Implementing Service Access Control with Kong

Contents

      • Prerequisites
      • Step 1: Enable the key-auth plugin on the service and route
      • Step 2: Create a consumer and add a custom key
      • Step 3: Test that the key-auth plugin works
      • Step 4: Enable the ACL plugin on the service and route
      • Step 5: Add the consumer to the whitelist
      • Step 6: Test ACL + key-auth

Prerequisites

You have already set up a working Kong instance and added two services (this article is based on DB mode; for DB-less mode, see this article).
The access control in this article is built on the Kong plugins key-auth + ACL. Let's begin.

Kong links: GitHub, installing Kong

Step 1: Enable the key-auth plugin on the service and route

Enable on the service

curl -X POST http://10.20.11.117:8001/services/67f7e680-2da2-4200-8963-96ef05243ca3/plugins --data "name=key-auth"

Response

{"created_at":1570761632,"config":{"key_names":["apikey"],"run_on_preflight":true,"anonymous":null,"hide_credentials":false,"key_in_body":false},"id":"eb321ca9-d5cd-464c-8396-9f2d661dd81a","service":{"id":"67f7e680-2da2-4200-8963-96ef05243ca3"},"name":"key-auth","protocols":["grpc","grpcs","http","https"],"enabled":true,"run_on":"first","consumer":null,"route":null,"tags":null}

Enable on the route

curl -X POST http://10.20.11.117:8001/routes/d017bca0-889b-431d-9fc8-8ac6b9a0b203/plugins --data "name=key-auth"

Response

{"created_at":1570761690,"config":{"key_names":["apikey"],"run_on_preflight":true,"anonymous":null,"hide_credentials":false,"key_in_body":false},"id":"495b9757-f9b0-4f3a-b0b3-7e9e3f1ef157","service":null,"name":"key-auth","protocols":["grpc","grpcs","http","https"],"enabled":true,"run_on":"first","consumer":null,"route":{"id":"d017bca0-889b-431d-9fc8-8ac6b9a0b203"},"tags":null}

Step 2: Create a consumer and add a custom key

Create the consumer

curl -X POST http://10.20.11.117:8001/consumers --data "username=test"

Response

{"custom_id":null,"created_at":1570761720,"id":"5c140f36-8075-436d-a025-0181645159a0","tags":null,"username":"test"}

Create a custom key

curl -X POST http://10.20.11.117:8001/consumers/test/key-auth/ --data "key=test_api_key_json"

Response

{"key":"test_api_key_json","created_at":1570761733,"consumer":{"id":"5c140f36-8075-436d-a025-0181645159a0"},"id":"8784fe3d-59f7-4c83-ac27-57e434132f17"}

Step 3: Test that the key-auth plugin works

Request without a key

curl -i -X GET --url http://10.20.11.117:8000/demo2 --data "name=sss"

Response

{"message":"No API key found in request"}

Request with the key

curl -i -X GET --url http://10.20.11.117:8000/demo2 --header "apikey: test_api_key_json" --data "name=sss"

Response

success  from dubbo v2.7: Hello word, response from provider: 172.17.0.7:27880

At this point key-auth is enabled and working.

Step 4: Enable the ACL plugin on the service and route

Enable on the service

curl -X POST http://10.20.11.117:8001/services/67f7e680-2da2-4200-8963-96ef05243ca3/plugins \
     --data "name=acl"  \
     --data "config.whitelist=group1" \
     --data "config.whitelist=group2" \
     --data "config.hide_groups_header=true"

Response

{"created_at":1570761812,"config":{"hide_groups_header":true,"blacklist":null,"whitelist":["group1","group2"]},"id":"21d8c944-82aa-4e19-8a28-80f7f35ff738","service":{"id":"67f7e680-2da2-4200-8963-96ef05243ca3"},"name":"acl","protocols":["grpc","grpcs","http","https"],"enabled":true,"run_on":"first","consumer":null,"route":null,"tags":null}

Enable on the route

curl -X POST http://10.20.11.117:8001/routes/d017bca0-889b-431d-9fc8-8ac6b9a0b203/plugins \
     --data "name=acl" \
     --data "config.whitelist=group1" \
     --data "config.whitelist=group2" \
     --data "config.hide_groups_header=true"

Response

{"created_at":1570761891,"config":{"hide_groups_header":true,"blacklist":null,"whitelist":["group1","group2"]},"id":"18de98a2-2402-4a30-9918-a5b3fa6ff951","service":null,"name":"acl","protocols":["grpc","grpcs","http","https"],"enabled":true,"run_on":"first","consumer":null,"route":{"id":"d017bca0-889b-431d-9fc8-8ac6b9a0b203"},"tags":null}

A note on this command: besides enabling the ACL plugin, it also defines two whitelisted groups, group1 and group2.
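Once both plugins are in place, a practitioner usually wants to verify that nothing was left out (a route with key-auth but no ACL, a route with no plugin at all, or a key-auth that quietly falls through to an anonymous consumer). The following Python audit is an added example, not part of this post or of Kong: it reads the JSON that the Admin API's /plugins and /routes listings return and reports every route that is not protected by both plugins, honouring Kong's route > service > global precedence for a plugin of the same name. The sample listings are constructed from the objects shown in this post (same plugin, service and route IDs); the two extra service/route pairs and the anonymous consumer ID are invented so that the audit has something to report.

```python
"""Audit key-auth + ACL coverage from Kong Admin API listings.

Added example, not Kong's code and not from the original post. It applies the
coverage rule the post builds up by hand: every route should be reachable only
through key-auth AND an ACL plugin, whether those are attached to the route,
to its service, or globally. The sample listings are constructed from the
objects shown in this post (same plugin, service and route IDs); the second
and third service/route pairs and the anonymous consumer ID are invented.
"""
import json
from collections import defaultdict

SVC_POST = "67f7e680-2da2-4200-8963-96ef05243ca3"   # service from the post
RTE_POST = "d017bca0-889b-431d-9fc8-8ac6b9a0b203"   # route from the post
SVC_ANON, RTE_ANON = "00000000-0000-4000-8000-0000000000aa", "00000000-0000-4000-8000-0000000000bb"  # invented
SVC_OPEN, RTE_OPEN = "00000000-0000-4000-8000-0000000000cc", "00000000-0000-4000-8000-0000000000dd"  # invented


def plugin(pid, name, config, service=None, route=None):
    """Build a plugin object in the shape the Admin API returns (trimmed to the fields used)."""
    return {"id": pid, "name": name, "enabled": True, "config": config, "consumer": None,
            "service": {"id": service} if service else None, "route": {"id": route} if route else None}


KEY_AUTH = {"key_names": ["apikey"], "anonymous": None, "key_in_body": False, "hide_credentials": False}
ACL = {"whitelist": ["group1", "group2"], "blacklist": None, "hide_groups_header": True}

# Constructed stand-in for the body of GET http://<admin>:8001/plugins
SAMPLE_PLUGINS = json.dumps({"next": None, "data": [
    plugin("eb321ca9-d5cd-464c-8396-9f2d661dd81a", "key-auth", KEY_AUTH, service=SVC_POST),
    plugin("495b9757-f9b0-4f3a-b0b3-7e9e3f1ef157", "key-auth", KEY_AUTH, route=RTE_POST),
    plugin("21d8c944-82aa-4e19-8a28-80f7f35ff738", "acl", ACL, service=SVC_POST),
    plugin("18de98a2-2402-4a30-9918-a5b3fa6ff951", "acl", ACL, route=RTE_POST),
    # Invented: a key-auth that falls through to an anonymous consumer, plus a normal ACL.
    plugin("00000000-0000-4000-8000-000000000001", "key-auth",
           dict(KEY_AUTH, anonymous="00000000-0000-4000-8000-0000000000a0"), service=SVC_ANON),
    plugin("00000000-0000-4000-8000-000000000002", "acl", ACL, service=SVC_ANON),
    # SVC_OPEN deliberately has no plugins at all.
]})

# Constructed stand-in for GET http://<admin>:8001/routes (only id and owning service matter here)
SAMPLE_ROUTES = json.dumps({"next": None, "data": [
    {"id": RTE_POST, "service": {"id": SVC_POST}},
    {"id": RTE_ANON, "service": {"id": SVC_ANON}},
    {"id": RTE_OPEN, "service": {"id": SVC_OPEN}},
]})


def index_plugins(listing):
    """Map each scope ("global", "service:<id>", "route:<id>") to {plugin name: config}."""
    index = defaultdict(dict)
    for p in listing["data"]:
        if not p.get("enabled", True) or p.get("consumer"):
            continue  # disabled, or consumer-scoped (does not protect a route by itself)
        if p.get("route"):
            scope = "route:" + p["route"]["id"]
        elif p.get("service"):
            scope = "service:" + p["service"]["id"]
        else:
            scope = "global"
        index[scope][p["name"]] = p["config"]
    return index


def effective_plugins(index, route):
    """Resolve what applies to one route; for a given plugin name, route beats service beats global."""
    effective = dict(index.get("global", {}))
    if route.get("service"):
        effective.update(index.get("service:" + route["service"]["id"], {}))
    effective.update(index.get("route:" + route["id"], {}))
    return effective


def audit(plugins_json, routes_json):
    """Return [(route_id, finding), ...] for every route that is not fully locked down."""
    index = index_plugins(json.loads(plugins_json))
    findings = []
    for route in json.loads(routes_json)["data"]:
        rid, eff = route["id"], effective_plugins(index, route)
        key_auth, acl = eff.get("key-auth"), eff.get("acl")
        if key_auth is None:
            findings.append((rid, "no key-auth: reachable without any credential"))
        elif key_auth.get("anonymous"):
            findings.append((rid, "key-auth anonymous set: keyless requests proceed as that consumer; review its ACL groups"))
        if acl is None:
            findings.append((rid, "no acl: every consumer holding a valid key is allowed"))
        elif not (acl.get("whitelist") or acl.get("blacklist")):
            findings.append((rid, "acl lists are empty: it restricts nobody"))  # defensive; Kong normally rejects this config
    return findings


if __name__ == "__main__":
    for route_id, finding in audit(SAMPLE_PLUGINS, SAMPLE_ROUTES):
        print(f"{route_id}: {finding}")
```

Against a live gateway, replace the two constructed strings with the bodies of GET /plugins and GET /routes (paginate with the "next" field if the listings are long). The route from this post produces no finding; the two invented routes show what a partial configuration looks like.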

Step 5: Add the consumer to the whitelist

Run:

curl -X POST http://10.20.11.117:8001/consumers/test/acls --data "group=group1"
curl -X POST http://10.20.11.117:8001/consumers/test/acls --data "group=group2"

Response:

{"group":"group1","created_at":1570761918,"consumer":{"id":"5c140f36-8075-436d-a025-0181645159a0"},"id":"e0c05bde-abde-4b8f-a2bc-8cd6a223586d"}
{"group":"group2","created_at":1570761920,"consumer":{"id":"5c140f36-8075-436d-a025-0181645159a0"},"id":"15c7dbd1-4c0c-4562-996a-68731444c40d"}

Step 6: Test ACL + key-auth

Access the service

curl -i -X GET --url http://10.20.11.117:8000/demo2 --header "apikey: test_api_key_json" --data "name=sss"

Because test has been added to the whitelist, a request carrying the test user's key can access the service.
Response

success  from dubbo v2.7: Hello word, response from provider: 172.17.0.7:27880

Suppose we now create another consumer and add a custom key for it, but do not add it to the whitelist. The result is as follows:

curl -X POST http://10.20.11.117:8001/consumers --data "username=andy"
curl -X POST http://10.20.11.117:8001/consumers/andy/key-auth/ --data "key=andy_api_key_json"
curl -i -X GET --url http://10.20.11.117:8000/demo2 --header "apikey: andy_api_key_json" --data "name=sss"

Response

{"message":"You cannot consume this service"}

Explanation of the block above: we first create a consumer named andy, then create a custom key named andy_api_key_json for that consumer, and finally use that key to access the service. Because this consumer is not in the whitelist, access is refused, as expected, with {"message":"You cannot consume this service"}.
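The decision path that steps 1 to 6 exercise, modelled in Python as an added example (not Kong's own Lua plugins and not code from this post): the request is checked by key-auth first, then by the ACL, using the plugin configs echoed back in steps 1 and 4 and the consumers, keys and groups created in steps 2, 5 and 6. It replays the post's three curl requests and returns the same messages the post shows. The request dicts are constructed, and the status code for an unknown key is an assumption, because the post never exercises that case.

```python
"""Model of the request path this post configures: key-auth first, then ACL.

Added example, not Kong's own code (Kong's plugins are Lua) and not from the
original post. It replays the post's three test requests against the plugin
configs and consumer data the post creates, producing the responses the post
shows. The status code for an unknown key is an assumption; the post never
exercises that case.
"""

# Plugin configs exactly as echoed back by the Admin API in steps 1 and 4.
KEY_AUTH_CONFIG = {"key_names": ["apikey"], "key_in_body": False,
                   "anonymous": None, "hide_credentials": False}
ACL_CONFIG = {"whitelist": ["group1", "group2"], "blacklist": None,
              "hide_groups_header": True}

# Credential and ACL tables as created in steps 2, 5 and 6 (key -> consumer, consumer -> groups).
CREDENTIALS = {"test_api_key_json": "test", "andy_api_key_json": "andy"}
ACL_GROUPS = {"test": {"group1", "group2"}, "andy": set()}

# Constructed requests: what the post's three curl calls carry into the gateway.
POST_REQUESTS = {
    "no key": {"headers": {}, "query": {}, "body": {"name": "sss"}},
    "test": {"headers": {"apikey": "test_api_key_json"}, "query": {}, "body": {"name": "sss"}},
    "andy": {"headers": {"apikey": "andy_api_key_json"}, "query": {}, "body": {"name": "sss"}},
}


def find_key(request, config):
    """Return (location, name, value) for the first configured key name present, or None.

    Headers are matched case-insensitively; query and body parameters are not.
    The body is only consulted when key_in_body is enabled.
    """
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    locations = [("headers", headers), ("query", request.get("query", {}))]
    if config["key_in_body"]:
        locations.append(("body", request.get("body", {})))
    for name in config["key_names"]:
        for where, params in locations:
            if name in params:
                return where, name, params[name]
    return None


def key_auth(request, config):
    """Authenticate the request. Returns (consumer, error_response)."""
    found = find_key(request, config)
    if found is None:
        if config["anonymous"]:            # optional fallthrough to a named anonymous consumer
            return config["anonymous"], None
        return None, (401, {"message": "No API key found in request"})
    where, name, value = found
    consumer = CREDENTIALS.get(value)
    if consumer is None:
        # Assumption: the post does not show the unknown-key case; the 403 here is not from the post.
        return None, (403, {"message": "Invalid authentication credentials"})
    if config["hide_credentials"]:          # strip the key before it reaches the upstream
        params = request.get(where, {})
        for k in list(params):
            if k == name or (where == "headers" and k.lower() == name):
                del params[k]
    return consumer, None


def acl(consumer, config):
    """Apply the group check. Returns an error response, or None when the consumer is allowed."""
    groups = ACL_GROUPS.get(consumer, set())
    denied = (403, {"message": "You cannot consume this service"})
    if config.get("blacklist") and groups & set(config["blacklist"]):
        return denied
    if config.get("whitelist") and not groups & set(config["whitelist"]):
        return denied
    return None


def handle(request):
    """Run the two plugins in Kong's order and return (status, body)."""
    consumer, error = key_auth(request, KEY_AUTH_CONFIG)
    if error:
        return error
    error = acl(consumer, ACL_CONFIG)
    if error:
        return error
    return 200, {"proxied_as": consumer}   # stands in for the upstream's "success from dubbo" reply


if __name__ == "__main__":
    for label, req in POST_REQUESTS.items():
        print(label, "->", handle(dict(req)))
```

The two plugins are deliberately independent: key-auth only establishes who the caller is, and the ACL only decides whether that identity may reach this service. That is why andy, who holds a perfectly valid key, is still refused with "You cannot consume this service" rather than an authentication error.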
