---Configure a first-api service with Kong
After installing and starting Kong, use Kong's Admin API on port 8001 to add a service named first-api:
curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=first-api' \
--data 'url=http://jcca.tech/first'
HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:36:50 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 293
X-Kong-Admin-Latency: 5
{"host":"jcca.tech","created_at":1592905010,"connect_timeout":60000,"id":"672bccd6-f72e-44dd-b601-dc13ba0c32fa","protocol":"http","name":"first-api","read_timeout":60000,"port":80,"path":"\/first","updated_at":1592905010,"retries":5,"write_timeout":60000,"tags":null,"client_certificate":null}
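-------Add a route (the value of paths[] must match /v1/first-apis in the first-api service)
This exposes the first-api service so that users can reach it; the first-api service does not need more than one route.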
curl -i -X POST \
--url http://localhost:8001/services/first-api/routes \
--data 'hosts[]=jcca.tech' \
--data 'paths[]=/first'
HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:38:42 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 434
X-Kong-Admin-Latency: 7
{"id":"a852b4f5-fce4-4a59-a82b-c1993285770d","path_handling":"v0","paths":["\/first"],"destinations":null,"headers":null,"protocols":["http","https"],"methods":null,"snis":null,"service":{"id":"672bccd6-f72e-44dd-b601-dc13ba0c32fa"},"name":null,"strip_path":true,"preserve_host":false,"regex_priority":0,"updated_at":1592905122,"sources":null,"hosts":["jcca.tech"],"https_redirect_status_code":426,"tags":null,"created_at":1592905122}
-------Use the first-api service's path to verify that the service works
curl -i -X GET \
--url http://localhost:8000/first \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Tue, 23 Jun 2020 09:39:25 GMT
X-Kong-Upstream-Latency: 11
X-Kong-Proxy-Latency: 322
Via: kong/2.0.4
Hello World---------------first
-------Use the first-api service's path to verify that the route was created
curl -i -X GET \
--url http://localhost:8001/services/first-api/routes
HTTP/1.1 200 OK
Date: Tue, 23 Jun 2020 09:41:28 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 457
X-Kong-Admin-Latency: 2
{"next":null,"data":[{"id":"a852b4f5-fce4-4a59-a82b-c1993285770d","path_handling":"v0","paths":["\/first"],"destinations":null,"headers":null,"protocols":["http","https"],"methods":null,"snis":null,"service":{"id":"672bccd6-f72e-44dd-b601-dc13ba0c32fa"},"name":null,"strip_path":true,"preserve_host":false,"regex_priority":0,"updated_at":1592905122,"sources":null,"hosts":["jcca.tech"],"https_redirect_status_code":426,"tags":null,"created_at":1592905122}]}
Enable the Basic authentication plugin on route {route_id} of the first-api service
URL format: http://localhost:8001/routes/{route_id}/plugins
curl -i -X POST \
--url http://localhost:8001/routes/a852b4f5-fce4-4a59-a82b-c1993285770d/plugins \
--data "name=basic-auth" \
--data "config.hide_credentials=true"
HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:44:18 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 297
X-Kong-Admin-Latency: 7
{"created_at":1592905458,"config":{"hide_credentials":true,"anonymous":null},"id":"c68dbdb9-4861-490a-8145-68b31118057e","service":null,"enabled":true,"protocols":["grpc","grpcs","http","https"],"name":"basic-auth","consumer":null,"route":{"id":"a852b4f5-fce4-4a59-a82b-c1993285770d"},"tags":null}
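Add the first consumer, with username jack. The {custom_id} parameter may be omitted; it is a custom unique identifier
whose purpose is to map consumer jack to a record in another database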
curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"
HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:45:50 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 116
X-Kong-Admin-Latency: 5
{"custom_id":null,"created_at":1592905550,"id":"d071e5e1-e017-44d6-bc06-50cb7aa9ad8b","tags":null,"username":"jack"}
Enable Basic authentication for the first user, jack, by creating his basic-auth credential
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
curl -i -X POST \
--url http://localhost:8001/consumers/jack/basic-auth \
--data "username=jack" \
--data "password=123456"
HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:57:41 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 210
X-Kong-Admin-Latency: 6
{"created_at":1592906261,"consumer":{"id":"d071e5e1-e017-44d6-bc06-50cb7aa9ad8b"},"id":"b0c162d8-04e4-4df2-a70b-9e2ab7c0bc29","tags":null,"password":"c8fc1290af917665d0bb0e09500a2de6b1508829","username":"jack"}
Online Base64 encoding tool: http://tool.oschina.net/encrypt?type=3
The string to encode is the pair {username:password}
The Base64 encoding of the string jack:123456 is: amFjazoxMjM0NTY=
Access the first endpoint using jack's Basic authentication
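The encoding step above can be done locally, which keeps the password out of a third-party web tool. The following is an added example, not part of the original page; the function names basic_auth_value and basic_auth_decode are hypothetical, and the decode function shows that the header value is reversible by anyone who sees it:

```shell
#!/bin/sh
# Added example (not from the original page): build and inspect HTTP Basic
# credentials locally instead of pasting them into an online encoder.

# basic_auth_value USER PASSWORD -> prints "Basic <base64(user:password)>"
basic_auth_value() {
  user=$1 pass=$2
  # RFC 7617: the user-id must not contain ':' because the first colon
  # separates it from the password when the server decodes the value.
  case $user in
    *:*) echo "username must not contain ':'" >&2; return 1 ;;
  esac
  # printf, not echo: a trailing newline would be encoded into the credential.
  # tr strips the line wrapping some base64 implementations add.
  printf 'Basic %s\n' "$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')"
}

# basic_auth_decode "Basic <b64>" -> prints "user:password"
# Base64 is an encoding, not encryption: the password comes straight back.
basic_auth_decode() {
  printf '%s' "${1#Basic }" | base64 -d
}

# Sample credentials as used on this page (jack, john and cathy).
for u in jack john cathy; do
  printf '%-6s %s\n' "$u" "$(basic_auth_value "$u" 123456)"
done
```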
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic amFjazoxMjM0NTY=" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 00:58:31 GMT
X-Kong-Upstream-Latency: 3
X-Kong-Proxy-Latency: 1
Via: kong/2.0.4
Hello World---------------first
Add the second consumer, with username john. The {custom_id} parameter may be omitted; it is a custom unique identifier
whose purpose is to map consumer john to a record in another database
curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=john" \
--data "custom_id=abc12345"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:03:32 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 122
X-Kong-Admin-Latency: 6
{"custom_id":"abc12345","created_at":1592960612,"id":"67b7abaf-cc01-4d78-8006-8d36fb46da11","tags":null,"username":"john"}
Enable Basic authentication for the second user, john, by creating his basic-auth credential
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
curl -i -X POST \
--url http://localhost:8001/consumers/john/basic-auth \
--data "username=john" \
--data "password=123456"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:04:59 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 210
X-Kong-Admin-Latency: 6
{"created_at":1592960699,"consumer":{"id":"67b7abaf-cc01-4d78-8006-8d36fb46da11"},"id":"ca058e63-8d52-4d89-9317-77a082902cde","tags":null,"password":"5febf254a953961c96d7ceb868316a19b943ee28","username":"john"}
Online Base64 encoding tool: http://tool.oschina.net/encrypt?type=3
The string to encode is the pair {username:password}
The Base64 encoding of the string john:123456 is:
am9objoxMjM0NTY=
Access the first endpoint using john's Basic authentication
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic am9objoxMjM0NTY=" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:08:17 GMT
X-Kong-Upstream-Latency: 11
X-Kong-Proxy-Latency: 2
Via: kong/2.0.4
Hello World---------------first
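Add the third consumer, with username cathy. The {custom_id} parameter may be omitted; it is a custom unique identifier
whose purpose is to map consumer cathy to a record in another database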
curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=cathy"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:09:38 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 117
X-Kong-Admin-Latency: 6
{"custom_id":null,"created_at":1592960978,"id":"98a8fcab-0a6b-4a0f-aea1-544e192571b7","tags":null,"username":"cathy"}
Enable Basic authentication for the third user, cathy, by creating her basic-auth credential
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
curl -i -X POST \
--url http://localhost:8001/consumers/cathy/basic-auth \
--data "username=cathy" \
--data "password=123456"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:10:36 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 211
X-Kong-Admin-Latency: 5
{"created_at":1592961036,"consumer":{"id":"98a8fcab-0a6b-4a0f-aea1-544e192571b7"},"id":"b6269ffc-50eb-40fe-957a-a5988551da06","tags":null,"password":"99579e578ced438e5d5959a9bc43b97ba7fb2667","username":"cathy"}
Online Base64 encoding tool: http://tool.oschina.net/encrypt?type=3
The string to encode is the pair {username:password}
The Base64 encoding of the string cathy:123456 is:
Y2F0aHk6MTIzNDU2
Access the first endpoint using cathy's Basic authentication
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic Y2F0aHk6MTIzNDU2" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:15:09 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 257
Via: kong/2.0.4
Hello World---------------first
Enable the ACL (access control list) plugin on the first-api service and define the blacklist groups blacklist_group1 and blacklist_group2
URL format: http://localhost:8001/services/{service}/plugins
curl -i -X POST \
--url http://localhost:8001/services/first-api/plugins \
--data "name=acl" \
--data "config.blacklist=blacklist_group1, blacklist_group2"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:19:06 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 344
X-Kong-Admin-Latency: 7
{
"created_at": 1592961546,
"config": {
"hide_groups_header": false,
"blacklist": ["blacklist_group1, blacklist_group2"],
"whitelist": null
},
"id": "d2820ca9-4634-4bb5-bdc0-b25c439be8c9",
"service": {
"id": "672bccd6-f72e-44dd-b601-dc13ba0c32fa"
},
"enabled": true,
"protocols": ["grpc", "grpcs", "http", "https"],
"name": "acl",
"consumer": null,
"route": null,
"tags": null
}
Enable the ACL (access control list) plugin on route {route_id} of the first-api service and define the blacklist groups blacklist_group1 and blacklist_group2
URL format: http://localhost:8001/routes/{route_id}/plugins
curl -i -X POST \
--url http://localhost:8001/routes/a852b4f5-fce4-4a59-a82b-c1993285770d/plugins \
--data "name=acl" \
--data "config.blacklist=blacklist_group1, blacklist_group2"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:22:18 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 344
X-Kong-Admin-Latency: 7
{
"created_at": 1592961738,
"config": {
"hide_groups_header": false,
"blacklist": ["blacklist_group1, blacklist_group2"],
"whitelist": null
},
"id": "1453eb6d-60f7-46da-af28-2166b439b40d",
"service": null,
"enabled": true,
"protocols": ["grpc", "grpcs", "http", "https"],
"name": "acl",
"consumer": null,
"route": {
"id": "a852b4f5-fce4-4a59-a82b-c1993285770d"
},
"tags": null
}
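Both plugin responses above show config.blacklist stored as one array element, "blacklist_group1, blacklist_group2". The following added check (not part of the original page; the function names and the two sample JSON strings are constructed for illustration) lists the stored entries and flags any that hold more than one name, so they can be compared with the group names attached to consumers:

```shell
#!/bin/sh
# Added example (not from the original page): inspect how an ACL plugin
# response stored config.blacklist / config.whitelist.

# acl_entries LIST  (plugin JSON on stdin) -> one stored entry per line
acl_entries() {
  tr -d '\n' \
    | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p" \
    | grep -o '"[^"]*"' | tr -d '"'
}

# acl_entry_count LIST -> number of stored entries (0 when the list is null)
acl_entry_count() {
  acl_entries "$1" | grep -c . || true
}

# acl_suspect_entries LIST -> entries that contain a comma or whitespace
acl_suspect_entries() {
  acl_entries "$1" | grep '[,[:space:]]'
}

# acl_has_group LIST GROUP -> exit 0 only if GROUP is stored as its own entry
acl_has_group() {
  acl_entries "$1" | grep -Fxq -- "$2"
}

# Constructed sample: the config object as it appears in the responses above.
SAMPLE_STORED='{"config":{"hide_groups_header":false,
  "blacklist":["blacklist_group1, blacklist_group2"],"whitelist":null}}'
# Constructed sample: the same two names stored as separate entries.
SAMPLE_SPLIT='{"config":{"blacklist":["blacklist_group1","blacklist_group2"],
  "whitelist":null}}'

for s in "$SAMPLE_STORED" "$SAMPLE_SPLIT"; do
  printf 'entries=%s suspect=[%s]\n' \
    "$(printf '%s' "$s" | acl_entry_count blacklist)" \
    "$(printf '%s' "$s" | acl_suspect_entries blacklist)"
done
```

Feed it the body returned by the plugin POST; if an entry is flagged, resubmitting with one config.blacklist field per group (an assumption to confirm on your Kong version) and re-running the check on the new response confirms the stored form.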
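With the blacklist groups blacklist_group1 and blacklist_group2 defined, as long as none of the users jack, john and cathy has been associated with blacklist_group1 or blacklist_group2,
the following commands can still access the first service:
-----------------Request for consumer jack-----------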
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic amFjazoxMjM0NTY=" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:26:20 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 17
Via: kong/2.0.4
Hello World---------------first
-----------------Request for consumer john-----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic am9objoxMjM0NTY=" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:26:57 GMT
X-Kong-Upstream-Latency: 5
X-Kong-Proxy-Latency: 2
Via: kong/2.0.4
Hello World---------------first
-----------------Request for consumer cathy-----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic Y2F0aHk6MTIzNDU2" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:28:25 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 272
Via: kong/2.0.4
Hello World---------------first
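Sometimes we need to authorize consumers that access the service from outside, so we can associate the blacklist group blacklist_group2 with consumer jack:
URL format: http://localhost:8001/consumers/{consumer_id or username}/acls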
curl -i -X POST \
--url http://localhost:8001/consumers/jack/acls \
--data "group=blacklist_group2"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:29:51 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 165
X-Kong-Admin-Latency: 7
{"created_at":1592962191,"consumer":{"id":"d071e5e1-e017-44d6-bc06-50cb7aa9ad8b"},"id":"cd67bfa0-b376-49a5-af75-150acd70b9d5","group":"blacklist_group2","tags":null}
Now look at a request from consumer jack once the blacklist group blacklist_group2 is associated with him
-----------------Request for consumer jack-----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic amFjazoxMjM0NTY=" \
--header 'Host: jcca.tech'
HTTP/1.1 403 Forbidden
Date: Wed, 24 Jun 2020 02:00:59 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 45
X-Kong-Response-Latency: 2
Server: kong/2.0.4
{"message":"You cannot consume this service"}
The users john and cathy, who were not added to a blacklist group, can still access the first service
-----------------Request for consumer john-----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic am9objoxMjM0NTY=" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 02:01:17 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 0
Via: kong/2.0.4
Hello World---------------first
-----------------Request for consumer cathy-----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic Y2F0aHk6MTIzNDU2" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 02:05:05 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 1094
Via: kong/2.0.4
Hello World---------------first