Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/08/19 02:06:11 UTC
[GitHub] [apisix-ingress-controller] hesamhamdarsi opened a new issue, #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
hesamhamdarsi opened a new issue, #1254:
URL: https://github.com/apache/apisix-ingress-controller/issues/1254
### Current Behavior
Let's say we define "consumer1" in namespace "aaa". The restriction rules (method, apikey) in the apisixRoute CRD like the following work as expected:
```yml
- name: consumer-restriction
  enable: true
  config:
    allowed_by_methods:
    - user: "aaa_consumer1"
      methods:
      - "GET"
```
The user is able to send the GET request, but not other methods (as expected):
```sh
GET:
curl https://httpbin.apisix.<DOMAIN>/anything -H 'apikey: <consumer1_key>' -i
HTTP/2 200
Post:
curl https://httpbin.apisix.<DOMAIN>/anything -H 'apikey: <consumer1_key>' -d ' ' -i
HTTP/2 403
```
But as soon as we define the consumer in a namespace like "aaa-bbb" that includes a hyphen in its name, the rule doesn't work as we expect:
```yml
- name: consumer-restriction
  enable: true
  config:
    allowed_by_methods:
    - user: "aaa-bbb_consumer1"
      methods:
      - "GET"
```
The user has full access on any method:
```sh
GET:
curl https://httpbin.apisix.<DOMAIN>/anything -H 'apikey: <consumer1_key>' -i
HTTP/2 200
Post:
curl https://httpbin.apisix.<DOMAIN>/anything -H 'apikey: <consumer1_key>' -d ' ' -i
HTTP/2 200
```
### Expected Behavior
_No response_
### Error Logs
_No response_
### Steps to Reproduce
1. Run apisix-ingress-controller using helm chart (chart version: 0.9.3, appVersion: 1.4.1) --> latest version on helm repo
2. create the same consumer once in "aaa" and once in "aaa-bbb" namespaces
3. create a route to httpbin service and enable <consumer-restriction> plugin
4. add restriction rules like allowed_by_methods, whitelist and blacklist for the specific user
5. compare the behaviour of the consumer in the namespace that includes a hyphen with the other one
### Environment
- APISIX version : 2.14.1 , Image: 2.15.0-alpine
- Operating system : Linux
- OpenResty / Nginx version : openresty/1.19.9.1
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-ingress-controller] github-actions[bot] commented on issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #1254:
URL: https://github.com/apache/apisix-ingress-controller/issues/1254#issuecomment-1510016376
This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.
[GitHub] [apisix-ingress-controller] tao12345666333 commented on issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #1254:
URL: https://github.com/apache/apisix-ingress-controller/issues/1254#issuecomment-1228587391
@hesamhamdarsi please check the reply 👆
[GitHub] [apisix-ingress-controller] github-actions[bot] commented on issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #1254:
URL: https://github.com/apache/apisix-ingress-controller/issues/1254#issuecomment-1472978039
This issue has been marked as stale due to 90 days of inactivity. It will be closed in 30 days if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.
[GitHub] [apisix-ingress-controller] tao12345666333 commented on issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #1254:
URL: https://github.com/apache/apisix-ingress-controller/issues/1254#issuecomment-1354323615
https://github.com/apache/apisix/issues/7825 already have one
[GitHub] [apisix-ingress-controller] tao12345666333 commented on issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #1254:
URL: https://github.com/apache/apisix-ingress-controller/issues/1254#issuecomment-1220160208
please add a test case to cover this one, thanks @AlinsRan @lingsamuel
[GitHub] [apisix-ingress-controller] AlinsRan commented on issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
Posted by GitBox <gi...@apache.org>.
AlinsRan commented on issue #1254:
URL: https://github.com/apache/apisix-ingress-controller/issues/1254#issuecomment-1228303526
e2e: https://github.com/apache/apisix-ingress-controller/blob/master/test/e2e/suite-plugins/suite-plugins-security/consumer-restriction.go#L215
ns: https://github.com/apache/apisix-ingress-controller/blob/master/test/e2e/scaffold/scaffold.go#L38
This scenario has been covered.
In e2e, the default ns format is `ingress-apisix-e2e-tests-xxx-xxx`.
[GitHub] [apisix-ingress-controller] AlinsRan commented on issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
Posted by GitBox <gi...@apache.org>.
AlinsRan commented on issue #1254:
URL: https://github.com/apache/apisix-ingress-controller/issues/1254#issuecomment-1229624848
Yeah, the following configurations are actually used in e2e:
```yaml
plugins:
- name: consumer-restriction
  enable: true
  config:
    whitelist:
    - ingress_apisix_e2e_tests_xxx_xxx_jack1
```
In fact, the expectation should be as follows:
```yaml
plugins:
- name: consumer-restriction
  enable: true
  config:
    whitelist:
    - ingress-apisix-e2e-tests-xxx-xxx_jack1
```
[GitHub] [apisix-ingress-controller] github-actions[bot] commented on issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #1254:
URL: https://github.com/apache/apisix-ingress-controller/issues/1254#issuecomment-1328409401
This issue has been marked as stale due to 90 days of inactivity. It will be closed in 30 days if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.
[GitHub] [apisix-ingress-controller] hesamhamdarsi commented on issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
Posted by GitBox <gi...@apache.org>.
hesamhamdarsi commented on issue #1254:
URL: https://github.com/apache/apisix-ingress-controller/issues/1254#issuecomment-1229150987
Hi again,
The scenario @AlinsRan shared has a section where all "-" will be replaced by "_" (in apisixConsumer, probably because of tracking consumers to their key, user/pass, etc.), and then you injected this automatically in your unit test.
https://sourcegraph.com/github.com/apache/apisix-ingress-controller@master/-/blob/pkg/types/apisix/v1/types.go?L538#tab=references
So in your unit test, the namespace format is automatically aaa_bbb, while in reality we have to manually specify the namespace.
If you want to have a real test case, I suggest using a statically defined namespace in the apisixRoute test.
So instead of this test case:
```yaml
plugins:
- name: consumer-restriction
  enable: true
  config:
    whitelist:
    - "%s"
```
use this one manually (like in a real scenario) and see if it works:
```yaml
plugins:
- name: consumer-restriction
  enable: true
  config:
    whitelist:
    - ingress-apisix-e2e-tests-xxx-xxx_jack1
```
[GitHub] [apisix-ingress-controller] tao12345666333 commented on issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #1254:
URL: https://github.com/apache/apisix-ingress-controller/issues/1254#issuecomment-1229669169
In fact this is because APISIX does not allow consumer usernames to contain `-`
https://github.com/apache/apisix/blob/1aa45caf2fa59e5f7add70db0439eda20cf59eb8/apisix/schema_def.lua#L713
We first need to modify the schema in APISIX
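Added example, not part of the thread and not the project's own code: a small Go lint that flags `consumer-restriction` entries which can never match a consumer, the situation the thread describes. `composeConsumerName`, `lintRestrictionUsers`, `Finding` and the username pattern are assumptions built from the comments above (hyphens in the namespace become `_`, and APISIX consumer usernames may not contain `-`).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed username rule: letters, digits and "_" only (the thread says "-" is not allowed).
var usernameRe = regexp.MustCompile(`^[a-zA-Z0-9_]+$`)

// Hypothetical stand-in for the behaviour described in the thread: "-" in the namespace becomes "_".
func composeConsumerName(namespace, name string) string {
	return strings.ReplaceAll(namespace, "-", "_") + "_" + name
}

// Finding describes one consumer-restriction entry that can never match.
type Finding struct {
	Entry, Reason, Suggest string
}

// lintRestrictionUsers compares the names written in a plugin config with the known consumers.
func lintRestrictionUsers(entries []string, consumers map[string]bool) []Finding {
	var out []Finding
	for _, e := range entries {
		switch {
		case !usernameRe.MatchString(e):
			f := Finding{Entry: e, Reason: "not a valid consumer username"}
			if fixed := strings.ReplaceAll(e, "-", "_"); consumers[fixed] {
				f.Suggest = fixed // the name the gateway actually holds
			}
			out = append(out, f)
		case !consumers[e]:
			out = append(out, Finding{Entry: e, Reason: "no such consumer"})
		}
	}
	return out
}

func main() {
	// Constructed sample: the two consumers from the issue report.
	known := map[string]bool{
		composeConsumerName("aaa", "consumer1"):     true,
		composeConsumerName("aaa-bbb", "consumer1"): true,
	}
	for _, f := range lintRestrictionUsers([]string{"aaa_consumer1", "aaa-bbb_consumer1"}, known) {
		fmt.Printf("%q: %s (use %q)\n", f.Entry, f.Reason, f.Suggest)
	}
}
```

Running a check like this over route manifests before they are applied catches the hyphenated entry that, in the report above, left every method open to the consumer.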
[GitHub] [apisix-ingress-controller] tao12345666333 commented on issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #1254:
URL: https://github.com/apache/apisix-ingress-controller/issues/1254#issuecomment-1354322326
@hesamhamdarsi as I said https://github.com/apache/apisix-ingress-controller/issues/1254#issuecomment-1229669169
Do you want to file an issue to [apache/apisix](https://github.com/apache/apisix) project?
[GitHub] [apisix-ingress-controller] github-actions[bot] closed issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] closed issue #1254: bug: Restrictions for users(consumers) who are defined in namespaces that include hyphen(-) in their name do not work
URL: https://github.com/apache/apisix-ingress-controller/issues/1254