Allow List-Based Access Control for Consumers
Once authentication is enabled on both the API and consumer sides, every consumer configured with the same authentication plugin gains access to all APIs that use that plugin. In some scenarios, finer-grained access control per API is needed: even if a consumer has the appropriate authentication plugin enabled, it must also be on an allow list to access the API. Each API keeps its own distinct allow list (whitelist) or deny list (blacklist).
This tutorial walks you through creating a consumer allow list to manage access control, using the consumer-restriction plugin.
Prerequisite(s)
- Obtain a User Account with Super Admin or API Provider Role.
- Complete Add Service from API Definition.
- Complete Set Up API Authentication.
- Complete Manage Consumer Credentials.
Restricted by Consumer Name
When API7 Enterprise Edition receives an API request, it extracts the credentials and looks up the consumer's name. Therefore, the route does not need to directly recognize the credentials; it simply uses the consumer's name, which is more user-friendly.
- Select Services > your target service. In this tutorial, the Swagger Petstore service (see Add Service from API Definition) is used as an example.
- Select Routes > your target route. In this tutorial, the getPetById route is used as an example.
- On the Plugins table of the route, click Add Plugin.
- Choose consumer-restriction as the plugin.
- Apply the following configuration in the JSON Editor. The tom consumer must already exist (see Manage Consumer Credentials):

    {
      "whitelist": [
        "tom"
      ]
    }

- Click Add.
- You can also apply the consumer-restriction plugin at the service level so that it applies to all of the service's routes, provided they can share the same allow list.
Validate
Create a new consumer lisa and add the key-auth plugin to lisa with the following configuration (see Manage Consumer Credentials):

    {
      "key": "secret-key2"
    }
Send an API request with tom's key:

    curl -i "http://127.0.0.1:9080/pet/1" -H "apikey: secret-key"

The request is served normally:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 323
Connection: keep-alive
Date: Fri, 01 Sep 2023 07:00:09 GMT
x-srv-trace: v=1;t=569591aa680bb202
x-srv-span: v=1;s=b5cbb398895e3f13
Access-Control-Allow-Origin: *
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 119
X-RateLimit-Reset: 1693551669
ETag: W/"143-JIrwO+Sx1/7FTTpJ2ljwAfgaRCY"
Vary: Accept-Encoding
Server: APISIX/dev
{
"name": "Dog",
"photoUrls": [
"https://example.com/dog-1.jpg",
"https://example.com/dog-2.jpg"
],
"id": 1,
"category": {
"id": 1,
"name": "pets"
},
"tags": [
{
"id": 1,
"name": "friendly"
},
{
"id": 2,
"name": "smart"
}
],
"status": "available"
}
Send an API request with lisa's key:

    curl -i "http://127.0.0.1:9080/pet/1" -H "apikey: secret-key2"

Because the route is restricted to tom, the request is rejected with an HTTP/1.1 403 Forbidden response:
HTTP/1.1 403 Forbidden
Date: Fri, 01 Sep 2023 07:00:05 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/dev
{"message":"The consumer_name is forbidden."}
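The following added example (not part of API7 or the consumer-restriction plugin itself) models the two-stage decision the tutorial and the validation above rely on: key-auth first maps the apikey header to a consumer name, then consumer-restriction checks that name against the route's whitelist (or, if configured instead, its blacklist). The credential table, the 401 wording for a missing or unknown key, and the header lookup are constructed assumptions for the model; the 403 message is the one shown on the page.

```python
"""Model of key-auth + consumer-restriction: credential -> consumer name -> allow list."""
from typing import Optional, Tuple

# Constructed credential table for the key-auth step: api key -> consumer name.
CREDENTIALS = {"secret-key": "tom", "secret-key2": "lisa"}

# The route-level consumer-restriction configuration from the tutorial.
ROUTE_RESTRICTION = {"whitelist": ["tom"]}


def resolve_consumer(headers: dict, credentials: dict) -> Optional[str]:
    """key-auth step: find the apikey header (name compared case-insensitively)
    and return the consumer that owns that key, or None if missing/unknown."""
    for name, value in headers.items():
        if name.lower() == "apikey":
            return credentials.get(value)
    return None


def consumer_allowed(consumer: str, restriction: dict) -> bool:
    """consumer-restriction step: a whitelist admits only the listed names,
    a blacklist rejects the listed names, and an empty config admits everyone."""
    if "whitelist" in restriction:
        return consumer in restriction["whitelist"]
    if "blacklist" in restriction:
        return consumer not in restriction["blacklist"]
    return True


def authorize(headers: dict, credentials: dict = CREDENTIALS,
              restriction: dict = ROUTE_RESTRICTION) -> Tuple[int, str]:
    """Return the (status, message) the gateway would produce for the request.
    Authentication failures are reported before the allow list is consulted,
    so an unknown key never reveals whether a consumer is listed."""
    consumer = resolve_consumer(headers, credentials)
    if consumer is None:
        # Assumed 401 wording; the real key-auth message may differ.
        return 401, "Missing or invalid API key"
    if not consumer_allowed(consumer, restriction):
        return 403, "The consumer_name is forbidden."
    return 200, f"allowed as {consumer}"


if __name__ == "__main__":
    for key in ("secret-key", "secret-key2", "not-a-key"):
        print(key, "->", authorize({"apikey": key}))
```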