2
0

deploy.md 10 KB

中文

There are two ways to deploy the system: using Docker or manually.

The default login method is password-based, and if you want to log in with LDAP, please refer to the LDAP Configuration Guide.

A. Docker Environment Deployment

1. Required Environment

  • Docker
  • Docker Compose
  • Node.js 12+
  • npm

2. Building the Docker Image

cd path/to/wolf
bash bin/build-all.sh 0.1.10

After a successful build, you can view the image using the following command:

docker images |grep wolf

The output should look similar to this:

igeeky/wolf-agent         0.1.10              c8013cdbc95d        1 hours ago         101MB
igeeky/wolf-agent         latest              c8013cdbc95d        7 hours ago         101MB
igeeky/wolf-server        0.1.10              25ee3cb46296        7 hours ago         143MB
igeeky/wolf-server        latest              25ee3cb46296        7 hours ago         143MB

3.Starting the Docker Image with Docker Compose

For instructions, please refer to: Quick Start with Docker.

B.Manual deployment

1.Initializing the database

You can choose between PostgreSQL and MySQL databases, and we recommend using PostgreSQL.

PostgreSQL
  • Installing PostgreSQL

You can find the installation method by searching on Google.

  • Create accounts and databases

To create the wolfroot user and wolf database (with custom username and password if needed), log in to the PostgreSQL database with a PostgreSQL account and execute the following script:

CREATE USER wolfroot WITH PASSWORD '123456';
CREATE DATABASE wolf with owner=wolfroot ENCODING='UTF8';
GRANT ALL PRIVILEGES ON DATABASE wolf to wolfroot;
  • Creation tables

Creating database tables using scripts

\i path/to/wolf/server/script/db-psql.sql;

To view the created table, run the following command:

\d

The output should look similar to this, indicating a successful creation of the database table:

               List of relations
 Schema |       Name        |   Type   |  Owner
--------+-------------------+----------+----------
 public | access_log        | table    | wolfroot
 public | access_log_id_seq | sequence | wolfroot
 public | application       | table    | wolfroot
 public | category          | table    | wolfroot
 public | category_id_seq   | sequence | wolfroot
 public | permission        | table    | wolfroot
 public | resource          | table    | wolfroot
 public | resource_id_seq   | sequence | wolfroot
 public | role              | table    | wolfroot
 public | user              | table    | wolfroot
 public | user_id_seq       | sequence | wolfroot
 public | user_role         | table    | wolfroot
(12 rows)
MySQL
  • Installing MySQL

Please search for the installation method on your own.

  • Create Accounts and Databases

Login to the MySQL database using a MySQL account and run the following script to create the wolfroot user and wolf database (change the username and password as needed):

create database `wolf` CHARACTER SET utf8mb4;
grant DELETE,EXECUTE,INSERT,SELECT,UPDATE
on wolf.* to wolfroot@'127.0.0.1' IDENTIFIED BY '123456';
grant DELETE,EXECUTE,INSERT,SELECT,UPDATE
on wolf.* to wolfroot@'localhost' IDENTIFIED BY '123456';
FLUSH PRIVILEGES;
use wolf;
  • Creating Tables

Create the database tables using the following script:

source path/to/wolf/server/script/db-mysql.sql;

Run the following command to view the created tables:

show tables;

The output should be similar to the following, indicating that the database tables have been successfully created:


+----------------+
| Tables_in_wolf |
+----------------+
| access_log     |
| application    |
| category       |
| oauth_code     |
| oauth_token    |
| permission     |
| resource       |
| role           |
| user           |
| user_role      |
+----------------+
10 rows in set (0.01 sec)

2.Server Configuration Items

  • The main configuration parameters of the server are as follows:

    • RBAC_ROOT_PASSWORD: The default password for the root and admin accounts. The default value is 123456.
    • RBAC_TOKEN_KEY: A key used to encrypt the user token. It is highly recommended to set this value.
    • WOLF_CRYPT_KEY: A key used to encrypt the application secret and OAuth2 login user ID keys.
    • RBAC_TOKEN_EXPIRE_TIME: The expiration time of the token returned by the Agent login interface. The default is 30 days and the unit is seconds.
    • CONSOLE_TOKEN_EXPIRE_TIME: The expiration time of the token returned by the Console login interface. The default is 30 days and the unit is seconds.
    • CONSOLE_LOGIN_WITH_CAPTCHA: Controls whether Captcha verification is used for Console login. If the console is deployed on a public network, it is recommended to enable this feature to improve security. The environment variable can be set to yes or no, with a default value of no.
    • RBAC_SQL_URL: The link to the database. The default value is postgres://wolfroot:123456@127.0.0.1:5432/wolf.
    • RBAC_REDIS_URL: The link to the redis cache. The default value is redis://127.0.0.1:6379/0.
    • MEM_CACHE_BY_REDIS: Use redis as the object cache. The default is no. When deploying a multi-node wolf service, you can use redis as the object cache to resolve cache inconsistency issues.
    • RBAC_USE_RADIX_TREE_ROUTING: When set to yes, it uses radixtree for RBAC access route matching. The default is no. radixtree is a more complex routing matching method that supports various complex wildcard matches.

3.Starting the Server

Please install node and npm yourself.

  • Starting the Service

    # Set the initial password for wolf's root and admin accounts.
    export RBAC_ROOT_PASSWORD=123456
    # Set the Token encryption key, for system security, it is highly recommended that you change this value.
    export RBAC_TOKEN_KEY=THE-NEW-TOKEN-KEY
    # Set the Secret encryption key, for system security, it is highly recommended that you change this value.
    export WOLF_CRYPT_KEY=THE-NEW-CRYPT-KEY
    # Please make the changes according to the user and database you have created.
    export RBAC_SQL_URL=postgres://wolfroot:123456@127.0.0.1:5432/wolf
    # Please modify it according to the actual configuration of redis.
    export RBAC_REDIS_URL=redis://127.0.0.1:6379/0
    
    cd path/to/wolf/server
    # Installation dependencies (executed on first boot)
    npm install
    # Initiate service procedures.
    npm run start
    

If the service starts successfully, you should see output similar to the following:

listen at 0.0.0.0:12180 success!

The following are some initialized system account output information

4.Start the Console

cd path/to/wolf/console
# Installation dependencies (executed on first boot)
npm install
# Start the console.
cnpm run dev

After compiling the Console, if it starts successfully, you should see an output similar to the following:

 DONE  Compiled successfully in 1000ms

  App running at:
  - Local:   http://localhost:12188/
  - Network: http://192.168.x.x:12188/

You can now access the Console using the root account. The password is 123456 or the one you specified when starting the server with the RBAC_ROOT_PASSWORD environment variable.

5.Configuring the Agent

Note: If you are using the apisix gateway, you may prefer to use the wolf-rbac plugin for apisix instead of using an Agent. This plugin also acts as an Agent.

  • Installing OpenResty

Please search for the installation method yourself.

  • Create applications in the Console, along with corresponding users, roles, permissions, resources, etc.

  • Add the Agent configuration to nginx.conf (or the sub-configurations that it contains). The following configuration assumes that the Wolf code is located in the /opt directory:

    # The following configuration is within the HTTP node.
    
    lua_code_cache on;
    client_max_body_size 5m;
    client_body_buffer_size 256k;
    lua_package_path "/opt/wolf/agent/lua/?.lua;;";
    
    server {
    # Apply external address, port. If you need to configure the domain name, you need to configure it here as well.
    listen   12182;
    server_name localhost;
    
    	# If it is a restful interface, you need to customize the json format that is returned without permissions. This needs to be coordinated with the front-end.
    location = /wolf/rbac/no_permission {
        content_by_lua_block {
            ngx.status = 200;
            ngx.header["Content-Type"] = "application/json; charset=utf-8";
            local args, err = ngx.req.get_uri_args()
            local reason = args.reason or "unknown reason"
            ngx.say(string.format([[ {"ok": false, "reason": "%s"} ]], reason))
        }
    }
    
    location /wolf/rbac {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    		# rbac server address. If the server is not local, please change the IP address to the actual address.
        proxy_pass   http://127.0.0.1:12180;
    }
    
    # Clear the content-length of response
    header_filter_by_lua_file /opt/wolf/agent/lua/header_filter.lua;
    # filter, add infobar to the page
    body_filter_by_lua_file /opt/wolf/agent/lua/body_filter.lua;
    
    # proxy for application
    location / {
        # $appID,You need to set an application ID that is already configured in Wolf-Server.
        set $appID appIDInWolfServer;
        # access check
        access_by_lua_file /opt/wolf/agent/lua/access_check.lua;
    
        #proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
        # The real address and port of the APP that requires privileged access control
        proxy_pass http://127.0.0.1:12184;
    }
    }
    

6.Startup the Agent(Nginx)

# Test.
path/to/nginx/sbin/nginx -t
# Startup
path/to/nginx/sbin/nginx 

Once started, you can access the application at http://127.0.0.1:12182. You will need to enter a username and password to access the application.