Skip to main content

Version: 3.2.14.4.1

Apply List-Based Access Control

Sometimes, you will require more precise access control than what authentication plugins offer. For example, you might want to keep a whitelist of consumers who can access your API. Now, a consumer must send an authenticated request and be on the whitelist (and not on the blacklist) to access the API.

This tutorial guides you in configuring precise access control by creating a consumer whitelist through the consumer-restriction plugin.

Prerequisites

  1. Install API7 Enterprise.
  2. Have a running API on the gateway group.
  3. Have a consumer with authentication enabled.

Restrict by Consumer Name

When a consumer makes an authenticated request, API7 Gateway passes on the consumer's name to the routes. So, the routes do not need to access the consumer's credentials directly, which is more user-friendly.

  1. Select Published Services of your gateway group from the side navigation bar, then select the service you want to configure, for example, httpbin with version 1.0.0.
  2. Select Plugins from the side navigation bar, then click Enable Plugin.
  3. Search for the consumer-restriction plugin, then click Enable.
  4. In the dialog box, do the following:
  • Add the following configuration to the JSON Editor:

    {
    "whitelist": [
    "Alice"
    ]
    }

    If you had followed the prerequisite tutorial, you would already have a consumer Alice with the key-auth plugin enabled.

  • Click Enable.

  1. Create a new consumer Lisa and enable the key-auth plugin with the following configuration to the JSON Editor:

    {
    "key": "secret-key2"
    }

Validate

Make a request to the service as the consumer Alice:

curl -i "http://127.0.0.1:9080/ip" -H "apikey: secret-key" 

You will see that the request is successful with a 200 OK response because the consumer Alice is in the whitelist.

Now, make a request to the service as the newly created consumer Lisa:

curl -i "http://127.0.0.1:9080/ip" -H "apikey: secret-key2" 

You will receive a 403 Forbidden response with the following request body as the consumer Lisa was not added to the whitelist:

{"message":"The consumer_name is forbidden."}

Additional Resource(s)


API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation