DEV Community

SameX
Permission Management and Security Strategy Optimization of ohpm-repo in HarmonyOS Next

In the enterprise-level development of HarmonyOS Next, the security of the ohpm-repo private repository is of utmost importance. It not only concerns the protection of code assets but also affects the stability of the entire development process. Below, we will discuss in detail how to implement enterprise-level security strategies from aspects such as access control policy configuration, public-private key authentication, and security optimization and intrusion prevention to ensure the security of the ohpm-repo private repository and prevent unauthorized access.

How to Configure the Access Control Policy?

Bind the Private Repository through ohpm config set registry

When using ohpm-repo, the first step is to let the ohpm package manager know where to obtain the resources of the private repository. The ohpm config set registry command can be used to bind the private repository source. The repository source address is usually the address of store.config.server in the configuration file plus /repos/ohpm. For example:

ohpm config set registry http://192.168.1.100:8088/repos/ohpm

In this way, ohpm will search for and download dependent packages from the specified private repository, laying the foundation for subsequent access control.

How to Use access_token to Control the Access Permissions of Different Users? (Set Read-only/Writable Permissions)

ohpm-repo adopts the access_token mechanism to verify user identities and control access permissions. When a user logs in to the ohpm-repo private repository management address, the system will generate an access_token. On the server side, different permissions can be assigned to different access_tokens according to the user's role and permission settings.

For example, for ordinary developers, only read-only permissions need to be granted, and they can only download packages from the repository. In the server-side configuration, rules can be set to allow requests carrying the user's access_token for download operations to pass, while rejecting write operations such as uploading and deleting. For administrator users, their access_tokens can be granted writable permissions, allowing them to perform operations such as uploading, deleting, and modifying packages.

How to Assign Different Levels of Permissions to the Development Team? (User Management Based on groupmember)

User group management can be achieved through groupmember, so as to assign different levels of permissions to the development team. Administrators can create different user groups, such as the "Development Group", "Testing Group", and "Management Group".

The "Development Group" can be granted read and write permissions for project-related packages, allowing its members to download and upload packages related to development tasks. The "Testing Group" can be granted read-only permissions, enough to download the packages required for testing. The "Management Group" has the highest permissions and can perform operations such as user management and repository configuration management.

In the database of ohpm-repo, the groupmember table records the association between users and groups. The administrator adds users to the corresponding groups by managing the data in this table, and users automatically inherit the permissions of their group. When a user's responsibilities change, the administrator only needs to adjust the group the user belongs to, which makes permission management dynamic.

How to Use Public-Private Key Authentication to Protect the Security of the Repository?

How to Generate an SSH Key Pair Using ssh-keygen?

The ssh-keygen tool can be used to generate an SSH key pair. Execute the following command:

ssh-keygen -m PEM -t RSA -b 4096 -f <your_key_path>

Here, <your_key_path> specifies the storage path and file name of the key pair. For example, if it is set to D:\path\my_key_path, the public key and the private key will be stored as my_key_path.pub and my_key_path respectively. Note that the OHPM package manager only supports encrypted key authentication, so a password (passphrase) should be set when generating the key to enhance security.

How to Bind the Public Key in ohpm-repo to Restrict Unauthorized Users from Publishing Packages?

After generating the public key, it needs to be bound at the ohpm-repo private repository management address. Log in to the management address, go to the personal center in the upper right corner of the homepage, select to add a new public key, and paste the content of the public key file (<your_key_path>.pub) into the public key input box.

After binding the public key, when a user performs sensitive operations such as publishing a package, ohpm-repo will verify whether the private key provided by the user matches the bound public key. The operation is allowed only if the match succeeds, which prevents unauthorized users from publishing packages.

How to Bind the Private Key for Secure Operations Using ohpm config set key_path?

When using ohpm to perform operations, the ohpm config set key_path command can be used to bind the private key. For example:

ohpm config set key_path D:\path\my_key_path

After binding the private key, when performing operations that require authentication, ohpm will automatically use this private key for authentication to ensure the security of the operations.

Security Optimization and Intrusion Prevention

How to Enable HTTPS to Prevent Data from Being Tampered with During Transmission? (Nginx Certificate Configuration Scheme)

Enabling HTTPS can effectively prevent data from being tampered with during transmission. In the config.yaml configuration file of ohpm-repo, configure listen as the https protocol, and configure https_key and https_cert:

listen: https://<ohpm-repo deployment machine ip>:8088
https_key: ./ssl/server.key
https_cert: ./ssl/server.crt

The following commands can be used to generate the certificate private key file and a self-signed certificate file:

openssl genrsa -out server.key 4096
openssl req -new -x509 -days 3650 -key server.key -out server.crt

At the same time, make corresponding configurations in Nginx. Add the following content to the Nginx configuration file:

server {
    listen 443 ssl;
    server_name your_domain.com;

    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;

    location / {
        # ohpm-repo-instances is the name of an upstream group or host defined elsewhere
        proxy_pass http://ohpm-repo-instances;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

In this way, all requests accessing ohpm-repo through Nginx will use the HTTPS protocol to ensure the security of data transmission.

How to Configure allow_remove_depended_packages: false to Prevent Accidental Deletion of Key Dependencies?

In the config.yaml configuration file of ohpm-repo, set allow_remove_depended_packages to false:

allow_remove_depended_packages: false

With this configuration, when an attempt is made to delete a key package that other packages depend on, ohpm-repo will reject the operation, preventing project build failures and other problems caused by accidentally deleting key dependencies.

How to Detect Abnormal Access through Log Analysis? (Automatically Detect Abnormal IPs in access.log and Block Them)

The access.log generated by ohpm-repo records user access information, including access time, access IP, accessed interface, etc. Scripts can be written or log analysis tools (such as the ELK Stack) can be used to automatically detect abnormal IPs in access.log.

For example, set rules that when an IP initiates a large number of abnormal requests (such as frequently trying to access non-existent interfaces) within a short period, it is determined as an abnormal IP. Then, through the configuration of the firewall or Nginx, the abnormal IP can be blocked to prevent it from continuing to access the repository, thereby ensuring the security of the repository.
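One way to implement the rule described above, as an added example that is not part of the original post or of ohpm-repo itself: a sliding-window count of 404 responses per IP, with the result rendered as Nginx `deny` directives. The log line layout, the threshold of 5 hits in 60 seconds and the sample lines are assumptions; the real access.log format must be checked and the regular expression adapted, and lines are assumed to be in chronological order.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASSUMED layout (not ohpm-repo's documented format): time, client IP, method, path, status.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines; the addresses are from documentation ranges.
SAMPLE_LOG = [
    "2025-03-01T10:00:00 198.51.100.20 GET /repos/ohpm/@demo/utils 200",
    "2025-03-01T10:00:05 203.0.113.7 GET /no-such-api/1 404",
    "2025-03-01T10:00:06 203.0.113.7 GET /no-such-api/2 404",
    "2025-03-01T10:00:07 203.0.113.7 GET /no-such-api/3 404",
    "2025-03-01T10:00:08 198.51.100.20 GET /repos/ohpm/@demo/typo 404",
    "2025-03-01T10:00:09 203.0.113.7 GET /no-such-api/4 404",
    "2025-03-01T10:00:10 203.0.113.7 GET /no-such-api/5 404",
    "2025-03-01T10:05:00 198.51.100.20 GET /repos/ohpm/@demo/typo 404",
    "truncated or malformed line",
]

def find_abnormal_ips(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: time the threshold was reached} for IPs with at least
    `threshold` 404 responses inside one sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of 404s still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(5) != "404":
            continue
        try:
            when = datetime.fromisoformat(m.group(1))
            # Normalise and validate: this value is later written into a config file.
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()        # drop 404s that fell out of the window
        if len(hits) >= threshold:
            flagged.setdefault(ip, when)
    return flagged

def nginx_deny_rules(flagged):
    """Render flagged IPs as Nginx access-module `deny` directives."""
    return [f"deny {ip};" for ip in sorted(flagged)]

if __name__ == "__main__":
    print("\n".join(nginx_deny_rules(find_abnormal_ips(SAMPLE_LOG))))
```

The IP field is parsed with `ipaddress` before it is emitted, so a crafted log entry cannot inject arbitrary text into the generated Nginx include file.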

Through the above permission management and security strategy optimization measures, a secure and reliable ohpm-repo private repository can be built, providing a solid guarantee for HarmonyOS Next development.
