Kong Gateway - 11 Gateway-service-based ACL (access control list): blacklist

For one service (book here) you cannot create both a whitelist ACL and a blacklist ACL.

The acl plugin's whitelist and blacklist settings are mutually exclusive within one plugin configuration. The mental model for the blacklist form is "not on the blacklist means allowed": even with no whitelist defined, every authenticated consumer outside the blacklisted groups is treated as permitted. In other words a blacklist is default-allow, whereas a whitelist (the previous part) is default-deny; a brand-new consumer with no group at all passes a blacklist-only check, so prefer the whitelist form unless you genuinely need to carve exceptions out of an otherwise open population.

That is why the ACL topic is split over two parts. This example uses

Kong Gateway - 01 基于网关服务的基本验证(Basic Authentication) (Kong Gateway - 01 gateway-service-based Basic Authentication)
which is just one of the nine authentication methods; any of the other eight could replace basic-auth. The point to stress is that the acl plugin must be combined with one of those authentication plugins: it decides on the groups of the authenticated consumer, so without an authentication plugin in front of it there is no consumer to evaluate and the book service cannot be consumed at all.
Configure a book service in Kong
After installing and starting Kong, use the Admin API on port 8001 to add a service named book (the Admin API is unauthenticated by default, so keep port 8001 off any untrusted network).
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:30:31 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.

{
"host": "contoso.com",
"created_at": 1525890631,
"connect_timeout": 60000,
"id": "dca12a5d-10c4-4bf9-8a49-500c3935cae5",
"protocol": "http",
"name": "book",
"read_timeout": 60000,
"port": 80,
"path": "/v1/books",
"updated_at": 1525890631,
"retries": 5,
"write_timeout": 60000
}

Add a route so that the book service is reachable by consumers (one route is enough for this service). paths[] is set to /v1/books, the same path as the service's; with the default strip_path=true the matched prefix is removed from the request and the service's path /v1/books is prepended again, so a request for /v1/books/1 reaches the upstream as /v1/books/1.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:30:49 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525890649,
"strip_path": true,
"hosts": [
"contoso.com"
],
"preserve_host": false,
"regex_priority": 0,
"updated_at": 1525890649,
"paths": [
"/v1/books"
],
"service": {
"id": "dca12a5d-10c4-4bf9-8a49-500c3935cae5"
},
"methods": null,
"protocols": [
"http",
"https"
],
"id": "80569820-4d8c-4565-9c3c-b5e0475b0122" // {route_id} = id
}

[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Thu, 10 May 2018 02:35:04 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 100
X-Kong-Proxy-Latency: 34
Via: kong/0.13.1

[
{
"id": 1,
"title": "Fashion That Changed the World",
"author": "Jennifer Croll"
},
{
"id": 2,
"title": "Brigitte Bardot - My Life in Fashion",
"author": "Henry-Jean Servat and Brigitte Bardot"
},
{
"id": 3,
"title": "The Fashion Image",
"author": "Thomas Werner"
}
]

[root@contoso ~]# curl -i -X GET \
--url http://localhost:8001/services/book/routes

HTTP/1.1 200 OK
Date: Thu, 10 May 2018 02:35:38 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"next": null,
"data": [
{
"created_at": 1525890649,
"strip_path": true,
"hosts": [
"contoso.com"
],
"preserve_host": false,
"regex_priority": 0,
"updated_at": 1525890649,
"paths": [
"/v1/books"
],
"service": {
"id": "dca12a5d-10c4-4bf9-8a49-500c3935cae5"
},
"methods": null,
"protocols": [
"http",
"https"
],
"id": "80569820-4d8c-4565-9c3c-b5e0475b0122" // {route_id} = id
}
]
}

--------------------------------------------------------------------------------

Enable the Basic Authentication plugin on the book service's route {route_id}. config.hide_credentials=true strips the Authorization header before the request is proxied, so the upstream never sees the consumer's password.
URL format: http://localhost:8001/routes/{route_id}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/routes/80569820-4d8c-4565-9c3c-b5e0475b0122/plugins \
--data "name=basic-auth" \
--data "config.hide_credentials=true"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:39:15 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525919954000,
"config": {
"hide_credentials": true,
"anonymous": ""
},
"id": "1e8c30f2-282f-4401-8258-6e5dac2a6b54",
"enabled": true,
"route_id": "80569820-4d8c-4565-9c3c-b5e0475b0122",
"name": "basic-auth"
}

=========================================================================================

Add the first consumer, username jack. The custom_id parameter (omitted here) is an optional custom unique identifier
used to map the consumer to a user record in an external database.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:41:40 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525920101000,
"username": "jack",
"id": "14af98df-237a-4555-bc00-580db0b26032"
}

Create a basic-auth credential for the first consumer, jack (the password value in the response below is a 40-hex-digit hash, not the clear-text password; Kong does not return the clear text)
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/basic-auth \
--data "username=jack@hotmail.com" \
--data "password=123456"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:43:00 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525920181000,
"id": "cbb0c2b4-cb85-4899-995a-6681cfdb400f",
"username": "jack@hotmail.com",
"password": "349cc2755232a4746d2973f3bcb87b1d3fa7be55",
"consumer_id": "14af98df-237a-4555-bc00-580db0b26032"
}

The Basic header value is the base64 encoding of the username:password pair. The original used the online tool http://tool.oschina.net/encrypt?type=3; pasting live credentials into a third-party web page leaks them, so encode locally (the base64 utility) or let curl build the header itself with its -u option. For
jack@hotmail.com:123456 the base64 result is:
amFja0Bob3RtYWlsLmNvbToxMjM0NTY=
Access the books endpoint as jack using Basic authentication
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/1 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 77
Connection: keep-alive
Date: Thu, 10 May 2018 02:44:51 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 51
X-Kong-Proxy-Latency: 45
Via: kong/0.13.1

[{"id":1,"title":"Fashion That Changed the World","author":"Jennifer Croll"}]
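As an added example (not code from the original post), the Python below builds the Authorization value the way the online tool did, and also parses one the way a gateway has to: it checks the scheme, decodes strictly, and splits on the first colon so that a password containing ':' survives while malformed tokens are rejected. The credentials are the ones from this walkthrough; the function names are mine.

```python
import base64
import binascii
from typing import Optional, Tuple

# Credentials taken from the walkthrough (constructed test data, not a real account).
PAGE_CREDENTIALS = [
    ("jack@hotmail.com", "123456"),
    ("john@hotmail.com", "123456"),
    ("cathy@hotmail.com", "123456"),
]


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic authentication (RFC 7617).

    The value is base64(username ':' password). Base64 is an encoding, not
    encryption: the credential travels in clear unless TLS protects the hop.
    """
    if ":" in username:
        # RFC 7617 forbids a colon in the user-id; the receiver could not split the pair.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(value: str) -> Optional[Tuple[str, str]]:
    """Decode a header the way a gateway must: check the scheme, decode strictly,
    split on the FIRST colon. Returns (username, password) or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        # validate=True rejects non-alphabet characters; bad padding and bad UTF-8 also raise
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def headers_for_page() -> dict:
    """The three header values used in the curl commands of this post, computed locally."""
    return {u: basic_auth_header(u, p) for u, p in PAGE_CREDENTIALS}


if __name__ == "__main__":
    for user, header in headers_for_page().items():
        print(f"{user}: {header}")
```

The parser returns None rather than raising, which is what you want at a gateway: a malformed header is an unauthenticated request, not a server error.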

=========================================================================================
Add the second consumer, username john. The custom_id parameter is optional; it is a custom unique identifier
used to map the consumer to a user record in an external database.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=john" \
--data "custom_id=abc12345"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:47:29 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"custom_id": "abc12345",
"created_at": 1525920449000,
"username": "john",
"id": "73f0a0b2-1bf0-45fa-adbf-36b7fcde0929"
}

Create a basic-auth credential for the second consumer, john
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/john/basic-auth \
--data "username=john@hotmail.com" \
--data "password=123456"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:48:54 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525920535000,
"id": "491a39df-d90a-4f42-933e-24662cfbac07",
"username": "john@hotmail.com",
"password": "b80b4aedd1a25a9803859f07b836f518541ab81e",
"consumer_id": "73f0a0b2-1bf0-45fa-adbf-36b7fcde0929"
}

The base64 encoding of the username:password pair (encoded locally, as above) for
john@hotmail.com:123456 is:
am9obkBob3RtYWlsLmNvbToxMjM0NTY=
Access the books endpoint as john using Basic authentication
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Basic am9obkBob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Thu, 10 May 2018 02:50:35 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 25
X-Kong-Proxy-Latency: 40
Via: kong/0.13.1

[{"id":2,"title":"Brigitte Bardot - My Life in Fashion","author":"Henry-Jean Servat and Brigitte Bardot"}]

=========================================================================================
Add the third consumer, username cathy. The custom_id parameter (omitted here) is an optional custom unique identifier
used to map the consumer to a user record in an external database.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=cathy"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:52:07 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"created_at":1525920728000,"username":"cathy","id":"3fdb9381-d7fd-4f1c-a7ce-f4ea86d9aae2"}

Create a basic-auth credential for the third consumer, cathy
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/cathy/basic-auth \
--data "username=cathy@hotmail.com" \
--data "password=123456"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:52:28 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525920748000,
"id": "cca66a54-ed18-458f-8c7c-73ea935eecd9",
"username": "cathy@hotmail.com",
"password": "6cfa32217d05a53174453837799bf8f6a9a03aac",
"consumer_id": "3fdb9381-d7fd-4f1c-a7ce-f4ea86d9aae2"
}

The base64 encoding of the username:password pair (encoded locally, as above) for
cathy@hotmail.com:123456 is:
Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2
Access the books endpoint as cathy using Basic authentication
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2" \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63
Connection: keep-alive
Date: Thu, 10 May 2018 02:53:26 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 38
X-Kong-Proxy-Latency: 31
Via: kong/0.13.1

[{"id":3,"title":"The Fashion Image","author":"Thomas Werner"}]

*****************************************************************************************

Enable the ACL plugin on the book service and define the blacklist groups group3 and group4 (a comma-separated list; Kong returns it as a JSON array)
URL format: http://localhost:8001/services/{service}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=acl" \
--data "config.blacklist=group3, group4"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 03:03:15 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525921395000,
"config": {
"blacklist": [
"group3",
"group4"
]
},
"id": "edcf403d-9bf4-46ae-84f3-cfccc34d56f1",
"enabled": true,
"service_id": "dca12a5d-10c4-4bf9-8a49-500c3935cae5",
"name": "acl"
}

Enable the ACL plugin on the book service's route {route_id} as well, with the same blacklist group3 and group4. Enabling it on both the service and the route is redundant: the route-scoped plugin is the more specific one and takes precedence for requests matched by this route, so either one of the two POSTs is enough.
URL format: http://localhost:8001/routes/{route_id}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/routes/80569820-4d8c-4565-9c3c-b5e0475b0122/plugins \
--data "name=acl" \
--data "config.blacklist=group3, group4"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 03:05:53 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525921551000,
"config": {
"blacklist": [
"group3",
"group4"
]
},
"id": "ae051c27-340c-4e20-a440-9e32721a2a6d",
"enabled": true,
"route_id": "80569820-4d8c-4565-9c3c-b5e0475b0122",
"name": "acl"
}

Even though the blacklist groups group3 and group4 now exist, as long as none of jack, john or cathy is linked to group3 or group4,
all three of the following commands still reach the book service:

curl -i -X GET \
--url http://localhost:8000/v1/books/1 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Basic am9obkBob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2" \
--header 'Host: contoso.com'

How do we blacklist a consumer who breaks our business rules or behaves abusively?
Answer: link the blacklist group group4 to consumer jack with the following command (the group is just a string on the consumer's ACL entry; it takes effect because the plugin lists group4 in config.blacklist):
URL format: http://localhost:8001/consumers/{consumer_id or username}/acls
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/acls \
--data "group=group4"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 03:17:58 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"group": "group4",
"created_at": 1525922278000,
"id": "bf3d30cc-67c5-4b05-b6bf-7a75f551aa64",
"consumer_id": "14af98df-237a-4555-bc00-580db0b26032"
}

The following result shows that jack, now linked to the blacklisted group group4, is refused with 403 Forbidden:
base64 of jack@hotmail.com:123456 (the same header value as before):
amFja0Bob3RtYWlsLmNvbToxMjM0NTY=
Access the books endpoint as jack using Basic authentication
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/1 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

HTTP/1.1 403 Forbidden
Date: Thu, 10 May 2018 03:19:39 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1

{"message":"You cannot consume this service"}

john, who is in no blacklisted group, can still access the book service.
The result shows that with a blacklist-only configuration a consumer belonging to no group at all is allowed (the default-allow behaviour of a blacklist):
base64 of john@hotmail.com:123456:
am9obkBob3RtYWlsLmNvbToxMjM0NTY=
Access the books endpoint as john using Basic authentication
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Basic am9obkBob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Thu, 10 May 2018 03:22:35 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 23
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

[{"id":2,"title":"Brigitte Bardot - My Life in Fashion","author":"Henry-Jean Servat and Brigitte Bardot"}]

cathy, who is in no blacklisted group, can still access the book service.
Again, a consumer belonging to no group at all is allowed when only a blacklist is configured:
base64 of cathy@hotmail.com:123456:
Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2
Access the books endpoint as cathy using Basic authentication
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2" \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63
Connection: keep-alive
Date: Thu, 10 May 2018 03:23:02 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 25
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

[{"id":3,"title":"The Fashion Image","author":"Thomas Werner"}]

How to undo the link between blacklist group group4 and consumer jack: delete the association between the consumer and the blacklist group so the consumer can access the book service again. List the consumer's ACL entries first to find the association id:
[root@contoso ~]# curl -i -X GET http://localhost:8001/consumers/jack/acls
HTTP/1.1 200 OK
Date: Thu, 10 May 2018 03:24:50 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"total":1,"data":[{"group":"group4","created_at":1525922278000,"id":"bf3d30cc-67c5-4b05-b6bf-7a75f551aa64","consumer_id":"14af98df-237a-4555-bc00-580db0b26032"}]}
[root@contoso ~]# curl -i -X GET http://localhost:8001/consumers/jack/acls/bf3d30cc-67c5-4b05-b6bf-7a75f551aa64
HTTP/1.1 200 OK
Date: Thu, 10 May 2018 03:25:48 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"group":"group4","created_at":1525922278000,"id":"bf3d30cc-67c5-4b05-b6bf-7a75f551aa64","consumer_id":"14af98df-237a-4555-bc00-580db0b26032"}
[root@contoso ~]# curl -i -X DELETE http://localhost:8001/consumers/jack/acls/bf3d30cc-67c5-4b05-b6bf-7a75f551aa64
HTTP/1.1 204 No Content
Date: Thu, 10 May 2018 03:26:00 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
// A successful DELETE returns 204 No Content with no body, but the association between the consumer and the blacklist group is gone
[root@contoso ~]#
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/1 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 77
Connection: keep-alive
Date: Thu, 10 May 2018 03:29:46 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 23
X-Kong-Proxy-Latency: 5
Via: kong/0.13.1

[{"id":1,"title":"Fashion That Changed the World","author":"Jennifer Croll"}]

// While the blacklist association existed jack was refused; now jack can consume the book service again, i.e. the consumer's legitimate access is restored
[root@contoso ~]#

*****************************************************************************************

Note: the approach below lets the same consumer on the same service be linked to both a whitelist group and a blacklist group at once. It contradicts the official rule that whitelist and blacklist cannot both be defined in one acl plugin configuration, so it is not recommended. It assumes whitelist groups group1 and group2 were defined first (the plugin, service, route and consumer IDs below come from that earlier whitelist setup, which is why they differ from the ones used above); the PATCH is accepted here even though the same combination is rejected when a plugin is created with both lists:

[root@contoso ~]# curl http://localhost:8001/plugins/93419daf-ec5f-455a-8404-e0105f3c540f
[root@contoso ~]# curl -i -X PATCH \
--url http://localhost:8001/plugins/93419daf-ec5f-455a-8404-e0105f3c540f \
--data "config.blacklist=group3, group4"

HTTP/1.1 200 OK
Date: Wed, 09 May 2018 15:28:05 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1525795744000,
    "config": {
        "blacklist": [
            "group3",
            "group4"
        ],
        "whitelist": [
            "group1",
            "group2"
        ]
    },
    "id": "93419daf-ec5f-455a-8404-e0105f3c540f",
    "enabled": true,
    "service_id": "e55beddd-a9f1-4865-94ae-1b2e2bf4e6d5",
    "name": "acl"
}

[root@contoso ~]# curl http://localhost:8001/plugins/da001489-1e0e-4235-b32d-624dfe9e5518
[root@contoso ~]# curl -i -X PATCH \
--url http://localhost:8001/plugins/da001489-1e0e-4235-b32d-624dfe9e5518 \
--data "config.blacklist=group3, group4"

HTTP/1.1 200 OK
Date: Wed, 09 May 2018 15:30:11 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1525795992000,
    "config": {
        "blacklist": [
            "group3",
            "group4"
        ],
        "whitelist": [
            "group1",
            "group2"
        ]
    },
    "id": "da001489-1e0e-4235-b32d-624dfe9e5518",
    "enabled": true,
    "route_id": "cbcb0d5f-e95a-4114-8aa0-3f77283cc980",
    "name": "acl"
}

Now link the blacklist group group3 to consumer jack with the following command (jack is already in whitelist group group1 from the earlier setup):
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/acls \
--data "group=group3"
HTTP/1.1 201 Created
Date: Wed, 09 May 2018 15:41:37 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "group": "group3",
    "created_at": 1525880497000,
    "id": "4af05fd8-816e-4151-b0fe-77300af200a4",
    "consumer_id": "d81de922-1dab-4ec4-9a7c-91403b6b1d51"
}

[root@contoso ~]# curl -i -X GET http://localhost:8001/consumers/jack/acls
HTTP/1.1 200 OK
Date: Wed, 09 May 2018 16:06:21 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "total": 2,
    "data": [
        {
            "group": "group1",     // whitelist group
            "created_at": 1525797101000,
            "id": "b2534048-7f56-440b-87c0-da56e90590df",
            "consumer_id": "d81de922-1dab-4ec4-9a7c-91403b6b1d51"
        },
        {
            "group": "group3",     // blacklist group
            "created_at": 1525880497000,
            "id": "4af05fd8-816e-4151-b0fe-77300af200a4",
            "consumer_id": "d81de922-1dab-4ec4-9a7c-91403b6b1d51"
        }
    ]
}

When consumer jack is linked to both a whitelist group and a blacklist group, jack cannot consume the book service: a match against the blacklist denies regardless of the whitelist membership
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

HTTP/1.1 403 Forbidden
Date: Wed, 09 May 2018 15:44:56 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1

{"message":"You cannot consume this service"}
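The decision rule that every 200 and 403 on this page comes down to, written out as a small Python model (an added example, not Kong's Lua code): a blacklist denies on membership in any listed group, a whitelist requires membership in at least one listed group, and a consumer matching both lists is denied, which is the case the note above ends with. The "Cannot identify the consumer" message and the two configuration-check messages are my reading of Kong 0.13's acl plugin and should be treated as assumptions; the consumer/group state is constructed to match the walkthrough.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AclConfig:
    """config of one acl plugin instance, as posted to /services/{service}/plugins."""
    whitelist: List[str] = field(default_factory=list)
    blacklist: List[str] = field(default_factory=list)


@dataclass
class Decision:
    status: int
    message: str
    consumer_groups: str = ""  # what the gateway forwards upstream as X-Consumer-Groups (assumption)


def validate_config(config: AclConfig) -> Optional[str]:
    """The creation-time configuration check: exactly one of the two lists must be set.

    Returns an error message, or None when the config is acceptable. The PATCH in the
    note above slipped past this check by adding a blacklist to an existing whitelist plugin.
    """
    if config.whitelist and config.blacklist:
        return "You cannot set both a whitelist and a blacklist"
    if not config.whitelist and not config.blacklist:
        return "You need to set at least a whitelist or blacklist"
    return None


def acl_decision(consumer_id: Optional[str],
                 consumer_groups: Dict[str, List[str]],
                 config: AclConfig) -> Decision:
    """Model of the acl plugin's access phase.

    consumer_id is the consumer identified by the authentication plugin (None when no
    auth plugin ran); consumer_groups maps consumer -> groups from /consumers/{c}/acls.
    """
    if consumer_id is None:
        # acl cannot decide anything without an authentication plugin having set the consumer
        return Decision(403, "Cannot identify the consumer, add an authentication "
                             "plugin to use the ACL plugin")
    groups = consumer_groups.get(consumer_id, [])
    block = False
    # blacklist: membership in ANY listed group denies
    if config.blacklist and any(g in config.blacklist for g in groups):
        block = True
    # whitelist: membership in at least one listed group is REQUIRED (no groups -> deny)
    if config.whitelist and not any(g in config.whitelist for g in groups):
        block = True
    if block:
        return Decision(403, "You cannot consume this service")
    return Decision(200, "OK", ", ".join(groups))


# Constructed state matching the walkthrough: jack linked to group4, john/cathy to nothing.
BLACKLIST_CFG = AclConfig(blacklist=["group3", "group4"])
GROUPS_AFTER_LINKING_JACK = {"jack": ["group4"], "john": [], "cathy": []}


def walkthrough() -> Dict[str, int]:
    """Replays the page's scenarios and returns scenario -> HTTP status."""
    results = {}
    for c in ("jack", "john", "cathy"):
        results[f"blacklist:{c}"] = acl_decision(c, GROUPS_AFTER_LINKING_JACK, BLACKLIST_CFG).status
    # after DELETE /consumers/jack/acls/{id}: jack has no groups again
    results["blacklist:jack-unlinked"] = acl_decision("jack", {"jack": []}, BLACKLIST_CFG).status
    # the not-recommended note: whitelist group1/group2 plus blacklist group3/group4,
    # jack in group1 AND group3 -> the blacklist match wins
    both = AclConfig(whitelist=["group1", "group2"], blacklist=["group3", "group4"])
    results["both:jack-group1+group3"] = acl_decision("jack", {"jack": ["group1", "group3"]}, both).status
    results["both:jack-group1-only"] = acl_decision("jack", {"jack": ["group1"]}, both).status
    results["both:john-no-groups"] = acl_decision("john", {"john": []}, both).status
    return results


if __name__ == "__main__":
    for scenario, status in walkthrough().items():
        print(f"{scenario:28} -> {status}")
```

Run it and compare the statuses with the curl responses above: the blacklist-only rows reproduce jack's 403 and john's and cathy's 200, and the "both" rows show why a whitelist plus blacklist gives the whitelisted consumer no protection once a blacklisted group is attached to it.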
————————————————
Copyright notice: this article is an original post by CSDN blogger "zhengzizhi", licensed under CC 4.0 BY-SA; reposts must include a link to the original and this notice.
Original link: https://blog.csdn.net/zhengzizhi/article/details/80262757
