Kong Gateway - 11 ACL (access control list) on a gateway service: blacklist

A single service (here, the service named book) must not have both a whitelist ACL and a blacklist ACL configured for it.

When the ACL plugin is enabled on a service, whitelist and blacklist may not both be defined in the same configuration. The mental model to adopt is "not in the blacklist": even when no whitelist is defined, every consumer outside the blacklisted groups is treated as allowed.

ACL is therefore published as two separate articles (whitelist and blacklist). This example uses

Kong Gateway - 01 Basic Authentication for a gateway service
which is only one of the 9 authentication methods in this series; any of the other 8 could replace basic-auth. The essential point is that ACL must be combined with one of these authentication plugins: the ACL plugin decides on the groups of the authenticated consumer, so without authentication Kong cannot identify a consumer and the book service cannot be consumed at all.
Configure a book service in Kong
After installing and starting Kong, use the Admin API on port 8001 to add a service named book. The Admin API has no authentication of its own: keep it bound to localhost or otherwise isolated, because anyone who can reach it can add consumers, create credentials and disable plugins.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:30:31 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"host": "contoso.com",
"created_at": 1525890631,
"connect_timeout": 60000,
"id": "dca12a5d-10c4-4bf9-8a49-500c3935cae5",
"protocol": "http",
"name": "book",
"read_timeout": 60000,
"port": 80,
"path": "/v1/books",
"updated_at": 1525890631,
"retries": 5,
"write_timeout": 60000
}

Add a route so that the book service is exposed to clients; one route is enough here.
The paths[] value is the path clients request on the proxy port. Because strip_path is true (the default), Kong removes the matched prefix and then appends the service's own path (/v1/books), so the route path does not have to equal the service path; using the same value for both is simply convenient, since the public URL then mirrors the upstream URL.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:30:49 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525890649,
"strip_path": true,
"hosts": [
"contoso.com"
],
"preserve_host": false,
"regex_priority": 0,
"updated_at": 1525890649,
"paths": [
"/v1/books"
],
"service": {
"id": "dca12a5d-10c4-4bf9-8a49-500c3935cae5"
},
"methods": null,
"protocols": [
"http",
"https"
],
"id": "80569820-4d8c-4565-9c3c-b5e0475b0122" // this id is {route_id}
}

[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Thu, 10 May 2018 02:35:04 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 100
X-Kong-Proxy-Latency: 34
Via: kong/0.13.1

[
{
"id": 1,
"title": "Fashion That Changed the World",
"author": "Jennifer Croll"
},
{
"id": 2,
"title": "Brigitte Bardot - My Life in Fashion",
"author": "Henry-Jean Servat and Brigitte Bardot"
},
{
"id": 3,
"title": "The Fashion Image",
"author": "Thomas Werner"
}
]

[root@contoso ~]# curl -i -X GET \
--url http://localhost:8001/services/book/routes

HTTP/1.1 200 OK
Date: Thu, 10 May 2018 02:35:38 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"next": null,
"data": [
{
"created_at": 1525890649,
"strip_path": true,
"hosts": [
"contoso.com"
],
"preserve_host": false,
"regex_priority": 0,
"updated_at": 1525890649,
"paths": [
"/v1/books"
],
"service": {
"id": "dca12a5d-10c4-4bf9-8a49-500c3935cae5"
},
"methods": null,
"protocols": [
"http",
"https"
],
"id": "80569820-4d8c-4565-9c3c-b5e0475b0122" // this id is {route_id}
}
]
}

--------------------------------------------------------------------------------

Enable the Basic authentication plugin on the book service's route {route_id}
URL format: http://localhost:8001/routes/{route_id}/plugins
(config.hide_credentials=true makes Kong strip the Authorization header before proxying, so the upstream never sees the credential.)
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/routes/80569820-4d8c-4565-9c3c-b5e0475b0122/plugins \
--data "name=basic-auth" \
--data "config.hide_credentials=true"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:39:15 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525919954000,
"config": {
"hide_credentials": true,
"anonymous": ""
},
"id": "1e8c30f2-282f-4401-8258-6e5dac2a6b54",
"enabled": true,
"route_id": "80569820-4d8c-4565-9c3c-b5e0475b0122",
"name": "basic-auth"
}

=========================================================================================

Add the first consumer, with username jack. The {custom_id} parameter is optional; it is a unique identifier of your own choosing,
used to map the consumer jack to a user record in an existing database of yours.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:41:40 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525920101000,
"username": "jack",
"id": "14af98df-237a-4555-bc00-580db0b26032"
}

Create a Basic authentication credential for the first consumer, jack
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
(The password field in the response below is not the plaintext but a 40-hex-character digest: Kong 0.13 stores basic-auth passwords as a salted SHA-1 hash.)
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/basic-auth \
--data "username=jack@hotmail.com" \
--data "password=123456"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:43:00 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525920181000,
"id": "cbb0c2b4-cb85-4899-995a-6681cfdb400f",
"username": "jack@hotmail.com",
"password": "349cc2755232a4746d2973f3bcb87b1d3fa7be55",
"consumer_id": "14af98df-237a-4555-bc00-580db0b26032"
}

Base64 encoding of the key-value string {username:password}
jack@hotmail.com:123456 encodes to:
amFja0Bob3RtYWlsLmNvbToxMjM0NTY=
This value was produced with the online encoder http://tool.oschina.net/encrypt?type=3. Avoid pasting real credentials into a third-party website, which discloses the secret to whoever runs it: compute the value locally, or let curl build the header from the credential with its -u option.
Access the books API as jack using Basic authentication:
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/1 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 77
Connection: keep-alive
Date: Thu, 10 May 2018 02:44:51 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 51
X-Kong-Proxy-Latency: 45
Via: kong/0.13.1

[{"id":1,"title":"Fashion That Changed the World","author":"Jennifer Croll"}]
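Added example (not code from the original post): build the Basic Authorization header locally in Python instead of with an online encoder, and parse it back with the checks a gateway performs before trusting such a header. The usernames and the password 123456 are the demo credentials created on this page; the function names and the CREDENTIALS table are this example's own.

```python
import base64
import binascii

# Constructed sample data: the three basic-auth credentials created on this
# page. Demo values only; never hard-code real credentials like this.
CREDENTIALS = {
    "jack": ("jack@hotmail.com", "123456"),
    "john": ("john@hotmail.com", "123456"),
    "cathy": ("cathy@hotmail.com", "123456"),
}


def basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for HTTP Basic auth (RFC 7617):
    'Basic ' + base64(username ':' password).

    Computing this locally is the alternative to an online encoder, which
    would hand the credential to a third party.
    """
    if ":" in username:
        # RFC 7617 forbids ':' in the user-id; the receiver could not tell
        # where the username ends and the password starts.
        raise ValueError("username must not contain ':'")
    pair = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def parse_basic_auth_header(header: str):
    """Inverse of basic_auth_header: return (username, password), or None if
    the header is not a well-formed Basic credential. These are the checks a
    gateway must make before it trusts anything in the header: scheme name,
    strict base64, valid UTF-8, and a ':' separating the pair."""
    parts = header.split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username, password


def headers_for(consumer: str, host: str = "contoso.com") -> dict:
    """Headers for a request to the book route: the Host the route matches on
    and the Basic credential, i.e. what the page passes to curl --header."""
    username, password = CREDENTIALS[consumer]
    return {"Host": host, "Authorization": basic_auth_header(username, password)}


if __name__ == "__main__":
    for name in CREDENTIALS:
        print(name, headers_for(name)["Authorization"])
```

The header values the script prints are the same ones used in the curl commands on this page; passing -u jack@hotmail.com:123456 to curl produces the same header without any manual encoding.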

=========================================================================================
Add the second consumer, with username john. The {custom_id} parameter is optional; it is a unique identifier of your own choosing,
used to map the consumer john to a user record in an existing database of yours.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=john" \
--data "custom_id=abc12345"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:47:29 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"custom_id": "abc12345",
"created_at": 1525920449000,
"username": "john",
"id": "73f0a0b2-1bf0-45fa-adbf-36b7fcde0929"
}

Create a Basic authentication credential for the second consumer, john
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/john/basic-auth \
--data "username=john@hotmail.com" \
--data "password=123456"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:48:54 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525920535000,
"id": "491a39df-d90a-4f42-933e-24662cfbac07",
"username": "john@hotmail.com",
"password": "b80b4aedd1a25a9803859f07b836f518541ab81e",
"consumer_id": "73f0a0b2-1bf0-45fa-adbf-36b7fcde0929"
}

Base64 encoding of the key-value string {username:password}
john@hotmail.com:123456 encodes to:
am9obkBob3RtYWlsLmNvbToxMjM0NTY=
(Again from the online encoder http://tool.oschina.net/encrypt?type=3; for real credentials compute the value locally or use curl -u instead.)
Access the books API as john using Basic authentication:
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Basic am9obkBob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Thu, 10 May 2018 02:50:35 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 25
X-Kong-Proxy-Latency: 40
Via: kong/0.13.1

[{"id":2,"title":"Brigitte Bardot - My Life in Fashion","author":"Henry-Jean Servat and Brigitte Bardot"}]

=========================================================================================
Add the third consumer, with username cathy. The {custom_id} parameter is optional; it is a unique identifier of your own choosing,
used to map the consumer cathy to a user record in an existing database of yours.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=cathy"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:52:07 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"created_at":1525920728000,"username":"cathy","id":"3fdb9381-d7fd-4f1c-a7ce-f4ea86d9aae2"}

Create a Basic authentication credential for the third consumer, cathy
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/cathy/basic-auth \
--data "username=cathy@hotmail.com" \
--data "password=123456"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 02:52:28 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525920748000,
"id": "cca66a54-ed18-458f-8c7c-73ea935eecd9",
"username": "cathy@hotmail.com",
"password": "6cfa32217d05a53174453837799bf8f6a9a03aac",
"consumer_id": "3fdb9381-d7fd-4f1c-a7ce-f4ea86d9aae2"
}

Base64 encoding of the key-value string {username:password}
cathy@hotmail.com:123456 encodes to:
Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2
(Again from the online encoder http://tool.oschina.net/encrypt?type=3; for real credentials compute the value locally or use curl -u instead.)
Access the books API as cathy using Basic authentication:
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2" \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63
Connection: keep-alive
Date: Thu, 10 May 2018 02:53:26 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 38
X-Kong-Proxy-Latency: 31
Via: kong/0.13.1

[{"id":3,"title":"The Fashion Image","author":"Thomas Werner"}]

*****************************************************************************************

Enable the ACL plugin on the book service, blacklisting the groups group3 and group4
URL format: http://localhost:8001/services/{service}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=acl" \
--data "config.blacklist=group3, group4"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 03:03:15 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525921395000,
"config": {
"blacklist": [
"group3",
"group4"
]
},
"id": "edcf403d-9bf4-46ae-84f3-cfccc34d56f1",
"enabled": true,
"service_id": "dca12a5d-10c4-4bf9-8a49-500c3935cae5",
"name": "acl"
}

Enable the ACL plugin on the book service's route {route_id}, again blacklisting group3 and group4
URL format: http://localhost:8001/routes/{route_id}/plugins
Doing both is redundant: when the same plugin is configured on a route and on its service, Kong runs only the more specific, route-scoped instance for requests on that route. Either one of the two is sufficient.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/routes/80569820-4d8c-4565-9c3c-b5e0475b0122/plugins \
--data "name=acl" \
--data "config.blacklist=group3, group4"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 03:05:53 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"created_at": 1525921551000,
"config": {
"blacklist": [
"group3",
"group4"
]
},
"id": "ae051c27-340c-4e20-a440-9e32721a2a6d",
"enabled": true,
"route_id": "80569820-4d8c-4565-9c3c-b5e0475b0122",
"name": "acl"
}

Even with group3 and group4 blacklisted, as long as none of jack, john and cathy is associated with group3 or group4,
the following commands can still access the book service:

curl -i -X GET \
--url http://localhost:8000/v1/books/1 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Basic am9obkBob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2" \
--header 'Host: contoso.com'

How do we blacklist a consumer who breaks our business rules or behaves maliciously?
Answer: associate the consumer jack with the blacklisted group group4 using the following command:
URL format: http://localhost:8001/consumers/{consumer_id or username}/acls
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/acls \
--data "group=group4"

HTTP/1.1 201 Created
Date: Thu, 10 May 2018 03:17:58 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
"group": "group4",
"created_at": 1525922278000,
"id": "bf3d30cc-67c5-4b05-b6bf-7a75f551aa64",
"consumer_id": "14af98df-237a-4555-bc00-580db0b26032"
}

The following request shows that jack, now a member of the blacklisted group group4, is refused access to the books API (403 Forbidden):
jack@hotmail.com:123456 encodes in Base64 to:
amFja0Bob3RtYWlsLmNvbToxMjM0NTY=
Access the books API as jack using Basic authentication:
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/1 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

HTTP/1.1 403 Forbidden
Date: Thu, 10 May 2018 03:19:39 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1

{"message":"You cannot consume this service"}

john, who is in no blacklisted group, can still access the book service
The following request shows that under a blacklist-only ACL, a consumer who belongs to neither a whitelisted nor a blacklisted group is still allowed to access the books API:
john@hotmail.com:123456 encodes in Base64 to:
am9obkBob3RtYWlsLmNvbToxMjM0NTY=
Access the books API as john using Basic authentication:
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Basic am9obkBob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Thu, 10 May 2018 03:22:35 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 23
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

[{"id":2,"title":"Brigitte Bardot - My Life in Fashion","author":"Henry-Jean Servat and Brigitte Bardot"}]

cathy, who is in no blacklisted group, can still access the book service
The following request shows the same thing for cathy: under a blacklist-only ACL, a consumer in neither a whitelisted nor a blacklisted group is still allowed to access the books API:
cathy@hotmail.com:123456 encodes in Base64 to:
Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2
Access the books API as cathy using Basic authentication:
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic Y2F0aHlAaG90bWFpbC5jb206MTIzNDU2" \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63
Connection: keep-alive
Date: Thu, 10 May 2018 03:23:02 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 25
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

[{"id":3,"title":"The Fashion Image","author":"Thomas Werner"}]

How to remove the association between the blacklisted group group4 and the consumer jack, so that jack can access the book service again: list the consumer's ACL entries, take the id of the entry, and delete it.
[root@contoso ~]# curl -i -X GET http://localhost:8001/consumers/jack/acls
HTTP/1.1 200 OK
Date: Thu, 10 May 2018 03:24:50 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"total":1,"data":[{"group":"group4","created_at":1525922278000,"id":"bf3d30cc-67c5-4b05-b6bf-7a75f551aa64","consumer_id":"14af98df-237a-4555-bc00-580db0b26032"}]}
[root@contoso ~]# curl -i -X GET http://localhost:8001/consumers/jack/acls/bf3d30cc-67c5-4b05-b6bf-7a75f551aa64
HTTP/1.1 200 OK
Date: Thu, 10 May 2018 03:25:48 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"group":"group4","created_at":1525922278000,"id":"bf3d30cc-67c5-4b05-b6bf-7a75f551aa64","consumer_id":"14af98df-237a-4555-bc00-580db0b26032"}
[root@contoso ~]# curl -i -X DELETE http://localhost:8001/consumers/jack/acls/bf3d30cc-67c5-4b05-b6bf-7a75f551aa64
HTTP/1.1 204 No Content
Date: Thu, 10 May 2018 03:26:00 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
// A 204 carries no body, so there is no success message, but the association between the consumer and the blacklisted group has been deleted
[root@contoso ~]#
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/1 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 77
Connection: keep-alive
Date: Thu, 10 May 2018 03:29:46 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 23
X-Kong-Proxy-Latency: 5
Via: kong/0.13.1

[{"id":1,"title":"Fashion That Changed the World","author":"Jennifer Croll"}]

// While the blacklist association existed, jack could not access the book service; now that it is gone, jack can consume book again, i.e. the consumer's legitimate access is restored
[root@contoso ~]#

*****************************************************************************************

Note: the following approach lets one service associate the same consumer with both a whitelist and a blacklist at the same time. It contradicts the official rule that whitelist and blacklist must not both be defined in one configuration, so it is not recommended. It assumes the whitelist groups group1 and group2 were defined first (the plugin, service and route ids below are those from the whitelist article, which is why they differ from the ones above):

[root@contoso ~]# curl http://localhost:8001/plugins/93419daf-ec5f-455a-8404-e0105f3c540f
[root@contoso ~]# curl -i -X PATCH \
--url http://localhost:8001/plugins/93419daf-ec5f-455a-8404-e0105f3c540f \
--data "config.blacklist=group3, group4"

HTTP/1.1 200 OK
Date: Wed, 09 May 2018 15:28:05 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1525795744000,
    "config": {
        "blacklist": [
            "group3",
            "group4"
        ],
        "whitelist": [
            "group1",
            "group2"
        ]
    },
    "id": "93419daf-ec5f-455a-8404-e0105f3c540f",
    "enabled": true,
    "service_id": "e55beddd-a9f1-4865-94ae-1b2e2bf4e6d5",
    "name": "acl"
}

[root@contoso ~]# curl http://localhost:8001/plugins/da001489-1e0e-4235-b32d-624dfe9e5518
[root@contoso ~]# curl -i -X PATCH \
--url http://localhost:8001/plugins/da001489-1e0e-4235-b32d-624dfe9e5518 \
--data "config.blacklist=group3, group4"

HTTP/1.1 200 OK
Date: Wed, 09 May 2018 15:30:11 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1525795992000,
    "config": {
        "blacklist": [
            "group3",
            "group4"
        ],
        "whitelist": [
            "group1",
            "group2"
        ]
    },
    "id": "da001489-1e0e-4235-b32d-624dfe9e5518",
    "enabled": true,
    "route_id": "cbcb0d5f-e95a-4114-8aa0-3f77283cc980",
    "name": "acl"
}

Now associate the blacklisted group group3 with the consumer jack:
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/acls \
--data "group=group3"
HTTP/1.1 201 Created
Date: Wed, 09 May 2018 15:41:37 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "group": "group3",
    "created_at": 1525880497000,
    "id": "4af05fd8-816e-4151-b0fe-77300af200a4",
    "consumer_id": "d81de922-1dab-4ec4-9a7c-91403b6b1d51"
}

[root@contoso ~]# curl -i -X GET http://localhost:8001/consumers/jack/acls
HTTP/1.1 200 OK
Date: Wed, 09 May 2018 16:06:21 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "total": 2,
    "data": [
        {
            "group": "group1",     // whitelisted group
            "created_at": 1525797101000,
            "id": "b2534048-7f56-440b-87c0-da56e90590df",
            "consumer_id": "d81de922-1dab-4ec4-9a7c-91403b6b1d51"
        },
        {
            "group": "group3",     // blacklisted group
            "created_at": 1525880497000,
            "id": "4af05fd8-816e-4151-b0fe-77300af200a4",
            "consumer_id": "d81de922-1dab-4ec4-9a7c-91403b6b1d51"
        }
    ]
}

When jack belongs to both a whitelisted group and a blacklisted group, jack cannot consume the book service: membership in a blacklisted group is decisive, and whitelist membership does not override it.
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=" \
--header 'Host: contoso.com'

HTTP/1.1 403 Forbidden
Date: Wed, 09 May 2018 15:44:56 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1

{"message":"You cannot consume this service"}
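Added example (not Kong's source code and not from the original post): a small Python model of the ACL decision that is consistent with every result observed on this page, together with Kong's plugin-precedence rule (a route-scoped instance beats a service-scoped one, which beats a global one) that makes the duplicate service-and-route configuration above redundant. The route, service and group names are the ones from the transcripts; the 403 message returned when no consumer is identified is this model's assumption, the other message is quoted from the page.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AclConfig:
    """One acl plugin instance as the Admin API returns it: its two lists and
    the scope it is attached to (route, service, or neither = global)."""
    whitelist: List[str] = field(default_factory=list)
    blacklist: List[str] = field(default_factory=list)
    route_id: Optional[str] = None
    service_id: Optional[str] = None


def select_plugin(plugins: List[AclConfig], route_id: str, service_id: str) -> Optional[AclConfig]:
    """Return the acl instance Kong runs for a request that matched route_id
    on service_id. Only the most specific matching instance applies:
    route-scoped beats service-scoped beats global (consumer-scoped
    instances are left out of this model)."""
    candidates = []
    for p in plugins:
        if p.route_id is not None and p.route_id != route_id:
            continue
        if p.service_id is not None and p.service_id != service_id:
            continue
        specificity = (p.route_id is not None, p.service_id is not None)
        candidates.append((specificity, p))
    if not candidates:
        return None
    candidates.sort(key=lambda c: c[0], reverse=True)
    return candidates[0][1]


def acl_decision(conf: AclConfig, consumer_groups: List[str], consumer_id: Optional[str]) -> Tuple[int, str]:
    """Decide a request the way this page's transcripts show Kong deciding.

    Blacklist first: a consumer in any blacklisted group is denied, even if
    it is also in a whitelisted group (the appendix above). Then, if a
    whitelist is configured, membership in one of its groups is required.
    A blacklist-only configuration therefore admits every consumer that is
    in no blacklisted group, whether it has any group at all or not.
    """
    if consumer_id is None:
        # No authentication plugin identified a consumer, so there is
        # nothing to evaluate. Assumed message; the page never shows it.
        return 403, "No consumer identified: ACL needs an authentication plugin"
    groups = set(consumer_groups)
    if conf.blacklist and (groups & set(conf.blacklist)):
        return 403, "You cannot consume this service"
    if conf.whitelist and not (groups & set(conf.whitelist)):
        return 403, "You cannot consume this service"
    return 200, "OK"


def replay_page_scenarios() -> dict:
    """Replay the experiments from this page with its ids and return the
    status code each one produced."""
    book = "dca12a5d-10c4-4bf9-8a49-500c3935cae5"
    route = "80569820-4d8c-4565-9c3c-b5e0475b0122"
    plugins = [  # the redundant pair configured above; the route one wins
        AclConfig(blacklist=["group3", "group4"], service_id=book),
        AclConfig(blacklist=["group3", "group4"], route_id=route),
    ]
    conf = select_plugin(plugins, route, book)
    both = AclConfig(whitelist=["group1", "group2"], blacklist=["group3", "group4"])
    return {
        "jack_in_group4": acl_decision(conf, ["group4"], "jack")[0],
        "john_no_group": acl_decision(conf, [], "john")[0],
        "cathy_no_group": acl_decision(conf, [], "cathy")[0],
        "jack_after_delete": acl_decision(conf, [], "jack")[0],
        "jack_group1_and_group3": acl_decision(both, ["group1", "group3"], "jack")[0],
        "jack_group1_only": acl_decision(both, ["group1"], "jack")[0],
        "no_consumer": acl_decision(conf, [], None)[0],
    }


if __name__ == "__main__":
    for name, status in replay_page_scenarios().items():
        print(f"{name}: {status}")
```

The model makes the ordering explicit: deleting jack's group4 entry (jack_after_delete) flips the decision back to 200 with no other change, and in the appendix case whitelist membership cannot rescue a consumer that is also blacklisted.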
————————————————
Copyright notice: this article is the original work of CSDN blogger "zhengzizhi", published under the CC 4.0 BY-SA licence; when reposting, include a link to the original and this notice.
原文链接:https://blog.csdn.net/zhengzizhi/article/details/80262757
