Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/01/17 17:47:34 UTC

[GitHub] [apisix] bzp2010 opened a new issue #6137: Proposal: support more access control for plugin's public API

bzp2010 opened a new issue #6137:
URL: https://github.com/apache/apisix/issues/6137


   ## Background
   Current APISIX users can register public APIs when developing plugins, such as the `sign` API in the `jwt-auth` plugin and the `login` and other APIs in the `wolf-rbac` plugin. In the current design, users can control their access through the API interceptor, which currently only supports IP restrictions via the `ip-restriction` plugin and cannot apply more complex access patterns.
   Therefore, we designed the `public-api` plugin, which incorporates the APIs from user plugins into the general HTTP request processing flow and supports the configuration of all plugins currently supported by APISIX.
   
   ## Scheme
   ### Configure schema
   Name | Type | Requirement | Default | Description
   -- | -- | -- | -- | --
   uri | string | optional |   | The URI registered for this public API (used when the user customizes the URI of the plugin's public API, i.e. a different URI than the one defined for the public API is used in general HTTP routing)
   
   Imagine a scenario where we have a `custom-auth` plugin that provides a login interface at `/apisix/custom-auth/login`, and we want to provide this API at `/login`, so we can create a route with `uri = /login` and configure it with the `public-api` plugin where the `uri` will be configured as `/apisix/custom-auth/login`, so that when the user accesses `/login`, the request will be forwarded to the handler in the plugin.
   
   ### Principle
   Currently, APISIX generates a special radixtree to handle route matching for the public API registered in the user's plugin, which is independent of the general HTTP request processing flow and takes precedence over matching. So we can't apply all the plugins to it; we need to adapt those plugins one by one.
   Therefore, we need to modify the flow so that the general HTTP request route is matched before the plugin's public API, and when a route is matched and it has the `public-api` plugin enabled, it will call the appropriate plugin public API handler based on the plugin configuration or the URI of the current request.
   This allows us to apply any plugin to a plugin public API and also allows the user to decide whether to allow the client to access a public API and what URI to use.
   
   ## Other
   What are your ideas?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
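
The two request flows contrasted in the Principle section of the proposal above, as a simplified model. This is an added example, not APISIX code and not part of the original message; every name in it (`legacy_flow`, `route_flow`, `require_key`, the `fallback` switch, the sample key) is hypothetical and the data is constructed.

```python
# Simplified model of the two request flows; not APISIX code.
# All names and sample values are hypothetical / constructed.

PUBLIC_APIS = {  # handlers registered by plugins, keyed by their default URI
    "/apisix/custom-auth/login": lambda req: (200, "login handler"),
}

def require_key(req):
    """Stand-in for any access-control plugin configured on a route."""
    return None if req.get("apikey") == "constructed-key" else (401, "denied")

ROUTES = {  # general HTTP routes: uri -> plugin configuration
    "/login": {"access": [require_key],
               "public-api": {"uri": "/apisix/custom-auth/login"}},
}

def route_flow(req, fallback):
    """Proposed order: general routes are matched before the public API."""
    route = ROUTES.get(req["uri"])
    if route is None:
        # A second match against the public API tree on a route miss keeps
        # the default URI reachable without any route plugins.
        handler = PUBLIC_APIS.get(req["uri"]) if fallback else None
        return handler(req) if handler else (404, "no route")
    for plugin in route["access"]:
        denied = plugin(req)
        if denied:
            return denied            # access control runs before the handler
    conf = route.get("public-api")
    if conf is None:
        return (200, "upstream")
    # Use the configured uri, else the URI of the current request.
    handler = PUBLIC_APIS.get(conf.get("uri") or req["uri"])
    return handler(req) if handler else (404, "no public API")

def legacy_flow(req):
    """Current order: the public API tree is matched first."""
    handler = PUBLIC_APIS.get(req["uri"])
    if handler:
        return handler(req)          # route plugins never run
    return route_flow(req, fallback=False)
```

With `fallback=False` the default URI returns 404 unless a route exposes it through `public-api`, which is the safe-by-default behaviour the model is meant to make visible.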



[GitHub] [apisix] spacewander edited a comment on issue #6137: Proposal: support more access control for plugin's public API

Posted by GitBox <gi...@apache.org>.
spacewander edited a comment on issue #6137:
URL: https://github.com/apache/apisix/issues/6137#issuecomment-1016016565


   We can consider no longer exposing the public API by default (in another PR). People need to expose it with the public-api plugin.
   
   Yes, I know it's a breaking change. But after this change, we can be safe by default.





[GitHub] [apisix] spacewander commented on issue #6137: Proposal: support more access control for plugin's public API

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #6137:
URL: https://github.com/apache/apisix/issues/6137#issuecomment-1016048364


   No, you still need to match with the public API when the first match returns 404, if we don't remove the router.





[GitHub] [apisix] encanto-oss commented on issue #6137: Proposal: support more access control for plugin's public API

Posted by GitBox <gi...@apache.org>.
encanto-oss commented on issue #6137:
URL: https://github.com/apache/apisix/issues/6137#issuecomment-1015177700


   This is a good improvement proposal and I want to give it a try.





[GitHub] [apisix] spacewander closed issue #6137: Proposal: support more access control for plugin's public API

Posted by GitBox <gi...@apache.org>.
spacewander closed issue #6137:
URL: https://github.com/apache/apisix/issues/6137


   





[GitHub] [apisix] spacewander commented on issue #6137: Proposal: support more access control for plugin's public API

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #6137:
URL: https://github.com/apache/apisix/issues/6137#issuecomment-1016016565


   We can consider no longer exposing the public API by default. People need to expose it with the public-api plugin.
   
   Yes, I know it's a breaking change. But after this change, we can be safe by default.





[GitHub] [apisix] encanto-oss edited a comment on issue #6137: Proposal: support more access control for plugin's public API

Posted by GitBox <gi...@apache.org>.
encanto-oss edited a comment on issue #6137:
URL: https://github.com/apache/apisix/issues/6137#issuecomment-1015177700


   @bzp2010  This is a good improvement proposal and I want to give it a try.





[GitHub] [apisix] bzp2010 commented on issue #6137: Proposal: support more access control for plugin's public API

Posted by GitBox <gi...@apache.org>.
bzp2010 commented on issue #6137:
URL: https://github.com/apache/apisix/issues/6137#issuecomment-1016029099


   In fact when we adjust the `router.api.match` order from `init.lua` (prioritize HTTP route matching over api, which in some sense is not exposing the API by default), it is already not exposed by default. So maybe it can be done in this PR.





[GitHub] [apisix] encanto-oss edited a comment on issue #6137: Proposal: support more access control for plugin's public API

Posted by GitBox <gi...@apache.org>.
encanto-oss edited a comment on issue #6137:
URL: https://github.com/apache/apisix/issues/6137#issuecomment-1015177700


   @bzp2010  This is a good improvement proposal and I will co-contribute to this.





[GitHub] [apisix] juzhiyuan commented on issue #6137: Proposal: support more access control for plugin's public API

Posted by GitBox <gi...@apache.org>.
juzhiyuan commented on issue #6137:
URL: https://github.com/apache/apisix/issues/6137#issuecomment-1015979418


   Mailing List: https://lists.apache.org/thread/g25fz8ov3kjd2bf3fgrvtdcwxr2rk9kl





[GitHub] [apisix] bzp2010 commented on issue #6137: Proposal: support more access control for plugin's public API

Posted by GitBox <gi...@apache.org>.
bzp2010 commented on issue #6137:
URL: https://github.com/apache/apisix/issues/6137#issuecomment-1017037474


   ## Update
   These have already been completed
   - Adjusting the order of route matching (The api match is still not completely removed from the worker access flow)
   - Implementation of `public-api` plugin
   

