Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/03/13 04:40:35 UTC
[GitHub] [incubator-apisix] sshniro opened a new issue #1243: request help:
How to white-list consumers for the Keyauth plugin
sshniro opened a new issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243
### Issue description
Is there a way to limit the users who are permitted to use a route via the key auth plugin? Currently, it allows all consumers to access a route, if the key auth is enabled.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [incubator-apisix] soulsoul commented on issue #1243: request help:
How to white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
soulsoul commented on issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243#issuecomment-601490838
@sshniro Yes. The key-auth plugin only supports basic authentication; to enhance the security, we can use some other plugin to provide auxiliary capacity on business. We maybe should not make an individual plugin too fat, right?
[GitHub] [incubator-apisix] sshniro edited a comment on issue #1243: request
help: How to white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
sshniro edited a comment on issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243#issuecomment-603065789
Yes, Agree @soulsoul
I think this can be a separate Access Control Plugin.
This is the scenario I have and I assume this can be a common scenario as well.
We are proxying device data through REST and MQTT and we provide a token to the device. The problem with the current implementation is, if the device has a valid token/key then it can publish data to any routes. We need a way to control it.
@membphis This is how the implementation will look:
```bash
# Create a consumer that authenticates with a key-auth key
curl http://127.0.0.1:9080/apisix/admin/consumers -X PUT -d '
{
    "username": "device1",
    "plugins": {
        "key-auth": {
            "key": "keytodeviceone"
        }
    }
}'

# Route with key-auth plus the proposed "acl-plugin" consumer list
curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d '
{
    "uri": "/device1publishroute",
    "id": 1,
    "plugins": {
        "key-auth": {},
        "acl-plugin": ["device1", "device2", "user1", "user2"]
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "39.97.63.215:80": 1
        }
    }
}'
```
The ACL plugins should be executed after the keyauth plugin.
[GitHub] [incubator-apisix] sshniro edited a comment on issue #1243: request
help: How to white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
sshniro edited a comment on issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243#issuecomment-603065789
Yes, Agree @soulsoul
I think this can be a separate Access Control Plugin.
This is the scenario I have and I assume this can be a common scenario as well.
We are proxying device data through REST and MQTT and we provide a token to the device. The problem with the current implementation is, if the device has a valid token/key then it can publish data to any routes. We need a way to control it.
@membphis This is how the implementation will look:
```bash
# Create a consumer that authenticates with a key-auth key
curl http://127.0.0.1:9080/apisix/admin/consumers -X PUT -d '
{
    "username": "device1",
    "plugins": {
        "key-auth": {
            "key": "keytodeviceone"
        }
    }
}'

# Route with key-auth plus the proposed "acl-plugin" consumer list
curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d '
{
    "uri": "/securedPublishRoute",
    "id": 1,
    "plugins": {
        "key-auth": {},
        "acl-plugin": ["device1", "device2", "user1", "user2"]
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "39.97.63.215:80": 1
        }
    }
}'
```
The ACL plugins should be executed after the keyauth plugin.
[GitHub] [incubator-apisix] sshniro commented on issue #1243: request help:
How to white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
sshniro commented on issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243#issuecomment-601250472
Thanks. Is it okay to extend the plugin to restrict to specific consumers? It can enhance the security and flexibility of the key-auth plugin?
[GitHub] [incubator-apisix] membphis commented on issue #1243: request help:
How to white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
membphis commented on issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243#issuecomment-601479898
Can you provide an example of how to solve this problem?
If a Keyauth plugin is used by a non-whitelisted consumer, will the current request be rejected?
[GitHub] [incubator-apisix] sshniro commented on issue #1243: request help:
How to white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
sshniro commented on issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243#issuecomment-603065789
Yes, Agree @soulsoul
I think this can be a separate Access Control Plugin.
This is the scenario I have and I assume this can be a common scenario as well.
We are proxying device data through REST and MQTT and we provide a token to the device. The problem with the current implementation is, if the device has a valid token/key then it can publish data to any routes. We need a way to control it.
@membphis This is how the implementation will look:
```bash
# Create a consumer that authenticates with a key-auth key
curl http://127.0.0.1:9080/apisix/admin/consumers -X PUT -d '
{
    "username": "device1",
    "plugins": {
        "key-auth": {
            "key": "keytodeviceone"
        }
    }
}'

# Route with key-auth plus the proposed "acl-plugin" consumer list
curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d '
{
    "uri": "/device1publishroute",
    "id": 1,
    "plugins": {
        "key-auth": {},
        "acl-plugin": ["device1", "device2"]
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "39.97.63.215:80": 1
        }
    }
}'
```
The ACL plugins should be executed after the keyauth plugin.
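Added example, not part of the thread and not APISIX code: a small Python model of the check proposed in the comment above, which also answers the earlier question of whether a non-whitelisted consumer is rejected. The `apikey` header name, the priority numbers, the extra consumers and the `/open` route are assumptions constructed for the illustration.

```python
# Hypothetical model of authenticate-then-authorize on a route (not APISIX code).
# Constructed sample data mirroring the curl payloads in the comment above.
CONSUMERS = {
    "keytodeviceone": "device1",
    "keytodevicetwo": "device2",    # constructed
    "keytodevicenine": "device9",   # constructed: valid key, not on the list
}
ROUTES = {
    "/device1publishroute": {"key-auth": {}, "acl-plugin": ["device1", "device2"]},
    "/open": {"key-auth": {}},      # constructed: key-auth only, no ACL
}

def key_auth(ctx, conf):
    """Authentication: map the presented key to a consumer, else 401."""
    consumer = CONSUMERS.get(ctx["headers"].get("apikey", ""))
    if consumer is None:
        return 401
    ctx["consumer"] = consumer
    return None

def acl(ctx, conf):
    """Authorization: allow only consumers on the route's list, else 403."""
    # Fail closed: no identified consumer means the request is denied.
    if ctx.get("consumer") not in conf:
        return 403
    return None

# Higher priority runs first, so key-auth always precedes the ACL check.
# The numbers are constructed for this example.
PLUGINS = {"key-auth": (2500, key_auth), "acl-plugin": (2400, acl)}

def handle(uri, headers):
    """Return the HTTP status the modelled gateway would answer with."""
    route = ROUTES.get(uri)
    if route is None:
        return 404
    ctx = {"headers": headers}
    # Sort by priority so config order in the route cannot reorder the checks.
    for name in sorted(route, key=lambda n: -PLUGINS[n][0]):
        status = PLUGINS[name][1](ctx, route[name])
        if status is not None:
            return status
    return 200  # request would be proxied to the upstream
```

On `/open`, `device9` gets through with any valid key, which is the behaviour the issue describes; on the ACL-protected route the same key is answered with 403.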
[GitHub] [incubator-apisix] sshniro closed issue #1243: request help: How to
white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
sshniro closed issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243
[GitHub] [incubator-apisix] membphis commented on issue #1243: request help:
How to white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
membphis commented on issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243#issuecomment-603252306
> @membphis This is how the implementation will look:
It looks good to me. @moonming What do you think?
[GitHub] [incubator-apisix] soulsoul commented on issue #1243: request help:
How to white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
soulsoul commented on issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243#issuecomment-599024448
So you can use some other plugin on your business, not just one keyauth plugin.
[GitHub] [incubator-apisix] sshniro commented on issue #1243: request help:
How to white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
sshniro commented on issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243#issuecomment-600535175
I did not understand the last statement, are you suggesting to use a custom plugin instead of the keyauth plugin?
[GitHub] [incubator-apisix] sshniro commented on issue #1243: request help:
How to white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
sshniro commented on issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243#issuecomment-604293334
Hi @moonming, @membphis, I found a similar request by another user as well! #1062
But it has a bigger scope of grouping consumers, and also extending it to the jwt auth plugin as well.
I will be developing this plugin independently for our project's security requirements. Do let me know if this is a useful addition to APISIX as well. If so I can contribute the codebase to APISIX as well.
[GitHub] [incubator-apisix] membphis commented on issue #1243: request help:
How to white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
membphis commented on issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243#issuecomment-604357396
@sshniro Yes, it is a useful feature for APISIX. Welcome PR ^_^
[GitHub] [incubator-apisix] membphis commented on issue #1243: request help:
How to white-list consumers for the Keyauth plugin
Posted by GitBox <gi...@apache.org>.
membphis commented on issue #1243: request help: How to white-list consumers for the Keyauth plugin
URL: https://github.com/apache/incubator-apisix/issues/1243#issuecomment-600939290
The current mechanism does not support this limitation.