oathkeeper 동작 확인

2026-01-28 20:07:52 +09:00
parent 39594f8e21
commit ff17259117
9 changed files with 368 additions and 68 deletions
--- a/docker/ory/oathkeeper/entrypoint.sh
+++ b/docker/ory/oathkeeper/entrypoint.sh
@@ -19,4 +19,20 @@ export RULES_FILE

 echo "[oathkeeper] APP_ENV=$APP_ENV_VALUE rules=$RULES_FILE"

-exec /bin/sh -c "oathkeeper serve proxy -c /etc/config/oathkeeper/oathkeeper.yml 2>&1 | tee /var/log/oathkeeper/access.log"
+RULES_ACTIVE="/etc/config/oathkeeper/rules.active.json"
+if [ ! -f "$RULES_FILE" ]; then
+  echo "[oathkeeper] rules file not found: $RULES_FILE"
+  exit 1
+fi
+cp "$RULES_FILE" "$RULES_ACTIVE"
+
+LOG_DIR="/var/log/oathkeeper"
+LOG_FILE="${LOG_DIR}/access.log"
+mkdir -p "$LOG_DIR"
+if ! touch "$LOG_FILE" 2>/dev/null; then
+  echo "[oathkeeper] log file not writable: $LOG_FILE"
+  ls -ld "$LOG_DIR" || true
+  exit 1
+fi
+
+exec /bin/sh -c "oathkeeper serve proxy -c /etc/config/oathkeeper/oathkeeper.yml 2>&1 | tee \"$LOG_FILE\""
--- a/docker/ory/oathkeeper/oathkeeper.yml
+++ b/docker/ory/oathkeeper/oathkeeper.yml
@@ -14,7 +14,7 @@ errors:

 access_rules:
  repositories:
-    - file://${RULES_FILE:-/etc/config/oathkeeper/rules.json}
+    - file:///etc/config/oathkeeper/rules.active.json

 authenticators:
  noop:
@@ -34,6 +34,13 @@ authorizers:
    enabled: true
    config:
      remote: http://keto:4466/check
+      payload: |
+        {
+          "namespace": "permissions",
+          "object": "{{ print .Request.URL.Path }}",
+          "relation": "access",
+          "subject_id": "{{ print .Subject }}"
+        }

 mutators:
  noop:
--- a/docker/ory/oathkeeper/rules.active.json
+++ b/docker/ory/oathkeeper/rules.active.json
@@ -0,0 +1,92 @@
+[
+  {
+    "id": "public-health",
+    "description": "공개 헬스체크",
+    "match": {
+      "url": "http://<.*>/health",
+      "methods": ["GET"]
+    },
+    "upstream": {
+      "url": "http://baron_backend:3000"
+    },
+    "authenticators": [
+      { "handler": "noop" }
+    ],
+    "authorizer": { "handler": "allow" },
+    "mutators": [
+      { "handler": "noop" }
+    ]
+  },
+  {
+    "id": "public-preflight",
+    "description": "CORS preflight",
+    "match": {
+      "url": "http://<.*>/api/v1/<.*>",
+      "methods": ["OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://baron_backend:3000"
+    },
+    "authenticators": [
+      { "handler": "noop" }
+    ],
+    "authorizer": { "handler": "allow" },
+    "mutators": [
+      { "handler": "noop" }
+    ]
+  },
+  {
+    "id": "public-auth",
+    "description": "인증/회원가입 등 공개 엔드포인트",
+    "match": {
+      "url": "http://<.*>/api/v1/auth/<.*>",
+      "methods": ["GET", "POST", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://baron_backend:3000"
+    },
+    "authenticators": [
+      { "handler": "noop" }
+    ],
+    "authorizer": { "handler": "allow" },
+    "mutators": [
+      { "handler": "noop" }
+    ]
+  },
+  {
+    "id": "backend-command",
+    "description": "Command 요청은 Backend로 전달 (Audit 강제)",
+    "match": {
+      "url": "http://<.*>/api/v1/<.*>",
+      "methods": ["POST", "PUT", "PATCH", "DELETE"]
+    },
+    "upstream": {
+      "url": "http://baron_backend:3000"
+    },
+    "authenticators": [
+      { "handler": "cookie_session" }
+    ],
+    "authorizer": { "handler": "remote_json" },
+    "mutators": [
+      { "handler": "noop" }
+    ]
+  },
+  {
+    "id": "backend-query",
+    "description": "Backend Query (admin/dev 포함)",
+    "match": {
+      "url": "http://<.*>/api/v1/<.*>",
+      "methods": ["GET"]
+    },
+    "upstream": {
+      "url": "http://baron_backend:3000"
+    },
+    "authenticators": [
+      { "handler": "cookie_session" }
+    ],
+    "authorizer": { "handler": "remote_json" },
+    "mutators": [
+      { "handler": "noop" }
+    ]
+  }
+]