There must be some misunderstanding.
1. The user uses the export API to export a config file (like apisix_config.bak) from the
source apisix.
(We cannot guarantee that users will not modify this file)
2. The user uses the import API to import this file to his new apisix.

It's not for the risk when transporting.
It's for avoiding modification of the config file by humans.

fregie
https://github.com/fregie
________________________________
From: Ming Wen <wenm...@apache.org>
Sent: Wednesday, May 26, 2021 9:24:26 AM
To: dev@apisix.apache.org <dev@apisix.apache.org>
Subject: Re: [feature]apisix-dashboard: Config export and import,for migrate 
apisix.

I think `https` can resolve both of them.

Thanks,
Ming Wen, Apache APISIX PMC Chair
Twitter: _WenMing


zh fregie <fregi...@gmail.com> wrote on Wed, May 26, 2021 at 8:22 AM:

> Using a checksum is to avoid the exported config file being tampered with
> intentionally or unintentionally. This may cause unexpected errors.
> Encryption is just to avoid security problems caused by config file
> disclosure. In fact, I don't think encryption is necessary.
> ________________________________
> From: Ming Wen <wenm...@apache.org>
> Sent: Wednesday, May 26, 2021 8:01:26 AM
> To: dev@apisix.apache.org <dev@apisix.apache.org>
> Subject: Re: [feature]apisix-dashboard: Config export and import,for
> migrate apisix.
>
> Why do we need sum and secret?  Don't reinvent the http protocol
>
> fregie zh <fregi...@gmail.com> wrote on Tue, May 25, 2021 at 11:52 PM:
>
> > Checksum is for integrity, not security. And I did not consider security
> > when designing this feature.
> > If we need to consider security, I suggest adding a `secret` and giving up
> > the checksum, using AEAD (like AES-256-GCM) to encrypt data; this can
> > guarantee integrity and security at the same time.
> >
> > Peter Zhu <sta...@apache.org> wrote on Tue, May 25, 2021 at 11:29 PM:
> >
> > > Hi @fregie
> > >
> > > I have reviewed your PR; the way import and export work is OK.
> > > But I recommend we add a `secret` parameter in this API. Then we can
> > > add the `secret` field into the checksum.
> > > This may improve security IMO.
> > >
> > > Best Regards!
> > >
> > > JunXu Chen <chenju...@apache.org> wrote on Tue, May 25, 2021 at 6:50 PM:
> > >
> > > > hi @fregie
> > > >
> > > > OpenAPI is a popular API interface specification; the route export/import
> > > > feature compatible with OpenAPI is to facilitate users importing their
> > > > business APIs to APISIX.
> > > >
> > > > I accept that they are two different features. Wait for opinions from
> > > > others.
> > > >
> > > >
> > > >
> > > > On Sat, 22 May 2021 at 15:03, Zhiyuan Ju <juzhiy...@apache.org> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > This mail is discussing the ManagerAPI, could anyone take a look at
> > > > > this discussion?
> > > > >
> > > > > fregie zh <fregi...@gmail.com> wrote on Wed, May 19, 2021 at 11:25 AM:
> > > > >
> > > > > > > That sounds good. Can you design the field that we need in the
> > > > > > > JSON object?
> > > > > > >
> > > > > > I don't get it. You mean respond with a JSON body? Then how can a user
> > > > > > import this JSON? Copy and paste? And I think we have to make sure that
> > > > > > the configuration hasn't been tampered with, to avoid unexpected
> > > > > > mistakes.
> > > > > >
> > > > > > > If the field is in the old version but we delete it in the new
> > > > > > > version, what should we do?
> > > > > > >
> > > > > > I have considered this question. We need to do forward compatibility
> > > > > > and backward compatibility in the later version. We can't expect
> > > > > > changes in the future, so we can't do compatibility in the current
> > > > > > version.
> > > > > > But we can add test cases to avoid incompatible configuration.
> > > > > >
> > > > > > > There are already routing-related data import and export, and it
> > > > > > > is compatible with OpenAPI.
> > > > > > > Could we implement this feature on this basis?
> > > > > > >
> > > > > > This feature is very different from route export/import; I don't
> > > > > > think it's a good idea to implement this feature on it. Maybe we can
> > > > > > consider merging these two features into one.
> > > > > > And I don't know what the purpose of the route export/import feature
> > > > > > is. And why does it need to be compatible with OpenAPI? Can you please
> > > > > > explain this for me?
> > > > > >
> > > > > >
> > > > > > > There are already routing-related data import and export, and it
> > > > > > > is compatible with OpenAPI.
> > > > > > > Could we implement this feature on this basis?
> > > > > > >
> > > > > > > On Fri, 14 May 2021 at 15:22, Peter Zhu <sta...@apache.org> wrote:
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > That sounds good. Can you design the field that we need in the
> > > > > > > > JSON object?
> > > > > > > > And there is a situation that we should take care of. If the
> > > > > > > > field is in the old version but we delete it in the new version,
> > > > > > > > what should we do?
> > > > > > > >
> > > > > > > > Best regards!
> > > > > > > >
> > > > > > > > fregie zh <xiaohao950...@live.com> wrote on Fri, May 14, 2021 at 2:34 PM:
> > > > > > > >
> > > > > > > > > 👋 Hi, everyone.
> > > > > > > > > I propose to add a new feature to apisix-dashboard: config
> > > > > > > > > export and import. This feature is to migrate the configuration
> > > > > > > > > in different environments.
> > > > > > > > > I plan to add two APIs to manager-api:
> > > > > > > > >
> > > > > > > > > /apisix/admin/migrate/export:
> > > > > > > > > Export all related config in a JSON object, then add a 4-byte
> > > > > > > > > checksum to the end, as a file to download.
> > > > > > > > >
> > > > > > > > > /apisix/admin/migrate/import:
> > > > > > > > > Upload the exported file, check file integrity, and check whether
> > > > > > > > > there is any conflict with the current config.
> > > > > > > > > If there is any conflict:
> > > > > > > > > By default, return an error and all conflicted items.
> > > > > > > > > Mode == skip, write all items not conflicted.
> > > > > > > > > Mode == overwrite, write all items imported.
> > > > > > > > >
> > > > > > > > > What do you think of this feature?
> > > > > >
> > > > > --
> > > > > From 琚致远
> > > > >
> > > >
> > >
> >
> --
> Thanks,
> Ming Wen, Apache APISIX PMC Chair
> Twitter: _WenMing
>
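
The two integrity options discussed in this thread, side by side, as an added example that is not part of the original emails or the apisix-dashboard code: the proposed 4-byte checksum suffix and a keyed tag built from the suggested `secret`. CRC32, HMAC-SHA256, the function names and the sample config are assumptions; the thread names no checksum algorithm.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

var ErrIntegrity = errors.New("export file failed integrity check")

// crcTag is the unkeyed 4-byte checksum (CRC32 is an assumed algorithm).
func crcTag(cfg []byte) []byte {
	sum := make([]byte, 4)
	binary.BigEndian.PutUint32(sum, crc32.ChecksumIEEE(cfg))
	return sum
}

// macTag returns an HMAC-SHA256 tag function keyed with the shared secret.
func macTag(secret []byte) func([]byte) []byte {
	return func(cfg []byte) []byte {
		m := hmac.New(sha256.New, secret)
		m.Write(cfg)
		return m.Sum(nil)
	}
}

// Seal returns a copy of cfg with tag(cfg) appended (JSON body, then tag).
func Seal(cfg []byte, tag func([]byte) []byte) []byte {
	return append(append([]byte{}, cfg...), tag(cfg)...)
}

// Open splits off the trailing n-byte tag and recomputes it over the payload.
func Open(file []byte, n int, tag func([]byte) []byte) ([]byte, error) {
	cut := len(file) - n
	if cut < 0 || !hmac.Equal(tag(file[:cut]), file[cut:]) { // constant-time compare
		return nil, ErrIntegrity
	}
	return file[:cut], nil
}

func main() {
	edited := []byte(`{"routes":[{"id":"1","uri":"/changed"}]}`) // constructed: a hand-edited export
	_, e1 := Open(Seal(edited, crcTag), 4, crcTag)               // editor recomputed the checksum: accepted
	_, e2 := Open(Seal(edited, macTag([]byte("guess"))), sha256.Size, macTag([]byte("constructed-secret")))
	fmt.Println("crc:", e1, "| hmac:", e2)
}
```

The keyed tag only helps if the secret is not stored next to the export file; AES-256-GCM, as suggested in the thread, gives the same tamper detection plus confidentiality.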
