
Chapter 5: Authentication and Authorization

This chapter covers authentication and authorization configuration on the API gateway, with parallel examples for Kong (Admin API on port 8001) and APISIX (Admin API on port 9180). The X-API-KEY value edd1c9f034335f136f87ad84b625c8f1 used in the APISIX requests is the default key from the APISIX documentation; change the admin_key setting in config.yaml and keep the Admin API off untrusted networks, because whoever holds that key controls every route, upstream and credential on the gateway.

Authentication Methods

API Key Authentication

# Kong
# Enable the key-auth plugin on the service
curl -i -X POST http://localhost:8001/services/user-service/plugins \
  -d "name=key-auth"

# Create a Consumer and attach a key to it
curl -i -X POST http://localhost:8001/consumers \
  -d "username=client-app"

curl -i -X POST http://localhost:8001/consumers/client-app/key-auth \
  -d "key=app-api-key"

# APISIX
# The key belongs to a Consumer, not to the route, so create the Consumer
# first (underscore rather than hyphen: older APISIX releases only accept
# letters, digits and underscores in consumer usernames)
curl -i -X PUT http://localhost:9180/apisix/admin/consumers \
  -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
  -d '{
    "username": "client_app",
    "plugins": {
      "key-auth": {
        "key": "app-api-key"
      }
    }
  }'

# Then enable key-auth on the route. The route-level config only chooses
# where the key is read from (default: the apikey header or query parameter)
curl -i -X PUT http://localhost:9180/apisix/admin/routes/1 \
  -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
  -d '{
    "uri": "/api/*",
    "plugins": {
      "key-auth": {}
    },
    "upstream_id": "1"
  }'

Clients send the key in the apikey header on both gateways. Both also accept it as a query parameter by default; prefer the header (Kong: config.key_in_query=false) so keys do not end up in access logs, proxies and browser history. Treat the key as a bearer secret: generate it randomly rather than choosing a memorable string like app-api-key, and rotate it by adding a second credential to the Consumer before deleting the old one.

JWT Authentication

# Kong
# Enable the jwt plugin. Kong does not check exp unless asked to, so
# request it explicitly; otherwise a leaked token is valid forever.
curl -i -X POST http://localhost:8001/services/user-service/plugins \
  -d "name=jwt" \
  -d "config.claims_to_verify=exp"

# Create a JWT credential for the Consumer created above. Tokens must carry
# iss=app-key and be signed with HS256 using app-secret.
curl -i -X POST http://localhost:8001/consumers/client-app/jwt \
  -d "key=app-key" \
  -d "secret=app-secret"

# APISIX
# As with key-auth, the key/secret pair lives on the Consumer. Tokens must
# carry key=app-key in the payload and be signed with app-secret.
curl -i -X PUT http://localhost:9180/apisix/admin/consumers \
  -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
  -d '{
    "username": "client_app",
    "plugins": {
      "jwt-auth": {
        "key": "app-key",
        "secret": "app-secret"
      }
    }
  }'

curl -i -X PUT http://localhost:9180/apisix/admin/routes/1 \
  -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
  -d '{
    "uri": "/api/*",
    "plugins": {
      "jwt-auth": {}
    },
    "upstream_id": "1"
  }'

The secret is the HMAC key for HS256, so app-secret is a placeholder only: use at least 32 random bytes, because anyone who guesses it can mint tokens for the Consumer. Both plugins read the token from the Authorization header (Bearer scheme).
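The curl commands above only register the credential; they do not show what a valid token looks like or which checks the gateway performs on it. The following is an added example, not code from this chapter or from Kong/APISIX, that mints the HS256 token the two configurations accept and re-implements the gateway-side verification. The CONSUMER_SECRETS table and the NOW values in the usage are constructed for the example; the claim names follow the plugins' documented behaviour (Kong matches iss against the credential key, APISIX matches key).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed credential table mirroring the Consumer registered above:
# credential key -> HS256 secret (the gateway's consumer lookup).
CONSUMER_SECRETS = {"app-key": "app-secret"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint_token(consumer_key: str, secret: str, ttl: int = 300, now=None) -> str:
    """Client side: build the HS256 token the configs above accept.

    Kong's jwt plugin looks the credential up by the `iss` claim, APISIX's
    jwt-auth by the `key` claim; carrying both makes one token usable against
    either gateway. A short `exp` limits the damage from a leaked token.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": consumer_key, "key": consumer_key, "iat": now, "exp": now + ttl}
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, secrets: dict, now=None) -> dict:
    """Gateway side: the checks that make an HMAC JWT scheme safe.

    Raises ValueError on any failure and returns the verified claims otherwise.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    payload = json.loads(_b64url_decode(p_b64))
    # Pin the algorithm: honouring a client-chosen alg (e.g. "none") is the
    # classic JWT bypass, so anything but HS256 is rejected before lookup.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    consumer_key = payload.get("key", payload.get("iss"))
    secret = secrets.get(consumer_key)
    if secret is None:
        raise ValueError("unknown consumer key")
    expected = hmac.new(secret.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("missing or expired exp")
    return payload


def token_status(token: str, secrets: dict, now: int) -> str:
    """Return "ok" or the rejection reason, for scripting and tests."""
    try:
        verify_token(token, secrets, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    tok = mint_token("app-key", "app-secret")
    print(tok)  # send as: curl -H "Authorization: Bearer $TOKEN" http://gateway/api/...
    print(token_status(tok, CONSUMER_SECRETS, int(time.time())))
```

The signature is checked against the secret selected by the claim inside the token, which is exactly why the lookup key must be unforgeable at the secret level: the token names the Consumer, but only the Consumer's secret can produce a signature that verifies.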

Basic Auth

# Kong
curl -i -X POST http://localhost:8001/services/user-service/plugins \
  -d "name=basic-auth"

# Create a basic-auth credential for the Consumer
curl -i -X POST http://localhost:8001/consumers/client-app/basic-auth \
  -d "username=admin" \
  -d "password=secret"

# APISIX
# The username/password pair lives on the Consumer
curl -i -X PUT http://localhost:9180/apisix/admin/consumers \
  -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
  -d '{
    "username": "client_app",
    "plugins": {
      "basic-auth": {
        "username": "admin",
        "password": "secret"
      }
    }
  }'

curl -i -X PUT http://localhost:9180/apisix/admin/routes/1 \
  -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
  -d '{
    "uri": "/api/*",
    "plugins": {
      "basic-auth": {}
    },
    "upstream_id": "1"
  }'

Basic Auth sends the password base64-encoded (not encrypted) on every request, so it is only acceptable on TLS-terminated routes and is best limited to internal tooling or migration paths.

OAuth2 Integration

# Kong
# Kong's oauth2 plugin makes the gateway itself the authorization server
# (tokens are issued at /oauth2/token under the service). At least one grant
# type must be enabled or the plugin is rejected, and the token endpoint
# requires TLS unless config.accept_http_if_already_terminated is set.
curl -i -X POST http://localhost:8001/services/user-service/plugins \
  -d "name=oauth2" \
  -d "config.scopes=email,profile" \
  -d "config.mandatory_scope=true" \
  -d "config.enable_client_credentials=true"

# APISIX
# openid-connect delegates to an external OIDC provider located via
# discovery. bearer_only=true validates a bearer token and answers 401 when
# it is absent; without it the plugin starts a browser redirect login flow,
# which is wrong for a JSON API. "secret" is a placeholder for the real
# client secret.
curl -i -X PUT http://localhost:9180/apisix/admin/routes/1 \
  -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
  -d '{
    "uri": "/api/*",
    "plugins": {
      "openid-connect": {
        "client_id": "apisix",
        "client_secret": "secret",
        "discovery": "https://auth.example.com/.well-known/openid-configuration",
        "bearer_only": true
      }
    },
    "upstream_id": "1"
  }'

Authorization Controls

RBAC Permissions

# APISIX
# authz-casbin evaluates (subject, path, method) against a Casbin model and
# policy. "username" names the request header the subject is read from; that
# header must be set by a trusted hop (and stripped from client requests),
# otherwise a caller can choose its own role.
curl -i -X PUT http://localhost:9180/apisix/admin/routes/1 \
  -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
  -d '{
    "uri": "/api/admin/*",
    "plugins": {
      "jwt-auth": {},
      "authz-casbin": {
        "model_path": "/path/to/model.conf",
        "policy_path": "/path/to/policy.csv",
        "username": "X-User"
      }
    },
    "upstream_id": "1"
  }'

Kong's open-source equivalent is the acl plugin: Consumers are added to groups and the plugin's config.allow lists the groups permitted on the route.
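The route above points at a model.conf and policy.csv that the chapter never shows. The following is an added example, not part of the chapter or of the Casbin or APISIX projects: a constructed RBAC model and policy of the kind authz-casbin loads, plus a small Python evaluator implementing the semantics of that specific matcher (role inheritance through g, Casbin's keyMatch prefix wildcard, deny by default). The user and role names are invented for the example; it is not a general Casbin engine.

```python
# Constructed model.conf: subject/object/action requests, RBAC role links,
# allow-only effect, and a matcher using Casbin's keyMatch on the path.
MODEL_CONF = """\
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act
"""

# Constructed policy.csv: p lines grant, g lines link users/roles to roles.
POLICY_CSV = """\
p, admin,  /api/admin/*,   GET
p, admin,  /api/admin/*,   POST
p, viewer, /api/reports/*, GET
g, alice, admin
g, bob,   viewer
g, admin, viewer
"""


def key_match(key1: str, key2: str) -> bool:
    """Casbin's keyMatch: key2 may contain one '*', matching any suffix."""
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    if len(key1) > i:
        return key1[:i] == key2[:i]
    return key1 == key2[:i]


def load_policy(text: str):
    """Parse the p and g lines of a policy.csv into (policies, role_links)."""
    policies, links = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 4:
            policies.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            links.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"unrecognised policy line: {raw!r}")
    return policies, links


def has_role(links: dict, sub: str, role: str, _seen=None) -> bool:
    """g(sub, role): true if sub is the role or reaches it through the g graph."""
    if sub == role:
        return True
    seen = set() if _seen is None else _seen
    for parent in links.get(sub, ()):
        if parent not in seen:
            seen.add(parent)
            if has_role(links, parent, role, seen):
                return True
    return False


def enforce(policies, links, sub: str, obj: str, act: str) -> bool:
    """Deny-by-default evaluation of the matcher in MODEL_CONF."""
    return any(
        has_role(links, sub, p_sub) and key_match(obj, p_obj) and act == p_act
        for p_sub, p_obj, p_act in policies
    )


POLICIES, LINKS = load_policy(POLICY_CSV)


def allowed(sub: str, obj: str, act: str) -> bool:
    return enforce(POLICIES, LINKS, sub, obj, act)


if __name__ == "__main__":
    for req in [("alice", "/api/admin/users", "GET"), ("bob", "/api/admin/users", "GET")]:
        print(req, allowed(*req))
```

Note what keyMatch does not do: it is a plain string prefix test, so a request for /api/reports/../admin/users satisfies the viewer rule even though an upstream that normalises dot segments will serve /api/admin/users. Normalise the path on the gateway before authorization, or write policies for the normalised form only.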

IP Allowlist

# Kong
curl -i -X POST http://localhost:8001/services/user-service/plugins \
  -d "name=ip-restriction" \
  -d "config.allow=192.168.1.0/24,10.0.0.0/8"

# APISIX
curl -i -X PUT http://localhost:9180/apisix/admin/routes/1 \
  -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
  -d '{
    "uri": "/api/*",
    "plugins": {
      "ip-restriction": {
        "whitelist": ["192.168.1.0/24", "10.0.0.0/8"]
      }
    },
    "upstream_id": "1"
  }'

Both plugins compare against the client address the gateway sees. Behind a load balancer or CDN that is the balancer's address, so every request either passes or fails together unless the gateway is told which proxies to trust and which header carries the original address (Kong: trusted_ips and real_ip_header in kong.conf; APISIX: the real-ip plugin with trusted_addresses). Never take X-Forwarded-For from arbitrary peers, since any client can set it.
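To make the trusted-proxy caveat concrete, here is an added example, not part of the chapter or of either gateway's code, that resolves the real client address the way real-IP modules do and then applies the allowlist from the configuration above. The trusted proxy range 172.16.0.0/12 and the sample peer/X-Forwarded-For values are constructed for the example.

```python
import ipaddress

# The allowlist from the ip-restriction configs above.
ALLOWLIST = [ipaddress.ip_network(c) for c in ("192.168.1.0/24", "10.0.0.0/8")]
# Assumed address range of our own load balancers (constructed for the example).
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.0.0/12")]


def _in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def client_ip(peer_addr: str, xff_header: str = "", trusted=TRUSTED_PROXIES):
    """Resolve the originating client address.

    Start from the TCP peer. If the peer is a trusted proxy, walk
    X-Forwarded-For from right to left: each trusted hop vouches for the
    address to its left. The first untrusted address is the client; anything
    further left was written by parties we do not trust and is ignored.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _in_any(peer, trusted):
        return peer  # direct connection: the header, if present, is client-controlled
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    current = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop walking, keep the last valid hop
        current = addr
        if not _in_any(addr, trusted):
            break
    return current


def is_allowed(peer_addr: str, xff_header: str = "") -> bool:
    """ip-restriction decision against the resolved client address."""
    return _in_any(client_ip(peer_addr, xff_header), ALLOWLIST)


if __name__ == "__main__":
    # Spoof attempt: an outside host connects directly and claims to be internal.
    print(is_allowed("203.0.113.9", "10.0.0.5"))
    # Legitimate internal client arriving through the load balancer.
    print(is_allowed("172.16.0.10", "10.0.0.5"))
```

The order of the walk matters: a client can prepend anything to X-Forwarded-For, but only the proxies we trust append to it, so the rightmost untrusted entry is the only one that carries information.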

Request Body Size Limit

# Kong
# allowed_payload_size is in megabytes unless config.size_unit is changed,
# so this rejects bodies over 10 MB with 413
curl -i -X POST http://localhost:8001/services/user-service/plugins \
  -d "name=request-size-limiting" \
  -d "config.allowed_payload_size=10"

# APISIX
# The byte limit is set through the client-control plugin, which applies
# client_max_body_size per route (value in bytes; 10 MB here). A
# request-validation body_schema with maxProperties only bounds the number
# of JSON keys, not the size of the body, and is not a substitute.
curl -i -X PUT http://localhost:9180/apisix/admin/routes/1 \
  -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
  -d '{
    "uri": "/api/*",
    "plugins": {
      "client-control": {
        "max_body_size": 10485760
      }
    },
    "upstream_id": "1"
  }'

Combining Authentication and Authorization Plugins

# APISIX: stacked checks on one route. Every listed plugin must pass (they
# are AND-ed); the gateway runs them in plugin priority order, so
# ip-restriction rejects out-of-range sources before any credential is
# examined, then jwt-auth authenticates, then authz-casbin authorizes.
curl -i -X PUT http://localhost:9180/apisix/admin/routes/1 \
  -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
  -d '{
    "uri": "/api/*",
    "plugins": {
      "jwt-auth": {},
      "ip-restriction": {
        "whitelist": ["10.0.0.0/8"]
      },
      "authz-casbin": {
        "model_path": "/path/to/model.conf",
        "policy_path": "/path/to/policy.csv",
        "username": "X-User"
      }
    },
    "upstream_id": "1"
  }'

This is defence in depth, not a choice between methods: a stolen JWT is useless from outside 10.0.0.0/8, and a valid JWT alone does not grant access to paths the Casbin policy withholds from its subject.

Summary

Key points on authentication and authorization:

  • Authentication methods: API Key, JWT, Basic Auth, OAuth2 / OpenID Connect; in APISIX the credential always lives on the Consumer, the route only enables the plugin
  • Authorization controls: RBAC (authz-casbin in APISIX, acl in Kong), IP allowlists with trusted proxies configured, request body size limits
  • Combining plugins: stack them on one route; every plugin must pass

The next chapter covers rate limiting and circuit breaking.