Using checksum to avoid the config file exported being tampered intentionally or unintentionally.This may cause unexpected errors. Encryption is just avoid security problems caused by config file disclosure.in fact,I don't think encrytion is necessary. ________________________________ From: Ming Wen <wenm...@apache.org> Sent: Wednesday, May 26, 2021 8:01:26 AM To: dev@apisix.apache.org <dev@apisix.apache.org> Subject: Re: [feature]apisix-dashboard: Config export and import,for migrate apisix.
Why do we need sum and secret? Don't reinvent the http protocol fregie zh <fregi...@gmail.com>于2021年5月25日 周二下午11:52写道: > Checksum is for integrity,not security.And I did not consider security when > designing this feature. > If we need consider security,I suggest adding a `secret` and give up > checksum,using AEAD (like AES-256-GCM) to encrypt data,this can guarantees > integrity and security at the same time. > > Peter Zhu <sta...@apache.org> 于2021年5月25日周二 下午11:29写道: > > > Hi @fregie > > > > I had reviewed your PR, the way import and export are OK. > > But I recommend we can add a `secret` parameter in this API. Then we can > > add the `secret` field into the checksum. > > This may improve security IMO. > > > > Best Regards! > > > > JunXu Chen <chenju...@apache.org> 于2021年5月25日周二 下午6:50写道: > > > > > hi @fregie > > > > > > OpenAPI is a popular api interface specification, the route > export/import > > > feature compatible with OpenAPI is to facilitate users to import their > > > business APIs to APISIX. > > > > > > I accept that they are two different features. Wait for opinions from > > > others. > > > > > > > > > > > > On Sat, 22 May 2021 at 15:03, Zhiyuan Ju <juzhiy...@apache.org> wrote: > > > > > > > Hi, > > > > > > > > This mail is discussing the ManagerAPI, could anyone take a look at > > this > > > > discuss? > > > > > > > > fregie zh <fregi...@gmail.com>于2021年5月19日 周三上午11:25写道: > > > > > > > > > > > > > > > > That sounds good. Can you design the field that we need in the > JSON > > > > > object? > > > > > > > > > > > I don't get it.you mean response a json body?Then how can a user > > import > > > > > this json?Copy and paste?And I think we have to make sure that the > > > > > configuration hasn't been tampered with,to avoid unexpected > mistakes. > > > > > > > > > > If the field in the old version but we delete it in the new > version. > > > What > > > > > > we should do ? > > > > > > > > > > > I have considered this question.We need to do forward > compatibility > > > and > > > > > backward compatibility in the later version.We can't expect changes > > in > > > > the > > > > > future,so we can't do compatibility in the current version. > > > > > But,we can add test cases to avoid configure not compatible. > > > > > > > > > > There are already routing-related data import and export, and it is > > > > > > compatible with OpenAPI. > > > > > > Could we implement this feature on this basis? > > > > > > > > > > > This feature is very different from route export/import,I don't > > think > > > > it's > > > > > a good idea implement this feature on it.Maybe we can consider > > merging > > > > > these two feature into one. > > > > > And I don't know what purpose is the route export/import > feature?And > > > why > > > > it > > > > > need to compatible with openAPI?Can you please explain this for me? > > > > > > > > > > > > > > > There are already routing-related data import and export, and it is > > > > > > compatible with OpenAPI. > > > > > > Could we implement this feature on this basis? > > > > > > > > > > > > On Fri, 14 May 2021 at 15:22, Peter Zhu <sta...@apache.org> > wrote: > > > > > > > Hello, > > > > > > > > > > > > > > That sounds good. Can you design the field that we need in the > > JSON > > > > > > object? > > > > > > > And there is a situation that we should take care of. If the > > field > > > in > > > > > the > > > > > > > old version but we delete it in the new version. What we should > > do > > > ? > > > > > > > > > > > > > > Best regards! > > > > > > > > > > > > > > fregie zh <xiaohao950...@live.com> 于2021年5月14日周五 下午2:34写道: > > > > > > > > > > > > > > > 👋 Hi,everyone. > > > > > > > > I proposal to add a new feature of apisix-dashbord,config > > export > > > > and > > > > > > > > import.This feature is to migrate the configuration in > > different > > > > > > > > environments. > > > > > > > > I plan to add two api to manager-api: > > > > > > > > > > > > > > > > /apisix/admin/migrate/export: > > > > > > > > Epxort all related config in a json object,then add a 4 bytes > > > > > checksum > > > > > > to > > > > > > > > end,as a file to download. > > > > > > > > > > > > > > > > /apisix/admin/migrate/import: > > > > > > > > Upload the file exported,check file integrity,check is there > > any > > > > > > conflict > > > > > > > > with current config. > > > > > > > > if there is any conflict: > > > > > > > > By default,return a error and all conflicted items. > > > > > > > > Mode == skip,write all items not conflicted. > > > > > > > > Mode == overwrite,write all items imported. > > > > > > > > > > > > > > > > What do you think of this feature? > > > > > > > > > -- > > > > 来自 琚致远 > > > > > > > > > > -- Thanks, Ming Wen, Apache APISIX PMC Chair Twitter: _WenMing
