feat(sys): init oss app policy;

labring · Apr 14, 2022 · 72d76fc · 72d76fc
1 parent c33d7e2
commit 72d76fc
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 11 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -55,9 +55,9 @@
   "rest-client.environmentVariables": {
     "$shared": {},
     "test": {
-      "base_url": "http://127.0.0.1:9000",
-      "user": "test",
-      "passwd": "test"
+      "base_url": "http://console.local-dev.host:8080",
+      "user": "root",
+      "passwd": "abc123"
     },
     "storage": {
       "base_url": "http://localhost:9001"

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -21,7 +21,8 @@ services:
       - laf_shared_network
 
   system-server:
-    image: node:16-alpine
+    # image: node:16-alpine
+    build: ./packages/system-server
     user: root
     working_dir: /app
     environment:
@@ -39,8 +40,8 @@ services:
       STORAGE_SERVICE_API_ENTRYPOINT: http://storage-service:9010
       STORAGE_SERVICE_SECRET: Rewrite_Your_Own_Secret_Salt_abcdefg1234567
       STORAGE_SERVICE_DEPLOY_HOST: fs.local-dev.host:8080 # `*.local-dev.host` always resolved to 127.0.0.1, used to local development
-      MINIO_KEY: minio-root-user
-      MINIO_SECRET: minio-root-password
+      MINIO_ACCESS_KEY: minio-root-user
+      MINIO_ACCESS_SECRET: minio-root-password
       MINIO_INTERNAL_ENDPOINT: http://oss:9000
       MINIO_EXTERNAL_ENDPOINT: http://oss.local-dev.host:8080
       DEBUG_BIND_HOST_APP_PATH: '${PWD}/packages/app-service'
@@ -68,6 +69,7 @@ services:
     environment:
       DEPLOY_DOMAIN: "*.local-dev.host" # `*.local-dev.host` always resolved to 127.0.0.1, used to local development
       DEPLOY_FS_DOMAIN: "*.fs.local-dev.host"
+      DEPLOY_OSS_DOMAIN: "oss.local-dev.host"
       SYS_CLIENT_HOST: console.local-dev.host
       DOCS_HOST: docs.local-dev.host
     volumes:
@@ -83,7 +85,7 @@ services:
       - laf_shared_network
 
   oss:
-    image: 'bitnami/minio:2022.4.9'
+    image: 'bitnami/minio:2022.4.12'
     environment:
       - MINIO_ROOT_USER=minio-root-user
       - MINIO_ROOT_PASSWORD=minio-root-password

diff --git a/packages/system-server/http/oss.http b/packages/system-server/http/oss.http
@@ -0,0 +1,38 @@
+
+@token={{login.response.body.$.data.access_token}}
+@appid=00000000-0000-0000-0000-000000000000
+
+### admin login
+# @name login
+
+POST {{base_url}}/sys-api/account/login HTTP/1.1
+Content-Type: application/json
+
+{
+  "username": "{{user}}",
+  "password": "{{passwd}}"
+}
+
+### Get bucket list
+
+GET {{base_url}}/sys-api/apps/{{appid}}/oss/buckets
+Content-Type: application/json
+Authorization: Bearer {{token}}
+
+
+### Create a bucket
+
+POST {{base_url}}/sys-api/apps/{{appid}}/oss/buckets
+Content-Type: application/json
+Authorization: Bearer {{token}}
+
+{
+  "bucket": "test-for-create-bucket",
+  "mode": "public-read"
+}
+
+
+### Delete a bucket
+
+DELETE  {{base_url}}/sys-api/apps/{{appid}}/oss/buckets/test-for-create-bucket
+Authorization: Bearer {{token}}
diff --git a/packages/system-server/src/api/init.ts b/packages/system-server/src/api/init.ts
@@ -6,9 +6,12 @@ import { hashPassword } from "../utils/hash"
 import { ApplicationStruct, getApplicationByAppid, publishApplicationPackages } from "./application"
 import { ApplicationService } from "./service"
 import * as fs from "fs"
+import * as path from 'path'
 import { ApplicationImporter } from "../lib/importer"
 import { publishFunctions } from "./function"
 import { publishAccessPolicies } from "./policy"
+import { generatePassword } from "../utils/rand"
+import { MinioAgent } from "./oss"
 
 /**
  * Initialize APIs
@@ -79,11 +82,12 @@ export class InitializerApi {
         db_name: db_config.database,
         db_user: db_config.username,
         db_password: db_config.password,
-        server_secret_salt: Config.SYS_SERVER_SECRET_SALT
+        server_secret_salt: Config.SYS_SERVER_SECRET_SALT,
+        oss_access_secret: generatePassword(64, true, false)
       },
       runtime: {
         image: Config.APP_SERVICE_IMAGE,
-        resources: { 
+        resources: {
           req_cpu: '100',
           req_memory: '256',
           limit_cpu: '1000',
@@ -96,6 +100,15 @@ export class InitializerApi {
       updated_at: new Date()
     }
 
+    // create oss user
+    const oss = await MinioAgent.New()
+    if (false === await oss.createUser(data.appid, data.config.oss_access_secret)) {
+      throw new Error('create oss user failed')
+    }
+    if (false === await oss.setUserPolicy(data.appid, Config.MINIO_CONFIG.user_policy)) {
+      throw new Error('set policy to oss user failed')
+    }
+
     // save it
     const ret = await db.collection(Constants.cn.applications)
       .insertOne(data as any)
@@ -113,7 +126,7 @@ export class InitializerApi {
     const importer = new ApplicationImporter(app, data)
 
     importer.parse()
-    
+
     await importer.import()
 
     await publishFunctions(app)
@@ -130,4 +143,13 @@ export class InitializerApi {
     const app = await getApplicationByAppid(appid)
     await ApplicationService.start(app)
   }
+
+  /**
+   * create app user policy
+   */
+  static async initAppUserPolicy() {
+    const oss = await MinioAgent.New()
+    const policy_path = path.resolve(__dirname, '../../user-policy.json')
+    await oss.createUserPolicy(Config.MINIO_CONFIG.user_policy, policy_path)
+  }
 }
diff --git a/packages/system-server/src/config.ts b/packages/system-server/src/config.ts
@@ -192,7 +192,8 @@ export default class Config {
       endpoint: {
         internal: internal_endpoint,
         external: external_endpoint
-      }
+      },
+      user_policy: process.env.MINIO_USER_POLICY || 'owner_by_prefix'
     }
   }
 

diff --git a/packages/system-server/src/init.ts b/packages/system-server/src/init.ts
@@ -31,6 +31,10 @@ async function main() {
     account_id = account._id
   }
 
+  // create app user policy
+  await InitializerApi.initAppUserPolicy()
+  logger.info('init app user policy')
+
   // create system extension server app
   const app = await getApplicationByAppid(SYSTEM_EXTENSION_APPID)
   if (!app) {

diff --git a/packages/system-server/user-policy.json b/packages/system-server/user-policy.json
@@ -0,0 +1,21 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+          "Effect": "Allow",
+          "Action": [
+              "s3:GetBucketPolicy",
+              "s3:GetObject",
+              "s3:ListBucket",
+              "s3:ListBucketMultipartUploads",
+              "s3:ListMultipartUploadParts",
+              "s3:PutObject",
+              "s3:DeleteObject",
+              "s3:GetBucketLocation"
+          ],
+          "Resource": [
+              "arn:aws:s3:::${aws:username}-*"
+          ]
+      }
+  ]
+}