You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/09/26 14:43:33 UTC
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2265: doc: add `consumer-restriction` plugin to support `consumer` to subscribe to `service` documents

Firstsawyou commented on a change in pull request #2265:
URL: https://github.com/apache/apisix/pull/2265#discussion_r495463276



##########
File path: doc/zh-cn/plugins/consumer-restriction.md
##########
@@ -87,31 +93,138 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
-## 测试插件
+**测试插件**
 
 jack1 访问:
 
 ```shell
-$ curl -u jack2019:123456 http://127.0.0.1:9080/index.html
+curl -u jack2019:123456 http://127.0.0.1:9080/index.html -i
 HTTP/1.1 200 OK
 ...
 ```
 
 jack2 访问:
 
 ```shell
-$ curl -u jack2020:123456 http://127.0.0.1:9080/index.html -i
+curl -u jack2020:123456 http://127.0.0.1:9080/index.html -i
 HTTP/1.1 403 Forbidden
 ...
-{"message":"You are not allowed"}
+{"message":"The consumer_name is forbidden."}
+```
+
+### 如何限制 `service_id`
+`service_id`方式需要与授权插件一起配合使用，这里以key-auth授权插件为例。
+
+1、创建两个 service
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/services/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "upstream": {
+        "nodes": {
+            "127.0.0.1:1980": 1
+        },
+        "type": "roundrobin"
+    },
+    "desc": "new service 001"
+}'
+
+curl http://127.0.0.1:9080/apisix/admin/services/2 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "upstream": {
+        "nodes": {
+            "127.0.0.1:1980": 1
+        },
+        "type": "roundrobin"
+    },
+    "desc": "new service 002"
+}'
+```
+
+2、在 `consumer` 上绑定 `consumer-restriction` 插件(需要与一个授权插件配合才能绑定),并添加 `service_id` 白名单列表
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "new_consumer",
+    "plugins": {
+    "key-auth": {
+        "key": "auth-jack"
+    },
+    "consumer-restriction": {
+           "type": "service_id",
+            "whitelist": [
+                "1"
+            ],
+            "rejected_code": 403
+        }
+    }
+}'
+```
+
+3、在 route 上开启 `key-auth` 插件并绑定 `service_id` 为`1`
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "uri": "/index.html",
+    "upstream": {
+        "type": "roundrobin",
+        "nodes": {
+            "127.0.0.1:1980": 1
+        }
+    },
+    "service_id": 1,
+    "plugins": {
+         "key-auth": {
+        }
+    }
+}'
+```
+
+**测试插件**

Review comment:
       fixed.

##########
File path: doc/zh-cn/plugins/consumer-restriction.md
##########
@@ -87,31 +93,138 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 }'
 ```
 
-## 测试插件
+**测试插件**
 
 jack1 访问:
 
 ```shell
-$ curl -u jack2019:123456 http://127.0.0.1:9080/index.html
+curl -u jack2019:123456 http://127.0.0.1:9080/index.html -i
 HTTP/1.1 200 OK
 ...
 ```
 
 jack2 访问:
 
 ```shell
-$ curl -u jack2020:123456 http://127.0.0.1:9080/index.html -i
+curl -u jack2020:123456 http://127.0.0.1:9080/index.html -i
 HTTP/1.1 403 Forbidden
 ...
-{"message":"You are not allowed"}
+{"message":"The consumer_name is forbidden."}
+```
+
+### 如何限制 `service_id`
+`service_id`方式需要与授权插件一起配合使用，这里以key-auth授权插件为例。
+
+1、创建两个 service
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/services/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "upstream": {
+        "nodes": {
+            "127.0.0.1:1980": 1
+        },
+        "type": "roundrobin"
+    },
+    "desc": "new service 001"
+}'
+
+curl http://127.0.0.1:9080/apisix/admin/services/2 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "upstream": {
+        "nodes": {
+            "127.0.0.1:1980": 1
+        },
+        "type": "roundrobin"
+    },
+    "desc": "new service 002"
+}'
+```
+
+2、在 `consumer` 上绑定 `consumer-restriction` 插件(需要与一个授权插件配合才能绑定),并添加 `service_id` 白名单列表
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "new_consumer",
+    "plugins": {
+    "key-auth": {
+        "key": "auth-jack"
+    },
+    "consumer-restriction": {
+           "type": "service_id",
+            "whitelist": [
+                "1"
+            ],
+            "rejected_code": 403
+        }
+    }
+}'
+```
+
+3、在 route 上开启 `key-auth` 插件并绑定 `service_id` 为`1`
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "uri": "/index.html",
+    "upstream": {
+        "type": "roundrobin",
+        "nodes": {
+            "127.0.0.1:1980": 1
+        }
+    },
+    "service_id": 1,
+    "plugins": {
+         "key-auth": {
+        }
+    }
+}'
+```
+
+**测试插件**
+
+```shell
+curl http://127.0.0.1:9080/index.html -H 'apikey: auth-jack' -i
+HTTP/1.1 200 OK
+...
+```
+
+4、在 route 上开启 `key-auth` 插件并绑定 `service_id` 为`2`
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "uri": "/index.html",
+    "upstream": {
+        "type": "roundrobin",
+        "nodes": {
+            "127.0.0.1:1980": 1
+        }
+    },
+    "service_id": 2,
+    "plugins": {
+         "key-auth": {
+        }
+    }
+}'
+```
+
+**测试插件**

Review comment:
       fixed.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org