DEV Community

SameX

Permission Management and Security Optimization of ohpm-repo in HarmonyOS Next

In HarmonyOS Next development, permission management and security of the ohpm-repo private repository are of vital importance: they determine how well enterprise code assets are protected, how consistently the team collaborates, and how stable project development is. Next, we will delve into the permission management mechanism of ohpm-repo and share some suggestions for security optimization.

User Identity Authentication Mechanism of ohpm-repo

Public-private Key Authentication with ssh-keygen

In ohpm-repo, public-private key authentication is an important means to ensure user identity security. We use the ssh-keygen tool to generate a public-private key pair, providing a basis for user identity authentication. Execute the following command to generate it:

ssh-keygen -m PEM -t RSA -b 4096 -f <your_key_path>

Here, <your_key_path> specifies the name and storage path of the public and private keys. For example, if it is set to D:\path\my_key_path, the public and private keys will be stored as my_key_path.pub and my_key_path respectively. It is worth noting that the OHPM package manager only supports encrypted key authentication, so remember to set a passphrase when ssh-keygen prompts for one while generating the key pair; this is equivalent to adding an extra lock to the private key.

After generating the key, it needs to be configured at the ohpm-repo private repository management address. Log in to the management address, enter the personal center in the upper right corner of the homepage, select to add a public key, and paste the content of the public key file (<your_key_path>.pub) into the public key input box. In this way, when a user accesses the private repository through the ohpm command-line tool, the system will use the private key for identity verification, ensuring that only users with the corresponding private key can perform operations, greatly improving the security of authentication.
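Because OHPM only accepts an encrypted private key, it is worth confirming that the key file really is passphrase-protected before registering its public half. The following check is an added example, not part of the original post or of the ohpm tooling; it inspects only the PEM header, and the sample files it creates are constructed headers, not real keys.

```shell
#!/bin/sh
# Added example, not part of the ohpm tooling.
# key_protection FILE prints: encrypted | unencrypted | openssh-format | not-a-key
# and returns 0 only for "encrypted".
key_protection() {
    [ -r "$1" ] || { echo "not-a-key"; return 2; }
    # Strip CR so keys created on Windows (CRLF line endings) still match.
    first=$(head -n 1 "$1" | tr -d '\r')
    case $first in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            # PKCS#8 container: the label itself declares encryption.
            echo "encrypted"; return 0 ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            # Legacy PEM, as written by `ssh-keygen -m PEM -t RSA`: an encrypted
            # key carries a Proc-Type header right after the BEGIN line.
            if head -n 3 "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo "encrypted"; return 0
            fi
            echo "unencrypted"; return 1 ;;
        "-----BEGIN PRIVATE KEY-----")
            echo "unencrypted"; return 1 ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # Written when -m PEM was omitted; the header does not reveal
            # whether a passphrase was set, so regenerate with -m PEM.
            echo "openssh-format"; return 1 ;;
        *)
            echo "not-a-key"; return 2 ;;
    esac
}

# Constructed sample files: header lines only, not real key material.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,CONSTRUCTED' > "$demo/with_passphrase"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-BODY' > "$demo/no_passphrase"
for f in "$demo/with_passphrase" "$demo/no_passphrase"; do
    echo "$f: $(key_protection "$f")"
done
```

A key reported as unencrypted can be given a passphrase in place with ssh-keygen -p -f <your_key_path>.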

Administrator Permission Configuration

Administrators play an important role in ohpm-repo, being responsible for managing various affairs of the repository, such as user management and repository management. When ohpm-repo is launched for the first time, an administrator account will be created by default, but this account must change the password when logging in for the first time to ensure security.

The configuration of administrator permissions is not limited to setting the account password. In daily management, administrators need to reasonably allocate permissions according to the responsibilities and needs of team members. For example, for team members responsible for core business development, higher permissions can be granted, allowing them to publish and manage important third-party libraries; for newly joined members, only basic download permissions may be given, and as their work performance and responsibilities increase, the permissions can be gradually adjusted. Through such refined permission management, it can not only ensure that team members can carry out their work smoothly but also effectively control the access and operation of the repository, preventing potential security risks.

How to Control the Access Permissions of Packages?

access_token Mechanism Based on Token Authentication

ohpm-repo adopts the access_token mechanism based on Token authentication to control the access permissions of packages. When a user logs in to the ohpm-repo private repository management address, the system will generate an access_token. This access_token is like a temporary key. In subsequent operations, the user needs to carry this access_token to access and operate the corresponding package resources.

For example, when a user uses the ohpm command-line tool to perform package download or upload operations, the access_token will be sent to the server together with the request. After receiving the request, the server will verify the validity of the access_token. Only when the verification passes will the user be allowed to perform the corresponding operation. This mechanism ensures that only authorized users can access specific packages, effectively preventing illegal access. Moreover, the access_token usually has a certain validity period, and the user needs to obtain it again after it expires, further enhancing security.

User Group Permission Management

In addition to the access_token mechanism, user group permission management is also an important way to control package access permissions. Administrators can create different user groups according to the roles and responsibilities of team members and assign different permissions to each user group. For example, create a "Development Group" and grant this group read and write permissions for specific business-related packages; then create a "Testing Group" and only give them read-only permissions for test-related packages.

In actual operations, when a user joins a certain user group, they will automatically inherit the permissions of that group. In this way, by managing the permissions of user groups, administrators can conveniently manage the permissions of a large number of users in batches, improving the efficiency and accuracy of permission management. At the same time, when the responsibilities of team members change, administrators only need to adjust the permissions of the user group they belong to or transfer them to other user groups to quickly achieve permission adjustment, ensuring that the access permissions of packages are always in line with the actual needs and responsibilities of users.

Security Optimization: How to Prevent Unauthorized Access?

Enabling HTTPS

Enabling HTTPS is an important measure to prevent unauthorized access. In the config.yaml configuration file of ohpm-repo, HTTPS is enabled through the listen field. If listen uses the https protocol, https_key and https_cert must also be configured; they specify the paths of the SSL certificate private key file and the certificate file respectively.
For example:

listen: https://<ip of the machine where ohpm-repo is deployed>:8088
https_key: ./ssl/server.key
https_cert: ./ssl/server.crt

The following commands generate a 4096-bit RSA private key file and a self-signed certificate file valid for 3650 days (provided that the OpenSSL cryptographic library has been installed):

openssl genrsa -out server.key 4096
openssl req -new -x509 -days 3650 -key server.key -out server.crt

After enabling HTTPS, all data transmitted between the client and the server will be encrypted. Even if the data is intercepted during the transmission process, it is difficult for attackers to obtain the sensitive information in it, greatly improving the security of data transmission.

Configuring use_reverse_proxy for Proxy Access

Configuring use_reverse_proxy for proxy access is also an effective means to enhance security. In the config.yaml file, setting use_reverse_proxy to true means enabling the reverse proxy. At this time, the client IP address will be obtained from the x-forwarded-for field in the request header.

use_reverse_proxy: true

When using a reverse proxy, note that the x-forwarded-for value must be refreshed (overwritten) in the reverse proxy configuration, so that an x-forwarded-for value supplied with the request cannot be used to tamper with the client IP address. If there are multiple levels of proxies, only the outermost proxy needs to refresh it. For example, in an Nginx reverse proxy, the following directive refreshes the x-forwarded-for value:

proxy_set_header x-forwarded-for $remote_addr;

Through the reverse proxy, the real IP address of the server is hidden, and it is difficult for external attackers to directly obtain the server's information, reducing the risk of the server being attacked. At the same time, the reverse proxy can also filter and screen requests, allowing only legitimate requests to pass through, further improving the security of the system.
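The HTTPS and reverse-proxy settings above depend on each other, so a deployment check can verify them together. The script below is an added example, not part of ohpm-repo or the original post: it reads only the config.yaml keys named in this article with a simple line-based match, assumes the Nginx configuration is a single file, and runs against constructed sample files that use the documentation address 192.0.2.10.

```shell
#!/bin/sh
# Added example, not part of ohpm-repo. Checks only the keys named in the article.

# yaml_get FILE KEY: value of a top-level "KEY: value" line, quotes/comments removed.
yaml_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*$//' |
        tr -d "\"'\r" | head -n 1
}

# audit_ohpm_repo CONFIG_YAML NGINX_CONF: prints findings, returns their count.
audit_ohpm_repo() {
    conf=$1; nginx=$2; n=0
    listen=$(yaml_get "$conf" listen)
    case $listen in
        https://*)
            for key in https_key https_cert; do
                if [ -z "$(yaml_get "$conf" "$key")" ]; then
                    echo "FAIL: listen uses https but $key is not set"; n=$((n + 1))
                fi
            done ;;
        *)
            echo "FAIL: listen is '$listen', so requests and tokens travel unencrypted"
            n=$((n + 1)) ;;
    esac
    if [ "$(yaml_get "$conf" use_reverse_proxy)" = "true" ]; then
        # ohpm-repo will trust x-forwarded-for, so the proxy must overwrite it
        # with the peer address it observed rather than pass on the client's value.
        if ! grep -Eiq '^[[:space:]]*proxy_set_header[[:space:]]+x-forwarded-for[[:space:]]+\$remote_addr[[:space:]]*;' "$nginx" 2>/dev/null; then
            echo "FAIL: use_reverse_proxy is true but $nginx does not set x-forwarded-for to \$remote_addr"
            n=$((n + 1))
        fi
    fi
    return "$n"
}

# Constructed sample files (192.0.2.10 is a documentation-range address).
d=$(mktemp -d)
printf '%s\n' 'listen: http://192.0.2.10:8088' 'use_reverse_proxy: true' > "$d/weak.yaml"
printf '%s\n' 'proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;' > "$d/weak.conf"
printf '%s\n' 'listen: https://192.0.2.10:8088' 'https_key: ./ssl/server.key' \
    'https_cert: ./ssl/server.crt' 'use_reverse_proxy: true' > "$d/good.yaml"
printf '%s\n' 'proxy_set_header x-forwarded-for $remote_addr;' > "$d/good.conf"

audit_ohpm_repo "$d/weak.yaml" "$d/weak.conf" || echo "weak config: $? finding(s)"
audit_ohpm_repo "$d/good.yaml" "$d/good.conf" && echo "good config: no findings"
```

The weak Nginx sample uses $proxy_add_x_forwarded_for, which appends the proxy's view of the client address to whatever x-forwarded-for header arrived with the request instead of replacing it.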

The permission management and security optimization of ohpm-repo is a comprehensive task, involving user identity authentication, package access permission control, and a variety of security protection measures. By reasonably applying these mechanisms and optimization suggestions, the security of ohpm-repo can be effectively enhanced, providing a reliable guarantee for HarmonyOS Next development.
