yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #9626 from id/fix-enable-authz-cache-by-default 

fix: enable authorization cache by default
This commit is contained in:
Zaiming (Stone) Shi 2023-01-13 07:39:38 +01:00 committed by GitHub
parent 6b75077c47 f90c41f769
commit b40ce0fc2d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 69 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/emqx/src/emqx_hocon.erl
View File

@ -21,7 +21,8 @@
format_path/1, format_path/1,
check/2, check/2,
format_error/1, format_error/1,
format_error/2 format_error/2,
make_schema/1
]). ]).
%% @doc Format hocon config field path to dot-separated string in iolist format. %% @doc Format hocon config field path to dot-separated string in iolist format.
@ -79,6 +80,9 @@ format_error({_Schema, [#{kind := K} = First | Rest] = All}, Opts) when
format_error(_Other, _) -> format_error(_Other, _) ->
false. false.
make_schema(Fields) ->
#{roots => Fields, fields => #{}}.
%% Ensure iolist() %% Ensure iolist()
iol(B) when is_binary(B) -> B; iol(B) when is_binary(B) -> B;
iol(A) when is_atom(A) -> atom_to_binary(A, utf8); iol(A) when is_atom(A) -> atom_to_binary(A, utf8);

54
apps/emqx/src/emqx_schema.erl
View File

@ -114,6 +114,7 @@
-export([namespace/0, roots/0, roots/1, fields/1, desc/1, tags/0]). -export([namespace/0, roots/0, roots/1, fields/1, desc/1, tags/0]).
-export([conf_get/2, conf_get/3, keys/2, filter/1]). -export([conf_get/2, conf_get/3, keys/2, filter/1]).
-export([server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1]). -export([server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1]).
-export([authz_fields/0]).
-export([sc/2, map/2]). -export([sc/2, map/2]).
-elvis([{elvis_style, god_modules, disable}]). -elvis([{elvis_style, god_modules, disable}]).
@ -326,31 +327,7 @@ fields("stats") ->
)} )}
]; ];
fields("authorization") -> fields("authorization") ->
[ authz_fields();
{"no_match",
sc(
hoconsc:enum([allow, deny]),
#{
default => allow,
required => true,
desc => ?DESC(fields_authorization_no_match)
}
)},
{"deny_action",
sc(
hoconsc:enum([ignore, disconnect]),
#{
default => ignore,
required => true,
desc => ?DESC(fields_authorization_deny_action)
}
)},
{"cache",
sc(
ref(?MODULE, "cache"),
#{}
)}
];
fields("cache") -> fields("cache") ->
[ [
{"enable", {"enable",
@ -2091,6 +2068,33 @@ do_default_ciphers(_) ->
%% otherwise resolve default ciphers list at runtime %% otherwise resolve default ciphers list at runtime
[]. [].
authz_fields() ->
[
{"no_match",
sc(
hoconsc:enum([allow, deny]),
#{
default => allow,
required => true,
desc => ?DESC(fields_authorization_no_match)
}
)},
{"deny_action",
sc(
hoconsc:enum([ignore, disconnect]),
#{
default => ignore,
required => true,
desc => ?DESC(fields_authorization_deny_action)
}
)},
{"cache",
sc(
ref(?MODULE, "cache"),
#{}
)}
].
%% @private return a list of keys in a parent field %% @private return a list of keys in a parent field
-spec keys(string(), hocon:config()) -> [string()]. -spec keys(string(), hocon:config()) -> [string()].
keys(Parent, Conf) -> keys(Parent, Conf) ->

1
apps/emqx_authz/etc/emqx_authz.conf
View File

@ -1,6 +1,7 @@
authorization { authorization {
deny_action = ignore deny_action = ignore
no_match = allow no_match = allow
cache = { enable = true }
sources = [ sources = [
{ {
type = file type = file

6
apps/emqx_authz/src/emqx_authz_api_settings.erl
View File

@ -64,7 +64,7 @@ schema("/authorization/settings") ->
}. }.
ref_authz_schema() -> ref_authz_schema() ->
proplists:delete(sources, emqx_conf_schema:fields("authorization")). emqx_schema:authz_fields().
settings(get, _Params) -> settings(get, _Params) ->
{200, authorization_settings()}; {200, authorization_settings()};
@ -83,4 +83,6 @@ settings(put, #{
{200, authorization_settings()}. {200, authorization_settings()}.
authorization_settings() -> authorization_settings() ->
maps:remove(<<"sources">>, emqx:get_raw_config([authorization], #{})). C = maps:remove(<<"sources">>, emqx:get_raw_config([authorization], #{})),
Schema = emqx_hocon:make_schema(emqx_schema:authz_fields()),
hocon_tconf:make_serializable(Schema, C, #{}).

2
apps/emqx_authz/src/emqx_authz_api_sources.erl
View File

@ -449,7 +449,7 @@ is_ok(ResL) ->
get_raw_sources() -> get_raw_sources() ->
RawSources = emqx:get_raw_config([authorization, sources], []), RawSources = emqx:get_raw_config([authorization, sources], []),
Schema = #{roots => emqx_authz_schema:fields("authorization"), fields => #{}}, Schema = emqx_hocon:make_schema(emqx_authz_schema:authz_fields()),
Conf = #{<<"sources">> => RawSources}, Conf = #{<<"sources">> => RawSources},
#{<<"sources">> := Sources} = hocon_tconf:make_serializable(Schema, Conf, #{}), #{<<"sources">> := Sources} = hocon_tconf:make_serializable(Schema, Conf, #{}),
merge_default_headers(Sources). merge_default_headers(Sources).

40
apps/emqx_authz/src/emqx_authz_schema.erl
View File

@ -36,7 +36,8 @@
tags/0, tags/0,
fields/1, fields/1,
validations/0, validations/0,
desc/1 desc/1,
authz_fields/0
]). ]).
-export([ -export([
@ -74,23 +75,7 @@ tags() ->
roots() -> []. roots() -> [].
fields("authorization") -> fields("authorization") ->
Types = [?R_REF(Type) || Type <- type_names()], authz_fields();
UnionMemberSelector =
fun
(all_union_members) -> Types;
%% must return list
({value, Value}) -> [select_union_member(Value)]
end,
[
{sources,
?HOCON(
?ARRAY(?UNION(UnionMemberSelector)),
#{
default => [],
desc => ?DESC(sources)
}
)}
];
fields(file) -> fields(file) ->
authz_common_fields(file) ++ authz_common_fields(file) ++
[{path, ?HOCON(string(), #{required => true, desc => ?DESC(path)})}]; [{path, ?HOCON(string(), #{required => true, desc => ?DESC(path)})}];
@ -492,3 +477,22 @@ select_union_member_loop(TypeValue, [Type | Types]) ->
false -> false ->
select_union_member_loop(TypeValue, Types) select_union_member_loop(TypeValue, Types)
end. end.
authz_fields() ->
Types = [?R_REF(Type) || Type <- type_names()],
UnionMemberSelector =
fun
(all_union_members) -> Types;
%% must return list
({value, Value}) -> [select_union_member(Value)]
end,
[
{sources,
?HOCON(
?ARRAY(?UNION(UnionMemberSelector)),
#{
default => [],
desc => ?DESC(sources)
}
)}
].

4
apps/emqx_conf/src/emqx_conf_schema.erl
View File

@ -947,8 +947,8 @@ fields("log_burst_limit") ->
)} )}
]; ];
fields("authorization") -> fields("authorization") ->
emqx_schema:fields("authorization") ++ emqx_schema:authz_fields() ++
emqx_authz_schema:fields("authorization"). emqx_authz_schema:authz_fields().
desc("cluster") -> desc("cluster") ->
?DESC("desc_cluster"); ?DESC("desc_cluster");

2
changes/v5.0.15/fix-9626.en.md Normal file
View File

@ -0,0 +1,2 @@
Return authorization settings with default values.
The authorization cache is enabled by default, but due to the missing default value in `GET` response of `/authorization/settings`, it seemed to be disabled from the dashboard.

3
changes/v5.0.15/fix-9626.zh.md Normal file
View File

@ -0,0 +1,3 @@
为授权设置 API 返回默认值。
授权缓存默认为开启,但是在此修复前,因为默认值在 `/authorization/settings` 这个 API 的返回值中缺失,
使得在仪表盘配置页面中看起来是关闭了。