码迷,mamicode.com
首页 > 其他好文 > 详细

Kong Gateway - 11 基于网关服务的ACL访问控制列表 黑名单

时间:2020-02-26 22:39:05      阅读:86      评论:0      收藏:0      [点我收藏+]

标签:list   regex   set   不能   apach   upstream   post   ***   编码工具   

Kong Gateway - 11 基于网关服务的ACL访问控制列表 黑名单

同一服务名称 book 不允许即创建白名单访问控制列表又创建黑名单访问控制列表

启用服务的白名单&黑名单配置文件时,它们俩是不允许同时定义的,我们应该树立这样一种认知 不在黑名单中 即使没定义白名单,我们也把黑名单之外的所有用户归类为白名单用户

故ACL必须分两篇来发布,本范例中使用了

Kong Gateway - 01 基于网关服务的基本验证(Basic Authentication)
9种验证方式当中的1种方式而已,我们当然可以用剩余的8种验证方式之一来取代basic-auth,强调一点的是ACL必须与9种验证结合使用,不然book服务我们将不能消费访问它
用Kong配置一个book服务
在安装并启动Kong之后,使用Kong的管理API端口8001添加一个名称为book的服务
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data ‘name=book‘ \
--data ‘url=http://contoso.com/v1/books‘

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:30:31 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.

{
"host": "contoso.com",
"created_at": 1525890631,
"connect_timeout": 60000,
"id": "dca12a5d-10c4-4bf9-8a49-500c3935cae5",
"protocol": "http",
"name": "book",
"read_timeout": 60000,
"port": 80,
"path": "/v1/books",
"updated_at": 1525890631,
"retries": 5,
"write_timeout": 60000
}


添加一个路由(paths[]的值必须与book服务中的/v1/books一致)
使book服务暴露出来以供用户访问,book服务没必要添加多个路由。
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data ‘hosts[]=contoso.com‘ \
--data ‘paths[]=/v1/books‘

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:30:49 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525890649,
"strip_path": true,
"hosts": [
"contoso.com"
],
"preserve_host": false,
"regex_priority": 0,
"updated_at": 1525890649,
"paths": [
"/v1/books"
],
"service": {
"id": "dca12a5d-10c4-4bf9-8a49-500c3935cae5"
},
"methods": null,
"protocols": [
"http",
"https"
],
"id": "80569820-4d8c-4565-9c3c-b5e0475b0122" // {route_id} = id
}


[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books \
--header ‘Host: contoso.com‘

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Thu, 10 May 2018 02:35:04 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 100
X-Kong-Proxy-Latency: 34
Via: kong/0.13.1

[
{
"id": 1,
"title": "Fashion That Changed the World",
"author": "Jennifer Croll"
},
{
"id": 2,
"title": "Brigitte Bardot - My Life in Fashion",
"author": "Henry-Jean Servat and Brigitte Bardot"
},
{
"id": 3,
"title": "The Fashion Image",
"author": "Thomas Werner"
}
]


[root@contoso ~]# curl -i -X GET \
--url http://localhost:8001/services/book/routes

HTTP/1.1 200 OK
Date: Thu, 10 May 2018 02:35:38 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"next": null,
"data": [
{
"created_at": 1525890649,
"strip_path": true,
"hosts": [
"contoso.com"
],
"preserve_host": false,
"regex_priority": 0,
"updated_at": 1525890649,
"paths": [
"/v1/books"
],
"service": {
"id": "dca12a5d-10c4-4bf9-8a49-500c3935cae5"
},
"methods": null,
"protocols": [
"http",
"https"
],
"id": "80569820-4d8c-4565-9c3c-b5e0475b0122" // {route_id} = id
}
]
}


--------------------------------------------------------------------------------

为book服务的路由{route_id}启动Basic验证插件
URL格式:http://localhost:8001/routes/{route_id}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/routes/80569820-4d8c-4565-9c3c-b5e0475b0122/plugins \
--data "name=basic-auth" \
--data "config.hide_credentials=true"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:39:15 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525919954000,
"config": {
"hide_credentials": true,
"anonymous": ""
},
"id": "1e8c30f2-282f-4401-8258-6e5dac2a6b54",
"enabled": true,
"route_id": "80569820-4d8c-4565-9c3c-b5e0475b0122",
"name": "basic-auth"
}


=========================================================================================

添加第1个username为jack的消费者,{custom_id}参数可省略,此参数是个自定义唯一标识,
它作用是把消费者jack映射到另外一个数据库上
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:41:40 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525920101000,
"username": "jack",
"id": "14af98df-237a-4555-bc00-580db0b26032"
}


为第1个用户jack启用Basic验证插件
URL格式:http://localhost:8001/consumers/{username or consumer_id}/basic-auth
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/basic-auth \
--data "username=jack@hotmail.com" \
--data "password=123456"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:43:00 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525920181000,
"id": "cbb0c2b4-cb85-4899-995a-6681cfdb400f",
"username": "jack@hotmail.com",
"password": "349cc2755232a4746d2973f3bcb87b1d3fa7be55",
"consumer_id": "14af98df-237a-4555-bc00-580db0b26032"
}


在线base64编码工具http://tool.oschina.net/encrypt?type=3
键-值对{username:password}字符串
jack@hotmail.com:123456 左边的键-值对字符串BASE64编码结果为:
amFja0Bob3RtYWlsLmNvbToxMjM0NTY=
使用用户jack的Basic验证方式访问书籍数据接口
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/1 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header ‘Host: contoso.com‘

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 77
Connection: keep-alive
Date: Thu, 10 May 2018 02:44:51 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 51
X-Kong-Proxy-Latency: 45
Via: kong/0.13.1

[{"id":1,"title":"Fashion That Changed the World","author":"Jennifer Croll"}]

=========================================================================================
添加第2个username为john的消费者,{custom_id}参数可省略,此参数是个自定义唯一标识,
它作用是把消费者john映射到另外一个数据库上
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=john" \
--data "custom_id=abc12345"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:47:29 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"custom_id": "abc12345",
"created_at": 1525920449000,
"username": "john",
"id": "73f0a0b2-1bf0-45fa-adbf-36b7fcde0929"
}


为第2个用户john启用Basic验证插件
URL格式:http://localhost:8001/consumers/{username or consumer_id}/basic-auth
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/john/basic-auth \
--data "username=john@hotmail.com" \
--data "password=123456"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:48:54 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525920535000,
"id": "491a39df-d90a-4f42-933e-24662cfbac07",
"username": "john@hotmail.com",
"password": "b80b4aedd1a25a9803859f07b836f518541ab81e",
"consumer_id": "73f0a0b2-1bf0-45fa-adbf-36b7fcde0929"
}


在线base64编码工具http://tool.oschina.net/encrypt?type=3
键-值对{username:password}字符串
john@hotmail.com:123456 左边的键-值对字符串BASE64编码结果为:
am9obkBob3RtYWlsLmNvbToxMjM0NTY=
使用用户john的Basic验证方式访问书籍数据接口
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Basic am9obkBob3RtYWlsLmNvbToxMjM0NTY=" \
--header ‘Host: contoso.com‘

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Thu, 10 May 2018 02:50:35 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 25
X-Kong-Proxy-Latency: 40
Via: kong/0.13.1

[{"id":2,"title":"Brigitte Bardot - My Life in Fashion","author":"Henry-Jean Servat and Brigitte Bardot"}]

=========================================================================================
添加第3个username为cathy的消费者,{custom_id}参数可省略,此参数是个自定义唯一标识,
它作用是把消费者cathy映射到另外一个数据库上
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=cathy"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:52:07 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"created_at":1525920728000,"username":"cathy","id":"3fdb9381-d7fd-4f1c-a7ce-f4ea86d9aae2"}


为第3个用户cathy启用Basic验证插件
URL格式:http://localhost:8001/consumers/{username or consumer_id}/basic-auth
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/cathy/basic-auth \
--data "username=cathy@hotmail.com" \
--data "password=123456"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:52:28 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525920748000,
"id": "cca66a54-ed18-458f-8c7c-73ea935eecd9",
"username": "cathy@hotmail.com",
"password": "6cfa32217d05a53174453837799bf8f6a9a03aac",
"consumer_id": "3fdb9381-d7fd-4f1c-a7ce-f4ea86d9aae2"
}


在线base64编码工具http://tool.oschina.net/encrypt?type=3
键-值对{username:password}字符串
cathy@hotmail.com:123456 左边的键-值对字符串BASE64编码结果为:
Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2
使用用户cathy的Basic验证方式访问书籍数据接口
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2" \
--header ‘Host: contoso.com‘

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63
Connection: keep-alive
Date: Thu, 10 May 2018 02:53:26 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 38
X-Kong-Proxy-Latency: 31
Via: kong/0.13.1

[{"id":3,"title":"The Fashion Image","author":"Thomas Werner"}]

*****************************************************************************************


为book服务启用ACL访问控制列表插件,并且定义黑名单group3和group4
URL格式:http://localhost:8001/services/{service}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=acl" \
--data "config.blacklist=group3, group4"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 03:03:15 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525921395000,
"config": {
"blacklist": [
"group3",
"group4"
]
},
"id": "edcf403d-9bf4-46ae-84f3-cfccc34d56f1",
"enabled": true,
"service_id": "dca12a5d-10c4-4bf9-8a49-500c3935cae5",
"name": "acl"
}


为book服务的路由{route_id}启动ACL访问控制列表插件,并且定义黑名单group3和group4
URL格式:http://localhost:8001/routes/{route_id}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/routes/80569820-4d8c-4565-9c3c-b5e0475b0122/plugins \
--data "name=acl" \
--data "config.blacklist=group3, group4"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 03:05:53 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525921551000,
"config": {
"blacklist": [
"group3",
"group4"
]
},
"id": "ae051c27-340c-4e20-a440-9e32721a2a6d",
"enabled": true,
"route_id": "80569820-4d8c-4565-9c3c-b5e0475b0122",
"name": "acl"
}

即使建立黑名单列表group3和group4,只要没把用户jack、john和cathy任何一个人关联到黑名单group3或者黑名单group4
那么以下命令依然可以访问book服务:

curl -i -X GET \
--url http://localhost:8000/v1/books/1 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header ‘Host: contoso.com‘


curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Basic am9obkBob3RtYWlsLmNvbToxMjM0NTY=" \
--header ‘Host: contoso.com‘


curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2" \
--header ‘Host: contoso.com‘


我们如何把不按照我们业务规则或者带攻击性的用户加入黑名单?
答:我们现在可以使用以下命令将黑名单组group4关联到消费者jack:
URL格式:http://localhost:8001/consumers/{consumer_id or username}/acls
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/acls \
--data "group=group4"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 03:17:58 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"group": "group4",
"created_at": 1525922278000,
"id": "bf3d30cc-67c5-4b05-b6bf-7a75f551aa64",
"consumer_id": "14af98df-237a-4555-bc00-580db0b26032"
}


以下命令执行结果表明:加入白名单的用户jack有权访问书籍数据接口
在线base64编码工具http://tool.oschina.net/encrypt?type=3
键-值对{username:password}字符串
jack@hotmail.com:123456 左边的键-值对字符串BASE64编码结果为:
amFja0Bob3RtYWlsLmNvbToxMjM0NTY=
使用用户jack的Basic验证方式访问书籍数据接口
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/1 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header ‘Host: contoso.com‘

HTTP/1.1 403 Forbidden
Date: Thu, 10 May 2018 03:19:39 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1

{"message":"You cannot consume this service"}

没有加入黑名单的用户john依然可以访问book服务
以下命令执行结果表明:即没有加入白名单也没有加入黑名单用户组的用户无权访问书籍数据接口
键-值对{username:password}字符串
john@hotmail.com:123456 左边的键-值对字符串BASE64编码结果为:
am9obkBob3RtYWlsLmNvbToxMjM0NTY=
使用用户john的Basic验证方式访问书籍数据接口
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Basic am9obkBob3RtYWlsLmNvbToxMjM0NTY=" \
--header ‘Host: contoso.com‘

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Thu, 10 May 2018 03:22:35 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 23
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

[{"id":2,"title":"Brigitte Bardot - My Life in Fashion","author":"Henry-Jean Servat and Brigitte Bardot"}]


没有加入黑名单的用户cathy依然可以访问book服务
以下命令执行结果表明:即没有加入白名单也没有加入黑名单用户组的用户无权访问书籍数据接口
键-值对{username:password}字符串
cathy@hotmail.com:123456 左边的键-值对字符串BASE64编码结果为:
Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2
使用用户cathy的Basic验证方式访问书籍数据接口
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2" \
--header ‘Host: contoso.com‘

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63
Connection: keep-alive
Date: Thu, 10 May 2018 03:23:02 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 25
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

[{"id":3,"title":"The Fashion Image","author":"Thomas Werner"}]


如何使用命令将黑名单组group4到消费者jack的关联取消 ------ 删掉用户与黑名单之间关联让用户继续能够访问book服务
[root@contoso ~]# curl -i -X GET http://localhost:8001/consumers/jack/acls
HTTP/1.1 200 OK
Date: Thu, 10 May 2018 03:24:50 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"total":1,"data":[{"group":"group4","created_at":1525922278000,"id":"bf3d30cc-67c5-4b05-b6bf-7a75f551aa64","consumer_id":"14af98df-237a-4555-bc00-580db0b26032"}]}
[root@contoso ~]# curl -i -X GET http://localhost:8001/consumers/jack/acls/bf3d30cc-67c5-4b05-b6bf-7a75f551aa64
HTTP/1.1 200 OK
Date: Thu, 10 May 2018 03:25:48 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"group":"group4","created_at":1525922278000,"id":"bf3d30cc-67c5-4b05-b6bf-7a75f551aa64","consumer_id":"14af98df-237a-4555-bc00-580db0b26032"}
[root@contoso ~]# curl -i -X DELETE http://localhost:8001/consumers/jack/acls/bf3d30cc-67c5-4b05-b6bf-7a75f551aa64
HTTP/1.1 204 No Content
Date: Thu, 10 May 2018 03:26:00 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
// 此处虽然没有删除成功的提示,但确实已经删掉用户与黑名单之间关联
[root@contoso ~]#
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/1 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header ‘Host: contoso.com‘

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 77
Connection: keep-alive
Date: Thu, 10 May 2018 03:29:46 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 23
X-Kong-Proxy-Latency: 5
Via: kong/0.13.1

[{"id":1,"title":"Fashion That Changed the World","author":"Jennifer Croll"}]

// 本来关联存黑名单存在时jack是不允许访问book服务的,现在变成了又可以继续访问book这个服务了,即恢复用户的合法访问身份
[root@contoso ~]#

*****************************************************************************************


备注:以下方式虽然能让同1个服务同1个用户 同时关联白名单和黑名单 但这么干违背官网定义黑名单与白名单不能同时在配置文件里定义的原则,故不建议向下面这么做(假如首先定义了白名单group1和group2):

[root@contoso ~]# curl http://localhost:8001/plugins/93419daf-ec5f-455a-8404-e0105f3c540f
[root@contoso ~]# curl -i -X PATCH \
--url http://localhost:8001/plugins/93419daf-ec5f-455a-8404-e0105f3c540f \
--data "config.blacklist=group3, group4"

HTTP/1.1 200 OK
Date: Wed, 09 May 2018 15:28:05 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1525795744000,
    "config": {
        "blacklist": [
            "group3",
            "group4"
        ],
        "whitelist": [
            "group1",
            "group2"
        ]
    },
    "id": "93419daf-ec5f-455a-8404-e0105f3c540f",
    "enabled": true,
    "service_id": "e55beddd-a9f1-4865-94ae-1b2e2bf4e6d5",
    "name": "acl"
}


[root@contoso ~]# curl http://localhost:8001/plugins/da001489-1e0e-4235-b32d-624dfe9e5518
[root@contoso ~]# curl -i -X PATCH \
--url http://localhost:8001/plugins/da001489-1e0e-4235-b32d-624dfe9e5518 \
--data "config.blacklist=group3, group4"

HTTP/1.1 200 OK
Date: Wed, 09 May 2018 15:30:11 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1525795992000,
    "config": {
        "blacklist": [
            "group3",
            "group4"
        ],
        "whitelist": [
            "group1",
            "group2"
        ]
    },
    "id": "da001489-1e0e-4235-b32d-624dfe9e5518",
    "enabled": true,
    "route_id": "cbcb0d5f-e95a-4114-8aa0-3f77283cc980",
    "name": "acl"
}


现在可以使用以下命令将黑名单组group3关联到消费者jack:
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/acls \
--data "group=group3"
HTTP/1.1 201 Created
Date: Wed, 09 May 2018 15:41:37 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "group": "group3",
    "created_at": 1525880497000,
    "id": "4af05fd8-816e-4151-b0fe-77300af200a4",
    "consumer_id": "d81de922-1dab-4ec4-9a7c-91403b6b1d51"
}


[root@contoso ~]# curl -i -X GET http://localhost:8001/consumers/jack/acls
HTTP/1.1 200 OK
Date: Wed, 09 May 2018 16:06:21 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "total": 2,
    "data": [
        {
            "group": "group1",     // 白名单组
            "created_at": 1525797101000,
            "id": "b2534048-7f56-440b-87c0-da56e90590df",
            "consumer_id": "d81de922-1dab-4ec4-9a7c-91403b6b1d51"
        },
        {
            "group": "group3",     // 黑名单组
            "created_at": 1525880497000,
            "id": "4af05fd8-816e-4151-b0fe-77300af200a4",
            "consumer_id": "d81de922-1dab-4ec4-9a7c-91403b6b1d51"
        }
    ]
}

当用户jack即关联到白名单又关联到黑名单时,那么用户jack就不能消费book服务
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header ‘Host: contoso.com‘

HTTP/1.1 403 Forbidden
Date: Wed, 09 May 2018 15:44:56 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1

{"message":"You cannot consume this service"}
————————————————
版权声明:本文为CSDN博主「zhengzizhi」的原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/zhengzizhi/article/details/80262757

Kong Gateway - 11 基于网关服务的ACL访问控制列表 黑名单

标签:list   regex   set   不能   apach   upstream   post   ***   编码工具   

原文地址:https://www.cnblogs.com/fqnb001/p/12369490.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!