Skip to main content

Version: 3.2.9.5

Apply List-Based Access Control

Once authentication is enabled both on the API and consumer sides, consumers will gain access to all APIs using the same authentication plugin. However, in certain scenarios, it requires a more precise access control for APIs. This means that even if a consumer has enabled the appropriate authentication plugin, the consumer must also be on a whitelist to access the API. Each API will have its own distinct whitelist or blacklist.

This tutorial guides you through the process of creating a consumer whitelist to manage access control through the consumer-restriction plugin.

Prerequisites

  1. Obtain a user account with Super Admin or API Provider role.
  2. Publish a service.
  3. Set up API authentication.
  4. Manage consumer credentials.

Restricted by Consumer Name

When receiving an API request, API7 Enterprise extracts the credentials and looks up the consumer's name. Therefore, the route does not need to directly recognize the credentials. It uses the consumer's name, which is more user-friendly.

Since plugin configurations are not considered Runtime Configurations, you should modify it in the service template and then publish a new version to the gateway group.

  1. Select Services from the side navigation bar and then select Swagger Petstore.

  2. Select Plugins from the side navigation bar.

  3. In the Plugins field, search the consumer-restriction plugin.

  4. Click the Plus icon (+) and a dialog box appears.

  5. Apply the following configurations:

    {
    "whitelist": [
    "Alice"
    ]
    }
  6. Click Enable.

  7. You can also enable the consumer-restriction plugin at the service level to impact all routes if those routes share the same whitelist.

Validate

  1. Add a new consumer Lisa and enable the key-auth plugin with the following configuration.

    {
    "key": "secret-key2"
    }
  2. Use the key of Alice for the API requests:

    curl -i "http://127.0.0.1:9080/pet/1" -H "apikey: secret-key" 

    You should see the following output:

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 323
    Connection: keep-alive
    Date: Fri, 01 Sep 2023 07:00:09 GMT
    x-srv-trace: v=1;t=569591aa680bb202
    x-srv-span: v=1;s=b5cbb398895e3f13
    Access-Control-Allow-Origin: *
    X-RateLimit-Limit: 120
    X-RateLimit-Remaining: 119
    X-RateLimit-Reset: 1693551669
    ETag: W/"143-JIrwO+Sx1/7FTTpJ2ljwAfgaRCY"
    Vary: Accept-Encoding
    Server: APISIX/dev

    {
    "name": "Dog",
    "photoUrls": [
    "https://example.com/dog-1.jpg",
    "https://example.com/dog-2.jpg"
    ],
    "id": 1,
    "category": {
    "id": 1,
    "name": "pets"
    },
    "tags": [
    {
    "id": 1,
    "name": "friendly"
    },
    {
    "id": 2,
    "name": "smart"
    }
    ],
    "status": "available"
    }
  3. Use the key of Lisa for the API requests:

    curl -i "http://127.0.0.1:9080/pet/1" -H "apikey: secret-key2" 

    You should see the following output:

    HTTP/1.1 403 Forbidden
    Date: Fri, 01 Sep 2023 07:00:05 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: APISIX/dev

    {"message":"The consumer_name is forbidden."}

API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation