TL;DR: Passwords are for humans, API keys for automated tasks or applications. Using API keys, you don’t have to worry about expiring passwords or multi-factor authentication in your automation. But make sure to keep those API keys secret.

Computers are good at doing things automatically. Take for example a CI/CD pipeline. You push some code changes to your source code repository. That triggers a build to check that your changes are good. When you merge the changes, another build runs, and the build artifacts get stored in an artifact repository. Maybe the new artifacts are deployed right away to some integration system, where an integration test suite runs additional checks, ensuring that your changes don’t break anything around them. And if you’re daring, the new artifacts get deployed to the production systems automatically as well.

That kind of automation requires many computers to work together. The CI/CD system is running somewhere, waiting for its pipelines to be triggered. The source code repository is running elsewhere, but it’s hooked up somehow to the CI/CD system. When a pipeline gets triggered, the tasks defined by that pipeline are executed on worker nodes, which are separate from the CI/CD master nodes. The artifact repository is located yet elsewhere, as are the integration and production systems.

Let’s say you merge some code changes, and a build starts on some worker node. That worker node now has to pull the current code from the source code repository. But the source code repository will not hand out the code to just any computer that asks for it. The worker node needs to present some credentials, to prove that it is allowed to pull the code. No problem, you’ve configured those in the pipeline, along with the location of the source code repository. After the build, the worker node has to upload the results to the artifact repository. But the artifact repository will not accept files from just any computer that sends them. Again, the worker node needs to present some (other) credentials, to prove that it is allowed to upload artifacts. No problem, you’ve configured those in the pipeline as well.

So, what is the problem? It’s the type of credentials you configure.

Plain Old Passwords

In the good old days, you’d create user accounts in the various backends that need to be accessed, and configure the respective usernames and passwords in the automation. Such user accounts do not represent a person, they’re called functional or technical user accounts. And for some time, that used to be good enough.

Humans are notoriously bad at choosing good passwords and keeping them secret. To counteract this weakness, many organisations started to enforce security policies around passwords and login. These security policies apply to functional accounts as well as personal accounts. Minimum password length, range of characters, forbidden re-use of previous passwords, those are policies which don’t get in the way of automation. But there are others…

Mandatory Password Changes

One common practice is to require periodic password changes. There’s a debate or two whether that makes sense, but you might not be in a position to define the security policies. If your employer decides that passwords expire every 90 days, you’ll have to change them four to five times a year. And if those passwords are configured in automated tasks, you have to reconfigure each task, four to five times a year. With DevOps pushing for ever more automation, this turns from a minor nuisance into a major one. You can relieve the burden somewhat with a secure password store like Vault, but it remains a nuisance.

There’s another little problem with changing passwords. The moment you change a password, all the automated tasks using the old password are broken, until you get around to reconfiguring them. This can be avoided, at the cost of having two functional accounts per backend. Let’s call them green and blue, and assume that all tasks are currently configured with the green account and password. A few days before the green password expires, you reset the blue password. That gives you time to reconfigure all tasks to use the blue account and password, instead of the green one. Once you’re through with that, just let the green password expire. And a few weeks later, you repeat the procedure in the other direction.
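
The green/blue procedure above, modelled as a daily scheduler step so the hand-over can be checked; this is an added example, not code from the original post. It assumes the 90-day expiry from the post and a one-week lead time (`LEAD`) for resetting the standby account; the invariant `configured_password_valid` is what the whole procedure exists to protect: tasks are never left holding an expired password.

```python
from datetime import date, timedelta

MAX_AGE = timedelta(days=90)  # the 90-day expiry policy from the post
LEAD = timedelta(days=7)      # assumed: reset the standby one week before the active password expires


class BlueGreenRotation:
    """Two functional accounts, green and blue; every task is configured with the 'active' one."""

    def __init__(self, start):
        # Green's password is set today; blue counts as already expired because it is not in use yet.
        self.set_on = {"green": start, "blue": start - MAX_AGE}
        self.active = "green"
        self.actions = []

    def expires(self, account):
        return self.set_on[account] + MAX_AGE

    def standby(self):
        return "blue" if self.active == "green" else "green"

    def configured_password_valid(self, today):
        """The invariant: the account the tasks are configured with still has a valid password."""
        return today < self.expires(self.active)

    def tick(self, today):
        """Daily scheduler step; returns the action performed today, if any."""
        sb = self.standby()
        # Step 1: a few days before the active password expires, reset the standby password.
        if self.expires(self.active) - LEAD <= today and self.expires(sb) <= today:
            self.set_on[sb] = today
            self.actions.append((today, f"reset {sb} password"))
            return self.actions[-1][1]
        # Step 2: the standby now outlives the active one: repoint all tasks, then let the old one expire.
        if self.expires(sb) > self.expires(self.active):
            self.active = sb
            self.actions.append((today, f"reconfigure tasks to use {sb}"))
            return self.actions[-1][1]
        return None


def simulate(days, start=date(2020, 1, 1)):
    """Run the rotation for `days` days; report whether the invariant held and what was done."""
    rot = BlueGreenRotation(start)
    ok = True
    for d in range(days):
        today = start + timedelta(days=d)
        rot.tick(today)
        ok = ok and rot.configured_password_valid(today)
    return ok, rot.actions
```

Over 400 simulated days the accounts swap roles every 83 days and no task is ever configured with an expired password.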

Two Factor Authentication

Because passwords can be guessed, espied, or tricked out of users, it is good security practice to require at least a second factor for login. For example a smartcard that you have to put into a reader, or a token generator that shows a different number every minute, or a mobile phone to which a code number is sent when you log in. Or something biometric, like a retinal scan.

This extra level of security is called two-factor authentication (2FA) or multi-factor authentication (MFA). It makes the password by itself pretty much useless. If you were planning to configure the password in an automated task, you’re screwed. MFA was invented to ensure that the rightful owner of the account is present in person when the password is being used, and automation is the opposite of being present in person. There is no way for a CI/CD pipeline or other automated tasks to pass MFA. If there was, it’d be a security hole that needs to be fixed.

So, passwords are not that great for use in automation. Let’s take a step back and look at the problem on an abstract level.

Authentication and Authorization

You’ve probably read or heard the abbreviation “auth” more than once. Depending on context, it stands for Authentication, for Authorization, or both. There is a Medium story that discusses the difference. Simply put:

  • Authentication (authn) establishes who or what is accessing the system.

  • Authorization (authz) decides whether an access is allowed or denied.

The concepts are somewhat intertwined, and frequently mixed up. That’s because in order to decide whether an access is allowed or denied, it is often necessary to know who or what is trying to access. For example, the Basic Authentication scheme introduced with HTTP/1.0 responds to a challenge WWW-Authenticate by sending authentication information in a header called Authorization. The server then uses that header to authorize the request, so who’s to say the name is wrong?

Passwords are generally considered a weak form of authentication, because some people choose weak passwords, might be observed while typing them, or can be tricked into telling them on the telephone. Multi-factor authentication or additional challenge-response questions were invented to strengthen the authentication provided by a username and password. They’re designed to make sure that it’s the genuine user logging in, and not some crook or bot who just got hold of or guessed the user’s password.

But automated tasks are bots. Users who set up an automated task intentionally delegate some authority to that task. So they need a way for the task to authenticate automatically, while giving the system reasonable certainty that this is happening with the user’s approval. Configuring a username and password is at best a rather crude way to achieve that. The task isn’t the user, and it doesn’t need the full authority of the user. That is exactly where the middle ground between security requirements and technical requirements lies: instead of configuring user credentials and working around MFA, automated tasks should be configured with task credentials that have limited authority but allow single-factor authentication.

API Keys

API keys are task credentials. They’re created by request of a user, and they are bound to that user’s account. When creating or looking up API keys, multi-factor authentication can and should be enforced. An API key is generated by the backend system that’s going to accept it. It is a long and unwieldy string, like a very strong password. But it cannot be used for logging in as a user, nor for creating new API keys. It is only accepted as an authentication token by the APIs of the backend system that created it. Those APIs are called over a network, typically with HTTP requests. When the API key is accepted, authorization of the requested action is based on the permissions granted to the user owning the API key. The action gets executed, logged and audited as if requested by that user. Knowledge of the API key (and username, in some implementations) is the single factor that authenticates the task as acting on behalf of the user.
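
The lifecycle just described, written out as a small backend model; this is an added example, not code from the original post or any particular product. The `USERS` permission set, the endpoint names and the `mfa_passed` flag are constructed assumptions: the key is generated server-side behind MFA, only its hash is stored, it is refused on the login and key-management endpoints, and every call is authorized and audited under the owning user.

```python
import hashlib
import hmac
import secrets

# Constructed permission model: what each key owner is allowed to do.
USERS = {"alice": {"source:read", "artifact:upload"}}

# Endpoints where only an interactive (MFA-protected) login is acceptable, never an API key.
INTERACTIVE_ONLY = {"/login", "/api-keys"}


class Backend:
    """The system that issues API keys and later accepts them on its own APIs."""

    def __init__(self):
        self.key_hashes = {}  # sha256(key) -> owner; the key itself is never stored
        self.audit = []       # (outcome, user, action) entries

    def create_api_key(self, user, mfa_passed):
        """Issued on the user's request, behind MFA; shown once in clear so it can be configured."""
        if user not in USERS or not mfa_passed:
            self.audit.append(("denied", user, "create api key"))
            return None
        key = secrets.token_urlsafe(32)  # long, unwieldy, chosen by the backend rather than a human
        self.key_hashes[hashlib.sha256(key.encode()).hexdigest()] = user
        return key

    def _owner_of(self, api_key):
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        # Constant-time comparison keeps lookup timing independent of how much of a guess matches.
        for stored, owner in self.key_hashes.items():
            if hmac.compare_digest(stored, digest):
                return owner
        return None

    def call(self, endpoint, action, api_key):
        """Authenticate the task by its key, then authorize the action with the owner's permissions."""
        if endpoint in INTERACTIVE_ONLY:
            self.audit.append(("denied", None, f"{action}: api keys are not accepted at {endpoint}"))
            return False
        owner = self._owner_of(api_key)
        if owner is None:
            self.audit.append(("denied", None, f"{action}: unknown api key"))
            return False
        allowed = action in USERS[owner]
        # Executed, logged and audited as if the owner had requested it.
        self.audit.append(("allowed" if allowed else "denied", owner, action))
        return allowed
```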

You don’t type an API key, ever. When you configure an API key for a CI/CD pipeline, you copy&paste it. When you have a dedicated machine for running automated tasks, maybe you store the API key in a file and upload that to the machine. The transfer of API keys can be protected by MFA, just like creation or lookup. It’s typically a manual step, performed by a human. Make sure to use encrypted connections when transferring API keys, either by file or by copy&paste.

Don’t transfer API keys into untrusted environments. API keys need to be kept secret. If you put an API key into a mobile app, and publish that in an app store, everyone can download the app, extract the API key, and call the API with it. The same problem exists with container images. Even build args which don’t get stored in the image layers are exposed through the docker history. (I fell into that trap myself.
