From: Bill Erickson
Date: Tue, 22 Nov 2022 19:46:23 +0000 (-0500)
Subject: Redis accounts list
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=9b8713616091fe139bc37f48ee24f20ff4000ab0;p=working%2FOpenSRF.git
Redis accounts list
Signed-off-by: Bill Erickson
---
diff --git a/bin/opensrf-perl.pl.in b/bin/opensrf-perl.pl.in
index 89cf565..9103b8c 100755
--- a/bin/opensrf-perl.pl.in
+++ b/bin/opensrf-perl.pl.in
@@ -25,11 +25,11 @@ use OpenSRF::Utils::SettingsClient;
 use OpenSRF::Transport::Listener;
 use OpenSRF::Utils;
 use OpenSRF::Utils::Config;
-use Redis;
 
 my $opt_service = undef;
 my $opt_config = "@CONF_DIR@/opensrf_core.xml";
 my $opt_pid_dir = "@PID_DIR@/run/opensrf";
+my $opt_bus_accounts = "@CONF_DIR@/redis-accounts.txt";
 my $opt_no_daemon = 0;
 my $opt_settings_pause = 0;
 my $opt_localhost = 0;
@@ -73,6 +73,7 @@ my $hostname = $ENV{OSRF_HOSTNAME} || hostfqdn();
 GetOptions(
     'service=s' => \$opt_service,
     'config=s' => \$opt_config,
+    'bus-accounts=s' => \$opt_bus_accounts,
     'pid-dir=s' => \$opt_pid_dir,
     'no-daemon' => \$opt_no_daemon,
     'settings-startup-pause=i' => \$opt_settings_pause,
@@ -627,39 +628,9 @@ sub do_reset_message_bus {
         my $domain = ref $router ? $router->{domain} : $router;
         my $port = $conf->bootstrap->port;
 
-        # This redis connection uses the "default" account, which has
-        # access to all actions and keys so it can act as the admin.
-        my @connect_args = (server => "$domain:$port");
+        msg("Resetting bus accounts for domain $domain");
 
-        my $redis = Redis->new(@connect_args) or
-            die "Cannot connect to Redis instance at @connect_args\n";
-
-        # Clear all the data
-        msg("Clearing all data from message bus: @connect_args");
-        $redis->flushall;
-
-        my $username = $conf->bootstrap->username;
-        my $password = $conf->bootstrap->passwd;
-
-        msg("Applying bus access for $username");
-
-        $redis->acl('SETUSER', $username, 'reset');
-        $redis->acl('SETUSER', $username, 'on', ">$password");
-
-        my @perms = qw/
-            -@all
-            +lpop
-            +blpop
-            +rpush
-            +del
-            ~opensrf:router:*
-            ~opensrf:service:*
-            ~opensrf:client:*
-        /;
-
-        $redis->acl('SETUSER', $username, @perms);
-
-        $redis->quit;
+        system("cat $opt_bus_accounts | redis-cli -h $domain -p $port > /dev/null");
     }
 }
 
diff --git a/examples/opensrf_core.xml.example b/examples/opensrf_core.xml.example
index 8c99cf8..24ddeb0 100644
--- a/examples/opensrf_core.xml.example
+++ b/examples/opensrf_core.xml.example
@@ -89,7 +89,7 @@ vim:et:ts=2:sw=2:
 public.localhost
-opensrf
+gateway
 password
 5222
 LOCALSTATEDIR/log/gateway.log
diff --git a/examples/redis-accounts.example.txt b/examples/redis-accounts.example.txt
new file mode 100644
index 0000000..f9ad292
--- /dev/null
+++ b/examples/redis-accounts.example.txt
@@ -0,0 +1,34 @@
+
+SET comment "opensrf clients can perform all opensrf-level actions"
+SET COMMENT "opensrf accounts send requets to opensrf:router:* queues"
+SET COMMENT "opensrf accounts send replies to opensrf:client:* queues"
+SET COMMENT "opensrf accounts lpop requests from their opensrf:servivce: queue."
+SET COMMENT "TODO: separate Listener vs Drone accounts to prevent Drones / standalone clients from accessing opensrf:service:*"
+
+ACL SETUSER opensrf reset
+ACL SETUSER opensrf on >password
+ACL SETUSER opensrf -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:service:* ~opensrf:client:*
+
+SET comment "routers lpop requests from their own opensrf:router:* queues"
+SET comment "routers send requests to opensrf:service:* queues"
+SET comment "routers send replies to opensrf:client:* queues"
+
+ACL SETUSER router reset
+ACL SETUSER router on >password
+ACL SETUSER router -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:service:* ~opensrf:client:*
+
+SET comment "gateway accounts send request to opensrf:router:* queues"
+SET comment "gateway accounts send subsequent, stateful requests to opensrf:client:* queues"
+
+ACL SETUSER gateway reset
+ACL SETUSER gateway on >password
+ACL SETUSER gateway -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:client:*
+
+SET comment "admin can do anything"
+
+ACL SETUSER admin reset
+ACL SETUSER admin on >password
+ACL SETUSER admin +@all ~* &*
+
+DEL comment
+
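Review bot: The pseudo-comment lines use two different key names, `SET comment ...` and `SET COMMENT ...` (the second through fifth comment lines), and Redis keys are case-sensitive, so the closing `DEL comment` removes only the lowercase key and leaves a stray `COMMENT` key on the bus after every reset; make the key consistent, e.g. `SET comment "opensrf accounts send requests to opensrf:router:* queues"`, or end the file with `DEL comment COMMENT`. The same lines carry the typos `requets` and `servivce`. The `opensrf` and `router` entries receive identical command and key-pattern grants, which the in-file TODO appears to acknowledge, so the separation is still pending. Every account, including `admin` with `+@all ~* &*`, is created with the literal `>password`; a leading line stating that each password must be replaced before the file is piped to a live instance would help installers, since the file is applied as a whole.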