Authenticate requests from Dapr using token authentication
For some building blocks such as pub/sub, service invocation and input bindings, Dapr communicates with an app over HTTP or gRPC. To enable the application to authenticate requests that are arriving from the Dapr sidecar, you can configure Dapr to send an API token as a header (in HTTP requests) or metadata (in gRPC requests).
Dapr uses JWT tokens for API authentication.
To configure API authentication, first generate your token using any JWT-compatible tool (such as) and a secret.
Configure app API token authentication in Dapr
Token authentication configuration differs slightly between Kubernetes and self-hosted Dapr deployments:
To rotate the configured token, simply set the APP_API_TOKEN environment variable to the new value and restart the daprd process.
Kubernetes
In a Kubernetes deployment, Dapr uses the Kubernetes secrets store to hold the JWT token. Start by creating a new secret:
kubectl create secret generic app-api-token --from-literal=token=<token>
To indicate to Dapr to use the token in the secret when sending requests to the app, add an annotation to your Deployment template spec:
annotations:
  dapr.io/enabled: "true"
  dapr.io/app-token-secret: "app-api-token" # name of the Kubernetes secret created above
When deployed, the Dapr Sidecar Injector automatically creates a secret reference and injects the actual value into the APP_API_TOKEN environment variable.
To rotate the configured token in self-hosted, simply set the APP_API_TOKEN environment variable to the new value and restart the daprd process.
Kubernetes
Then apply it to each namespace:
kubectl apply --file token-secret.yaml --namespace <namespace-name>
To have Dapr start using the new token, trigger a rolling upgrade of each of your deployments:
Authenticating requests from Dapr
Once app token authentication is configured in Dapr, all requests coming from Dapr include the token:
For HTTP, inspect the incoming request for the presence of the dapr-api-token parameter in the HTTP header:
gRPC
When using gRPC protocol, inspect the incoming calls for the API token on the gRPC metadata:
dapr-api-token[0].
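The check described above, as an added example that is not part of the Dapr documentation or code base: a WSGI middleware that compares the dapr-api-token header against the expected token in constant time and fails closed, plus a helper that pulls the first value from gRPC metadata. The names DaprTokenMiddleware, token_matches, grpc_token, demo_app and call are hypothetical, the sample token is constructed, and reading the app's copy of the token from an APP_API_TOKEN environment variable is an assumption.

```python
import hmac
import os

HEADER = "dapr-api-token"  # HTTP header / gRPC metadata key named on this page

def token_matches(presented, expected):
    """Constant-time comparison; fails closed if either side is missing or empty."""
    if not presented or not expected:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))

class DaprTokenMiddleware:
    """Hypothetical WSGI middleware: reject requests without the expected token."""

    def __init__(self, app, expected=None):
        self.app = app
        # Assumption: the app is given the token in APP_API_TOKEN.
        self.expected = expected if expected is not None else os.environ.get("APP_API_TOKEN", "")

    def __call__(self, environ, start_response):
        # WSGI exposes the dapr-api-token header as HTTP_DAPR_API_TOKEN.
        presented = environ.get("HTTP_" + HEADER.upper().replace("-", "_"), "")
        if not token_matches(presented, self.expected):
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"invalid or missing dapr-api-token\n"]
        return self.app(environ, start_response)

def grpc_token(metadata):
    """Return the first dapr-api-token value from (key, value) gRPC metadata pairs."""
    for key, value in metadata:
        if key.lower() == HEADER:
            return value
    return ""

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"order accepted\n"]

def call(app, headers):
    """Drive a WSGI app with constructed request headers; return the status line."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/orders"}
    environ.update(headers)
    status = []
    app(environ, lambda s, h: status.append(s))
    return status[0]

if __name__ == "__main__":
    guarded = DaprTokenMiddleware(demo_app, expected="constructed-sample-token")
    print(call(guarded, {"HTTP_DAPR_API_TOKEN": "constructed-sample-token"}))
    print(call(guarded, {}))
```

An empty or unset expected token rejects every request, so a missing secret does not silently disable the check.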
containers:
  - name: mycontainer
    image: myregistry/myapp
    envFrom:
      - secretRef:
          name: app-api-token
Self-hosted
In self-hosted mode, you can set the token as an environment variable for your application:
Related links
- Learn about
- Learn HowTo Enable API token authentication in Dapr