dapr
/
docs
mirror of https://github.com/dapr/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'mfussell-sec-patch' of https://github.com/msfussell/docs into mfussell-sec-patch

This commit is contained in:
Mark Fussell 2022-03-03 17:15:22 -08:00
parent 6f43a29637 f80e561cae
commit 632632ce11
3 changed files with 14 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
daprdocs/content/en/developing-applications/building-blocks/service-invocation/service-invocation-namespaces.md
View File

@ -6,24 +6,26 @@ weight: 1000
description: "Call between services deployed to different namespaces"
---
This article describes how you can call between services deployed to different namespaces. By default, you can invoke services within the *same* namespaces by simply referencing the app ID (`nodeapp`):
This article describes how you can call between services deployed to different namespaces. By default, you can invoke services within the *same* namespace by simply referencing the app ID (`nodeapp`):
```sh
localhost:3500/v1.0/invoke/nodeapp/method/neworder
```
Service invocation also supports calls across namespaces. On all supported hosting platforms, Dapr app IDs conform to a valid FQDN format that includes the target namespace. You can therefore specify both the app ID (`nodeapp`) in addition to the namespace the app runs in (`production`). For example to call the `neworder` method on the `nodeapp`, in the `production` namespace would be like this;
Service invocation also supports calls across namespaces. On all supported hosting platforms, Dapr app IDs conform to a valid FQDN format that includes the target namespace. You can therefore specify both the app ID (`nodeapp`) in addition to the namespace the app runs in (`production`). For example to call the `neworder` method on the `nodeapp`, in the `production` namespace would look like this:
```sh
localhost:3500/v1.0/invoke/nodeapp.production/method/neworder
```
When using service invocation to call an application in a namespace you qualify it with the namespace. This is especially useful in cross namespace calls in a Kubernetes cluster. As another example, calling the `ping` method on `myapp` which is scoped to the `production` namespace would be like this;
When using service invocation to call an application in a namespace you qualify it with the namespace. This is especially useful in cross namespace calls in a Kubernetes cluster. As another example, calling the `ping` method on `myapp` which is scoped to the `production` namespace would look like this:
```bash
https://localhost:3500/v1.0/invoke/myapp.production/method/ping
```
And calling the same `ping` method using a curl command from an external DNS address, in this case `api.demo.dapr.team` and supplying the Dapr API token for authentication would be like this;
**Example 3**
Call the same `ping` method as example 2 using a curl command from an external DNS address (in this case, `api.demo.dapr.team`) and supply the Dapr API token for authentication:
MacOS/Linux:
```

2
daprdocs/content/en/developing-applications/building-blocks/service-invocation/service-invocation-overview.md
View File

@ -41,7 +41,7 @@ Service invocation provides several features to make it easy for you to call met
### Namespace scoping
Applications can be scoped to namespaces for deployment and security and you can call between services deployed to different namespaces. For more information read the [Service invocation across namespaces]({{< ref "service-invocation-namespaces.md" >}}) article.
Applications can be scoped to namespaces for deployment and security, and you can call between services deployed to different namespaces. For more information, read the [Service invocation across namespaces]({{< ref "service-invocation-namespaces.md" >}}) article.
### Service-to-service security

10
daprdocs/content/en/operations/components/component-scopes.md
View File

@ -72,11 +72,15 @@ In this example, the Redis component is only accessible to Dapr instances runnin
{{< /tabs >}}
Note: It is possible to have the component YAML applied to namespace "A" *reference* the implementation in namespace "B". For example, a component YAML for Redis in namespace "production-A" can set the Redis host address to point to the Redis instance deployed in namespace "production-B". See [Configure Pub/Sub components with multiple namespaces]({{< ref "pubsub-namespaces.md" >}}) for an example.
{{% alert title="Note" color="primary" %}}
The component YAML applied to namespace "A" can *reference* the implementation in namespace "B". For example, a component YAML for Redis in namespace "production-A" can point the Redis host address to the Redis instance deployed in namespace "production-B".
See [Configure Pub/Sub components with multiple namespaces]({{< ref "pubsub-namespaces.md" >}}) for an example.
{{% /alert %}}
## Application access to components with scopes
Developers and operators might want to limit access for one database to a certain application, or a specific set of applications.
To achieve this, Dapr allows you to specify `scopes` on the component YAML. Application scopes added to a component limit only the applications with specific IDs to be able to use the component.
Developers and operators might want to limit access to one database from a certain application, or a specific set of applications.
To achieve this, Dapr allows you to specify `scopes` on the component YAML. Application scopes added to a component limit only the applications with specific IDs from using the component.
The following example shows how to give access to two Dapr enabled apps, with the app IDs of `app1` and `app2` to the Redis component named `statestore` which itself is in the `production` namespace