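todo-service returns 403 when testing the API in Swagger

  • Choerodon platform version: 0.6.0

  • Runtime environment (e.g. localhost or k8s): localhost

  • Preconditions when the problem occurred:

  • Problem description:

Calling the todo-service GET API /v1/tasks/{id} through Swagger returns a 403 error; I had already logged in successfully before making the call.


The gateway-helper service logs the following: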

INFO [gateway-helper,74fe8947e0728af0,74fe8947e0728af0,false] 1 --- [  XNIO-3 task-7] i.c.g.h.p.RequestPermissionFilter        : error.permissionVerifier.permission, can't find request service route, request uri /todo/v1/tasks/1, zuulRoutes {event=ZuulRoute{id='null', path='/event/**', serviceId='event-store-service', url='null', stripPrefix=true, retryable=null, helperService='gateway-helper', sensitiveHeaders=[], sensitiveHeadersJson='null', customSensitiveHeaders=false}, devops=ZuulRoute{id='null', path='/devops/**', serviceId='devops-service', url='null', stripPrefix=true, retryable=null, helperService='null', sensitiveHeaders=[], sensitiveHeadersJson='null', customSensitiveHeaders=false}, iam=ZuulRoute{id='null', path='/iam/**', serviceId='iam-service', url='null', stripPrefix=true, retryable=null, helperService='null', sensitiveHeaders=[], sensitiveHeadersJson='null', customSensitiveHeaders=false}, oauth=ZuulRoute{id='null', path='/oauth/**', serviceId='oauth-server', url='null', stripPrefix=false, retryable=null, helperService='null', sensitiveHeaders=[], sensitiveHeadersJson='null', customSensitiveHeaders=false}, notify=ZuulRoute{id='null', path='/notify/**', serviceId='notification-service', url='null', stripPrefix=true, retryable=null, helperService='null', sensitiveHeaders=[], sensitiveHeadersJson='null', customSensitiveHeaders=false}, manager=ZuulRoute{id='null', path='/manager/**', serviceId='manager-service', url='null', stripPrefix=true, retryable=null, helperService='null', sensitiveHeaders=[], sensitiveHeadersJson='null', customSensitiveHeaders=false}, file=ZuulRoute{id='null', path='/file/**', serviceId='file-service', url='null', stripPrefix=true, retryable=null, helperService='null', sensitiveHeaders=[], sensitiveHeadersJson='null', customSensitiveHeaders=false}, org=ZuulRoute{id='null', path='/org/**', serviceId='organization-service', url='null', stripPrefix=true, retryable=null, helperService='null', sensitiveHeaders=[], 
sensitiveHeadersJson='null', customSensitiveHeaders=false}}

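The mgmt_route table in MySQL:

So far I cannot find the cause. Asking the framework team for help!

Check whether the iam_service.iam_permission table contains any data. If it does, restart gatewayhelper; if it does not,

Looking at the iam-service log,
iam_role is missing the level column

iam_permission is missing the two columns level and resource

What do you mean, is the database missing these two columns? Which version are you using?

The version running in docker-compose does not match the version of the database initialization script

My iam_permission has no data, and after calling that API there is still no data:


api-gateway has the following log: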

api-gateway_1      | 2018-09-21 11:36:09.701  INFO [api-gateway,b45fdc03a11c9892,b45fdc03a11c9892,false] 1 --- [ XNIO-3 task-14] i.c.gateway.filter.HeaderWrapperFilter   : Request get empty jwt , request uri: /manager/docs/permission/refresh/choerodon-todo-service method: PUT

Request get empty jwt

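You need to look at the manager-service and iam-service logs. Call the manual refresh endpoint and see whether manager-service logs the following:


If manager sent the message successfully but iam has no log, the message was not received, and that is a Kafka problem.
If manager did not send the message, check the log for any error messages.
If iam consumed the message but the insert did not succeed, post the log.
Also, are you using 0.6.0? That version is really old. Can you upgrade to 0.9.0? A lot of the code has changed.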

parsePermission send message to kafka failed, RegisterInstancePayload{status=‘null’, appName=‘iam-service’, version=‘v1’, instanceAddress=‘null’, createTime=null} {}

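This is the definition of the kafka service in my compose file:

Actually we were following the documentation... everything in it is 0.6.0 and 0.7.0...

Does your manager-service have any exception logs about failing to connect to Kafka? Is the Kafka address configured in the environment variable SPRING_KAFKA_BOOTSTRAP_SERVERS correct? This exception message means that sending the message to Kafka failed; it is the log printed by the send-failure callback.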

docker-compose exec manager-service bash
bash-4.3# env
spring.datasource.password=root
HOSTNAME=69fd6b86784a
spring.datasource.url=jdbc:mysql://mysql:3306/manager_service?useUnicode=true&characterEncoding=utf-8&useSSL=false
TERM=xterm
spring.cloud.bus.enabled=false
hystrix.stream.queue.enabled=false
eureka.client.serviceUrl.defaultZone=http://eureka-server:8000/eureka/
spring.kafka.bootstrap-servers=kafka-0:9092
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
SHLVL=1
HOME=/root
spring.datasource.username=root
logging.level=WARN
spring.sleuth.stream.enabled=false
_=/usr/bin/env
bash-4.3#

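The kafka service should be able to communicate now, and iam_permission has data too. I removed hostname: 127.0.0.1.

But calling todo-service still gives a 403 error:

iam_permission has already been refreshed with the todo-related permissions

Oh, so Kafka was misconfigured. If it is still 403, restart gateway-helper

Restarted, but it still reports: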

[ XNIO-3 task-1] i.c.g.h.p.RequestPermissionFilter : error.permissionVerifier.permission, can’t find request service route, request uri /todo/v1/tasks/1, zuulRoutes {event=ZuulRoute{id=‘null’, path=’/event/’, serviceId=‘event-store-service’, url=‘null’, stripPrefix=true, retryable=null, helperService=‘gateway-helper’, sensitiveHeaders=[], sensitiveHeadersJson=‘null’, customSensitiveHeaders=false}, devops=ZuulRoute{id=‘null’, path=’/devops/’, serviceId=‘devops-service’, url=‘null’, stripPrefix=true, retryable=null, helperService=‘null’, sensitiveHeaders=[], sensitiveHeadersJson=‘null’, customSensitiveHeaders=false}, iam=ZuulRoute{id=‘null’, path=’/iam/’, serviceId=‘iam-service’, url=‘null’, stripPrefix=true, retryable=null, helperService=‘null’, sensitiveHeaders=[], sensitiveHeadersJson=‘null’, customSensitiveHeaders=false}, oauth=ZuulRoute{id=‘null’, path=’/oauth/’, serviceId=‘oauth-server’, url=‘null’, stripPrefix=false, retryable=null, helperService=‘null’, sensitiveHeaders=[], sensitiveHeadersJson=‘null’, customSensitiveHeaders=false}, notify=ZuulRoute{id=‘null’, path=’/notify/’, serviceId=‘notification-service’, url=‘null’, stripPrefix=true, retryable=null, helperService=‘null’, sensitiveHeaders=[], sensitiveHeadersJson=‘null’, customSensitiveHeaders=false}, manager=ZuulRoute{id=‘null’, path=’/manager/’, serviceId=‘manager-service’, url=‘null’, stripPrefix=true, retryable=null, helperService=‘null’, sensitiveHeaders=[], sensitiveHeadersJson=‘null’, customSensitiveHeaders=false}, file=ZuulRoute{id=‘null’, path=’/file/’, serviceId=‘file-service’, url=‘null’, stripPrefix=true, retryable=null, helperService=‘null’, sensitiveHeaders=[], sensitiveHeadersJson=‘null’, customSensitiveHeaders=false}, org=ZuulRoute{id=‘null’, path=’/org/’, serviceId=‘organization-service’, url=‘null’, stripPrefix=true, retryable=null, helperService=‘null’, sensitiveHeaders=[], sensitiveHeadersJson=‘null’, customSensitiveHeaders=false}}

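Does the route table in manager_service have the todo-service route? If it does, check the config-service log to see what configuration gateway-helper pulled

The route in the mgmt_route table is one I inserted by hand... it is there at the moment:

I don't have config-service here.

Without config-server the configuration cannot be pulled; the configuration center has to be deployed. Is this a local deployment or a one-click deployment?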
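
Added example, not part of the thread and not Choerodon code: a small Python check that takes the RequestPermissionFilter line quoted above, extracts the request URI and the route table gateway-helper actually loaded, and reports whether any loaded route covers the URI. The sample line is a constructed, shortened copy of the thread's log, and the `prefix/**` matcher is a simplification of Zuul's Ant-style path matching.

```python
import re

# Constructed sample: shortened copy of the gateway-helper line from the thread
# (three of the eight routes kept, most fields trimmed).
SAMPLE_LOG = (
    "i.c.g.h.p.RequestPermissionFilter : error.permissionVerifier.permission, "
    "can't find request service route, request uri /todo/v1/tasks/1, zuulRoutes "
    "{event=ZuulRoute{id='null', path='/event/**', serviceId='event-store-service', stripPrefix=true}, "
    "iam=ZuulRoute{id='null', path='/iam/**', serviceId='iam-service', stripPrefix=true}, "
    "manager=ZuulRoute{id='null', path='/manager/**', serviceId='manager-service', stripPrefix=true}}"
)

URI_RE = re.compile(r"request uri (\S+?),")
ROUTE_RE = re.compile(
    r"(\w[\w-]*)=ZuulRoute\{[^}]*?path='([^']*)'[^}]*?serviceId='([^']*)'"
)


def parse_routes(line):
    """Return {route_name: (path_pattern, service_id)} from the zuulRoutes dump."""
    return {name: (path, svc) for name, path, svc in ROUTE_RE.findall(line)}


def matches(pattern, uri):
    """Simplified matcher: handles only the 'prefix/**' form seen in the log."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return uri == prefix or uri.startswith(prefix + "/")
    return uri == pattern


def diagnose(line):
    """Report the denied URI, the routes that were loaded, and which ones match."""
    m = URI_RE.search(line)
    if m is None:
        return None  # not a "can't find request service route" line
    uri = m.group(1)
    routes = parse_routes(line)
    matched = [name for name, (path, _) in routes.items() if matches(path, uri)]
    return {"uri": uri, "loaded": sorted(routes), "matched": matched}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result)
    if result and not result["matched"]:
        print("no loaded route covers", result["uri"], "-> request is rejected")
```

An empty `matched` list while the row exists in mgmt_route means the running gateway-helper never loaded that route, which points at how its configuration is delivered rather than at the permission data.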