wolf-rbac
是一个基于APISIX认证及授权(rbac)插件,它需要与 consumer
一起配合才能工作。同时需要添加 wolf-rbac
到一个 service
或 route
中。
rbac功能由wolf提供, 有关wolf的更多信息, 请参考wolf文档。
git clone https://github.com/iGeeky/apisix-plugin-rbac
cd apisix-plugin-rbac
cp lua/wolf-rbac.lua /usr/local/apisix/lua/apisix/plugins
# 开发模式, 直接拷贝到源代码目录.
cp lua/wolf-rbac.lua path/to/incubator-apisix/lua/apisix/plugins/
修改配置文件 /usr/local/apisix/conf/config.yaml
, 添加wolf-rbac
到plugins
中.
- wolf-rbac
修改完成后, 请重启apisix.
server
: 设置wolf-server
的访问地址, 默认为:http://127.0.0.1:10080
.appid
: 设置应用id, 该应用id, 应该是在wolf-console中已经添加的应用id.
docker run -ti --rm -p 10095:10090 igeeky/restful-demo:latest
- 创建一个 consumer 对象,并设置插件
wolf-rbac
的值。
curl http://127.0.0.1:9080/apisix/admin/consumers -X PUT -d '
{
"username":"wolf_rbac",
"plugins":{
"wolf-rbac":{
"server":"http://127.0.0.1:10080",
"appid":"restful"
}
},
"desc":"wolf-rbac"
}'
你可以使用浏览器打开 dashboard:http://127.0.0.1:9080/apisix/dashboard/
,通过 web 界面来完成上面的操作,先增加一个 consumer:
然后在 consumer 页面中添加 wolf-rbac 插件:
注意: 上面填写的appid
需要在wolf控制中已经存在的.
- 创建 Upstream
curl http://127.0.0.1:9080/apisix/admin/upstreams/1 -X PUT -d '
{
"desc":"restful",
"nodes":{"127.0.0.1:10095":1},
"type":"roundrobin"
}'
- 创建 Route 或 Service 对象,并开启
wolf-rbac
插件。
curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d '
{
"methods": ["GET"],
"uri": "/*",
"plugins": {
"wolf-rbac": {}
},
"upstream_id": 1
}'
如果通过命令行,无法创建成功, 或无法生效, 请使用apisix-dashboard进行添加.
下面的appid
, username
, password
必须为wolf系统中真实存在的.
- 以POST application/json方式登陆.
curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i \
-H "Content-Type: application/json" \
-d '{"appid": "restful", "username":"test", "password":"user-password"}'
HTTP/1.1 200 OK
Date: Wed, 24 Jul 2019 10:33:31 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX web server
{"rbac_token":"V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc4ODIzNzQ3LCJleHAiOjE1Nzk0Mjg1NDd9.4rGPHv9hWPZ4G0p2F82gQciY8WIE2qdYNvAT_22X_Co","user_info":{"nickname":"test","username":"test","id":"749"}}
- 以POST x-www-form-urlencoded方式登陆
curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'appid=restful&username=test&password=user-password'
- 缺少 token
curl http://127.0.0.1:9080/api/user/list -i
HTTP/1.1 401 Unauthorized
...
{"message":"Missing rbac token in request"}
- token 放到请求头(Authorization)中:
curl http://127.0.0.1:9080/api/user/list \
-H 'Authorization: V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc4ODIzNzQ3LCJleHAiOjE1Nzk0Mjg1NDd9.4rGPHv9hWPZ4G0p2F82gQciY8WIE2qdYNvAT_22X_Co' -i
HTTP/1.1 200 OK
{....}
- token 放到请求头(x-rbac-token)中:
curl http://127.0.0.1:9080/api/user/list \
-H 'x-rbac-token: V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc4ODIzNzQ3LCJleHAiOjE1Nzk0Mjg1NDd9.4rGPHv9hWPZ4G0p2F82gQciY8WIE2qdYNvAT_22X_Co' -i
HTTP/1.1 200 OK
{....}
- token 放到请求参数中:
curl 'http://127.0.0.1:9080/api/user/list?rbac_token=V1%23restful%23eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc4ODIzNzQ3LCJleHAiOjE1Nzk0Mjg1NDd9.4rGPHv9hWPZ4G0p2F82gQciY8WIE2qdYNvAT_22X_Co' -i
HTTP/1.1 200 OK
{....}
- token 放到 cookie 中:
curl http://127.0.0.1:9080/api/user/list \
--cookie x-rbac-token=V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc4ODIzNzQ3LCJleHAiOjE1Nzk0Mjg1NDd9.4rGPHv9hWPZ4G0p2F82gQciY8WIE2qdYNvAT_22X_Co -i
HTTP/1.1 200 OK
{....}