-
Notifications
You must be signed in to change notification settings - Fork 98
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #521 from WeBankBlockchain/lab-dev
3.0.1 dev=>lab
- Loading branch information
Showing
6 changed files
with
338 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,190 @@ | ||
| # WeBASE管理台账号说明文档 | ||
|
|
||
| 在WeBASE v3.0.1后,WeBASE管理台支持账户注册,并在账户中增加了更多的账户信息,支持冻结、有效期等功能。 | ||
|
|
||
| ## 账户注册说明 | ||
|
|
||
| 账户注册包含两个方式: | ||
| - 通过管理员直接在“账号管理”页面中,点击“新增账号”按钮进行添加账户; | ||
| - 通过登录页面下方的“注册”按钮,填写表单后提交注册开发者账户或普通用户账户的申请; | ||
| - 注册后的账号需要管理员在“账号管理”中对新注册的用户进行“解冻”后,用户才能登录该账号; | ||
|
|
||
| 注册时需要填入包含账号名、密码、邮箱、邮箱验证码、手机号等必填信息信息,还包含身份证号、真名、联系地址、备注等信息。 | ||
| - 其中填写邮箱后,会发送随机的4位数字验证码到接收邮箱。只有填入了正确的验证码才能完成注册。验证码将在5min后失效 | ||
| - 账号默认的有效期是一年,管理员可以通过账号列表中的“修改信息”按钮,延长账号的有效期; | ||
|
|
||
| ### 账号管理 | ||
|
|
||
| 普通用户、开发者用户、管理员用户: | ||
| - 通过点击页面右上角的账户名,在下拉菜单中点击“修改信息”,即可修改个人相关信息; | ||
|
|
||
| 管理员: | ||
| - 在“账号管理”页面中,点击“新增账号”按钮进行添加账户; | ||
| - 在“账号管理”页面,查看各个账号的信息,身份证、手机号、姓名的信息会进行脱敏展示; | ||
| - 在“账号管理”页面,点击列表中的“修改信息”按钮,可以获取用户的信息详情并进行修改操作。如账户续期、账户手机号修改等; | ||
| - 在“账号管理”页面,点击列表中的“冻结/解冻”按钮,可以将账户进行冻结或解冻的操作。新注册的普通账户、开发者默认处于冻结状态;需要管理员解冻后才能正常使用; | ||
| - 在“账号管理”页面,点击列表中“修改密码”按钮,可以直接重置账户的密码; | ||
| - 在“账号管理”页面,点击列表中“删除”按钮,可以将账户注销;注销为不可逆操作,该账户标记为“注销”,不可登录或继续使用; | ||
|
|
||
| ## 账户信息加密说明 | ||
|
|
||
| ### 信息加密 | ||
|
|
||
| 用户注册后,密码会多层不可逆加密保存到数据库。而个人信息中身份证、手机号、真名等信息会使用AES+自定义秘钥进行加密。 | ||
|
|
||
| 密码 | ||
| - 前端通过密码进行哈希操作传到后台 | ||
| - 后台接收哈希后,通过SpringSecurityCrypto中的BCryptPasswordEncoder,对该密码哈希进行不可逆加密 | ||
|
|
||
| 个人信息: | ||
| - 身份证、真名会通过对称加密保存到db; | ||
| - 手机号、身份证、真名在前端展示时会做脱敏展示。 | ||
|
|
||
| ### 登录及访问口令鉴权 | ||
|
|
||
| 登录时,用户需要输入随机的验证码进行人机确认后才能输入账号密码进行登录。 | ||
| - 登录的验证码通过一个随机因子生成随机4位数字,并生成对应的数字图片,将图片返回到前端登录页面。 | ||
|
|
||
| 密码加密传输到后台,后台通过SpringSecurity判断密码是否与用户的密码匹配。 | ||
| - 确认匹配且验证码正确则登录成功,返回用户token,该token为用户访问后台的口令 | ||
|
|
||
| 用户访问页面需要用到口令token,每次访问会刷新token并刷新有效期。token在不使用的情况下,会在30分钟后失效,届时则需要重新登录。 | ||
|
|
||
| ### 个人隐私协议 | ||
|
|
||
| 在resource中提供privacy.txt,其中为个人隐私协议,需要用户在注册账户时确认并勾选同意隐私协议 | ||
|
|
||
| ## 接口及其分类 | ||
|
|
||
| 接口文档位于:https://webasedoc.readthedocs.io/zh_CN/latest/docs/WeBASE-Node-Manager/interface.html | ||
|
|
||
| 权限分为普通账户权限、开发者权限、管理员权限三种,管理员可以访问所有接口,开发者与普通账户仅能访问部分接口 | ||
|
|
||
| **普通用户权限** | ||
| - get /account/pictureCheckCode | ||
| - put /passwordUpdate | ||
| - get /log/list/{pageNumber}/{pageSize} | ||
| - get /mailServer/config/{serverId} | ||
| - get /mailServer/config/list | ||
| - get /alert/{ruleId} | ||
| - get /alert/list | ||
| - get /block/blockList/{groupId}/{pageNumber}/{pageSize} | ||
| - get /block/blockByNumber/{groupId}/{blockNumber} | ||
| - get /block/search/{groupId}/{input} | ||
| - get /cert/list | ||
| - get /cert/sdk/{frontId} | ||
| - get /cert/sdk/zip/{frontId} | ||
| - get /cert/ | ||
| - get /config/version | ||
| - get /config/ipPort | ||
| - get /config/isDeployedModifyEnable | ||
| - get /config/list | ||
| - get /config/auth | ||
| - get /abi/list/{groupId}/{pageNumber}/{pageSize} | ||
| - get /abi/list/all/{groupId}/{pageNumber}/{pageSize} | ||
| - get /abi/{abiId} | ||
| - get /warehouse/list | ||
| - get /warehouse/ | ||
| - get /warehouse/folder | ||
| - get /warehouse/item | ||
| - get /warehouse/folder/list | ||
| - get /warehouse/item/list | ||
| - get /contract/contractList | ||
| - get /contract/contractId | ||
| - post /contract/findByPartOfBytecodeBin | ||
| - get /contract/contractList/all/light | ||
| - post /contract/contractPath/list/{groupId} | ||
| - post /contract/contractList/multiPath | ||
| - post /contract/findCns | ||
| - post /contract/findCnsList | ||
| - get /contract/liquid/check/{frontId} | ||
| - get /chain/monitorInfo/{frontId} | ||
| - get /event/newBlockEvent/list/{groupId}/{pageNumber}/{pageSize} | ||
| - get /event/contractEvent/list/{groupId}/{pageNumber}/{pageSize} | ||
| - get /event/contractInfo/{groupId}/{type}/{contractAddress} | ||
| - get /event/listAddress/{groupId} | ||
| - get /external/account/list/{groupId}/{pageNumber}/{pageSize} | ||
| - get /external/contract/list/{groupId}/{pageNumber}/{pageSize} | ||
| - get /external/account/list/all/{groupId}/{pageNumber}/{pageSize} | ||
| - get /external/contract/list/all/{groupId}/{pageNumber}/{pageSize} | ||
| - get /external/deployAddress/{groupId}/{contractAddress} | ||
| - get /front/refresh | ||
| - get /front/find | ||
| - delete /front/{frontId} | ||
| - get /front/isWasm/{frontId}/{groupId} | ||
| - get /group/encrypt/{groupId} | ||
| - get /group/general/{groupId} | ||
| - get /group/all | ||
| - get /group/{"/all/invalidIncluded/{pageNumber}/{pageSize}","/all/invalidIncluded"} | ||
| - get /group/all/{groupStatus} | ||
| - get /group/transDaily/{groupId} | ||
| - get /group/update | ||
| - delete /group/{groupId} | ||
| - get /group/detail/{groupId} | ||
| - get /method/findById/{groupId}/{methodId} | ||
| - get /monitor/userList/{groupId} | ||
| - get /monitor/interfaceList/{groupId} | ||
| - get /monitor/transList/{groupId} | ||
| - get /monitor/unusualUserList/{groupId}/{pageNumber}/{pageSize} | ||
| - get /monitor/unusualContractList/{groupId}/{pageNumber}/{pageSize} | ||
| - get /node/nodeList/{groupId}/{pageNumber}/{pageSize} | ||
| - get /node/nodeInfo/{groupId} | ||
| - get /node/nodeInfo/{groupId}/{nodeId} | ||
| - put /node/description | ||
| - get /node/city/list | ||
| - get /stat/ | ||
| - get /transaction/transList/{groupId}/{pageNumber}/{pageSize} | ||
| - get /transaction/transactionReceipt/{groupId}/{transHash} | ||
| - get /transaction/transInfo/{groupId}/{transHash} | ||
| - post /transaction/signMessageHash | ||
| - get /user/userList/{groupId}/{pageNumber}/{pageSize} | ||
|
|
||
|
|
||
| **开发者权限** | ||
| - post /abi/ | ||
| - put /abi/ | ||
| - delete /abi/{abiId} | ||
| - post /contract/save | ||
| - delete /contract/{groupId}/{contractId} | ||
| - post /contract/deploy | ||
| - post /contract/transaction | ||
| - post /contract/contractPath | ||
| - delete /contract/batch/path | ||
| - post /contract/registerCns | ||
| - post /contract/copy | ||
| - get /contract/listManager/{groupId}/{contractAddress} | ||
| - post /contract/liquid/compile | ||
| - post /contract/liquid/compile/check | ||
| - post /event/eventLogs/list | ||
| - get /front/refresh/status | ||
| - get /front/groupInfo | ||
| - post /method/add | ||
| - post /user/userInfo | ||
| - post /user/bind | ||
| - put /user/userInfo | ||
| - post /user/import | ||
| - post /user/importPem | ||
| - post /user/importP12 | ||
| - post /user/exportPem | ||
| - post /user/exportP12 | ||
| - post /user/export/{userId} | ||
| - post /user/bind/privateKey | ||
| - post /user/bind/privateKey/pem | ||
| - post /user/bind/privateKey/p12 | ||
|
|
||
| **管理员权限** | ||
| - get /role/roleList?{pageNumber}&{pageSize}&{roleId}&{roleName} | ||
| - post /account/accountInfo | ||
| - put /account/accountInfo | ||
| - get /account/accountList/{pageNumber}/{pageSize} | ||
| - delete /account/{account} | ||
| - put /log/ | ||
| - put /mailServer/config | ||
| - post /alert/mail/test/{toMailAddress} | ||
| - put /alert/ | ||
| - put /alert/toggle | ||
| - post /cert/ | ||
| - delete /cert/ | ||
| - post /front/new | ||
| - put /group/description | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,130 @@ | ||
| # 配置WeBASE的HTTPS | ||
|
|
||
| 在WeBASE v3.0.1后,WeBASE管理台(WeBASE-Web)支持 节点管理服务WeBASE-Node-Manager 的连接采用SSL(HTTPS)的方式。 | ||
|
|
||
| ## HTTPS配置方法 | ||
|
|
||
| 由于 节点前置WeBASE-Front 用于连接节点,一般 WeBASE-Front 与 节点管理服务WeBASE-Node-Manager 都处于内网,因此二者连接多数直接使用HTTP方式。 | ||
|
|
||
| 节点管理服务WeBASE-Node-Manager 与 WeBASE管理台(WeBASE-Web) 是后台服务与前端网页的连接,本章节提供的HTTPS配置方法就是这两者服务之间的HTTPS配置。 | ||
|
|
||
| ### 1. 生成SSL证书 | ||
|
|
||
|
|
||
| 生成一个SSL的自签发证书,需要使用openssl完成以下步骤: | ||
| 1. 生成RSA私钥.key | ||
| 2. 生成证书请求.csr | ||
| 3. 生成自签发证书.crt | ||
| 4. 转为pkcs12格式,并设置密码为123456 | ||
|
|
||
| 如果linux中没有安装openssl,需要安装。以CentOS为例:`yum install openssl openssl-devel -y` | ||
|
|
||
| ```bash | ||
| ### 生成一个RSA私钥, server.key | ||
| openssl genrsa -out server.key 2048 | ||
|
|
||
| ### 生成一个证书请求 server.csr | ||
| # 字段解读 | ||
| # C字段:Country,单位所在国家,为两位数的国家缩写,如:CN 表示中国; | ||
| # ST 字段:State/Province,单位所在州或省; | ||
| # L 字段:Locality,单位所在城市/或县区; | ||
| # O 字段:Organization,此网站的单位名称; | ||
| # OU 字段:Organization Unit,下属部门名称,也常常用于显示其他证书相关信息,如证书类型,证书产品名称或身份验证类型或验证内容等; | ||
| # CN 字段:Common Name,网站的域名;例:adf.com 或IP | ||
| openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=WeBank/OU=WeBASE/CN=webaseweb" | ||
|
|
||
| ### 自己签发证书 server.crt | ||
| #如果服务器私钥与证书均由自己生成,则无法获取服务器中级CA证书,在使用自签名的临时证书时,浏览器会在地址处提示证书的颁发机构是未知的 | ||
| openssl x509 -req -days 365 -signkey server.key -in server.csr -out server.crt | ||
|
|
||
| ### 转换为pkcs12格式 server.p12 | ||
| ### 因为在Java中使用证书,需要转换一下格式) | ||
| ### 输入命令后会提示输入证书的密码,可以设置为123456或自定义密码;该密码后续会在配置中用到 | ||
|
|
||
| # -export:这个选项指定了一个PKCS#12文件将会被创建 | ||
| # -clcerts:仅仅输出客户端证书,不输出CA证书 | ||
| # -in filename:指定私钥和证书读取的文件,默认为标准输入。必须为PEM格式 | ||
| # -inkey filename:指定私钥文件的位置。如果没有被指定,私钥必须在-in filename中指定 | ||
| # -out filename:指定输出的pkcs12文件,默认为标准输出 | ||
| openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.pkcs12 | ||
| # 或者 | ||
| openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12 | ||
| ``` | ||
|
|
||
| 把生成的`server.pkcs12`文件,粘贴到节点管理服务的resources目录下(或者打包后的dist/conf/目录下),并把pkcs12证书的密码(如123456)输入到配置文件中。 | ||
|
|
||
| ### 2. 节点管理服务WeBASE-Node-Manager | ||
|
|
||
| 在v3.0.1后,节点管理服务在配置文件application.yml中加入了springboot ssl的配置,我们需要 | ||
| - 修改application.yml配置文件的spring中加上`ssl`的配置,并设置`enable`为`true`,将`key-store-password`的密码改为生成密钥时的密码 | ||
| - 复制上文密钥文件,粘贴到节点管理服务的resources目录下(或者打包后的dist/conf/目录下), | ||
|
|
||
| 修改conf/application.yml中server的配置,以pkcs12证书为例 | ||
| ```yaml | ||
|
|
||
| #server config | ||
| server: | ||
| port: 5001 | ||
| servlet: | ||
| context-path: /WeBASE-Node-Manager | ||
| # https | ||
| ssl: | ||
| key-store-type: pkcs12 | ||
| key-store: classpath:server.pkcs12 | ||
| # pkcs12证书的密码 | ||
| key-store-password: 123456 | ||
| # 默认false,不启用SSL。改为true即可启用 | ||
| enabled: true | ||
|
|
||
|
|
||
| ``` | ||
|
|
||
| ### 3. WeBASE管理台(WeBASE-Web) | ||
|
|
||
| WeBASE管理台连接启用HTTPS的节点管理服务无需修改源码,在前端的nginx.conf配置文件中加上SSL的配置,即可实现HTTPS连接。 | ||
|
|
||
| 修改nginx.conf,将WeBASE管理台的server配置中加上如下的ssl的配置 | ||
| ```conf | ||
| # 上文生成的.crt证书文件 | ||
| ssl_certificate /data/home/webase/webase-node-mgr/conf/server.crt; | ||
| # 上文生成的.key私钥文件 | ||
| ssl_certificate_key /data/home/webase/webase-node-mgr/conf/server.key; | ||
| # SSL详细配置 | ||
| ssl_session_cache shared:SSL:10m; | ||
| ssl_session_timeout 120m; | ||
| ssl_prefer_server_ciphers on; | ||
| ssl_session_tickets off; | ||
| ssl_stapling_verify on; | ||
| ``` | ||
|
|
||
| 在nginx.conf的完整例子如下: | ||
| ```conf | ||
| # ...略过上文 | ||
| server { | ||
| listen 5000 ssl; | ||
| server_name 127.0.0.1; | ||
| ################ 此处为ssl相关配置 ############## | ||
| ssl_certificate /data/home/webase/webase-node-mgr/conf/server.crt; | ||
| ssl_certificate_key /data/home/webase/webase-node-mgr/conf/server.key; | ||
| ssl_session_cache shared:SSL:10m; | ||
| ssl_session_timeout 120m; | ||
| ssl_prefer_server_ciphers on; | ||
| ssl_session_tickets off; | ||
| ssl_stapling_verify on; | ||
| ############## 此处为ssl相关配置 ############## | ||
| location / { | ||
| # default pc page url | ||
| root /data/home/webase/webase-web; | ||
| ... | ||
| } | ||
| ... | ||
| # ...略过下文 | ||
| } | ||
| ``` | ||
|
|
||
| 通过nginx -c nginx.conf -s reload即可加载新配置 | ||
|
|
||
| 如果配置了nginx的SSL后,启动nginx报错提示TLS模块确实,可在互联网中搜索错误提示的内容,将nginx的tls模块设置为启用,并尝试重启WeBASE管理台的nginx即可。 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| v3.0.0 | ||
| v3.0.1 |