KONGAPI配置权限

kong支持的验证plugin

KONG有很多插件，权限认证的，安全保护的，流量控制的，还有一些功能型的。权限配置主要讲的就是Authentication里的三种常用的方法：

BasicAuth：HTTP的基本认证，也是最初始的用户名，密码认证的方式，实现原理为在http传输的header里增加Authorization: Basic base64encode(username+":"+password)

KeyAuth：关键字认证，也就是请求里需要带设置的关键字，比如你设置关键字为apikey，然后设置key值为:7788，那么发送请求时在header里带上apikey:7788，就能访问通过

HmacAuth：hmac算法认证，也就是请求里带关键字和时间信息并通过算签名和签名比较验证请求的数据是否合法

Plugin

所有的附加功能都是插件，也就是在路由过程中的基本处理逻辑

查看所有的插件：curl -i 10.10.30.70:8001/plugins

{"next":null,"data":[{"created_at":1626857621,"id":"4d2a0e09-2b8e-482e-8e90-5ac74f4a608f","tags":null,"enabled":false,"protocols":["grpc","grpcs","http","https"],"name":"hmac-auth","consumer":null,"service":null,"route":{"id":"36f30105-7578-47e6-837d-dd5bd80aa4ec"},"config":{"clock_skew":300,"validate_request_body":false,"enforce_headers":["date","digest"],"algorithms":["hmac-sha256"],"anonymous":null, "hide_credentials":false}}, {"created_at":1626941697,"id":"9f9fc883-81b1-48bd-aa7a-cf09a7f3dbac","tags":null,"enabled":true,"protocols":["grpc","grpcs","http","https"],"name":"basic-auth","consumer":null,"service":null,"route":{"id":"36f30105-7578-47e6-837d-dd5bd80aa4ec"},"config":{"hide_credentials":false,"anonymous":null}},{"created_at":1626857173,"id":"aa5ca5d4-1fd3-4814-b101-0917a86a3b5c","tags":null,"enabled":false, "protocols":["grpc","grpcs","http","https"],"name":"key-auth","consumer":null,"service":null,"route":{"id":"36f30105-7578-47e6-837d-dd5bd80aa4ec"},"config":{"key_in_query":true,"key_names":["apikey"],"key_in_header":true,"run_on_preflight":true,"anonymous":null,"hide_credentials":false,"key_in_body":false}}]}

查看路由相关的插件：curl -i 10.10.30.70:8001/routes/36f30105-7578-47e6-837d-dd5bd80aa4ec/plugins

{"next":null,"data":[{"created_at":1626857621,"id":"4d2a0e09-2b8e-482e-8e90-5ac74f4a608f","tags":null,"enabled":false,"protocols":["grpc","grpcs","http","https"],"name":"hmac-auth","consumer":null,"service":null,"route":{"id":"36f30105-7578-47e6-837d-dd5bd80aa4ec"},"config":{"clock_skew":300,"validate_request_body":false,"enforce_headers":["date","digest"],"algorithms":["hmac-sha256"],"anonymous":null, "hide_credentials":false}}, {"created_at":1626941697,"id":"9f9fc883-81b1-48bd-aa7a-cf09a7f3dbac","tags":null,"enabled":true,"protocols":["grpc","grpcs","http","https"],"name":"basic-auth","consumer":null,"service":null,"route":{"id":"36f30105-7578-47e6-837d-dd5bd80aa4ec"},"config":{"hide_credentials":false,"anonymous":null}},{"created_at":1626857173,"id":"aa5ca5d4-1fd3-4814-b101-0917a86a3b5c","tags":null,"enabled":false, "protocols":["grpc","grpcs","http","https"],"name":"key-auth","consumer":null,"service":null,"route":{"id":"36f30105-7578-47e6-837d-dd5bd80aa4ec"},"config":{"key_in_query":true,"key_names":["apikey"],"key_in_header":true,"run_on_preflight":true,"anonymous":null,"hide_credentials":false,"key_in_body":false}}]}

Consumers

访问KONG的user，创建的插件都需要有个（多个）对应user，

查看所有的用户：curl -i 10.10.30.70:8001/consumers

{"next":null,"data":[{"custom_id":"testcon","created_at":1626856685,"id":"66568c54-7e9d-444f-a758-61960e3f0ade","tags":[],"username":"testcon"},{"custom_id":null,"created_at":1626857685,"id":"d1e00360-c6e5-474f-a27a-b9394532a3a6","tags":[],"username":"alice"},{"custom_id":"wshi","created_at":1625037677,"id":"f328a420-5b4d-476c-8e75-0e03d0a39d4c","tags":[],"username":"wshi"}]}

Basic Auth:

增加插件

curl -i -X POST 10.10.30.70:8001/routes/fd3140c5-6e39-4bed-a258-85b9b3439444/plugins --data name=basic-auth

{"created_at":1626943071,"id":"54eb888e-5272-4412-9c7b-1ab581adf45d","tags":null,"enabled":true,"protocols":["grpc","grpcs","http","https"],"name":"basic-auth","consumer":null,"service":null,"route":{"id":"fd3140c5-6e39-4bed-a258-85b9b3439444"},"config":{"hide_credentials":false,"anonymous":null}}

增加用户

curl -X POST 10.10.30.70:8001/consumers --data username="basicauth"

{"custom_id":null,"created_at":1626946140,"id":"cfdccd25-8d1e-4862-b6ea-5783ce97c669","tags":null,"username":"basicauth"}

增加用户相关的认证方式

curl -X POST 10.10.30.70:8001/consumers/cfdccd25-8d1e-4862-b6ea-5783ce97c669/basic-auth --data username="basicauth" --data password="basicauthpwd"

{"created_at":1626946610,"id":"22046ce2-5c02-40dd-9e8c-b380e4b30d3a","tags":null,"username":"basicauth","password":"2d09216b79edb18878e4c028c078a4fdb33a109f","consumer":{"id":"cfdccd25-8d1e-4862-b6ea-5783ce97c669"}}

验证basicauth的访问

POSTMAN访问验证

用post发送命令的时候注意：

1，选择Authorization的type是Basic Auth；

2，Username使用之前设置的basicauth填写，Password使用之前设置的basicauthpwd填写；

3，选择GET进行http的命令发送，获得相应的结果。

如果直接使用没有授权的访问方式，结果如下：

curl -i 10.10.30.70:8000/comments

{ "message":"Unauthorized"}

如果使用basic授权的方式则可获得结果

curl -i 10.10.30.70:8000/comments -H 'authorization: Basic YmFzaWNhdXRoOmJhc2ljYXV0aHB3ZA=='

HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunked

……

Key Auth：

增加插件

curl -i -X POST 10.10.30.70:8001/routes/fd3140c5-6e39-4bed-a258-85b9b3439444/plugins --data name=key-auth

{"created_at":1626943016,"id":"e2666906-787b-4d60-95ed-282d4cc565b9","tags":null,"enabled":true,"protocols":["grpc","grpcs","http","https"],"name":"key-auth","consumer":null,"service":null,"route":{"id":"fd3140c5-6e39-4bed-a258-85b9b3439444"},"config":{"key_in_query":true,"key_names":["apikey"],"key_in_header":true,"run_on_preflight":true,"anonymous":null,"hide_credentials":false,"key_in_body":false}}

增加用户

curl -X POST 10.10.30.70:8001/consumers --data username="keyauth"

{"custom_id":null,"created_at":1626947773,"id":"b0b8eb11-2ce7-463c-98f4-5f2473344dcb","tags":null,"username":"keyauth"}

增加用户相关的认证方式

curl -X POST 10.10.30.70:8001/consumers/b0b8eb11-2ce7-463c-98f4-5f2473344dcb/key-auth --data key="testapikey"

{"created_at":1626947936,"id":"e7cd28fd-4563-4f47-945f-942d7482e1c9","tags":null,"ttl":null,"key":"testapikey","consumer":{"id":"b0b8eb11-2ce7-463c-98f4-5f2473344dcb"}}

验证keyauth的访问

curl -i 10.10.30.70:8000/comments -H "apikey:testapikey"

HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveDate: Thu, 22 Jul 2021 10:01:42 GMT

……

Hmac Auth：

增加插件

curl -H "Content-Type: application/json" -X POST 10.10.30.70:8001/routes/fd3140c5-6e39-4bed-a258-85b9b3439444/plugins --data '{"name":"hmac-auth","config":{"enforce_headers":["date","digest"],"algorithms":["hmac-sha256"],"validate_request_body":false}}'

{"created_at":1626943970,"id":"86880aa2-5be8-450d-a03a-bfe026526b8b","tags":null,"enabled":true,"protocols":["grpc","grpcs","http","https"],"name":"hmac-auth","consumer":null,"service":null,"route":{"id":"fd3140c5-6e39-4bed-a258-85b9b3439444"},"config":{"clock_skew":300,"validate_request_body":false, "enforce_headers":["date","digest"], "algorithms":["hmac-sha256"],"anonymous":null,"hide_credentials":false}}

增加用户

curl -X POST 10.10.30.70:8001/consumers --data username="hmacauth"

{"custom_id":null,"created_at":1626948220,"id":"838e9f3c-dfba-4a66-b333-61c4e832b8c8","tags":null,"username":"hmacauth"}

增加用户相关的认证方式

curl -X POST 10.10.30.70:8001/consumers/838e9f3c-dfba-4a66-b333-61c4e832b8c8/hmac-auth --data username="testhmac" --data secret="testhmacsec"

{"created_at":1626948389,"id":"9e6f5fe0-b79b-4277-a493-58553e125477","tags":null,"username":"testhmac","secret":"testhmacsec","consumer":{"id":"838e9f3c-dfba-4a66-b333-61c4e832b8c8"}}

验证hmacauth的访问

url: http://10.10.30.70:8000/comments

request headers:  {

  "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/76.0.3809.87 Chrome/76.0.3809.87 Safari/537.36",

  "Authorization": "hmac username=\"testhmac\", algorithm=\"hmac-sha256\", headers=\"date digest\", signature=\"P9EcFIfCLjLLxSknW9nug8N5sUZO0Wxu7LBOisERt0g=\"",

  "Digest": "SHA-256=t7xiM51A3GOHmRy4H2jpLgnrkIPr1fyWoKiHlcCsXYE=",

  "Date": "Thu, 22 Jul 2021 10:15:55 GMT"

}

JWT：

增加插件

curl -H "Content-Type: application/json" -X POST 10.10.30.70:8001/routes/fd3140c5-6e39-4bed-a258-85b9b3439444/plugins

--data '{"name":"jwt","enabled":false}}'

增加用户

curl -X POST 10.10.30.70:8001/consumers --data username="jwtauth"

{"custom_id":null,"created_at":1626948220,"id":"838e9f3c-dfba-4a66-b333-61c4e832b8c8","tags":null,"username":"jwtauth"}

增加用户相关的认证方式

curl

-X POST

10.10.30.70:8001/consumers/838e9f3c-dfba-4a66-b333-61c4e832b8c8

--data algorithm="HS256" --data key="S9uNDL9Lrra16i2Y" --data secret="zoX6puR46zOJNd2V"

验证jwt的访问

url: http://10.10.30.70:8000/comments

curl -X POST \

  http://10.10.30.70:8000/hechong/account/qry \

  -H 'authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaXNzIjoiUzl1TkRMOUxycmExNmkyWSIsImlhdCI6MTUxNjIzOTAyMn0.Di5Mr1QJ4s91u4IUMj9dnnFKXqet95nkvDo-6jimjec' \

  -H 'cache-control: no-cache' \

  -H 'content-type: application/json' \