确保请求来自 docker-compose 网络中的另一个容器
[英]Make sure a request is coming from another container in the network in docker-compose
问题描述
Sometimes simple task seems to be more complex.
有时,简单的任务似乎更复杂。 It's what I am facing right now.这就是我现在面临的。
I am developing an e-commerce API.我正在开发电子商务 API。 The app has a microservice based architecture.该应用程序具有基于微服务的架构。 So, Order , Product , Payment and Auth these are different microservices.因此, Order 、 Product 、 Payment和Auth这些是不同的微服务。 Each has it's own database.每个都有自己的数据库。
These microservices communicate each other over http restful apis .这些微服务通过http restful apis相互通信。 So If a user places an order it talk to payment microservice to get generated checksum so that he can make payment.因此,如果用户下订单,它会与支付微服务通信以获取生成的校验和,以便他可以付款。 Payment microservice talks to Order to place an order.支付微服务与Order对话以下Order 。
Order microservice places an order and returns details to payment.订单微服务下订单并将详细信息返回到付款。 No problem.没问题。
But after placing order, Product quantity must be reduced.但下单后,产品数量必须减少。 I don't have any API to reduce product quantity.我没有任何 API 来减少产品数量。 I don't want to have one.我不想拥有一个。
Because, a product is only can be modified by its supplier.因为,产品只能由其供应商修改。 Supplier, indeed, can alter his product, but for this he passes his jwt .供应商确实可以改变他的产品,但为此他传递了他的jwt 。
If I make an API to alter product quantity, anyone can hit the api and reduce the quantity.如果我制作一个 API 来改变产品数量,任何人都可以点击 api 并减少数量。
So, one solution can be an API that is only accessible by microservices.因此,一种解决方案可以是只能由微服务访问的 API。
How can I know that the call is coming from a microservice?我怎么知道调用来自微服务?
Should I create some hash and pass it while interacting with other microservice?我应该创建一些hash并在与其他微服务交互时传递它吗?
Docker-compose.yml Docker-compose.yml
version: '3'
services:
users:
build: './users'
ports:
- '4001:3000'
volumes:
- './users:/src/'
products:
build: './products'
ports:
- '4002:3000'
volumes:
- './products:/src/'
orders:
build: './orders'
ports:
- '4003:3000'
volumes:
- './orders:/src/'
payments:
build: './payments'
ports:
- '4004:3000'
volumes:
- './payments:/src/'
Dockerfile文件
#User node js official image as a parent image
FROM node
ADD package.json /tmp/package.json
RUN cd /tmp && npm install
RUN mkdir -p /src && cp -a /tmp/node_modules /src/
COPY . /src
WORKDIR /src
RUN npm install
EXPOSE 3000
CMD npm start
1 个解决方案
解决方案1
0 2020-01-24 08:20:04
I am going to give a more broader perspective to the problem.我将对这个问题给出更广阔的视角。
What you are trying to do can be solved using RBAC(Role based access control) which any application which has different category of users and access permissions need.您尝试做的事情可以使用 RBAC(基于角色的访问控制)来解决,任何具有不同用户类别和访问权限的应用程序都需要这种方法。 In your case by the description three category of users are present在您的情况下,根据描述存在三类用户
- Buyers买家
- Suppliers供应商
- Administrator行政人员
Each category of users have different set of access permissions buyers least to Administrators all access.每个类别的用户都有不同的访问权限集,买家最少,管理员所有访问权限。
The general idea is when the user authenticates it gets a token based on which group he belongs.一般的想法是,当用户进行身份验证时,它会根据他所属的组获取令牌。 The token contains access privileges.令牌包含访问权限。 The token is passed on to all the subsequent api endpoints.令牌被传递到所有后续的 api 端点。 The token defines what the user is capable of doing.令牌定义了用户能够做什么。 So in your case if the product service has an endpoint to reduce quantity only Admin or supplier would have permission to do that.因此,在您的情况下,如果产品服务具有减少数量的端点,则只有管理员或供应商有权这样做。 You can use OAuth based authorization framework.您可以使用基于 OAuth 的授权框架。
References参考
- https://elang2.github.io/myblog/posts/2018-09-29-Role-Based-Access-Control-MicroServices.html https://elang2.github.io/myblog/posts/2018-09-29-Role-Based-Access-Control-MicroServices.html
- https://dzone.com/articles/simple-secure-role-based-access-control-rbac-for-r https://dzone.com/articles/simple-secure-role-based-access-control-rbac-for-r
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.