Skip to main content

Version: 3.3.0

Apply List-Based Access Control

Sometimes, you will require more precise access control than what authentication plugins offer. For example, you might want to keep a whitelist of consumers who can access your API. Now, a consumer must send an authenticated request and be on the whitelist (and not on the blacklist) to access the API.

note

Consider if the API Portal is a better solution before implementing consumer-based access control.

This tutorial guides you in configuring precise access control by creating a consumer whitelist through the consumer-restriction plugin.

Prerequisites

  1. Install API7 Enterprise.
  2. Have a running API on the gateway group.
  3. Have a consumer with credentials.

Apply Consumer Whitelist

When a consumer makes an authenticated request, API7 Gateway passes on the consumer's name to the routes. So, the routes do not need to access the consumer's credentials directly, which is more user-friendly.

  1. Select Published Services of your gateway group from the side navigation bar, then select the service you want to configure, for example, httpbin with version 1.0.0.
  2. Select Plugins from the side navigation bar, then click Enable Plugin.
  3. Search for the Consumer Restriction Plugin, then click Enable.
  4. In the dialog box, do the following:
  • Add the following configuration to the JSON Editor:

    {
    "whitelist": [
    "Alice"
    ]
    }

    If you had followed the prerequisite tutorial, you would already have a consumer Alice with key authentication credentials.

  • Click Enable.

  1. Create a new consumer Lisa with key authentication credential where Key is lisa-key.

Validate

Make a request to the service as the consumer Alice:

curl -i "http://127.0.0.1:9080/ip" -H "apikey: alice-primary-key" 

You will see that the request is successful with a 200 OK response because the consumer Alice is in the whitelist.

Now, make a request to the service as the newly created consumer Lisa:

curl -i "http://127.0.0.1:9080/ip" -H "apikey: lisa-key" 

You will receive a 403 Forbidden response with the following request body as the consumer Lisa was not added to the whitelist:

{"message":"The consumer_name is forbidden."}

Apply Consumer Blacklist

The consumer-restriction plugin prioritizes the blacklist over the whitelist when determining access.

  1. Select Published Services of your gateway group from the side navigation bar, then select the service you want to configure, for example, httpbin with version 1.0.0.
  2. Select Plugins from the side navigation bar, then click Enable Plugin.
  3. Search for the consumer-restriction plugin, then click Enable.
  4. In the dialog box, do the following:
  • Add the following configuration to the JSON Editor:

    {
    "blacklist": [
    "Lisa"
    ]
    }

    If you had followed the prerequisite tutorial, you would already have a consumer Alice with key authentication credentials.

  • Click Enable.

  1. Create a new consumer Lisa with key authentication credential where Key is lisa-key.

Validate

Make a request to the service as the consumer Alice:

curl -i "http://127.0.0.1:9080/ip" -H "apikey: alice-primary-key" 

You will see that the request is successful with a 200 OK response because the consumer Alice is not in the blacklist.

Now, make a request to the service as the newly created consumer Lisa:

curl -i "http://127.0.0.1:9080/ip" -H "apikey: lisa-key" 

You will receive a 403 Forbidden response with the following request body as the consumer Lisa was added to the blacklist:

{"message":"The consumer_name is forbidden."}

Additional Resources


API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation