
Version: 3.2.3.x

Allow List-Based Access Control for Consumers

Once authentication is enabled on both the API and the consumer side, every consumer that uses the same authentication plugin gains access to every API protected by it. In some scenarios, finer-grained access control per API is required: even when a consumer has the appropriate authentication plugin enabled, it must also be on a whitelist to access the API, and each API has its own distinct whitelist or blacklist. This tutorial guides you through creating a consumer whitelist to manage access control, using the consumer-restriction plugin.

Prerequisite(s)

  1. Obtain a User Account with Super Admin or API Provider Role.
  2. Complete Add Service from API Definition.
  3. Complete Set Up API Authentication.
  4. Complete Manage Consumer Credentials.

Restricted by Consumer Name

When API7 Enterprise Edition receives an API request, it extracts the credentials and looks up the name of the consumer they belong to. The route therefore does not need to recognize the credentials directly; it only works with the consumer's name, which is more user-friendly.

  1. Select Services > your target service. In this tutorial, the Swagger Petstore service (See Add Service from API Definition) will be used as an example.
  2. Select Routes > your target route. In this tutorial, the getPetById route will be used as an example.
  3. On the Plugins table of the route, click Add Plugin.
  4. Choose consumer-restriction as the plugin.
  5. Apply the following configuration in the JSON Editor. You must have the tom consumer ready (See Manage Consumer Credentials):

     {
       "whitelist": [
         "tom"
       ]
     }

  6. Click Add.
  7. You can also apply the consumer-restriction plugin at the service level to affect all of its routes, provided they can share the same whitelist.

Validate

Create a new consumer lisa and enable the key-auth plugin on lisa with the following configuration (See Manage Consumer Credentials):

{
  "key": "secret-key2"
}

Use tom's key for API requests:

curl -i "http://127.0.0.1:9080/pet/1" -H "apikey: secret-key"

The request is served normally:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 323
Connection: keep-alive
Date: Fri, 01 Sep 2023 07:00:09 GMT
x-srv-trace: v=1;t=569591aa680bb202
x-srv-span: v=1;s=b5cbb398895e3f13
Access-Control-Allow-Origin: *
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 119
X-RateLimit-Reset: 1693551669
ETag: W/"143-JIrwO+Sx1/7FTTpJ2ljwAfgaRCY"
Vary: Accept-Encoding
Server: APISIX/dev

{
  "name": "Dog",
  "photoUrls": [
    "https://example.com/dog-1.jpg",
    "https://example.com/dog-2.jpg"
  ],
  "id": 1,
  "category": {
    "id": 1,
    "name": "pets"
  },
  "tags": [
    {
      "id": 1,
      "name": "friendly"
    },
    {
      "id": 2,
      "name": "smart"
    }
  ],
  "status": "available"
}

Use lisa's key for API requests:

curl -i "http://127.0.0.1:9080/pet/1" -H "apikey: secret-key2"

Because access to the route is restricted to tom, the request is rejected with an HTTP/1.1 403 Forbidden response:

HTTP/1.1 403 Forbidden
Date: Fri, 01 Sep 2023 07:00:05 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/dev

{"message":"The consumer_name is forbidden."}
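The decision sequence described under Restricted by Consumer Name (key-auth resolves the credential to a consumer name, then consumer-restriction checks that name against the route's list) and the two outcomes shown in Validate, modelled as a small Python program. This is an added illustration written for this page, not API7 or APISIX code: the credential store, the lisa/tom keys and the 401 message are constructed for the example, and the rejected_code/rejected_msg fields and the rule that whitelist and blacklist are mutually exclusive are assumptions modelled on the plugin's options rather than taken from this page. The 403 message matches the response shown above.

```python
"""Simplified model of key-auth followed by consumer-restriction (illustration only)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed consumer credential store: api key -> consumer name.
# In the gateway this lookup is what key-auth performs before route plugins run.
CONSUMERS = {
    "secret-key": "tom",
    "secret-key2": "lisa",
}


@dataclass
class ConsumerRestriction:
    """Route- or service-level consumer-restriction configuration.

    Exactly one of whitelist/blacklist may be set (assumption modelled on the
    plugin's options; this class is not the plugin's own schema).
    """
    whitelist: list = field(default_factory=list)
    blacklist: list = field(default_factory=list)
    rejected_code: int = 403
    rejected_msg: str = "The consumer_name is forbidden."

    def __post_init__(self) -> None:
        if bool(self.whitelist) == bool(self.blacklist):
            raise ValueError("set exactly one of whitelist or blacklist")


def authenticate(headers: dict) -> Optional[str]:
    """Mimic key-auth: read the apikey header and resolve it to a consumer name.

    HTTP header names are case-insensitive, so normalise before the lookup.
    Returns None when the key is missing or unknown.
    """
    normalised = {k.lower(): v for k, v in headers.items()}
    key = normalised.get("apikey")
    if key is None:
        return None
    return CONSUMERS.get(key)


def authorize(consumer: str, restriction: ConsumerRestriction) -> bool:
    """Allow-list: the consumer must be listed. Deny-list: it must not be."""
    if restriction.whitelist:
        return consumer in restriction.whitelist
    return consumer not in restriction.blacklist


def handle_request(headers: dict, restriction: ConsumerRestriction) -> Tuple[int, str]:
    """Return (status, message) for a request to a route protected by both plugins."""
    consumer = authenticate(headers)
    if consumer is None:
        # key-auth rejects the request; consumer-restriction never runs.
        # (401 text is constructed for this model.)
        return 401, "Missing or invalid API key"
    if not authorize(consumer, restriction):
        return restriction.rejected_code, restriction.rejected_msg
    return 200, f"OK (consumer={consumer})"


# Route-level policy from the tutorial: only tom may call getPetById.
ROUTE_POLICY = ConsumerRestriction(whitelist=["tom"])

if __name__ == "__main__":
    for hdrs in ({"apikey": "secret-key"}, {"apikey": "secret-key2"}, {}):
        print(hdrs, "->", handle_request(hdrs, ROUTE_POLICY))
```

Running the block prints tom's request as 200, lisa's as 403 with the plugin-style message, and a request with no key as 401, which is the ordering to keep in mind when reading gateway logs: a 401 means authentication failed before the whitelist was ever consulted, while a 403 means a valid, known consumer was turned away by the restriction.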
