wolf-rbac
#
Summary#
Namewolf-rbac
is an authentication and authorization (rbac) plugin. It needs to work with consumer
. Also need to add wolf-rbac
to a service
or route
.
The rbac feature is provided by wolf. For more information about wolf
, please refer to wolf documentation.
#
AttributesName | Type | Requirement | Default | Valid | Description |
---|---|---|---|---|---|
server | string | optional | "http://127.0.0.1:10080" | Set the service address of wolf-server . | |
appid | string | optional | "unset" | Set the app id. The app id must be added in wolf-console. | |
header_prefix | string | optional | "X-" | prefix of custom HTTP header. After authentication is successful, three headers will be added to the request header (for backend) and response header (for frontend): X-UserId , X-Username , X-Nickname . |
#
APIThis plugin will add several API:
- /apisix/plugin/wolf-rbac/login
- /apisix/plugin/wolf-rbac/change_pwd
- /apisix/plugin/wolf-rbac/user_info
You may need to use interceptors to protect it.
#
Dependencies#
Install wolf and start the serviceapplication
, admin
, normal user
, permission
, resource
and user authorize#
Add #
How To Enable- set a consumer and config the value of the
wolf-rbac
。
curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{ "username":"wolf_rbac", "plugins":{ "wolf-rbac":{ "server":"http://127.0.0.1:10080", "appid":"restful" } }, "desc":"wolf-rbac"}'
You also can complete the above operations through the web interface, first add a consumer:
Then add the wolf-rbac plugin to the consumer page:
Notes: The appid
filled in above needs to already exist in the wolf system.
- Add a
Route
orService
and enable the wolf-rbac plugin.
curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{ "methods": ["GET"], "uri": "/*", "plugins": { "wolf-rbac": {} }, "upstream": { "type": "roundrobin", "nodes": { "www.baidu.com:80": 1 } }}'
#
Test Pluginwolf-rbac
token:#
Login and get The following appid
, username
, and password
must be real ones in the wolf system.
- Login as
POST application/json
curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i \-H "Content-Type: application/json" \-d '{"appid": "restful", "username":"test", "password":"user-password"}'
HTTP/1.1 200 OKDate: Wed, 24 Jul 2019 10:33:31 GMTContent-Type: text/plainTransfer-Encoding: chunkedConnection: keep-aliveServer: APISIX web server{"rbac_token":"V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts","user_info":{"nickname":"test","username":"test","id":"749"}}
- Login as
POST x-www-form-urlencoded
curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i \-H "Content-Type: application/x-www-form-urlencoded" \-d 'appid=restful&username=test&password=user-password'
#
try request with token- without token
curl http://127.0.0.1:9080/ -H"Host: www.baidu.com" -i
HTTP/1.1 401 Unauthorized...{"message":"Missing rbac token in request"}
- request header(Authorization) with token:
curl http://127.0.0.1:9080/ -H"Host: www.baidu.com" \-H 'Authorization: V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts' -i
HTTP/1.1 200 OK
<!DOCTYPE html>
- request header(x-rbac-token) with token:
curl http://127.0.0.1:9080/ -H"Host: www.baidu.com" \-H 'x-rbac-token: V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts' -i
HTTP/1.1 200 OK
<!DOCTYPE html>
- request params with token:
curl 'http://127.0.0.1:9080?rbac_token=V1%23restful%23eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts' -H"Host: www.baidu.com" -i
HTTP/1.1 200 OK
<!DOCTYPE html>
- request cookie with token:
curl http://127.0.0.1:9080 -H"Host: www.baidu.com" \--cookie x-rbac-token=V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts -i
HTTP/1.1 200 OK
<!DOCTYPE html>
RBAC
user information#
Get curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/user_info \--cookie x-rbac-token=V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts -i
HTTP/1.1 200 OK{ "user_info":{ "nickname":"test", "lastLogin":1582816780, "id":749, "username":"test", "appIDs":["restful"], "manager":"none", "permissions":{"USER_LIST":true}, "profile":null, "roles":{}, "createTime":1578820506, "email":"" }}
#
Change 'RBAC' user passwordcurl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/change_pwd \-H "Content-Type: application/json" \--cookie x-rbac-token=V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts -i \-X PUT -d '{"oldPassword": "old password", "newPassword": "new password"}'
HTTP/1.1 200 OK{"message":"success to change password"}
#
Disable PluginWhen you want to disable the wolf-rbac
plugin, it is very simple,
you can delete the corresponding json configuration in the plugin configuration,
no need to restart the service, it will take effect immediately:
curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{ "methods": ["GET"], "uri": "/*", "plugins": { }, "upstream": { "type": "roundrobin", "nodes": { "www.baidu.com:80": 1 } }}'