Apply List-Based Access Control
Sometimes you need finer-grained access control than an authentication plugin alone provides. For example, you may want to keep a whitelist of consumers that are allowed to call your API. With the whitelist in place, a consumer must both send an authenticated request and appear on the whitelist (or, if you configure a blacklist instead of a whitelist, not appear on it) before the gateway forwards the request.
This tutorial guides you in configuring precise access control by creating a consumer whitelist through the consumer-restriction plugin.
Prerequisites
- Complete the Manage Consumer Credentials tutorial and have a published service and a consumer with authentication enabled.
Restrict by Consumer Name
When a consumer makes an authenticated request, API7 Enterprise passes the consumer's name on to the routes. Access rules are therefore written against consumer names rather than against the credentials themselves, so a route never needs to see an API key, and rotating a consumer's key does not change the rule.
Dashboard
Select the service to configure consumer restriction.
Select Plugins from the side navigation bar.
In the Plugins field, search for the consumer-restriction plugin. Click the Plus icon (+).
In the dialog box that appears, add the following configuration to the JSON Editor:
{
  "whitelist": [
    "Alice"
  ]
}
If you followed the prerequisite tutorial, you already have a consumer Alice with the key-auth plugin enabled. Click Enable.
Create a new consumer Lisa and enable the key-auth plugin. Add the following configuration to the JSON Editor:
{
  "key": "secret-key2"
}
ADC
The configuration below enables the consumer-restriction plugin on the service and declares the new consumer Lisa. Lisa's key is secret-key2, the value sent in the Validate step below:
services:
  - name: httpbin Service
    upstream:
      name: default
      scheme: http
      nodes:
        - host: httpbin.org
          port: 80
          weight: 100
    plugins:
      consumer-restriction:
        _meta:
          disable: false
        whitelist:
          - Alice
      key-auth:
        _meta:
          disable: false
    routes:
      - uris:
          - /ip
        name: api-security-ip
        methods:
          - GET
consumers:
  - username: Alice
    plugins:
      key-auth:
        _meta:
          disable: false
        key: secret-key
  - username: Lisa
    plugins:
      key-auth:
        _meta:
          disable: false
        key: secret-key2
Synchronize the configuration to API7 Enterprise:
adc sync -f adc.yaml
Validate
Make a request to the service as the consumer Alice:
curl -i "http://127.0.0.1:9080/ip" -H "apikey: secret-key"
You will see that the request is successful with a 200 OK response because the consumer Alice is in the whitelist.
Now, make a request to the service as the newly created consumer Lisa:
curl -i "http://127.0.0.1:9080/ip" -H "apikey: secret-key2"
You will receive a 403 Forbidden response with the following response body, because the consumer Lisa is authenticated but not on the whitelist:
{"message":"The consumer_name is forbidden."}
Additional Resource(s)
- Key Concepts
- API Security
- API Consumption