENANT_ID AND UM_SHARED_USER_ROLE.UM_USER_TENANT_ID = ?
SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?
SELECT UM_USER_NAME FROM UM_USER_ROLE, UM_ROLE, UM_USER WHERE UM_ROLE.UM_ROLE_NAME=? AND UM_USER.UM_ID=UM_USER_ROLE.UM_USER_ID AND UM_ROLE.UM_ID=UM_USER_ROLE.UM_ROLE_ID AND UM_USER_ROLE.UM_TENANT_ID=? AND UM_ROLE.UM_TENANT_ID=? AND UM_USER.UM_TENANT_ID=?
SELECT UM_USER_NAME FROM UM_SHARED_USER_ROLE INNER JOIN UM_USER ON UM_SHARED_USER_ROLE.UM_USER_ID = UM_USER.UM_ID INNER JOIN UM_ROLE ON UM_SHARED_USER_ROLE.UM_ROLE_ID = UM_ROLE.UM_ID WHERE UM_ROLE.UM_ROLE_NAME= ? AND UM_SHARED_USER_ROLE.UM_USER_TENANT_ID = UM_USER.UM_TENANT_ID AND UM_SHARED_USER_ROLE.UM_ROLE_TENANT_ID = UM_ROLE.UM_TENANT_ID
SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?
SELECT UM_ATTR_NAME, UM_ATTR_VALUE FROM UM_USER_ATTRIBUTE, UM_USER WHERE UM_USER.UM_ID = UM_USER_ATTRIBUTE.UM_USER_ID AND UM_USER.UM_USER_NAME=? AND UM_PROFILE_ID=? AND UM_USER_ATTRIBUTE.UM_TENANT_ID=? AND UM_USER.UM_TENANT_ID=?
SELECT UM_ATTR_VALUE FROM UM_USER_ATTRIBUTE, UM_USER WHERE UM_USER.UM_ID = UM_USER_ATTRIBUTE.UM_USER_ID AND UM_USER.UM_USER_NAME=? AND UM_ATTR_NAME=? AND UM_PROFILE_ID=? AND UM_USER_ATTRIBUTE.UM_TENANT_ID=? AND UM_USER.UM_TENANT_ID=?
SELECT UM_USER_NAME FROM UM_USER, UM_USER_ATTRIBUTE WHERE UM_USER_ATTRIBUTE.UM_USER_ID = UM_USER.UM_ID AND UM_USER_ATTRIBUTE.UM_ATTR_NAME =? AND UM_USER_ATTRIBUTE.UM_ATTR_VALUE =? AND UM_USER_ATTRIBUTE.UM_PROFILE_ID=? AND UM_USER_ATTRIBUTE.UM_TENANT_ID=? AND UM_USER.UM_TENANT_ID=?SELECT UM_USER_NAME FROM UM_USER, UM_USER_ATTRIBUTE WHERE UM_USER_ATTRIBUTE.UM_USER_ID = UM_USER.UM_ID AND UM_USER_ATTRIBUTE.UM_ATTR_NAME =? AND UM_USER_ATTRIBUTE.UM_ATTR_VALUE LIKE ? AND UM_USER_ATTRIBUTE.UM_PROFILE_ID=? AND UM_USER_ATTRIBUTE.UM_TENANT_ID=? AND UM_USER.UM_TENANT_ID=?
SELECT DISTINCT UM_PROFILE_ID FROM UM_USER_ATTRIBUTE WHERE UM_TENANT_ID=?
SELECT DISTINCT UM_PROFILE_ID FROM UM_USER_ATTRIBUTE WHERE UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_TENANT_ID=?
SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?
SELECT UM_USER_NAME FROM UM_USER WHERE UM_TENANT_ID=?
SELECT UM_TENANT_ID FROM UM_USER WHERE UM_USER_NAME=?
INSERT INTO UM_USER (UM_USER_NAME, UM_USER_PASSWORD, UM_SALT_VALUE, UM_REQUIRE_CHANGE, UM_CHANGED_TIME, UM_TENANT_ID) VALUES (?, ?, ?, ?, ?, ?)
INSERT INTO UM_USER_ROLE (UM_USER_ID, UM_ROLE_ID, UM_TENANT_ID) VALUES ((SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?),(SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?), ?)
INSERT INTO UM_ROLE (UM_ROLE_NAME, UM_TENANT_ID) VALUES (?, ?)
UPDATE UM_ROLE SET UM_SHARED_ROLE = ? WHERE UM_ROLE_NAME = ? AND UM_TENANT_ID = ?
INSERT INTO UM_USER_ROLE (UM_ROLE_ID, UM_USER_ID, UM_TENANT_ID) VALUES ((SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?),(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?), ?)
INSERT INTO UM_SHARED_USER_ROLE (UM_ROLE_ID, UM_USER_ID, UM_USER_TENANT_ID, UM_ROLE_TENANT_ID) VALUES ((SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?),(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?), ?, ?)
DELETE FROM UM_SHARED_USER_ROLE WHERE UM_ROLE_ID=(SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?) AND UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_USER_TENANT_ID=? AND UM_ROLE_TENANT_ID = ?
DELETE FROM UM_USER_ROLE WHERE UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_ROLE_ID=(SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?) AND UM_TENANT_ID=?
DELETE FROM UM_USER_ROLE WHERE UM_ROLE_ID=(SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?) AND UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_TENANT_ID=?
DELETE FROM UM_ROLE WHERE UM_ROLE_NAME = ? AND UM_TENANT_ID=?
DELETE FROM UM_USER_ROLE WHERE UM_ROLE_ID=(SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?) AND UM_TENANT_ID=?
DELETE FROM UM_USER WHERE UM_USER_NAME = ? AND UM_TENANT_ID=?
DELETE FROM UM_USER_ROLE WHERE UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_TENANT_ID=?
DELETE FROM UM_USER_ATTRIBUTE WHERE UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_TENANT_ID=?
UPDATE UM_USER SET UM_USER_PASSWORD= ?, UM_SALT_VALUE=?, UM_REQUIRE_CHANGE=?, UM_CHANGED_TIME=? WHERE UM_USER_NAME= ? AND UM_TENANT_ID=?
UPDATE UM_ROLE set UM_ROLE_NAME=? WHERE UM_ROLE_NAME = ? AND UM_TENANT_ID=?
INSERT INTO UM_USER_ATTRIBUTE (UM_USER_ID, UM_ATTR_NAME, UM_ATTR_VALUE, UM_PROFILE_ID, UM_TENANT_ID) VALUES ((SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?), ?, ?, ?, ?)
UPDATE UM_USER_ATTRIBUTE SET UM_ATTR_VALUE=? WHERE UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_ATTR_NAME=? AND UM_PROFILE_ID=? AND UM_TENANT_ID=?
DELETE FROM UM_USER_ATTRIBUTE WHERE UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_ATTR_NAME=? AND UM_PROFILE_ID=? AND UM_TENANT_ID=?
SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=?
SELECT UM_DOMAIN_ID FROM UM_DOMAIN WHERE UM_DOMAIN_NAME=? AND UM_TENANT_ID=?
INSERT INTO UM_DOMAIN (UM_DOMAIN_NAME, UM_TENANT_ID) VALUES (?, ?)
INSERT INTO UM_USER_ROLE (UM_USER_ID, UM_ROLE_ID, UM_TENANT_ID) SELECT (SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?),(SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?),(?)
INSERT INTO UM_USER_ROLE (UM_ROLE_ID, UM_USER_ID, UM_TENANT_ID) SELECT (SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?),(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?), (?)
INSERT INTO UM_USER_ATTRIBUTE (UM_USER_ID, UM_ATTR_NAME, UM_ATTR_VALUE, UM_PROFILE_ID, UM_TENANT_ID) SELECT (SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?), (?), (?), (?), (?)
INSERT INTO UM_USER_ROLE (UM_USER_ID, UM_ROLE_ID, UM_TENANT_ID) SELECT UU.UM_ID, UR.UM_ID, ? FROM UM_USER UU, UM_ROLE UR WHERE UU.UM_USER_NAME=? AND UU.UM_TENANT_ID=? AND UR.UM_ROLE_NAME=? AND UR.UM_TENANT_ID=?
INSERT INTO UM_USER_ROLE (UM_ROLE_ID, UM_USER_ID, UM_TENANT_ID) SELECT UR.UM_ID, UU.UM_ID, ? FROM UM_ROLE UR, UM_USER UU WHERE UR.UM_ROLE_NAME=? AND UR.UM_TENANT_ID=? AND UU.UM_USER_NAME=? AND UU.UM_TENANT_ID=?
INSERT INTO UM_USER_ATTRIBUTE (UM_USER_ID, UM_ATTR_NAME, UM_ATTR_VALUE, UM_PROFILE_ID, UM_TENANT_ID) SELECT UM_ID, ?, ?, ?, ? FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?
wso2.org
详细步骤和配置请参阅