You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by "cverdela (via GitHub)" <gi...@apache.org> on 2023/04/06 03:48:51 UTC
[GitHub] [apisix] cverdela opened a new issue, #9249: help request: Upstream services need to return different information based on different consumers, how to put the consumer's username in the header
cverdela opened a new issue, #9249:
URL: https://github.com/apache/apisix/issues/9249
### Description
Upstream services need to return different information based on different consumers, how to put the consumer's username in the header
### Environment
- APISIX version (run `apisix version`):
- Operating system (run `uname -a`):
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] cverdela commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "cverdela (via GitHub)" <gi...@apache.org>.
cverdela commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1508057019
`"key-auth": {},
"proxy-rewrite": {
"headers": {
"add": {
"tenant": "$consumer_group_id"
}
}
},
"authz-casbin": {
"model": "[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = (g(r.sub, p.sub) || keyMatch(r.sub, p.sub)) && keyMatch(r.obj, p.obj) && keyMatch(r.act, p.act)",
"policy": "p, *, web1, GET
p, admin, *, *
g, 1000, admin",
"username": "tenant"
}
},`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] cverdela commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "cverdela (via GitHub)" <gi...@apache.org>.
cverdela commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1504890686
You didn't understand what I meant
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] cverdela commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "cverdela (via GitHub)" <gi...@apache.org>.
cverdela commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1507772347
There are three consumers a, b, and c. A and b have the same organization as 1, and c has the same organization as 2. The authentication of a, b, and c needs to be different. When accessing the same upstream, a and b return 11, and c return 22. Upstream only returns based on the organizational judgment passed in the header, without consumer information
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] cverdela commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "cverdela (via GitHub)" <gi...@apache.org>.
cverdela commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1504811632
I'm not talking about authorization, but how to solve the problem of authorization and authentication at the same time
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Sn0rt commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1504888379
are you read this https://apisix.apache.org/zh/docs/apisix/plugins/authz-casbin/ ?
maybe it's useful for you
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] cverdela commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "cverdela (via GitHub)" <gi...@apache.org>.
cverdela commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1507773000
And abc has different permission controls for different upstream
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] cverdela commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "cverdela (via GitHub)" <gi...@apache.org>.
cverdela commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1508045114
What is the execution order of the three plugins a, b and c? How to make them execute in the order of a, b, and c
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] cverdela commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "cverdela (via GitHub)" <gi...@apache.org>.
cverdela commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1508135479
`{
"name": "web1-rewrite",
"status": 1,
"methods": [
"GET",
"POST",
"PUT",
"DELETE",
"PATCH",
"HEAD",
"OPTIONS",
"CONNECT",
"TRACE",
"PURGE"
],
"priority": 0,
"labels": {},
"uri": "/web1/*",
"plugins": {
"proxy-rewrite": {
"_meta": {
"priority": 1
},
"headers": {
"set": {
"tenant": "$consumer_group_id"
}
}
},
"key-auth": {
"_meta": {
"priority": 2
}
},
"authz-casbin": {
"_meta": {
"priority": 0
},
"model": "[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = (g(r.sub, p.sub) || keyMatch(r.sub, p.sub)) && keyMatch(r.obj, p.obj) && keyMatch(r.act, p.act)",
"policy": "p, *, web1, GET
p, admin, *, *
g, 2080, admin",
"username": "tenant"
}
},
"upstream_id": "452002436731634371"
}`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] cverdela commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "cverdela (via GitHub)" <gi...@apache.org>.
cverdela commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1507774007
I need to prevent a from obtaining 22 through any means
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [I] help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin [apisix]
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] closed issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
URL: https://github.com/apache/apisix/issues/9249
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] cverdela commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "cverdela (via GitHub)" <gi...@apache.org>.
cverdela commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1504813827
In addition, identity information is passed to the upstream through the gateway, and the upstream returns different results according to different identities in the same route
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Sn0rt commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1504473065
can you provider more info about the http body ?
casbin is responsible for authorization, not authentication. maybe you should process authorization by your self by Casbin.
of course , you can set http header by the proxy-rewrite plugin.
reference: https://apisix.apache.org/docs/apisix/plugins/proxy-rewrite/
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [I] help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin [apisix]
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-2053597921
This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Sn0rt commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1504899992
Can you give a specific example? I can't imagine your scene in one or two sentences
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] cverdela commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "cverdela (via GitHub)" <gi...@apache.org>.
cverdela commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1508060694
I want to use proxy rewrite to write consumer group information to the header, and then use casbin to confirm permissions. Upstream users can also obtain header information
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] cverdela commented on issue #9249: help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin
Posted by "cverdela (via GitHub)" <gi...@apache.org>.
cverdela commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-1508145395
I have 1 consumer group 2080. Jack is a consumer in 2080. I added the header as the ID of the consumer group using proxy rewrite, and verified the header using casbin. Surprisingly, the header. add implemented my idea, but the header. set failed
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [I] help request: Upstream services require different consumers to return different information on how to place their username in the header, and whether this header can be used as the username for casbin [apisix]
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #9249:
URL: https://github.com/apache/apisix/issues/9249#issuecomment-2027013732
This issue has been marked as stale due to 350 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org