ACL Strategy plugin
Policy grouping rules:
1). Assign an authorization policy group to users.
2). Add the authorization strategy grouping plugin to the api.
3). Only users who have the api authorization policy group can call the api.
4). Authorization strategy grouping must be based on the authentication mechanism. For this strategy to take effect, the api must have at least one auth authentication plugin enabled.
How to use:
1. Create an ACL plugin
As shown in the figure, create a group, set the whitelist to open and the blacklist to dev-test, and apply this plug-in to the testACL api.
2. Reverse verification
Because ACL must work with an authentication plug-in to take effect, we use the combination of basic authentication (basic-auth) + ACL for verification.
In the previous section on basic authentication, a basic-auth user and secret key were created: username=csOfBasic, password=testkongpwd.
We use the consumer created for basic-auth in the previous section to access the api:
basic-auth user and secret key: username=csOfBasic, password=testkongpwd
Returned message: {"message":"You cannot consume this service"}
The user is a legitimate user (has passed basic-auth authentication), but does not have permission to access the testBasicAuth (http://10.110.2.3:8000/test) api.
Authentication and authorization in kong are independent.
3. Assign users the open group
The users in the previous section cannot access because they do not belong to the policy group of ACL=open.
Now, we create an ACL group for the basic-auth user, as shown in the following figure:
You can also use curl directly to add the ACL strategy:
curl -X POST http://*.*.*.*:8001/consumers/consumerOfBasic/acls --data "group=open"
Note the difference here between consumerOfBasic (the consumer) and the basic-auth user username=csOfBasic.
4. Positive verification of legitimate users
Execute again and the verification is passed. The returned results are as follows:
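The four steps above (authenticate first, then check the ACL group, then assign the group to the consumer) can be traced with the following added Python model, which is not part of the original page and is not Kong's code. Assumptions: the function names, the 401/403/200 status codes, the "Unauthorized" text and the rule that a blacklisted group denies before the whitelist is checked are chosen for this example; the user, consumer, group names and the denial message come from the walkthrough.

```python
import base64
import hmac

# Constructed data mirroring the walkthrough; names come from the page.
CREDENTIALS = {"csOfBasic": ("testkongpwd", "consumerOfBasic")}  # login -> (password, consumer)
CONSUMER_GROUPS = {"consumerOfBasic": set()}  # consumer -> ACL groups, none assigned yet
ACL_CONFIG = {"whitelist": {"open"}, "blacklist": {"dev-test"}}


def basic(user, pwd):
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()


def authenticate(header):
    """Step 1 (authentication): map a Basic header to a consumer, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pwd = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    stored = CREDENTIALS.get(user)
    if stored is None or not hmac.compare_digest(stored[0].encode(), pwd.encode()):
        return None
    return stored[1]


def authorize(consumer):
    """Step 2 (authorization): blacklist denies, then a whitelist group is required."""
    groups = CONSUMER_GROUPS.get(consumer, set())
    if groups & ACL_CONFIG["blacklist"]:
        return False
    return bool(groups & ACL_CONFIG["whitelist"])


def handle(header):
    """Run both checks in order; status codes and the 401 text are assumptions."""
    consumer = authenticate(header)
    if consumer is None:
        return 401, "Unauthorized"
    if not authorize(consumer):
        return 403, "You cannot consume this service"
    return 200, "OK"


def add_acl_group(consumer, group):
    """Model of POST /consumers/<consumer>/acls with group=<group>."""
    if consumer not in CONSUMER_GROUPS:  # a basic-auth username is not a consumer name
        raise KeyError(f"no such consumer: {consumer}")
    CONSUMER_GROUPS[consumer].add(group)
```

Calling `handle(basic("csOfBasic", "testkongpwd"))` before and after `add_acl_group("consumerOfBasic", "open")` reproduces the reverse and positive verification; passing the login name csOfBasic to `add_acl_group` fails, which is the consumer-versus-username difference noted above.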