Using the Kong ACL plugin (access control list, blacklist mode)

 

 

--- Configure a first-api service in Kong
After installing and starting Kong, use the Admin API on port 8001 to add a service named first-api:

curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=first-api' \
--data 'url=http://jcca.tech/first'

HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:36:50 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 293
X-Kong-Admin-Latency: 5

{"host":"jcca.tech","created_at":1592905010,"connect_timeout":60000,"id":"672bccd6-f72e-44dd-b601-dc13ba0c32fa","protocol":"http","name":"first-api","read_timeout":60000,"port":80,"path":"\/first","updated_at":1592905010,"retries":5,"write_timeout":60000,"tags":null,"client_certificate":null}

------- Add a route (paths[] here is /first, the same path as in the first-api service URL)

This exposes the first-api service to users; a single route is enough for it. Kong keeps strip_path=true by default, so the matched prefix /first is removed before proxying and the upstream receives http://jcca.tech/first followed by whatever came after /first in the request. Because hosts[] is set to jcca.tech, requests through the proxy port must carry the header Host: jcca.tech, which is why every request below sends it.

curl -i -X POST \
--url http://localhost:8001/services/first-api/routes \
--data 'hosts[]=jcca.tech' \
--data 'paths[]=/first'

HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:38:42 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 434
X-Kong-Admin-Latency: 7

{"id":"a852b4f5-fce4-4a59-a82b-c1993285770d","path_handling":"v0","paths":["\/first"],"destinations":null,"headers":null,"protocols":["http","https"],"methods":null,"snis":null,"service":{"id":"672bccd6-f72e-44dd-b601-dc13ba0c32fa"},"name":null,"strip_path":true,"preserve_host":false,"regex_priority":0,"updated_at":1592905122,"sources":null,"hosts":["jcca.tech"],"https_redirect_status_code":426,"tags":null,"created_at":1592905122}

------- Verify the service through the proxy port (8000) using the route path

curl -i -X GET \
--url http://localhost:8000/first \
--header 'Host: jcca.tech'

HTTP/1.1 200 
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Tue, 23 Jun 2020 09:39:25 GMT
X-Kong-Upstream-Latency: 11
X-Kong-Proxy-Latency: 322
Via: kong/2.0.4

Hello World---------------first

------- Verify the route by listing the routes attached to the first-api service

curl -i -X GET \
--url http://localhost:8001/services/first-api/routes

HTTP/1.1 200 OK
Date: Tue, 23 Jun 2020 09:41:28 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 457
X-Kong-Admin-Latency: 2

{"next":null,"data":[{"id":"a852b4f5-fce4-4a59-a82b-c1993285770d","path_handling":"v0","paths":["\/first"],"destinations":null,"headers":null,"protocols":["http","https"],"methods":null,"snis":null,"service":{"id":"672bccd6-f72e-44dd-b601-dc13ba0c32fa"},"name":null,"strip_path":true,"preserve_host":false,"regex_priority":0,"updated_at":1592905122,"sources":null,"hosts":["jcca.tech"],"https_redirect_status_code":426,"tags":null,"created_at":1592905122}]}

Enable the basic-auth plugin on the route {route_id} of the first-api service (hide_credentials=true strips the Authorization header before the request is forwarded upstream)
URL format: http://localhost:8001/routes/{route_id}/plugins
curl -i -X POST \
--url http://localhost:8001/routes/a852b4f5-fce4-4a59-a82b-c1993285770d/plugins \
--data "name=basic-auth"  \
--data "config.hide_credentials=true"

HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:44:18 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 297
X-Kong-Admin-Latency: 7

{"created_at":1592905458,"config":{"hide_credentials":true,"anonymous":null},"id":"c68dbdb9-4861-490a-8145-68b31118057e","service":null,"enabled":true,"protocols":["grpc","grpcs","http","https"],"name":"basic-auth","consumer":null,"route":{"id":"a852b4f5-fce4-4a59-a82b-c1993285770d"},"tags":null}

 

Add the first consumer, username jack. The {custom_id} parameter is optional: it is a unique identifier of your choosing, used to map the consumer to an existing user record in your own database.

curl -i -X POST \
--url http://localhost:8001/consumers/  \
--data "username=jack"
 

HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:45:50 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 116
X-Kong-Admin-Latency: 5

{"custom_id":null,"created_at":1592905550,"id":"d071e5e1-e017-44d6-bc06-50cb7aa9ad8b","tags":null,"username":"jack"}

Create a Basic auth credential for the first consumer, jack
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth

curl -i -X POST \
--url http://localhost:8001/consumers/jack/basic-auth \
--data "username=jack" \
--data "password=123456"

HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:57:41 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 210
X-Kong-Admin-Latency: 6

{"created_at":1592906261,"consumer":{"id":"d071e5e1-e017-44d6-bc06-50cb7aa9ad8b"},"id":"b0c162d8-04e4-4df2-a70b-9e2ab7c0bc29","tags":null,"password":"c8fc1290af917665d0bb0e09500a2de6b1508829","username":"jack"}

The Authorization header carries base64("username:password"). Compute it locally (the base64 utility on any Linux box, or curl's -u option, which builds the header for you) rather than pasting a password into an online encoder. Base64 is an encoding, not encryption: anyone who can read the header recovers the password, so Basic auth is only acceptable over HTTPS, and the plain-HTTP proxy port 8000 used here is fine for a lab only. Note also that the password field Kong returned above is the hash it stores (SHA-1 salted with the consumer id), not the plaintext.
jack:123456 base64-encoded is: amFjazoxMjM0NTY=
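As an added example (not code from the original page or from Kong), here is the local replacement for an online encoder: it builds the Authorization value for any of the three consumers and decodes it again, which is exactly why Basic auth needs TLS. The credentials are the page's own (jack, john, cathy with password 123456); nothing else is assumed.

```python
import base64
import binascii
from typing import Tuple

# Added example: build and decode HTTP Basic credentials locally instead of
# pasting passwords into a third-party web encoder. The sample credentials are
# the ones used on this page (jack/john/cathy with password 123456).


def basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for HTTP Basic auth."""
    if ":" in username:
        # RFC 7617: the user-id must not contain a colon, because the first
        # colon separates user-id from password when the token is decoded.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """Recover (username, password) from an Authorization header value.

    Base64 is reversible: anyone who can read the header on the plain-HTTP
    proxy port recovers the password. Basic auth therefore belongs behind TLS.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic token lacks the ':' separator")
    return user, password


if __name__ == "__main__":
    for user in ("jack", "john", "cathy"):
        hdr = basic_auth_header(user, "123456")
        print(f"{user}: {hdr} -> {decode_basic_auth(hdr)}")
```

Use the returned value as the Authorization header in the curl calls below; the decode function shows how little protection the encoding gives.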

Access the first endpoint as jack using Basic auth:
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic amFjazoxMjM0NTY=" \
--header 'Host: jcca.tech'

HTTP/1.1 200 
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 00:58:31 GMT
X-Kong-Upstream-Latency: 3
X-Kong-Proxy-Latency: 1
Via: kong/2.0.4

Hello World---------------first

Add the second consumer, username john, this time with a custom_id (optional; a unique identifier of your choosing that maps the consumer to a user record in your own database)
curl -i -X POST \
--url http://localhost:8001/consumers/  \
--data "username=john" \
--data "custom_id=abc12345"

HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:03:32 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 122
X-Kong-Admin-Latency: 6

{"custom_id":"abc12345","created_at":1592960612,"id":"67b7abaf-cc01-4d78-8006-8d36fb46da11","tags":null,"username":"john"}

Create a Basic auth credential for the second consumer, john
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
curl -i -X POST \
--url http://localhost:8001/consumers/john/basic-auth \
--data "username=john" \
--data "password=123456"
 

HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:04:59 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 210
X-Kong-Admin-Latency: 6

{"created_at":1592960699,"consumer":{"id":"67b7abaf-cc01-4d78-8006-8d36fb46da11"},"id":"ca058e63-8d52-4d89-9317-77a082902cde","tags":null,"password":"5febf254a953961c96d7ceb868316a19b943ee28","username":"john"}

Computed locally as above, john:123456 base64-encoded is:
am9objoxMjM0NTY=

Access the first endpoint as john using Basic auth:
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic am9objoxMjM0NTY=" \
--header 'Host: jcca.tech'

HTTP/1.1 200 
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:08:17 GMT
X-Kong-Upstream-Latency: 11
X-Kong-Proxy-Latency: 2
Via: kong/2.0.4

Hello World---------------first


Add the third consumer, username cathy (custom_id omitted)

 curl -i -X POST \
--url http://localhost:8001/consumers/  \
--data "username=cathy"

HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:09:38 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 117
X-Kong-Admin-Latency: 6

{"custom_id":null,"created_at":1592960978,"id":"98a8fcab-0a6b-4a0f-aea1-544e192571b7","tags":null,"username":"cathy"}

Create a Basic auth credential for the third consumer, cathy
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
curl -i -X POST \
--url http://localhost:8001/consumers/cathy/basic-auth \
--data "username=cathy" \
--data "password=123456"
 

HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:10:36 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 211
X-Kong-Admin-Latency: 5

{"created_at":1592961036,"consumer":{"id":"98a8fcab-0a6b-4a0f-aea1-544e192571b7"},"id":"b6269ffc-50eb-40fe-957a-a5988551da06","tags":null,"password":"99579e578ced438e5d5959a9bc43b97ba7fb2667","username":"cathy"}

Computed locally as above, cathy:123456 base64-encoded is:
Y2F0aHk6MTIzNDU2

Access the first endpoint as cathy using Basic auth:
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic Y2F0aHk6MTIzNDU2" \
--header 'Host: jcca.tech'
 

HTTP/1.1 200 
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:15:09 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 257
Via: kong/2.0.4

Hello World---------------first


Enable the ACL plugin on the first-api service and define the blacklist groups blacklist_group1 and blacklist_group2
URL format: http://localhost:8001/services/{service}/plugins
ACL only works behind an authentication plugin (basic-auth here), because it decides on the groups of the consumer that plugin identified. The blacklist/whitelist parameters of Kong 2.0.x were renamed deny/allow in Kong 2.1. Check the response carefully: the comma-separated value below was stored as a single array element holding the whole string "blacklist_group1, blacklist_group2", not as two groups. Sending each group as its own element (config.blacklist[]=blacklist_group1 and config.blacklist[]=blacklist_group2) avoids this, and the response should then list the two names separately.


curl -i -X POST \
--url http://localhost:8001/services/first-api/plugins \
--data "name=acl"  \
--data "config.blacklist=blacklist_group1, blacklist_group2"
 

HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:19:06 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 344
X-Kong-Admin-Latency: 7

{
	"created_at": 1592961546,
	"config": {
		"hide_groups_header": false,
		"blacklist": ["blacklist_group1, blacklist_group2"],
		"whitelist": null
	},
	"id": "d2820ca9-4634-4bb5-bdc0-b25c439be8c9",
	"service": {
		"id": "672bccd6-f72e-44dd-b601-dc13ba0c32fa"
	},
	"enabled": true,
	"protocols": ["grpc", "grpcs", "http", "https"],
	"name": "acl",
	"consumer": null,
	"route": null,
	"tags": null
}

Enable the ACL plugin on the route {route_id} of the first-api service as well, with the same blacklist blacklist_group1 and blacklist_group2
URL format: http://localhost:8001/routes/{route_id}/plugins
A second instance is not needed for this demo: when the same plugin is configured on both a route and its service, Kong runs only the more specific (route-level) configuration for requests matching that route.


curl -i -X POST \
--url http://localhost:8001/routes/a852b4f5-fce4-4a59-a82b-c1993285770d/plugins \
--data "name=acl"  \
--data "config.blacklist=blacklist_group1, blacklist_group2"


 

HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:22:18 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 344
X-Kong-Admin-Latency: 7

{
	"created_at": 1592961738,
	"config": {
		"hide_groups_header": false,
		"blacklist": ["blacklist_group1, blacklist_group2"],
		"whitelist": null
	},
	"id": "1453eb6d-60f7-46da-af28-2166b439b40d",
	"service": null,
	"enabled": true,
	"protocols": ["grpc", "grpcs", "http", "https"],
	"name": "acl",
	"consumer": null,
	"route": {
		"id": "a852b4f5-fce4-4a59-a82b-c1993285770d"
	},
	"tags": null
}
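Added example (not Kong's code or the page's): how to send an array-valued plugin parameter to the form-encoded Admin API without ambiguity, and how to verify what Kong actually stored from the create response before relying on it. PAGE_RESPONSE is the service-level response copied from above; FIXED_RESPONSE is a constructed, abbreviated response showing what a correctly stored two-element list looks like. The repeated `config.blacklist[]=value` field form is Kong's documented array syntax for form-encoded requests.

```python
import json
from typing import List
from urllib.parse import urlencode

# Added example: encode array-valued plugin config for Kong's form-encoded
# Admin API and check the stored value in the response.


def acl_plugin_form(groups: List[str], field: str = "config.blacklist") -> str:
    """Form body that sends each ACL group as its own array element.

    Kong's Admin API accepts repeated `name[]=value` pairs for array fields,
    which avoids the ambiguity of one comma-separated string.
    """
    return urlencode([("name", "acl")] + [(f"{field}[]", g) for g in groups])


def stored_groups(response_body: str, field: str = "blacklist") -> List[str]:
    """Extract the group list Kong reports in a plugin create/get response."""
    cfg = json.loads(response_body)["config"]
    return list(cfg.get(field) or [])


def config_matches(response_body: str, expected: List[str],
                   field: str = "blacklist") -> bool:
    """True only if Kong stored exactly the intended groups as separate elements."""
    return sorted(stored_groups(response_body, field)) == sorted(expected)


# Response copied from this page for the comma-separated request: the whole
# string landed in ONE array element.
PAGE_RESPONSE = (
    '{"created_at":1592961546,"config":{"hide_groups_header":false,'
    '"blacklist":["blacklist_group1, blacklist_group2"],"whitelist":null},'
    '"id":"d2820ca9-4634-4bb5-bdc0-b25c439be8c9",'
    '"service":{"id":"672bccd6-f72e-44dd-b601-dc13ba0c32fa"},"enabled":true,'
    '"protocols":["grpc","grpcs","http","https"],"name":"acl","consumer":null,'
    '"route":null,"tags":null}'
)

# Constructed (abbreviated) response showing a correctly stored two-group list.
FIXED_RESPONSE = (
    '{"config":{"hide_groups_header":false,'
    '"blacklist":["blacklist_group1","blacklist_group2"],"whitelist":null},'
    '"name":"acl"}'
)

INTENDED = ["blacklist_group1", "blacklist_group2"]

if __name__ == "__main__":
    print("form body      :", acl_plugin_form(INTENDED))
    print("page response  :", stored_groups(PAGE_RESPONSE), config_matches(PAGE_RESPONSE, INTENDED))
    print("fixed response :", stored_groups(FIXED_RESPONSE), config_matches(FIXED_RESPONSE, INTENDED))
```

Feed the form body to curl with --data, then run the create response through config_matches; a False result means the gateway is not enforcing the policy you think it is.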


With a blacklist, only consumers that belong to blacklist_group1 or blacklist_group2 are rejected; an authenticated consumer with no ACL group at all is still let through. A deny-list is therefore fail-open for every consumer you forgot about, and a whitelist (allow-list) is the least-privilege choice whenever the set of permitted callers is known. As long as none of jack, john and cathy has been added to either group, the following requests still reach the first service:


----------------- consumer jack: request -----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic amFjazoxMjM0NTY=" \
--header 'Host: jcca.tech'

HTTP/1.1 200 
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:26:20 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 17
Via: kong/2.0.4

Hello World---------------first

----------------- consumer john: request -----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic am9objoxMjM0NTY=" \
--header 'Host: jcca.tech'

HTTP/1.1 200 
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:26:57 GMT
X-Kong-Upstream-Latency: 5
X-Kong-Proxy-Latency: 2
Via: kong/2.0.4

Hello World---------------first

----------------- consumer cathy: request -----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic Y2F0aHk6MTIzNDU2" \
--header 'Host: jcca.tech'

HTTP/1.1 200 
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:28:25 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 272
Via: kong/2.0.4

Hello World---------------first

Sometimes an external consumer has to be shut out. Add consumer jack to the blacklist group blacklist_group2:
URL format: http://localhost:8001/consumers/{consumer_id or username}/acls

curl -i -X POST \
--url http://localhost:8001/consumers/jack/acls \
--data "group=blacklist_group2"
 

HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:29:51 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 165
X-Kong-Admin-Latency: 7

{"created_at":1592962191,"consumer":{"id":"d071e5e1-e017-44d6-bc06-50cb7aa9ad8b"},"id":"cd67bfa0-b376-49a5-af75-150acd70b9d5","group":"blacklist_group2","tags":null}

Now see what happens when jack, who is in blacklist_group2, repeats the same request:

----------------- consumer jack: request -----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic amFjazoxMjM0NTY=" \
--header 'Host: jcca.tech'

HTTP/1.1 403 Forbidden
Date: Wed, 24 Jun 2020 02:00:59 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 45
X-Kong-Response-Latency: 2
Server: kong/2.0.4

{"message":"You cannot consume this service"}

john and cathy, who are in neither blacklist group, can still access the first service. Because hide_groups_header is false, the upstream also receives an X-Consumer-Groups header listing the consumer's ACL groups.

----------------- consumer john: request -----------

curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic am9objoxMjM0NTY=" \
--header 'Host: jcca.tech'

HTTP/1.1 200 
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 02:01:17 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 0
Via: kong/2.0.4

Hello World---------------first

----------------- consumer cathy: request -----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic Y2F0aHk6MTIzNDU2" \
--header 'Host: jcca.tech'
 

HTTP/1.1 200 
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 02:05:05 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 1094
Via: kong/2.0.4

Hello World---------------first
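Added example, a Python model rather than Kong's own Lua plugin code: the allow-list / deny-list decision made after basic-auth has identified the consumer. It reproduces the outcomes seen above (jack denied, john and cathy allowed) and adds a hypothetical consumer newcomer with no ACL group and a hypothetical allow group api_users to show the difference between the two modes: under a deny-list the unknown consumer gets through, under an allow-list it does not. Exact group-name matching and the 401 for an unidentified consumer are assumptions of the model; one plugin instance on Kong 2.0.x carries either a whitelist or a blacklist, so the model is called with one policy at a time.

```python
from typing import Dict, FrozenSet, Optional, Sequence

# Added example (model, not Kong's code): allow-list vs deny-list decision
# for an authenticated consumer, to show why a deny-list is fail-open.

HTTP_OK, HTTP_UNAUTHORIZED, HTTP_FORBIDDEN = 200, 401, 403


def acl_decision(consumer_groups: Optional[FrozenSet[str]],
                 deny: Sequence[str] = (),
                 allow: Sequence[str] = ()) -> int:
    """Return the HTTP status the gateway should answer with.

    consumer_groups is None when no authentication plugin identified a
    consumer. Matching is on exact group names (model assumption).
    """
    if consumer_groups is None:
        return HTTP_UNAUTHORIZED          # ACL needs an identified consumer first
    if deny and consumer_groups & set(deny):
        return HTTP_FORBIDDEN             # listed in a denied group
    if allow and not (consumer_groups & set(allow)):
        return HTTP_FORBIDDEN             # allow-list configured, not a member
    return HTTP_OK


# Constructed consumer -> groups table mirroring the page after jack was added
# to blacklist_group2. "newcomer" is a hypothetical consumer with no ACL group.
CONSUMERS: Dict[str, FrozenSet[str]] = {
    "jack": frozenset({"blacklist_group2"}),
    "john": frozenset(),
    "cathy": frozenset(),
    "newcomer": frozenset(),
}

DENY = ("blacklist_group1", "blacklist_group2")   # the page's blacklist
ALLOW = ("api_users",)                             # hypothetical allow group


def decisions(policy: Dict[str, Sequence[str]]) -> Dict[str, int]:
    """Evaluate one policy (deny=... or allow=...) for every constructed consumer."""
    return {name: acl_decision(groups, **policy) for name, groups in CONSUMERS.items()}


if __name__ == "__main__":
    print("deny-list  :", decisions({"deny": DENY}))    # newcomer slips through
    print("allow-list :", decisions({"allow": ALLOW}))  # nobody without api_users
    print("no consumer:", acl_decision(None, deny=DENY))
```

The deny-list run lets newcomer through with no group at all, while the allow-list run rejects everyone who was not explicitly granted api_users; that asymmetry is the reason to prefer the whitelist (allow in Kong 2.1 and later) outside of lab setups.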

 

 

 
