Consumers are used for the authentication method controlled by Apache APISIX, if users want to use their own auth system or 3rd party systems, use OIDC.
Consumers add their key either in a header or query string parameter to authenticate their requests. For more information about Key Auth, please refer to APISIX key-auth plugin. Also, we can using the secretRef field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the key-auth-reference-secret-object.
apiVersion: apisix.apache.org/v2 kind: ApisixConsumer metadata: name: ${name} spec: authParameter: keyAuth: value: key: ${key} #required
Consumers add their key in a header to authenticate their requests. For more information about Basic Auth, please refer to APISIX basic-auth plugin. Also, we can using the secretRef field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the key-auth-reference-secret-object.
apiVersion: apisix.apache.org/v2 kind: ApisixConsumer metadata: name: ${name} spec: authParameter: basicAuth: value: username: ${username} #required password: ${password} #required
The consumer then adds its key to the query string parameter, request header, or cookie to verify its request. For more information about JWT Auth, please refer to APISIX jwt-auth plugin. Also, we can using the secretRef field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the key-auth-reference-secret-object.
:::note Need to expose API This plugin will add /apisix/plugin/jwt/sign to sign. You may need to use public-api plugin to expose it. :::
apiVersion: apisix.apache.org/v2 kind: ApisixConsumer metadata: name: ${name} spec: authParameter: wolfRbac: value: key: "${key}" #required secret: "${secret}" #optional public_key: "${public_key}" #optional, required when algorithm attribute selects RS256 algorithm. private_key: "{private_key}" #optional, required when algorithm attribute selects RS256 algorithm. algorithm: "${HS256 | HS512 | RS256}" #optional exp: ${ 86400 | token's expire time, in seconds} #optional algorithm: ${true | false} #optional
Wolf RBACTo use wolfRbac authentication, you need to start and install wolf-server. For more information about Wolf RBAC, please refer to APISIX wolf-rbac plugin. Also, we can using the secretRef field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the key-auth-reference-secret-object.
:::note This plugin will add several APIs
You may need to use public-api plugin to expose it. :::
apiVersion: apisix.apache.org/v2 kind: ApisixConsumer metadata: name: ${name} spec: authParameter: wolfRBAC: value: server: "${server of wolf-rbac}" #optional appid: "${appid of wolf-rbac}" #optional header_prefix: "${X- | X-UserId | X-Username | X-Nickname}" #optional
whitelist or blacklistwhitelist: Grant full access to all users specified in the provided list, has the priority over allowed_by_methods blacklist: Reject connection to all users specified in the provided list, has the priority over whitelist
plugins: - name: consumer-restriction enable: true config: blacklist: - "${consumer_name}" - "${consumer_name}"
allowed_by_methodsHTTP methods can be methods:["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "CONNECT", "TRACE", "PURGE"]
plugins: - name: consumer-restriction enable: true config: allowed_by_methods: - user: "${consumer_name}" methods: - "${GET | POST | PUT |...}" - "${GET | POST | PUT |...}" - user: "${consumer_name}" methods: - "${GET | POST | PUT |...}"
Refer to the corresponding e2e test case.
To use this tutorial, you must deploy Ingress APISIX and httpbin in Kubernetes cluster.
Ingress APISIX.httpbin service.#Now, try to deploy httpbin to your Kubernetes cluster: kubectl run httpbin --image kennethreitz/httpbin --port 80 kubectl expose pod httpbin --port 80
AuthenticationkeyAuthThe following is an example. The keyAuth is enabled on the specified route to restrict user access.
key-auth:kubectl apply -f - <<EOF apiVersion: apisix.apache.org/v2 kind: ApisixConsumer metadata: name: foo spec: authParameter: keyAuth: value: key: foo-key EOF
key-auth:kubectl apply -f - <<EOF apiVersion: apisix.apache.org/v2 kind: ApisixRoute metadata: name: httpserver-route spec: http: - name: rule1 match: hosts: - httpbin.org paths: - /* backends: - serviceName: httpbin servicePort: 80 authentication: enable: true type: keyAuth EOF
kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' -i
HTTP/1.1 200 OK ...
Secret object:kubectl apply -f - <<EOF apiVersion: v1 kind: Secret metadata: name: foovalue data: key: Zm9vLWtleQ== EOF
Secret object:kubectl apply -f - <<EOF apiVersion: apisix.apache.org/v2 kind: ApisixConsumer metadata: name: foo spec: authParameter: keyAuth: secretRef: name: foovalue EOF
key-auth:kubectl apply -f - <<EOF apiVersion: apisix.apache.org/v2 kind: ApisixRoute metadata: name: httpserver-route spec: http: - name: rule1 match: hosts: - httpbin.org paths: - /* backends: - serviceName: httpbin servicePort: 80 authentication: enable: true type: keyAuth EOF
kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' -i
HTTP/1.1 200 OK ...
JWT Authjwt-auth:kubectl apply -f - <<EOF apiVersion: apisix.apache.org/v2 kind: ApisixConsumer metadata: name: foo2 spec: authParameter: jwtAuth: value: key: foo2-key EOF
public-api plugin to expose the public API:kubectl apply -f - <<EOF apiVersion: apisix.apache.org/v2 kind: ApisixRoute metadata: name: default spec: http: - name: public-api match: paths: - /apisix/plugin/jwt/sign backends: - serviceName: apisix-admin servicePort: 9180 plugins: - name: public-api enable: true EOF
kubectl apply -f - <<EOF apiVersion: apisix.apache.org/v2 kind: ApisixRoute metadata: name: httpbin-route spec: http: - name: rule1 match: hosts: - httpbin.org paths: - /* backends: - serviceName: httpbin servicePort: 80 authentication: enable: true type: jwtAuth EOF
kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=foo2-key -H 'Host: httpbin.org' -i
HTTP/1.1 200 OK ... eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI
kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -i
HTTP/1.1 401 ... {"message":"Missing JWT token in request"}
kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI' -i
HTTP/1.1 200 OK ...
RestrictionWe can also use the consumer-restriction Plugin to restrict our user from accessing the API.
consumer_nameThe following is an example. The consumer-restriction plugin is enabled on the specified route to restrict consumer_name access.
consumer_name: Add the username of consumer to a whitelist or blacklist (supporting single or multiple consumers) to restrict access to services or routes.
Create ApisixConsumer jack1:
kubectl apply -f - <<EOF apiVersion: apisix.apache.org/v2 kind: ApisixConsumer metadata: name: jack1 spec: authParameter: keyAuth: value: key: jack1-key EOF
kubectl apply -f - <<EOF apiVersion: apisix.apache.org/v2 kind: ApisixConsumer metadata: name: jack2 spec: authParameter: keyAuth: value: key: jack2-key EOF
whitelist of the plugin consumer-restriction:kubectl apply -f - <<EOF apiVersion: apisix.apache.org/v2 kind: ApisixRoute metadata: name: httpserver-route spec: http: - name: rule1 match: hosts: - httpbin.org paths: - /* backends: - serviceName: httpbin servicePort: 80 authentication: enable: true type: keyAuth plugins: - name: consumer-restriction enable: true config: whitelist: - "default_jack1" EOF
:::note The default_jack1 generation rules:
view ApisixConsumer resource object from this namespace default
$ kubectl get apisixconsumers.apisix.apache.org -n default NAME AGE foo 14h jack1 14h jack2 14h
${consumer_name} = ${namespace}_${ApisixConsumer_name} --> default_foo ${consumer_name} = ${namespace}_${ApisixConsumer_name} --> default_jack1 ${consumer_name} = ${namespace}_${ApisixConsumer_name} --> default_jack2
:::
Example usage
kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack1-key' -i
HTTP/1.1 200 OK ...
kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack2-key' -i
HTTP/1.1 403 Forbidden ... {"message":"The consumer_name is forbidden."}
allowed_by_methodsThis example restrict the user jack2 to only GET on the resource.
allowed_by_methods of the plugin consumer-restriction:kubectl apply -f - <<EOF apiVersion: apisix.apache.org/v2 kind: ApisixRoute metadata: name: httpserver-route spec: http: - name: rule1 match: hosts: - httpbin.org paths: - /* backends: - serviceName: httpbin servicePort: 80 authentication: enable: true type: keyAuth plugins: - name: consumer-restriction enable: true config: allowed_by_methods: - user: "default_jack1" methods: - "POST" - "GET" - user: "default_jack2" methods: - "GET" EOF
Example usage
kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack1-key' -i
HTTP/1.1 200 OK ...
kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack1-key' -d '' -i
HTTP/1.1 200 OK ...
kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack2-key' -i
HTTP/1.1 200 OK ...
kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack2-key' -d '' -i
HTTP/1.1 403 Forbidden ...
To disable the consumer-restriction Plugin, you can set the enable: false from the plugins configuration. Also, disable the keyAuth, you can set the enable: false from the authentication configuration.
kubectl apply -f - <<EOF apiVersion: apisix.apache.org/v2 kind: ApisixRoute metadata: name: httpserver-route spec: http: - name: rule1 match: hosts: - httpbin.org paths: - /* backends: - serviceName: httpbin servicePort: 80 authentication: enable: false type: keyAuth plugins: - name: consumer-restriction enable: false config: allowed_by_methods: - user: "default_jack1" methods: - "POST" - "GET" - user: "default_jack2" methods: - "GET" EOF
kubectl exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -i
HTTP/1.1 200 OK ...