个人备案 网站名,建设公司官网的请示,江浦网站建设,十大营销策划公司排名什么是Secrets应用程序通常会通过使用专用的存储来存储敏感信息#xff0c;如连接字符串、密钥等。通常这需要建立一个密钥存储#xff0c;如Azure Key Vault、Hashicorp等#xff0c;并在那里存储应用程序级别的密钥。要访问这些密钥存储#xff0c;应用程序需要导入密钥存… 什么是Secrets应用程序通常会通过使用专用的存储来存储敏感信息如连接字符串、密钥等。通常这需要建立一个密钥存储如Azure Key Vault、Hashicorp等并在那里存储应用程序级别的密钥。要访问这些密钥存储应用程序需要导入密钥存储SDK并使用它访问这些密钥。这可能需要相当数量的模板代码这些代码与应用的实际业务领域无关因此在多云场景中可能会使用不同厂商特定的密钥存储这就成为一个更大的挑战。让开发人员在任何地方更容易访问应用程序密钥 Dapr 提供一个专用的密钥构建块 允许开发人员从一个存储获得密钥。使用 Dapr 的密钥存储构建块通常涉及以下内容设置一个特定的密钥存储解决方案的组件。在应用程序代码中使用 Dapr Secrets API 获取密钥。在Dapr的Component文件中引用密钥工作原理服务A调用 Dapr Secrets API提供要检索的Serects的名称和要查询的项名字。Dapr sidecar 从Secrets存储中检索指定的机密。Dapr sidecar 将Secrets信息返回给服务。Dapr目前支持的Secrets存储请见存储使用Secrets时应用程序与 Dapr sidecar 交互。sidecar 公开Secrets API。可以使用 HTTP 或 gRPC 调用 API。使用以下 URL 调用 HTTP APIhttp://localhost:dapr-port/v1.0/secrets/store-name/name?metadataURL 包含以下字段dapr-port 指定 Dapr sidecar 侦听的端口号。store-name 指定 Dapr Secrets存储的名称。name 指定要检索的密钥的名称。metadata 提供Secrets的其他信息。此段是可选的每个Secrets存储的元数据属性不同。有关元数据属性详细信息项目实战通过Dapr SDK获取secrets仍然使用FrontEnd项目并使用本地文件存储Secrets首先在默认component目录C:\Users\username\.dapr\components中新建文件secrets01.json声明密钥内容{RabbitMQConnectStr: amqp://admin:123456192.168.43.101:5672
}在此目录新建secrets01.yaml定义storeapiVersion: dapr.io/v1alpha1
kind: Component
metadata:name: secrets01
spec:type: secretstores.local.fileversion: v1metadata:- name: secretsFilevalue: C:\Users\username\.dapr\components\secrets01.json- name: nestedSeparatorvalue: :定义接口获取Secrets01的内容新建SecretsControllerusing Dapr.Client;using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;using System.Collections.Generic;
using System.Threading.Tasks;namespace FrontEnd.Controllers
{[Route([controller])][ApiController]public class SecretsController : ControllerBase{private readonly ILoggerSecretsController _logger;private readonly DaprClient _daprClient;public SecretsController(ILoggerSecretsController logger, DaprClient daprClient){_logger logger;_daprClient daprClient;}[HttpGet]public async TaskActionResult GetAsync(){Dictionarystring, string secrets await _daprClient.GetSecretAsync(secrets01, RabbitMQConnectStr);return Ok(secrets);}}
}运行Frontenddapr run --dapr-http-port 3501 --app-port 5001 --app-id frontend dotnet .\FrontEnd\bin\Debug\net5.0\FrontEnd.dll验证此api获取成功通过IConfiguration访问SecretsDapr还提供了从IConfiguration中访问Secrets的方法首先引入nuget包Dapr.Extensions.Config在Program.cs中修改注册public static IHostBuilder CreateHostBuilder(string[] args) Host.CreateDefaultBuilder(args).ConfigureAppConfiguration(config {var daprClient new DaprClientBuilder().Build();var secretDescriptors new ListDaprSecretDescriptor { new DaprSecretDescriptor(RabbitMQConnectStr) };config.AddDaprSecretStore(secrets01, secretDescriptors, daprClient);}).ConfigureWebHostDefaults(webBuilder {webBuilder.UseStartupStartup().UseUrls(http://*:5001);});在SecretsController注入IConfigurationprivate readonly ILoggerSecretsController _logger;private readonly DaprClient _daprClient;private readonly IConfiguration _configuration;public SecretsController(ILoggerSecretsController logger, DaprClient daprClient, IConfiguration configuration){_logger logger;_daprClient daprClient;_configuration configuration;}在SecretsController中新增接口[HttpGet(get01)]public async TaskActionResult Get01Async(){return Ok(_configuration[RabbitMQConnectStr]);}调用接口获取数据成功其他组件引用SecretsDapr的其他组件同样可以引用Secrets我们以上节RabbitMQBinding为例修改rabbitbinding.yamlapiVersion: dapr.io/v1alpha1
kind: Component
metadata:name: RabbitBinding
spec:type: bindings.rabbitmqversion: v1metadata:- name: queueNamevalue: queue1- name: hostsecretKeyRef:name: RabbitMQConnectStrkey: RabbitMQConnectStr- name: durablevalue: true- name: deleteWhenUnusedvalue: false- name: ttlInSecondsvalue: 60- name: prefetchCountvalue: 0- name: exclusivevalue: false- name: maxPriorityvalue: 5
auth:secretStore: secrets01secretKeyRef元素引用指定的密钥。它将替换以前的 明文 值。 在 auth 中找到对应的secretStore。现在运行Frontenddapr run --dapr-http-port 3501 --app-port 5001 --app-id frontend dotnet .\FrontEnd\bin\Debug\net5.0\FrontEnd.dll在RabbitMQ Management中发送消息消费成功 APP info: FrontEnd.Controllers.RabbitBindingController[0]APP .............binding.............11122444限制Secrets访问权限我们可以在Dapr的默认配置文件C:\Users\username\.dapr\config.yaml中设置Secrets的访问权限现在我们尝试禁止secrets01的权限apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:name: daprConfig
spec:tracing:samplingRate: 1zipkin:endpointAddress: http://localhost:9411/api/v2/spanssecrets:scopes:- storeName: secrets01defaultAccess: deny设置之后Frontend会启动失败因为我们在Program.cs中设置了读取secrets01。 APP Unhandled exception. Dapr.DaprException: Secret operation failed: the Dapr endpoint indicated a failure. See InnerException for details.APP --- Grpc.Core.RpcException: Status(StatusCodePermissionDenied, Detailaccess denied by policy to get RabbitMQConnectStr from secrets01)APP at Dapr.Client.DaprClientGrpc.GetSecretAsync(String storeName, String key, IReadOnlyDictionary2 metadata, CancellationToken cancellationToken)APP --- End of inner exception stack trace ---APP at Dapr.Client.DaprClientGrpc.GetSecretAsync(String storeName, String key, IReadOnlyDictionary2 metadata, CancellationToken cancellationToken)APP at Dapr.Extensions.Configuration.DaprSecretStore.DaprSecretStoreConfigurationProvider.LoadAsync()APP at Dapr.Extensions.Configuration.DaprSecretStore.DaprSecretStoreConfigurationProvider.Load()APP at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList1 providers)APP at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()APP at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration()APP at Microsoft.Extensions.Hosting.HostBuilder.Build()APP at FrontEnd.Program.Main(String[] args) in C:\demo\test\DaprBackEnd\FrontEnd\Program.cs:line 20我们可以修改配置让其允许apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:name: daprConfig
spec:tracing:samplingRate: 1zipkin:endpointAddress: http://localhost:9411/api/v2/spanssecrets:scopes:- storeName: secrets01defaultAccess: denyallowedSecrets: [RabbitMQConnectStr]重启Frontend成功以下表格列出了所有可能的访问权限配置ScenariosdefaultAccessallowedSecretsdeniedSecretspermission1 - Only default accessdeny/allowemptyemptydeny/allow2 - Default deny with allowed listdeny[“s1”]emptyonly “s1” can be accessed3 - Default allow with deneied listallowempty[“s1”]only “s1” cannot be accessed4 - Default allow with allowed listallow[“s1”]emptyonly “s1” can be accessed5 - Default deny with denied listdenyempty[“s1”]deny6 - Default deny/allow with both listsdeny/allow[“s1”][“s2”]only “s1” can be accessed相关文章Dapr实战一 基础概念与环境搭建Dapr .NET Core实战二 服务调用Dapr .NET Core实战三状态管理Dapr .NET 实战四发布和订阅Dapr .NET 实战五Actor
