Apply List-Based Access Control

Once authentication is enabled both on the API and consumer sides, consumers will gain access to all APIs using the same authentication plugin. However, in certain scenarios, it requires a more precise access control for APIs. This means that even if a consumer has enabled the appropriate authentication plugin, the consumer must also be on a whitelist to access the API. Each API will have its own distinct whitelist or blacklist.

This tutorial guides you through the process of creating a consumer whitelist to manage access control through the consumer-restriction plugin.

Prerequisites

1. Obtain a user account with Super Admin or API Provider role.
2. Publish a service.
3. Set up API authentication.
4. Manage consumer credentials.

Restricted by Consumer Name

When receiving an API request, API7 Enterprise extracts the credentials and looks up the consumer's name. Therefore, the route does not need to directly recognize the credentials. It uses the consumer's name, which is more user-friendly.

Since plugin configurations are not considered Runtime Configurations, you should modify it in the service template and then publish a new version to the gateway group.

1. Select Services from the side navigation bar and then select Swagger Petstore.

2. Select Plugins from the side navigation bar.

3. In the Plugins field, search the consumer-restriction plugin.

4. Click the Plus icon (+) and a dialog box appears.

5. Apply the following configurations:

   {
     "whitelist": [
       "Alice"
     ]
   }

6. Click Enable.

7. You can also enable the consumer-restriction plugin at the service level to impact all routes if those routes share the same whitelist.

Validate

1. Add a new consumer Lisa and enable the key-auth plugin with the following configuration.

   {
     "key": "secret-key2"
   }

2. Use the key of Alice for the API requests:

   curl -i "http://127.0.0.1:9080/pet/1" -H "apikey: secret-key" 

   You should see the following output:

   HTTP/1.1 200 OK
   Content-Type: application/json; charset=utf-8
   Content-Length: 323
   Connection: keep-alive
   Date: Fri, 01 Sep 2023 07:00:09 GMT
   x-srv-trace: v=1;t=569591aa680bb202
   x-srv-span: v=1;s=b5cbb398895e3f13
   Access-Control-Allow-Origin: *
   X-RateLimit-Limit: 120
   X-RateLimit-Remaining: 119
   X-RateLimit-Reset: 1693551669
   ETag: W/"143-JIrwO+Sx1/7FTTpJ2ljwAfgaRCY"
   Vary: Accept-Encoding
   Server: APISIX/dev
   
   {
     "name": "Dog",
     "photoUrls": [
       "https://example.com/dog-1.jpg",
       "https://example.com/dog-2.jpg"
     ],
     "id": 1,
     "category": {
       "id": 1,
       "name": "pets"
     },
     "tags": [
       {
         "id": 1,
         "name": "friendly"
       },
       {
         "id": 2,
         "name": "smart"
       }
     ],
     "status": "available"
   }

3. Use the key of Lisa for the API requests:

   curl -i "http://127.0.0.1:9080/pet/1" -H "apikey: secret-key2" 

   You should see the following output:

   HTTP/1.1 403 Forbidden
   Date: Fri, 01 Sep 2023 07:00:05 GMT
   Content-Type: text/plain; charset=utf-8
   Transfer-Encoding: chunked
   Connection: keep-alive
   Server: APISIX/dev
   
   {"message":"The consumer_name is forbidden."}