Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/03/02 06:47:40 UTC

[GitHub] [apisix-ingress-controller] FesonX opened a new issue #895: request help: account permission isolation based on etcd url prefix

FesonX opened a new issue #895:
URL: https://github.com/apache/apisix-ingress-controller/issues/895


   ### Issue description
   
   APISIX uses etcd as its config center, with a URL prefix like '/apisix'.
   It supports limited role control, like admin or viewer.
   This means that:
   1. Different teams can only use one account for API management.
   2. Or they use multiple APISIX deployments with multiple accounts, without a central dashboard to manage them.
   
   I have checked the data in etcd; it looks like:
   ```
   /apisix/plugin_configs/
   init_dir
   /apisix/plugin_metadata/
   init_dir
   /apisix/plugins/
   init_dir
   /apisix/proto/
   init_dir
   /apisix/routes/
   init_dir
   /apisix/routes/3b5e18a7
   {"name":"ingress_local.httpbin.org_\/","desc":"Created by apisix-ingress-controller, DO NOT modify it manually","upstream_id":"d1ce4b4f","host":"local.httpbin.org","priority":0,"labels":{"managed-by":"apisix-ingress-controller"},"status":1,"uris":["\/","\/*"],"update_time":1646125717,"id":"3b5e18a7","create_time":1646124473}
   ``` 
   
   If we treat `/apisix/*` as the admin scope, then when there is no other project it equals `/apisix/default/*`, which will not make a breaking change.
   If a project is added, `/apisix/projectName/*` can be used for different projects (or teams) with different accounts.
   Each account can only access its own APIs.
   And the admin account is able to manage all the APIs.
   
   ### Environment
   
   - your apisix-ingress-controller version (output of apisix-ingress-controller version --long):
   > apache/apisix-ingress-controller:1.4.0
   - your Kubernetes cluster version (output of kubectl version):
   > Server Version: version.Info{Major:"1", Minor:"22+", GitVersion:"v1.22.3-aliyun.1", GitCommit:"2d7fa03ee32075acb101bc7286176439c3edddf1", GitTreeState:"clean", BuildDate:"2022-01-18T14:15:16Z", GoVersion:"go1.16.9", Compiler:"gc", Platform:"linux/amd64"}
   - if you run apisix-ingress-controller in Bare-metal environment, also show your OS version (uname -a):
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix-ingress-controller] tao12345666333 commented on issue #895: request help: account permission isolation based on etcd url prefix

Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #895:
URL: https://github.com/apache/apisix-ingress-controller/issues/895#issuecomment-1056944636


   This is not the goal of this project.
   
   The permission isolation that this project is concerned with is based on Kubernetes' RBAC approach.
   
   The content in your issue can be solved by deploying multiple sets of APISIX and adding different etcd prefixes to them.





[GitHub] [apisix-ingress-controller] tao12345666333 closed issue #895: request help: account permission isolation based on etcd url prefix

Posted by GitBox <gi...@apache.org>.
tao12345666333 closed issue #895:
URL: https://github.com/apache/apisix-ingress-controller/issues/895


   

