Apply List-Based Access Control
Sometimes, you will require more precise access control than what authentication plugins offer. For example, you might want to keep a whitelist of consumers who can access your API. Now, a consumer must send an authenticated request and be on the whitelist (and not on the blacklist) to access the API.
This tutorial guides you in configuring precise access control by creating a consumer whitelist through the consumer-restriction
plugin.
Prerequisites
- Install API7 Enterprise.
- Have a running API on the gateway group.
- Have a consumer with authentication enabled.
Restrict by Consumer Name
When a consumer makes an authenticated request, API7 Gateway passes on the consumer's name to the routes. So, the routes do not need to access the consumer's credentials directly, which is more user-friendly.
- Dashboard
- ADC
- Ingress Controller
- Select Published Services of your gateway group from the side navigation bar, then select the service you want to configure, for example,
httpbin API
with version1.0.0
. - Select Plugins from the side navigation bar, then click Enable Plugin.
- Search for the
consumer-restriction
plugin, then click Enable. - In the dialog box, do the following:
Add the following configuration to the JSON Editor:
{
"whitelist": [
"Alice"
]
}If you had followed the prerequisite tutorial, you would already have a consumer
Alice
with thekey-auth
plugin enabled.Click Enable.
Create a new consumer
Lisa
and enable thekey-auth
plugin with the following configuration to the JSON Editor:{
"key": "secret-key2"
}
The configuration below enables the consumer-restriction
plugin and creates a new consumer Lisa
:
services:
- name: httpbin Service
upstream:
name: default
scheme: http
nodes:
- host: httpbin.org
port: 80
weight: 100
plugins:
consumer-restriction:
_meta:
disable: false
whitelist:
- Alice
key-auth:
_meta:
disable: false
routes:
- uris:
- /ip
name: api-security-ip
methods:
- GET
consumers:
- username: Alice
plugins:
key-auth:
_meta:
disable: false
key: secret-key
- username: Lisa
plugins:
key-auth:
_meta:
disable: false
key: secret-key-2
Synchronize the configuration to API7 Gateway:
adc sync -f adc.yaml
Create a Kubernetes manifest file to configure another consumer lisa
:
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
name: lisa
# namespace: api7 # replace with your namespace
spec:
authParameter:
keyAuth:
value:
key: "secret-key2"
For consumer restriction, since the ApisixService custom resource is not yet available, you can configure the consumer-restriction
plugin on the ApisixRoute:
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
name: httpbin-route
# namespace: api7 # replace with your namespace
spec:
http:
- name: httpbin-route
match:
paths:
- /ip
methods:
- GET
backends:
- serviceName: httpbin
servicePort: 80
plugins:
- name: consumer-restriction
enable: true
config:
whitelist:
- alice
Apply the configurations to your cluster:
kubectl apply -f consumer2.yaml -f httpbin-route.yaml
Validate
Make a request to the service as the consumer Alice
:
curl -i "http://127.0.0.1:9080/ip" -H "apikey: secret-key"
You will see that the request is successful with a 200 OK
response because the consumer Alice
is in the whitelist.
Now, make a request to the service as the newly created consumer Lisa
:
curl -i "http://127.0.0.1:9080/ip" -H "apikey: secret-key2"
You will receive a 403 Forbidden
response with the following request body as the consumer Lisa
was not added to the whitelist:
{"message":"The consumer_name is forbidden."}
Additional Resource(s)
- Key Concepts
- API Security
- API Consumption