You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by bz...@apache.org on 2022/01/05 03:50:12 UTC
[apisix-website] branch master updated: docs: add authing blog (#832)
This is an automated email from the ASF dual-hosted git repository.
bzp2010 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-website.git
The following commit(s) were added to refs/heads/master by this push:
new 58cf46e docs: add authing blog (#832)
58cf46e is described below
commit 58cf46e9439fcd696dfcd0dfca6daee05a5cc1ae
Author: yilinzeng <36...@users.noreply.github.com>
AuthorDate: Wed Jan 5 11:50:04 2022 +0800
docs: add authing blog (#832)
---
...-APISIX-not-affected-by-NGINX-CVE-2021-23017.md | 2 +-
.../blog/2021/06/28/why-we-need-Apache-APISIX.md | 4 +-
...ina-Weibo-API-gateway-based-on-Apache-APISIX.md | 30 +--
.../blog/2021/07/21/Apache-APISIX-Kubernetes.md | 2 +-
...apisix-to-improve-the-observability-of-nginx.md | 2 +-
.../08/18/Auth-with-Casbin-in-Apache-APISIX.md | 2 +-
...onnect-Plugin-for-Centralized-Authentication.md | 4 +-
website/blog/2021/08/30/weekly-report.md | 2 +-
website/blog/2021/09/07/iQIYI-usercase.md | 2 +-
.../blog/2021/09/13/china-mobile-cloud-usercase.md | 2 +-
website/blog/2021/09/15/weekly-report.md | 2 +-
website/blog/2021/10/09/apisix-ingress-techblog.md | 6 +-
website/blog/2021/10/26/APISIX-Ingress.md | 4 +-
.../blog/2021/12/15/deploy-apisix-in-kubernetes.md | 2 +-
.../blog/2021/12/16/apisix-with-rocketmq-meetup.md | 4 +-
.../12/24/apisix-integrate-openwhisk-plugin.md | 2 +-
.../blog/2021/12/30/apisix-proxy-grpc-service.md | 2 +-
website/blog/2022/01/04/authing.md | 255 ++++++++++++++++++++
.../2022/01/04/authing.md | 257 +++++++++++++++++++++
19 files changed, 549 insertions(+), 37 deletions(-)
diff --git a/website/blog/2021/06/07/Apache-APISIX-not-affected-by-NGINX-CVE-2021-23017.md b/website/blog/2021/06/07/Apache-APISIX-not-affected-by-NGINX-CVE-2021-23017.md
index 947109e..ac3c7e1 100644
--- a/website/blog/2021/06/07/Apache-APISIX-not-affected-by-NGINX-CVE-2021-23017.md
+++ b/website/blog/2021/06/07/Apache-APISIX-not-affected-by-NGINX-CVE-2021-23017.md
@@ -37,7 +37,7 @@ are all implemented by Apache APISIX instead of the built-in mechanism of NGINX,
## Apache APISIX
-Apache APISIX is a dynamic, real-time, high-performance API gateway that provides rich traffic management features such as load balancing, dynamic upstream, grayscale publishing, service meltdown , authentication , observability and so on.
+Apache APISIX is a dynamic, real-time, high-performance API gateway that provides rich traffic management features such as load balancing, dynamic upstream, canary release, service meltdown , authentication , observability and so on.
You can use Apache APISIX to handle traditional north-south traffic, as well as east-west traffic between services.
diff --git a/website/blog/2021/06/28/why-we-need-Apache-APISIX.md b/website/blog/2021/06/28/why-we-need-Apache-APISIX.md
index 1b2542e..2da70cd 100644
--- a/website/blog/2021/06/28/why-we-need-Apache-APISIX.md
+++ b/website/blog/2021/06/28/why-we-need-Apache-APISIX.md
@@ -68,7 +68,7 @@ When we have few tools at hand, we always have to compromise between functionali
As you can see, these are NGINX drawbacks, such as NGINX's low activity community. While we could invest more resources at the corporate level, his community is really unfriendly, and how unfriendly is it? As you can see in the picture above, the NGINX repository in Github is only a mirror, the issue function is closed, it is impossible to submit an issue, and even if you submit a PR the official will not merge it.
-In addition, NGINX is weak in its own routing, for example, I want to do grayscale based on a request parameter such as id, you will find that NGINX is completely unable to achieve. So we can see a lot of small open source systems, as long as the above grayscale scenario is solved, it can be an independent open source project. In addition, gRPC calls are becoming more and more popular in microservice calls, but NGINX support for it is only "simple to use".
+In addition, NGINX is weak in its own routing, for example, I want to do canary release based on a request parameter such as id, you will find that NGINX is completely unable to achieve. So we can see a lot of small open source systems, as long as the above canary release scenario is solved, it can be an independent open source project. In addition, gRPC calls are becoming more and more popular in microservice calls, but NGINX support for it is only "simple to use".
Finally, the NGINX cluster management, almost every Internet vendor has its own NGINX configuration management system, although the system is similar but there is no unified solution, more than a decade has been blank.
@@ -136,7 +136,7 @@ You may be wondering if APISIX is going to support so many scenarios. Here I wil
-For traditional LB and API Gateway scenarios, APISIX has the advantage of going from static to all dynamic, no more reloads, as many tech companies start with a half hour NGINX reload. The aforementioned grayscale scenario of moduloing based on request id can be easily done in APISIX using fine-grained routing.
+For traditional LB and API Gateway scenarios, APISIX has the advantage of going from static to all dynamic, no more reloads, as many tech companies start with a half hour NGINX reload. The aforementioned canary release scenario of moduloing based on request id can be easily done in APISIX using fine-grained routing.
diff --git a/website/blog/2021/07/14/the-road-to-customization-of-Sina-Weibo-API-gateway-based-on-Apache-APISIX.md b/website/blog/2021/07/14/the-road-to-customization-of-Sina-Weibo-API-gateway-based-on-Apache-APISIX.md
index 789d038..11b00ff 100644
--- a/website/blog/2021/07/14/the-road-to-customization-of-Sina-Weibo-API-gateway-based-on-Apache-APISIX.md
+++ b/website/blog/2021/07/14/the-road-to-customization-of-Sina-Weibo-API-gateway-based-on-Apache-APISIX.md
@@ -27,7 +27,7 @@ The whole process is long and inefficient, and cannot meet the trend of low-code
After some research, we chose the closest to the expected cloud-based micro-services API gateway: Apache APISIX.
-1. Based on Nginx, the technology stack is unified before and after the grayscale upgrade, security, stability, etc. are guaranteed.
+1. Based on Nginx, the technology stack is unified before and after the canary release upgrade, security, stability, etc. are guaranteed.
1. Built-in unified control surface, unified management of multiple proxy services.
1. Dynamic API call, you can complete the common resource modifications in real time, compared to the traditional Nginx configuration + reload way progress is obvious.
1. Rich routing options to meet the needs of Sina Weibo routing.
@@ -42,7 +42,7 @@ In the actual business situation, we cannot use Apache APISIX directly for the f
1. Apache APISIX does not support SaaS multi-tenancy, and there are many upper-layer applications that actually need to be operated and maintained, and each business line development or operation and maintenance student only needs to manage and maintain their own rules, upstreams and other rules, which are not associated with each other.
1. When the routing rules are published online, they need fast roll back support if problems arise.
-1. When creating or editing existing routing rules, we are not so sure about publishing them directly to the wire, and then we need it to be able to support grayscale publishing to a specified gateway instance for simulation or local testing.
+1. When creating or editing existing routing rules, we are not so sure about publishing them directly to the wire, and then we need it to be able to support canary release to a specified gateway instance for simulation or local testing.
1. The need for API gateways to be able to support Consul KV-style service registration and discovery mechanisms.
None of these requirements are currently supported built-in by Apache APISIX, so custom development is the only way to make Apache APISIX truly usable within Weibo.
@@ -89,38 +89,38 @@ The internal processing flow of a single route roll back is shown in the followi
We need to create version database storage for each release of a single route. This way, when we do a full release after the audit, each release will generate a version number and the corresponding full configuration data; then the version list grows. When we need to roll back, go to the version list and select a corresponding version to rollback; in a sense, the roll back is actually a special form of full release.
-### Support Grayscale Release
+### Support Canary Release
-Our custom-developed grayscale release feature is different from what the community generally understands as grayscale release, and is less risky compared to full deployment. When a change to a routing rule is large, we can choose to publish and take effect only on a specific limited number of gateway instances, instead of publishing and taking effect on all gateway instances, thus reducing the scope of the release, lowering the risk, and enabling fast trial and error.
+Our custom-developed canary release feature is different from what the community generally understands as canary release, and is less risky compared to full deployment. When a change to a routing rule is large, we can choose to publish and take effect only on a specific limited number of gateway instances, instead of publishing and taking effect on all gateway instances, thus reducing the scope of the release, lowering the risk, and enabling fast trial and error.
-Although grayscale release is a low-frequency behavior, there is still a state transition between it and full volume release.
+Although canary release is a low-frequency behavior, there is still a state transition between it and full volume release.
-
+
-When the percentage of gray release decreases to 0%, it is the state of full release; when the gray release rises to 100%, it is the next full release, and this is its state transition.
-The full grayscale publishing feature requires some API support exposed on the gateway instance in addition to the administrative backend support.
+When the percentage of canary release decreases to 0%, it is the state of full release; when the canary release rises to 100%, it is the next full release, and this is its state transition.
+The full canary release feature requires some API support exposed on the gateway instance in addition to the administrative backend support.
-
+
-The above screenshot shows the screenshot when operating Grayscale Publishing to select a specific gateway instance.
+The above screenshot shows the screenshot when operating canary release to select a specific gateway instance.
-The full grayscale publishing feature requires some API support exposed on the gateway instance in addition to the administrative backend support.
+The full canary release feature requires some API support exposed on the gateway instance in addition to the administrative backend support.
-
+
-Grayscale publishing API fixed URI, the unified path is /admin/services/gray/{SAAS_ID}/ routes. Different HTTP Method presents different business meanings, POST means create, DELETE means to stop grayscale, GET means to view.
+Canary release API fixed URI, the unified path is /admin/services/gray/{SAAS_ID}/ routes. Different HTTP Method presents different business meanings, POST means create, DELETE means to stop canary release, GET means to view.
#### Activation Process
-An API is published from the gateway level, and after receiving the data the worker process checks the legitimacy of the data sent, and the legitimate data is broadcast to all worker processes via events. Then the grayscale publishing API is called and the grayscale rules are added and take effect when the next request is processed.
+An API is published from the gateway level, and after receiving the data the worker process checks the legitimacy of the data sent, and the legitimate data is broadcast to all worker processes via events. Then the canary release API is called and the canary release rules are added and take effect when the next request is processed.
#### Deactivation Process
-The deactivation process is basically the same as the grayscale distribution process. The API for grayscale distribution is called by the DELETE method and broadcasted to all work processes. If it exists in the route table, delete it and try to restore it from the ETCD. If the grayscale is deactivated, make sure that the original ETCD can be restored without affecting the normal service.
+The deactivation process is basically the same as the canary release distribution process. The API for canary release distribution is called by the DELETE method and broadcasted to all work processes. If it exists in the route table, delete it and try to restore it from the ETCD. If the canary release is deactivated, make sure that the original ETCD can be restored without affecting the normal service.
### Support Fast Import
diff --git a/website/blog/2021/07/21/Apache-APISIX-Kubernetes.md b/website/blog/2021/07/21/Apache-APISIX-Kubernetes.md
index 1801574..b372934 100644
--- a/website/blog/2021/07/21/Apache-APISIX-Kubernetes.md
+++ b/website/blog/2021/07/21/Apache-APISIX-Kubernetes.md
@@ -35,7 +35,7 @@ He is also the author of Kubernetes Hands-on and Docker Core Knowledge.
## About Apache APISIX
-Apache APISIX is a dynamic, real-time, high-performance open source API gateway that provides rich traffic management features such as load balancing, dynamic upstream, grayscale publishing, service fusion, authentication, observability, etc. Apache APISIX can help enterprises quickly and securely handle API and microservice traffic, including gateways, Kubernetes Ingress and Service Grid.
+Apache APISIX is a dynamic, real-time, high-performance open source API gateway that provides rich traffic management features such as load balancing, dynamic upstream, canary release, service fusion, authentication, observability, etc. Apache APISIX can help enterprises quickly and securely handle API and microservice traffic, including gateways, Kubernetes Ingress and Service Grid.
Apache APISIX has been used by hundreds of enterprises worldwide to handle business-critical traffic, including finance, Internet, manufacturing, retail, carriers, and more, such as NASA, the European Union's Digital Factory, China Airlines, China Mobile, Tencent, Huawei, Weibo, NetEase, Shell, 360, Taikang, and Nespresso Tea.
diff --git a/website/blog/2021/08/06/using-apache-apisix-to-improve-the-observability-of-nginx.md b/website/blog/2021/08/06/using-apache-apisix-to-improve-the-observability-of-nginx.md
index 57e5b45..722f570 100644
--- a/website/blog/2021/08/06/using-apache-apisix-to-improve-the-observability-of-nginx.md
+++ b/website/blog/2021/08/06/using-apache-apisix-to-improve-the-observability-of-nginx.md
@@ -93,7 +93,7 @@ The table shows a comparison of Apache APISIX and Nginx features. Apache APISIX
### Apache APISIX Introduction
-Apache APISIX is a dynamic, real-time, high-performance API gateway that provides load balancing, dynamic upstream, grayscale publishing, service meltdown, authentication, observability, and other rich traffic management features. Apache APISIX is also the world's most active open source API gateway project, and is a production-ready, high-performance gateway. Hundreds of enterprises around the world have used Apache APISIX to handle business-critical traffic, covering finance, Internet, [...]
+Apache APISIX is a dynamic, real-time, high-performance API gateway that provides load balancing, dynamic upstream, canary release, service meltdown, authentication, observability, and other rich traffic management features. Apache APISIX is also the world's most active open source API gateway project, and is a production-ready, high-performance gateway. Hundreds of enterprises around the world have used Apache APISIX to handle business-critical traffic, covering finance, Internet, manuf [...]
### Apache APISIX Solution
diff --git a/website/blog/2021/08/18/Auth-with-Casbin-in-Apache-APISIX.md b/website/blog/2021/08/18/Auth-with-Casbin-in-Apache-APISIX.md
index 2721e6e..dbd5737 100644
--- a/website/blog/2021/08/18/Auth-with-Casbin-in-Apache-APISIX.md
+++ b/website/blog/2021/08/18/Auth-with-Casbin-in-Apache-APISIX.md
@@ -19,7 +19,7 @@ tags: [Practical Case]
### Apache APISIX
-[Apache APISIX](https://github.com/apache/apisix) is a dynamic, real-time, high-performance API gateway that provides load balancing, dynamic upstream, grayscale publishing, fine-grained routing, flow and speed limiting, service degradation, service meltdown, authentication, observability, and hundreds of other features. You can use Apache APISIX for traditional north-south traffic, as well as east-west traffic between services, or as a [k8s ingress controller](https://github.com/apache/ [...]
+[Apache APISIX](https://github.com/apache/apisix) is a dynamic, real-time, high-performance API gateway that provides load balancing, dynamic upstream, canary release, fine-grained routing, flow and speed limiting, service degradation, service meltdown, authentication, observability, and hundreds of other features. You can use Apache APISIX for traditional north-south traffic, as well as east-west traffic between services, or as a [k8s ingress controller](https://github.com/apache/apisix [...]
### Casbin
diff --git a/website/blog/2021/08/25/Using-the-Apache-APISIX-OpenID-Connect-Plugin-for-Centralized-Authentication.md b/website/blog/2021/08/25/Using-the-Apache-APISIX-OpenID-Connect-Plugin-for-Centralized-Authentication.md
index 0261e65..491f1c6 100644
--- a/website/blog/2021/08/25/Using-the-Apache-APISIX-OpenID-Connect-Plugin-for-Centralized-Authentication.md
+++ b/website/blog/2021/08/25/Using-the-Apache-APISIX-OpenID-Connect-Plugin-for-Centralized-Authentication.md
@@ -19,7 +19,7 @@ tags: [Practical Case]
## What is Apache APISIX
-[Apache APISIX](https://apisix.apache.org/) is a dynamic, real-time, high-performance API gateway that provides rich traffic management features such as load balancing, dynamic upstream, grayscale publishing, service meltdown, authentication, observability, and more. Apache APISIX's OpenID Connect plug-in supports OpenID, which allows users to replace authentication from traditional authentication mode to centralized authentication mode.
+[Apache APISIX](https://apisix.apache.org/) is a dynamic, real-time, high-performance API gateway that provides rich traffic management features such as load balancing, dynamic upstream, canary release, service meltdown, authentication, observability, and more. Apache APISIX's OpenID Connect plug-in supports OpenID, which allows users to replace authentication from traditional authentication mode to centralized authentication mode.
## What is authentication
@@ -249,7 +249,7 @@ Okta is a customizable, secure centralized authentication solution. Okta can add
## About Apache APISIX
-Apache APISIX is a dynamic, real-time, high-performance API gateway that provides load balancing, dynamic upstream, grayscale publishing, service meltdown, authentication, observability, and other rich traffic management features. You can use Apache APISIX for traditional north-south traffic, as well as east-west traffic between services, or as a [Kubernetes Ingress Controller](https://github.com/apache/apisix-ingress-controller).
+Apache APISIX is a dynamic, real-time, high-performance API gateway that provides load balancing, dynamic upstream, canary release, service meltdown, authentication, observability, and other rich traffic management features. You can use Apache APISIX for traditional north-south traffic, as well as east-west traffic between services, or as a [Kubernetes Ingress Controller](https://github.com/apache/apisix-ingress-controller).
Hundreds of enterprises worldwide have used Apache APISIX to handle business-critical traffic, covering finance, Internet, manufacturing, retail, carriers, and more, such as NASA, the EU's Digital Factory, China Airlines, China Mobile, Tencent, Huawei, Sina Weibo, NetEase, Ke, 360, Taikang, Nayuki, and more.
diff --git a/website/blog/2021/08/30/weekly-report.md b/website/blog/2021/08/30/weekly-report.md
index a7e80c4..945a0fe 100644
--- a/website/blog/2021/08/30/weekly-report.md
+++ b/website/blog/2021/08/30/weekly-report.md
@@ -82,7 +82,7 @@ We've also put together some issues for those new to the community! If you are i
## Recommended blog posts of the week
-- [Centralized Authentication with the OpenID Connect Plugin for Apache APISIX](https://apisix.apache.org/blog/2021/08/25/Using-the-Apache-APISIX-OpenID-Connect-Plugin-for-Centralized-Authentication/): Apache APISIX is a dynamic, real-time, high-performance API gateway that provides rich traffic management features such as load balancing, dynamic upstream, grayscale publishing, service meltdown, authentication, observability, etc. Apache APISIX not only supports plug-in dynamic changes a [...]
+- [Centralized Authentication with the OpenID Connect Plugin for Apache APISIX](https://apisix.apache.org/blog/2021/08/25/Using-the-Apache-APISIX-OpenID-Connect-Plugin-for-Centralized-Authentication/): Apache APISIX is a dynamic, real-time, high-performance API gateway that provides rich traffic management features such as load balancing, dynamic upstream, canary release, service meltdown, authentication, observability, etc. Apache APISIX not only supports plug-in dynamic changes and Apa [...]
- [Why did APISIX choose the Nginx + Lua technology stack?](https://apisix.apache.org/blog/2021/08/25/Why-Apache-APISIX-chose-Nginx-and-Lua): Provides the historical background and advantages of the Nginx + Lua technology stack chosen by APISIX, noting that " High performance + flexibility" is what makes APISIX stand out from other gateways.
diff --git a/website/blog/2021/09/07/iQIYI-usercase.md b/website/blog/2021/09/07/iQIYI-usercase.md
index 014fe9b..b539531 100644
--- a/website/blog/2021/09/07/iQIYI-usercase.md
+++ b/website/blog/2021/09/07/iQIYI-usercase.md
@@ -80,7 +80,7 @@ When the instance changes, the corresponding node is first unlogged from Consul
The gateway is multi-location deployment, build a set of multi-location backup link in advance, at the same time suggest the user back-end service is also multi-location deployment nearby. Then the user creates an API service on the Skywalker Gateway platform, the Controller deploys the API routing on the entire DC gateway cluster, and the business domain defaults to CNAME on the unified gateway domain name.
-It provides multi-local access, disaster preparedness and handoff capability for business directly, and also supports user-defined resolution routing. For the user’s own fault-cut flow, blue-green deployment, gray-scale publishing needs, users can use the uuid domain name to customize the resolution of routing configuration, but also to support the back-end service discovery custom scheduling.
+It provides multi-local access, disaster preparedness and handoff capability for business directly, and also supports user-defined resolution routing. For the user’s own fault-cut flow, blue-green deployment, canary release needs, users can use the uuid domain name to customize the resolution of routing configuration, but also to support the back-end service discovery custom scheduling.
### Scenario 5: Multi-site Multi-level Disaster Tolerance
diff --git a/website/blog/2021/09/13/china-mobile-cloud-usercase.md b/website/blog/2021/09/13/china-mobile-cloud-usercase.md
index d01c89f..ba009ac 100644
--- a/website/blog/2021/09/13/china-mobile-cloud-usercase.md
+++ b/website/blog/2021/09/13/china-mobile-cloud-usercase.md
@@ -66,7 +66,7 @@ Here we first give you a brief description of the current Object Storage EOS nod
-The control plane has several main services, including the autopilot service Manager, the observable system Observer, and the chaos engineering fault injection module Checker. there is also an additional overall interaction orchestration system Orchestrator and a grayscale publishing platform Publisher.
+The control plane has several main services, including the autopilot service Manager, the observable system Observer, and the chaos engineering fault injection module Checker. there is also an additional overall interaction orchestration system Orchestrator and a canary release platform Publisher.
diff --git a/website/blog/2021/09/15/weekly-report.md b/website/blog/2021/09/15/weekly-report.md
index 3645ec9..4989858 100644
--- a/website/blog/2021/09/15/weekly-report.md
+++ b/website/blog/2021/09/15/weekly-report.md
@@ -121,7 +121,7 @@ The Apache APISIX project website and the issue on Github have accumulated a wea
## About Apache APISIX
-Apache APISIX is a dynamic, real-time, high-performance open source API gateway that provides rich traffic management features such as load balancing, dynamic upstream, grayscale publishing, service meltdown, authentication, observability, etc. Apache APISIX helps enterprises quickly and securely handle API and microservice traffic, including gateways, Kubernetes Ingress and Service Grid.
+Apache APISIX is a dynamic, real-time, high-performance open source API gateway that provides rich traffic management features such as load balancing, dynamic upstream, canary release, service meltdown, authentication, observability, etc. Apache APISIX helps enterprises quickly and securely handle API and microservice traffic, including gateways, Kubernetes Ingress and Service Grid.
Apache APISIX has been used by hundreds of enterprises worldwide to handle business-critical traffic, including finance, Internet, manufacturing, retail, carriers, and more, such as NASA, the European Union's Digital Factory, China Airlines, China Mobile, Tencent, Huawei, Weibo, NetEase, Shell, 360, Taikang, and Nespresso Tea.
diff --git a/website/blog/2021/10/09/apisix-ingress-techblog.md b/website/blog/2021/10/09/apisix-ingress-techblog.md
index a416cdb..c17c8b1 100644
--- a/website/blog/2021/10/09/apisix-ingress-techblog.md
+++ b/website/blog/2021/10/09/apisix-ingress-techblog.md
@@ -34,7 +34,7 @@ We mentioned earlier that APISIX Ingress uses Apache APISIX as the data surface
-Apache APISIX is the top open source project of the Apache Foundation and is currently the most active open source gateway project. As a dynamic, real-time, high-performance open source API gateway, Apache APISIX provides rich traffic management features such as load balancing, dynamic upstream, grayscale publishing, service meltdown, authentication, observability, and more.
+Apache APISIX is the top open source project of the Apache Foundation and is currently the most active open source gateway project. As a dynamic, real-time, high-performance open source API gateway, Apache APISIX provides rich traffic management features such as load balancing, dynamic upstream, canary release, service meltdown, authentication, observability, and more.
Apache APISIX helps enterprises handle API and microservice traffic quickly and securely with features such as flow-limiting authentication, logging security features, and support for rich custom plug-ins. There are also currently relevant integrations with many open source projects such as Apache SkyWalking, Prometheus and other such components.
@@ -44,7 +44,7 @@ Since I am involved in the development and maintenance of both APISIX Ingress an
### Configuration level
-In APISIX Ingress, we have added some rich and flexible configurations, such as grayscale deployment through a single configuration file. However, in K8s Ingress Nginx, you need at least two Ingress resource files to achieve the above effect.
+In APISIX Ingress, we have added some rich and flexible configurations, such as canary release deployment through a single configuration file. However, in K8s Ingress Nginx, you need at least two Ingress resource files to achieve the above effect.
### Richness
@@ -148,7 +148,7 @@ Configure `subset` and `weight` in `backends` to split the incoming user request
-With the above two steps, it is very easy to slice and dice traffic proportionally to achieve scenarios like grayscale publishing.
+With the above two steps, it is very easy to slice and dice traffic proportionally to achieve scenarios like canary release.
For more details, please refer to: [Traffic Segmentation in Apache APISIX Ingress Controller](https://www.apiseven.com/zh/blog/traffic-split-in-apache-apisix-ingress-controller).
### Practice Scenario 2: Configuring Authentication
diff --git a/website/blog/2021/10/26/APISIX-Ingress.md b/website/blog/2021/10/26/APISIX-Ingress.md
index a725a72..d741829 100644
--- a/website/blog/2021/10/26/APISIX-Ingress.md
+++ b/website/blog/2021/10/26/APISIX-Ingress.md
@@ -32,7 +32,7 @@ As you can see in the figure above, APISIX Ingress is deployed in a Kubernetes c
We mentioned earlier that APISIX Ingress uses Apache APISIX as the actual data plane to carry business traffic, so what is Apache APISIX?
-Apache APISIX is the top open source project of the Apache Foundation and the most active open source gateway project, and is currently certified as a trusted open source project by the China Academy of Information and Communications Technology. As a dynamic, real-time, high-performance open source API gateway, Apache APISIX provides rich traffic management features such as load balancing, dynamic upstream, grayscale publishing, service meltdown, authentication, observability, and more.
+Apache APISIX is the top open source project of the Apache Foundation and the most active open source gateway project, and is currently certified as a trusted open source project by the China Academy of Information and Communications Technology. As a dynamic, real-time, high-performance open source API gateway, Apache APISIX provides rich traffic management features such as load balancing, dynamic upstream, canary release, service meltdown, authentication, observability, and more.
@@ -104,7 +104,7 @@ Most of these contributions come from community members using APISIX Ingress to
- Admission Hook
- Ingress' own Prometheus Metrics
- mTLs
-- Improvements to the grayscale function
+- Improvements to the canary release function
- Additional product documentation
More features [click here to view](https://github.com/apache/apisix-ingress-controller/#readme).
diff --git a/website/blog/2021/12/15/deploy-apisix-in-kubernetes.md b/website/blog/2021/12/15/deploy-apisix-in-kubernetes.md
index 7112f53..c047989 100644
--- a/website/blog/2021/12/15/deploy-apisix-in-kubernetes.md
+++ b/website/blog/2021/12/15/deploy-apisix-in-kubernetes.md
@@ -23,7 +23,7 @@ tags: [Technology]
<!--truncate-->
-Apache APISIX is a dynamic, real-time, high-performance open source API gateway that provides rich traffic management features such as load balancing, dynamic upstream, grayscale publishing, service meltdown, authentication, observability, and more.
+Apache APISIX is a dynamic, real-time, high-performance open source API gateway that provides rich traffic management features such as load balancing, dynamic upstream, canary release, service meltdown, authentication, observability, and more.
And Kubernetes, an open source system for automatically deploying, scaling, and managing containerized applications, is designed to provide users with support for automatic deployment **across host clusters**, scaling, and related features such as running application containers. Here we have compiled two easy-to-follow installation ideas on how to quickly deploy Apache APISIX in K8s and present related information via Dashboard.
diff --git a/website/blog/2021/12/16/apisix-with-rocketmq-meetup.md b/website/blog/2021/12/16/apisix-with-rocketmq-meetup.md
index d876f18..0759f5e 100644
--- a/website/blog/2021/12/16/apisix-with-rocketmq-meetup.md
+++ b/website/blog/2021/12/16/apisix-with-rocketmq-meetup.md
@@ -54,7 +54,7 @@ In this lightning talk, we will demonstrate how to run Go and Rust code inside A
This talk will provide a repeatable understanding of WASM, including its advantages and limitations, and how to introduce WASM into your own system.
-### The road to grayscale and cloud-native governance for Zhengcaiyun messaging middleware
+### The road to canary release and cloud-native governance for Zhengcaiyun messaging middleware
#### Speaker
@@ -64,7 +64,7 @@ Lin Zeng, the person in charge of Zhengcaiyun infrastructure platform, mainly re
This sharing will introduce how RocketMQ helps Zhengcaiyun companies to cope with the complex cloud and island hybrid cloud scenario of government procurement business.
-This presentation will provide a full understanding of how to use RocketMQ for grayscale and traffic staining, delayed message personalization, and the implementation of RocketMQ-based cloud-native operational transformation and other practical experience sharing.
+This presentation will provide a full understanding of how to use RocketMQ for canary release and traffic staining, delayed message personalization, and the implementation of RocketMQ-based cloud-native operational transformation and other practical experience sharing.
### Building a Better Kubernetes Ingress Controller
diff --git a/website/blog/2021/12/24/apisix-integrate-openwhisk-plugin.md b/website/blog/2021/12/24/apisix-integrate-openwhisk-plugin.md
index f35c92b..3d7223b 100644
--- a/website/blog/2021/12/24/apisix-integrate-openwhisk-plugin.md
+++ b/website/blog/2021/12/24/apisix-integrate-openwhisk-plugin.md
@@ -30,7 +30,7 @@ In this article, we will introduce `openwhisk`, a new plug-in for Apache APISIX,
### Apache APISIX
-[Apache APISIX](https://apisix.apache.org/) is a dynamic, real-time, high-performance API gateway that provides rich traffic management features such as load balancing, dynamic upstream, grayscale publishing, service fusion, authentication, observability, etc. Apache APISIX not only supports plug-in dynamic changes and hot-plugging, but also has many useful plug-ins.
+[Apache APISIX](https://apisix.apache.org/) is a dynamic, real-time, high-performance API gateway that provides rich traffic management features such as load balancing, dynamic upstream, canary release, service fusion, authentication, observability, etc. Apache APISIX not only supports plug-in dynamic changes and hot-plugging, but also has many useful plug-ins.
### Apache OpenWhisk
diff --git a/website/blog/2021/12/30/apisix-proxy-grpc-service.md b/website/blog/2021/12/30/apisix-proxy-grpc-service.md
index a6b0f3e..f59a23d 100644
--- a/website/blog/2021/12/30/apisix-proxy-grpc-service.md
+++ b/website/blog/2021/12/30/apisix-proxy-grpc-service.md
@@ -27,7 +27,7 @@ tags: [Technology]
### Apache APISIX
-[Apache APISIX](https://apisix.apache.org/) is a dynamic, real-time, high-performance API gateway that provides load balancing, dynamic upstream, grayscale publishing, service fusion, authentication, observability, and other rich traffic management features. Apache APISIX not only supports dynamic change and hot-plugging of plug-ins, but also has a rich library of plug-in resources.
+[Apache APISIX](https://apisix.apache.org/) is a dynamic, real-time, high-performance API gateway that provides load balancing, dynamic upstream, canary release, service fusion, authentication, observability, and other rich traffic management features. Apache APISIX not only supports dynamic change and hot-plugging of plug-ins, but also has a rich library of plug-in resources.
### gRPC
diff --git a/website/blog/2022/01/04/authing.md b/website/blog/2022/01/04/authing.md
new file mode 100644
index 0000000..6bfd2ea
--- /dev/null
+++ b/website/blog/2022/01/04/authing.md
@@ -0,0 +1,255 @@
+---
+title: "Using Apache APISIX and Authing to implement Centralized Authentication Management"
+authors:
+ - name: "Xinxin Zhu"
+ title: "Author"
+ url: "https://github.com/starsz"
+ image_url: "https://avatars.githubusercontent.com/u/25628854?v=4"
+ - name: "Yilin Zeng"
+ title: "Technical Writer"
+ url: "https://github.com/yzeng25"
+ image_url: "https://avatars.githubusercontent.com/u/36651058?v=4"
+keywords:
+- Apache APISIX
+- Authing
+- OpenID
+- Authentication
+- Ecosystem
+description: This article describes the detailed steps for interfacing Apache APISIX and Authing.
+tags: [Technology]
+---
+
+> This article describes the detailed steps for interfacing Apache APISIX and Authing.
+
+<!--truncate-->
+
+
+
+## Introduction
+
+### About Apache APISIX
+
+[Apache APISIX](https://github.com/apache/apisix) is a dynamic, real-time, high-performance API gateway that provides rich traffic management features such as load balancing, dynamic upstream, canary release, service meltdown, authentication, observability, etc. Apache APISIX not only supports dynamic plug-in changes and hot-plugging, but also has a number of useful plug-ins.OpenID Connect Plug-in for Apache APISIX With support for the OpenID Connect protocol, users can use this plug-in [...]
+
+### About Authing
+
+[Authing](https://www.authing.cn/) is the first developer-centered full-scene identity cloud product in China, integrating all mainstream identity protocols and providing complete and secure user authentication and access management services for enterprises and developers. With "API First" as the cornerstone of the product, all common functions in the identity field are modularly encapsulated, and all capabilities are APIed to developers through a full-scene programming language SDK. At [...]
+
+## What is Centralized Authentication
+
+### Traditional Authentication Mode
+
+In the traditional authentication mode, each back-end application service needs to develop separate functions to support the authentication function, such as interacting with the identity provider and obtaining the user's identity information.
+
+
+
+### Centralized Identity Authentication Mode
+
+Unlike the traditional authentication mode, the centralized authentication mode takes the user authentication out of the application service. Take Apache APISIX as an example, the process of centralized authentication is shown in the figure above: first, the user initiates a request, and then the front gateway is responsible for the user authentication process, interfacing with the identity provider and sending an authorization request to the identity provider. The identity provider retu [...]
+
+
+
+### Advantages of Centralized Identity Authentication Mode
+
+Compared with the traditional authentication mode, the centralized authentication mode has the following advantages.
+
+1. Simplify the application development process, reduce the development of application workload and maintenance costs, and avoid repeated development of authentication logic for each application.
+2. Improve business security, centralized authentication mode at the gateway level can intercept unauthenticated requests in time to protect back-end applications.
+
+At the same time, combined with Authing's powerful authentication management functions, the following functions can be achieved.
+
+1. Lifecycle management of authentication services through the console, including creation, enablement, disablement, etc.
+2. Real-time, visual application monitoring, including: the number of interface requests, interface call latency and interface error information, and real-time alarm notification.
+3. Centralized logging to easily view user login, logout, and information about adjustments and modifications to the application.
+
+More details can be found in [Authing Access Gateway](https://www.authing.cn/gateway-integration).
+
+## How to implement Centralized Identity Authentication using Apache APISIX and Authing
+
+### Step 1: Configure Authing
+
+1. Login to your Authing account, select Build your own app and fill in the app name and authentication address. If you do not have an Authing account, please visit [Authing](https://www.authing.cn/), click on "Login/Register" in the upper right corner to register an Authing account.
+ 
+
+2. Click Create to create an Authing application.
+ 
+
+3. During the authentication process, Authing will reject callback URLs other than the configured ones. Since this is a local test, the login callback URL and the logout callback URL are both set to the APISIX access address http://127.0.0.1:9080/.
+ 
+
+4. Create user (optional). On the user list page, create a user with the account password user1/user1, and you can set whether to allow access to the application in the "User Information - Authorization Management" page (the default is to allow).
+ 
+ 
+
+5. Visit the application page for the following configuration, which is required when configuring Apache APISIX OpenID Connect.
+ 1. App ID: OAuth client ID, i.e. the ID of the application, corresponding to `client_id` and `{YOUR_CLIENT_ID}` below.
+ 2. App secret: OAuth client secret, i.e. the application key. Corresponds to `client_secret` and `{YOUR_CLIENT_SECRET}` below.
+ 3. Service_discovery_address: The address of the application service discovery. Corresponds to `{YOUR_DISCOVERY}` below.
+ 
+
+### Step 2: Install Apache APISIX
+
+You can install Apache APISIX in a variety of ways including source packages, Docker, Helm Chart, etc.
+
+#### Install dependencies
+
+The Apache APISIX runtime environment requires dependencies on NGINX and etcd.
+
+Before installing Apache APISIX, please install dependencies according to the operating system you are using. We provide the dependencies installation instructions for CentOS7, Fedora 31 and 32, Ubuntu 16.04 and 18.04, Debian 9 and 10, and macOS. Please refer to [Install Dependencies](https://apisix.apache.org/docs/apisix/install-dependencies/) for more details.
+
+#### Installation via RPM Package (CentOS 7)
+
+This installation method is suitable for CentOS 7; please run the following command to install Apache APISIX.
+
+```shell
+sudo yum install -y https://github.com/apache/apisix/releases/download/2.7/apisix-2.7-0.x86_64.rpm
+```
+
+#### Installation via Docker
+
+Please refer to [Installing Apache APISIX with Docker](https://hub.docker.com/r/apache/apisix).
+
+#### Installation via Helm Chart
+
+Please refer to [Installing Apache APISIX with Helm Chart](https://github.com/apache/apisix-helm-chart).
+
+#### Installation via source release
+
+1. Create a directory named `apisix-2.7`.
+
+```shell
+mkdir apisix-2.7
+```
+
+2. Download Apache APISIX Release source package.
+
+```shell
+wget https://downloads.apache.org/apisix/2.7/apache-apisix-2.7-src.tgz
+```
+
+You can also download the Apache APISIX release source package from the Apache APISIX website. The [Apache APISIX Official Website - Download Page](https://apisix.apache.org/downloads/) also provides source packages for Apache APISIX, APISIX Dashboard, and APISIX Ingress Controller.
+
+3. Unzip the Apache APISIX Release source package.
+
+```shell
+tar zxvf apache-apisix-2.7-src.tgz -C apisix-2.7
+```
+
+4. Install the runtime-dependent Lua libraries.
+
+```shell
+# Switch to the apisix-2.7 directory
+cd apisix-2.7
+# Create dependencies
+make deps
+```
+
+#### Initializing Dependencies
+
+Run the following command to initialize the NGINX configuration file and etcd.
+
+```shell
+# initialize NGINX config file and etcd
+make init
+```
+
+### Step 3: Start Apache APISIX and configure route
+
+1. Run the following command to start Apache APISIX.
+
+ ```shell
+ apisix start
+ ```
+
+2. Create routes and configure the OpenID Connect plug-in. the OpenID Connect configuration list is as follows.
+
+|Field|Default Value|Description|
+|:--------|:--------|:---------------|
+|client_id|N/A|OAuth client ID|
+|client_secret|N/A|OAuth client secret key|
+|discovery|N/A|Service discovery endpoints for identity providers|
+|scope|openid|Need to access resource scope|
+|relm|apisix|Specify the WWW-Authenticate response header authentication information|
+|bearer_only|false|Whether to check the token in the request header|
+|logout_path|/logout|Logout URI|
+|redirect_uri|request_uri|The URI that the identity provider bounces back to, defaulting to the request address|
+|timeout|3|Request timeout time in seconds|
+|ssl_verify|false|Whether the identity provider's checksum ssl certificate|
+|introspection_endpoint|N/A|The URL of the identity provider's token authentication endpoint, which will be extracted from the discovery response if left blank.|
+|introspection_endpoint_auth_method|client_secret_basic|Name of the authentication method for token introspection|
+|public_key|N/A|Public key for authentication token|
+|token_signing_alg_values_expected|N/A|Algorithm for authentication tokens|
+|set_access_token_header|true|Whether to carry the access token in the request header|
+|access_token_in_authorization_header|false|The access token is placed in the Authorization header when true, and in the X-Access-Token header when false.|
+|set_id_token_header|false|No to carry the ID token to the X-ID-Token request header|
+|set_userinfo_header|false|Whether to carry user information in the X-Userinfo request header|
+
+The following code example creates a route through the Apache APISIX Admin API, setting the route upstream to [httpbin.org](http://httpbin.org). `httpbin.org` is a simple backend service for receiving and responding to requests, the `get` page of `httpbin.org` will be used below, refer to [http bin get](http://httpbin.org/#/HTTP_Methods/get_get).
+
+For specific configuration items, please refer to [Apache APISIX OpenID Connect Plugin](https://apisix.apache.org/zh/docs/apisix/plugins/openid-connect/).
+
+```shell
+curl -XPOST 127.0.0.1:9080/apisix/admin/routes -H "X-Api-Key: edd1c9f034335f136f87ad84b625c8f1" -d '{
+ "uri":"/*",
+ "plugins":{
+ "openid-connect":{
+ "client_id":"{YOUR_CLIENT_ID}",
+ "client_secret":"{YOUR_CLIENT_SECRET}",
+ "discovery":"https://{YOUR_DISCOVERY}",
+ "scope":"openid profile",
+ "bearer_only":false,
+ "realm":"apisix",
+ "introspection_endpoint_auth_method":"client_secret_post",
+ "redirect_uri":"http://127.0.0.1:9080/"
+ }
+ },
+ "upstream":{
+ "type":"roundrobin",
+ "nodes":{
+ "httpbin.org:80":1
+ }
+ }
+}'
+```
+
+### Step 4: Access Apache APISIX
+
+1. Visit "http://127.0.0.1:9080/get" and the page is redirected to the Authing login page as the OpenID Connect plugin is already enabled (this page can be customized in the Authing console under "Applications - Branding").
+ 
+
+2. Enter the password for the user's account registered with Authing, or the user user1/user1 created in Step 1, and click Login to log in to the Authing account.
+
+3. After a successful login, you can successfully access the get page in httpbin.org. The httpbin.org/get page will return the requested data as follows.
+
+ ```shell
+ ...
+ "X-Access-Token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InFqeU55aVdVd2NhbUFxdEdVRUNCeFNsTWxQSWtTR2N1NmkyZzhEUk1OSGsifQ.eyJqdGkiOiJjTy16a0pCS0NSRFlHR2kyWkJhY0oiLCJzdWIiOiI2MWM5OGFmOTg0MjI4YWU0OTYyMDU4NTIiLCJpYXQiOjE2NDA1OTg4NTgsImV4cCI6MTY0MTgwODQ1OCwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSIsImlzcyI6Imh0dHBzOi8vYXBpc2l4LmF1dGhpbmcuY24vb2lkYyIsImF1ZCI6IjYxYzk4M2M0YjI4NzdkNDg2OWRkOGFjYiJ9.l2V8vDWcCObB1LjIhKs2ARG4J7WuB-0c-bnYZG2GP2zcpl6PMAPcId2B76CaXCU58ajGcfRmOlWJ67UaHrfWKv8IM4vcYN1gwhKdo [...]
+ "X-Id-Token": "eyJhdF9oYXNoIjoiRl8tRjZaUVgtWVRDNEh0TldmcHJmUSIsImJpcnRoZGF0ZSI6bnVsbCwiZmFtaWx5X25hbWUiOm51bGwsImdlbmRlciI6IlUiLCJnaXZlbl9uYW1lIjpudWxsLCJpc3MiOiJodHRwczpcL1wvYXBpc2l4LmF1dGhpbmcuY25cL29pZGMiLCJwaWN0dXJlIjoiaHR0cHM6XC9cL2ZpbGVzLmF1dGhpbmcuY29cL2F1dGhpbmctY29uc29sZVwvZGVmYXVsdC11c2VyLWF2YXRhci5wbmciLCJwcmVmZXJyZWRfdXNlcm5hbWUiOm51bGwsInVwZGF0ZWRfYXQiOiIyMDIxLTEyLTI3VDA5OjU0OjE3Ljc3M1oiLCJ3ZWJzaXRlIjpudWxsLCJ6b25laW5mbyI6bnVsbCwibmFtZSI6bnVsbCwiaWF0IjoxNjQwNTk4ODU4LCJua [...]
+ "X-Userinfo": "eyJ3ZWJzaXRlIjpudWxsLCJ6b25laW5mbyI6bnVsbCwibmFtZSI6bnVsbCwicHJvZmlsZSI6bnVsbCwibmlja25hbWUiOm51bGwsInN1YiI6IjYxYzk4YWY5ODQyMjhhZTQ5NjIwNTg1MiIsImxvY2FsZSI6bnVsbCwiYmlydGhkYXRlIjpudWxsLCJmYW1pbHlfbmFtZSI6bnVsbCwiZ2VuZGVyIjoiVSIsImdpdmVuX25hbWUiOm51bGwsIm1pZGRsZV9uYW1lIjpudWxsLCJwaWN0dXJlIjoiaHR0cHM6XC9cL2ZpbGVzLmF1dGhpbmcuY29cL2F1dGhpbmctY29uc29sZVwvZGVmYXVsdC11c2VyLWF2YXRhci5wbmciLCJwcmVmZXJyZWRfdXNlcm5hbWUiOm51bGwsInVwZGF0ZWRfYXQiOiIyMDIxLTEyLTI3VDA5OjU0OjE3Ljc3M1oifQ=="
+ ...
+ ```
+
+ **X-Access-Token**: Apache APISIX puts the access token obtained from the user provider into the `X-Access-Token` request header, optionally in the Authorization request header via `access_token_in_authorization_header` in the plugin configuration.
+
+ 
+
+ **X-Id-Token**: Apache APISIX puts the ID token obtained from the user provider into the X-Id-Token request header after base64 encoding, which can be enabled or disabled by `set_id_token_header` in the plugin configuration.
+
+ 
+
+ **X-Userinfo**: Apache APISIX puts the user information obtained from the user provider into X-Userinfo after encoding it in base64. You can choose whether to enable this feature by using `set_userinfo_header` in the plugin configuration.
+
+ 
+
+ As you can see, Apache APISIX will carry `X-Access-Token`, `X-Id-Token` and `X-Userinfo` request headers to the upstream. The upstream can parse these headers to get the user ID information and the user metadata.
+
+4. In the "Audit Log - User Behavior Log" in the Authing console, you can observe that user1 login information.
+ 
+
+## Summary
+
+This article describes the detailed steps for interfacing Apache APISIX with Authing.
+
+Apache APISIX is not only committed to maintaining its own high performance, but also has always attached great importance to the construction of open source ecology. At present, Apache APISIX has 10+ authentication authorization-related plug-ins that support interfacing with mainstream authentication authorization services in the industry.
+
+If you have a need to interface to other authentication authorities, visit Apache APISIX's [GitHub](https://github.com/apache/apisix/issues) and leave your suggestions via issue; or subscribe to Apache APISIX's [mailing list](https://apisix.apache.org/zh/docs/general/subscribe-guide) to express your thoughts via email.
diff --git a/website/i18n/zh/docusaurus-plugin-content-blog/2022/01/04/authing.md b/website/i18n/zh/docusaurus-plugin-content-blog/2022/01/04/authing.md
new file mode 100644
index 0000000..028ef3a
--- /dev/null
+++ b/website/i18n/zh/docusaurus-plugin-content-blog/2022/01/04/authing.md
@@ -0,0 +1,257 @@
+---
+title: "Apache APISIX 结合 Authing 实现集中式身份认证管理"
+authors:
+ - name: "朱欣欣"
+ title: "Author"
+ url: "https://github.com/starsz"
+ image_url: "https://avatars.githubusercontent.com/u/25628854?v=4"
+ - name: "曾奕霖"
+ title: "Technical Writer"
+ url: "https://github.com/yzeng25"
+ image_url: "https://avatars.githubusercontent.com/u/36651058?v=4"
+keywords:
+- Apache APISIX
+- Authing
+- OpenID
+- Authentication
+- 插件
+description: 本文为大家描述了 Apache APISIX 和 Authing 对接的详细操作步骤,通过阅读本文,大家对于在 Apache APISIX 中使用 Authing 有了更清晰的理解。
+tags: [Technology]
+---
+
+> 本文为大家描述了 Apache APISIX 和 Authing 对接的详细操作步骤,通过阅读本文,大家会对于在 Apache APISIX 中使用 Authing 有更清晰的理解。
+
+<!--truncate-->
+
+
+
+## 项目介绍
+
+### 关于 Apache APISIX
+
+[Apache APISIX](https://github.com/apache/apisix) 是一个动态、实时、高性能的 API 网关,提供负载均衡、动态上游、灰度发布、服务熔断、身份认证、可观测性等丰富的流量管理功能。Apache APISIX 不仅支持插件动态变更和热插拔,而且拥有众多实用的插件。Apache APISIX 的 OpenID Connect 插件支持 OpenID Connect 协议,用户可以使用该插件让 Apache APISIX 对接 Authing 服务,作为集中式认证网关部署于企业中。
+
+### 关于 Authing
+
+[Authing](https://www.authing.cn/) 是国内首款以开发者为中心的全场景身份云产品,集成了所有主流身份认证协议,为企业和开发者提供完善安全的用户认证和访问管理服务。以「API First」作为产品基石,把身份领域所有常用功能都进行了模块化的封装,通过全场景编程语言 SDK 将所有能力 API 化提供给开发者。同时,用户可以灵活的使用 Authing 开放的 RESTful APIs 进行功能拓展,满足不同企业不同业务场景下的身份管理需求。
+
+## 什么是集中式身份认证
+
+### 传统身份认证
+
+在传统认证模式下,各个后端应用服务需要单独开发功能以支持身份认证功能,例如与身份提供商进行交互、获取用户的身份信息等功能。
+
+
+
+### 集中式身份认证
+
+与传统认证模式不同,集中身份认证模式把用户认证从应用服务中抽离了出来。以 Apache APISIX 为例,集中认证的流程如上图所示:首先由用户发起请求(request),然后由前置的网关负责用户认证流程,与身份提供方对接,向身份提供方发送身份认证(authorization)请求。身份提供方返回用户身份信息(user info)。网关完成用户身份识别后,将用户身份信息通过请求头的形式转发至后端应用。
+
+
+
+### 集中式身份认证的优点
+
+相比较传统认证模式,集中认证模式下有如下优点:
+
+1. 简化应用开发流程,降低开发应用工作量和维护成本,避免各个应用重复开发身份认证逻辑。
+2. 提高业务的安全性,集中身份认证模式在网关层面能够及时拦截未经身份认证的请求,保护后端的应用。
+
+同时结合 Authing 强大的身份认证管理功能,可实现如下功能:
+
+1. 通过控制台对身份认证服务进行生命周期管理,包括创建、启用、禁用等。
+2. 提供实时、可视化的应用监控,包括:接口请求次数、接口调用延迟和接口错误信息,并且进行实时告警通知。
+3. 集中式日志,可以方便地查看用户登录、登出以及对应用的调整和修改信息。
+
+更多具体内容可参考 [Authing 应用集成网关](https://www.authing.cn/gateway-integration)。
+
+## 如何使用
+
+### 步骤一:配置 Authing
+
+1. 登录 Authing 账号,选择自建应用,并填入应用名称和认证地址。如果你没有 Authing 账号,请访问 [Authing 官网](https://www.authing.cn/),单击右上角 “登录/注册”,注册一个 Authing 账号。
+ 
+
+2. 单击“创建”,创建一个 Authing 应用。
+ 
+
+3. 设置登录和登出的跳转 URL。在认证过程中,Authing 将会拒绝除配置以外的回调 URL,由于本次为本地测试,所以将登录回调 URL 和登出回调 URL 都设置为 APISIX 访问地址 http://127.0.0.1:9080/ 。
+ 
+
+4. 创建用户(可选)。在用户列表页面,创建用户,账号密码分别为 user1/user1,并且可以在「用户信息-授权管理」页面中设置是否允许应用的访问(默认为允许)。
+ 
+ 
+
+5. 访问应用页面,获取以下配置,配置 Apache APISIX OpenID Connect 时需要提供这些信息:
+ 1. App ID: OAuth client ID,即应用的 ID。与下文的 `client_id` 和 `{YOUR_CLIENT_ID}` 对应。
+ 2. App secret:OAuth client secret,即应用密钥。与下文的 `client_secret` 和 `{YOUR_CLIENT_SECRET}` 对应。
+ 3. 服务发现地址:应用服务发现的地址。与下文的 `{YOUR_DISCOVERY}` 对应。
+ 
+
+### 步骤二:安装 Apache APISIX
+
+你可以通过源码包、Docker、Helm Chart 等多种方式来安装 Apache APISIX。
+
+#### 安装依赖
+
+Apache APISIX 的运行环境需要依赖 NGINX 和 etcd,所以在安装 Apache APISIX 前,请根据您使用的操作系统安装对应的依赖。我们提供了 CentOS7、Fedora 31 & 32 、Ubuntu 16.04 & 18.04、 Debian 9 & 10 和 MacOS 上的依赖安装操作步骤,详情请参考[安装依赖](https://apisix.apache.org/zh/docs/apisix/install-dependencies/)。
+
+通过 Docker 或 Helm Chart 安装 Apache APISIX 时,已经包含了所需的 NGINX 和 etcd,请参照各自对应的文档。
+
+#### 通过 RPM 包安装(CentOS 7)
+
+这种安装方式适用于 CentOS 7 操作系统,请运行以下命令安装 Apache APISIX。
+
+```shell
+sudo yum install -y https://github.com/apache/apisix/releases/download/2.7/apisix-2.7-0.x86_64.rpm
+```
+
+#### 通过 Docker 安装
+
+详情请参考:[使用 Docker 安装 Apache APISIX](https://hub.docker.com/r/apache/apisix)。
+
+#### 通过 Helm Chart 安装
+
+详情请参考:[使用 Helm Chart 安装 Apache APISIX](https://github.com/apache/apisix-helm-chart)。
+
+#### 通过源码包安装
+
+1. 创建一个名为 `apisix-2.7` 的目录:
+
+ ```shell
+ mkdir apisix-2.7
+ ```
+
+2. 下载 Apache APISIX Release 源码包:
+
+ ```shell
+ wget https://downloads.apache.org/apisix/2.7/apache-apisix-2.7-src.tgz
+ ```
+
+ 您也可以通过 Apache APISIX 官网下载 Apache APISIX Release 源码包。 Apache APISIX 官网也提供了 Apache APISIX、APISIX Dashboard 和 APISIX Ingress Controller 的源码包,详情请参考 [Apache APISIX 官网-下载页](https://apisix.apache.org/zh/downloads)。
+
+3. 解压 Apache APISIX Release 源码包:
+
+ ```shell
+ tar zxvf apache-apisix-2.7-src.tgz -C apisix-2.7
+ ```
+
+4. 安装运行时依赖的 Lua 库:
+
+ ```shell
+ # 切换到 apisix-2.7 目录
+ cd apisix-2.7
+ # 创建依赖
+ make deps
+ ```
+
+#### 初始化依赖
+
+运行以下命令初始化 NGINX 配置文件和 etcd。
+
+```shell
+# initialize NGINX config file and etcd
+make init
+```
+
+### 步骤三:启动 Apache APISIX 并配置对应的路由
+
+1. 运行以下命令,启动 Apache APISIX。
+
+ ```shell
+ apisix start
+ ```
+
+2. 创建路由并配置 OpenID Connect 插件。OpenID Connect 配置列表如下。
+
+|字段|默认值|使用说明|
+|:--------|:--------|:---------------|
+|client_id|N/A|OAuth 客户端 ID|
+|client_secret|N/A|OAuth 客户端密钥|
+|discovery|N/A|身份提供商的服务发现端点|
+|scope|openid|需要访问资源范围|
+|relm|apisix|指定 WWW-Authenticate 响应头验证信息|
+|bearer_only|false|是否检查请求头中的 token|
+|logout_path|/logout|登出的 URI|
+|redirect_uri|request_uri|身份提供商跳转回来的 URI,默认为请求地址|
+|timeout|3|请求超时时间,单位为秒|
+|ssl_verify|false|是否身份提供商的校验 ssl 证书|
+|introspection_endpoint|N/A|身份提供商的令牌验证端点的 URL,不填则将从 discovery 响应中提取。|
+|introspection_endpoint_auth_method|client_secret_basic|令牌自省的认证方法名称|
+|public_key|N/A|验证令牌的公钥|
+|token_signing_alg_values_expected|N/A|验证令牌的算法|
+|set_access_token_header|true|是否在请求头中携带 access token|
+|access_token_in_authorization_header|false|true 时将 access token 放置在 Authorization 头中,false 时将 access token 放置在 X-Access-Token 头中。|
+|set_id_token_header|false|是否将 ID token 携带至 X-ID-Token 请求头|
+|set_userinfo_header|false|是否将用户信息携带至 X-Userinfo 请求头|
+
+以下代码示例通过 Apache APISIX Admin API 进行创建路由,设置路由的上游为 [httpbin.org](http://httpbin.org)。`httpbin.org` 是一个简单的用于接收请求和响应请求的后端服务,下文将使用 `httpbin.org` 的 `get` 页面,参考 [http bin get](http://httpbin.org/#/HTTP_Methods/get_get)。
+
+具体配置项请参考 [Apache APISIX OpenID Connect Plugin](https://apisix.apache.org/zh/docs/apisix/plugins/openid-connect/)。
+
+```shell
+curl -XPOST 127.0.0.1:9080/apisix/admin/routes -H "X-Api-Key: edd1c9f034335f136f87ad84b625c8f1" -d '{
+ "uri":"/*",
+ "plugins":{
+ "openid-connect":{
+ "client_id":"{YOUR_CLIENT_ID}",
+ "client_secret":"{YOUR_CLIENT_SECRET}",
+ "discovery":"https://{YOUR_DISCOVERY}",
+ "scope":"openid profile",
+ "bearer_only":false,
+ "realm":"apisix",
+ "introspection_endpoint_auth_method":"client_secret_post",
+ "redirect_uri":"http://127.0.0.1:9080/"
+ }
+ },
+ "upstream":{
+ "type":"roundrobin",
+ "nodes":{
+ "httpbin.org:80":1
+ }
+ }
+}'
+```
+
+### 步骤四:访问 Apache APISIX
+
+1. 访问 "http://127.0.0.1:9080/get",由于已经开启了 OpenID Connect 插件,所以页面被重定向到 Authing 登录页面(可在 Authing 控制台中 「应用-品牌化」对该页面进行定制)。
+ 
+
+2. 输入用户在 Authing 注册的账号密码,或者在步骤一中创建的用户 user1/user1 ,单击“登录”,登录 Authing 账户。
+
+3. 登录成功之后,能成功访问到 httpbin.org 中的 get 页面。该 httpbin.org/get 页面将返回请求的数据如下:
+
+ ```shell
+ ...
+ "X-Access-Token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InFqeU55aVdVd2NhbUFxdEdVRUNCeFNsTWxQSWtTR2N1NmkyZzhEUk1OSGsifQ.eyJqdGkiOiJjTy16a0pCS0NSRFlHR2kyWkJhY0oiLCJzdWIiOiI2MWM5OGFmOTg0MjI4YWU0OTYyMDU4NTIiLCJpYXQiOjE2NDA1OTg4NTgsImV4cCI6MTY0MTgwODQ1OCwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSIsImlzcyI6Imh0dHBzOi8vYXBpc2l4LmF1dGhpbmcuY24vb2lkYyIsImF1ZCI6IjYxYzk4M2M0YjI4NzdkNDg2OWRkOGFjYiJ9.l2V8vDWcCObB1LjIhKs2ARG4J7WuB-0c-bnYZG2GP2zcpl6PMAPcId2B76CaXCU58ajGcfRmOlWJ67UaHrfWKv8IM4vcYN1gwhKdo [...]
+ "X-Id-Token": "eyJhdF9oYXNoIjoiRl8tRjZaUVgtWVRDNEh0TldmcHJmUSIsImJpcnRoZGF0ZSI6bnVsbCwiZmFtaWx5X25hbWUiOm51bGwsImdlbmRlciI6IlUiLCJnaXZlbl9uYW1lIjpudWxsLCJpc3MiOiJodHRwczpcL1wvYXBpc2l4LmF1dGhpbmcuY25cL29pZGMiLCJwaWN0dXJlIjoiaHR0cHM6XC9cL2ZpbGVzLmF1dGhpbmcuY29cL2F1dGhpbmctY29uc29sZVwvZGVmYXVsdC11c2VyLWF2YXRhci5wbmciLCJwcmVmZXJyZWRfdXNlcm5hbWUiOm51bGwsInVwZGF0ZWRfYXQiOiIyMDIxLTEyLTI3VDA5OjU0OjE3Ljc3M1oiLCJ3ZWJzaXRlIjpudWxsLCJ6b25laW5mbyI6bnVsbCwibmFtZSI6bnVsbCwiaWF0IjoxNjQwNTk4ODU4LCJua [...]
+ "X-Userinfo": "eyJ3ZWJzaXRlIjpudWxsLCJ6b25laW5mbyI6bnVsbCwibmFtZSI6bnVsbCwicHJvZmlsZSI6bnVsbCwibmlja25hbWUiOm51bGwsInN1YiI6IjYxYzk4YWY5ODQyMjhhZTQ5NjIwNTg1MiIsImxvY2FsZSI6bnVsbCwiYmlydGhkYXRlIjpudWxsLCJmYW1pbHlfbmFtZSI6bnVsbCwiZ2VuZGVyIjoiVSIsImdpdmVuX25hbWUiOm51bGwsIm1pZGRsZV9uYW1lIjpudWxsLCJwaWN0dXJlIjoiaHR0cHM6XC9cL2ZpbGVzLmF1dGhpbmcuY29cL2F1dGhpbmctY29uc29sZVwvZGVmYXVsdC11c2VyLWF2YXRhci5wbmciLCJwcmVmZXJyZWRfdXNlcm5hbWUiOm51bGwsInVwZGF0ZWRfYXQiOiIyMDIxLTEyLTI3VDA5OjU0OjE3Ljc3M1oifQ=="
+ ...
+ ```
+
+ 其中:
+
+ **X-Access-Token**:Apache APISIX 将从用户提供商获取到的 access token 放入 X-Access-Token 请求头,可以通过插件配置中的 `access_token_in_authorization_header` 来选择是否放入 Authorization 请求头中。
+
+ 
+
+ **X-Id-Token**:Apache APISIX 将从用户提供商获取到的 ID token 通过 base64 编码之后放入 X-Id-Token 请求头,可以通过插件配置中的 `set_id_token_header` 来选择是否开启该功能,默认为为开启状态。
+
+ 
+
+ **X-Userinfo**: Apache APISIX 将从用户提供商获取到的用户信息,通过 base64 编码之后放入 X-Userinfo,你可以通过插件配置中的 `set_userinfo_header` 来选择是否开启该功能,默认为开启状态。
+
+ 
+
+ 由此可以看到,Apache APISIX 将会携带 `X-Access-Token`、`X-Id-Token` 和 `X-Userinfo` 三个请求头传递至上游。上游可以通过解析这几个头部,从而获取到用户 ID 信息和用户的元数据。
+
+4. 在 Authing 控制台中的 「审计日志-用户行为日志」中可以观察到 user1 的登录信息。
+ 
+
+## 总结
+
+本文为大家描述了 Apache APISIX 和 Authing 对接的详细操作步骤,通过阅读本文,大家对于在 Apache APISIX 中使用 Authing 有了更清晰的理解。
+
+Apache APISIX 不仅致力于保持自身的高性能,也一直非常重视开源生态的建设。目前 Apache APISIX 已经拥有了 10+ 个认证授权相关的插件,支持与业界主流的认证授权服务对接。
+
+如果你有对接其他认证授权的需求,不妨访问 Apache APISIX 的 [GitHub](https://github.com/apache/apisix/issues),通过 issue 留下你的建议;或订阅 Apache APISIX 的[邮件列表](https://apisix.apache.org/zh/docs/general/subscribe-guide),通过邮件表达你的想法。