ronething opened a new issue, #8792: URL: https://github.com/apache/apisix/issues/8792
### Description I want to restrict a user to access the route only by a certain method(like GET) and deny other users to access the route via set `allowed_by_methods`, configured as follows ```shell # create consumer baz curl http://127.0.0.1:9180/apisix/admin/consumers \ -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "username": "baz", "plugins": { "basic-auth": { "username": "baz", "password": "foo" } } }' # create consumer baz curl http://127.0.0.1:9180/apisix/admin/consumers \ -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "username": "hello", "plugins": { "basic-auth": { "username": "hello", "password": "world" } } }' # access user baz by GET method with the field `allowed_by_methods` curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "uri": "/get", "upstream": { "type": "roundrobin", "nodes": { "127.0.0.1:8080": 1 } }, "plugins": { "basic-auth": {}, "consumer-restriction": { "allowed_by_methods":[{ "user": "baz", "methods": ["GET"] }] } } }' ``` 1、restrict a user to access the route only by a certain method(like GET) is ok ```shell $ curl -i -ubaz:foo http://127.0.0.1:9080/get -X GET HTTP/1.1 200 OK Content-Type: application/json Content-Length: 265 Connection: keep-alive Date: Mon, 06 Feb 2023 03:26:03 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Server: APISIX/3.1.0 { "args": {}, "headers": { "Accept": "*/*", "Authorization": "Basic YmF6OmZvbw==", "Host": "127.0.0.1:9080", "User-Agent": "curl/7.79.1", "X-Forwarded-Host": "127.0.0.1" }, "origin": "127.0.0.1", "url": "http://127.0.0.1/get"; } ``` ```shell $ curl -i -ubaz:foo http://127.0.0.1:9080/get -X POST HTTP/1.1 403 Forbidden Date: Mon, 06 Feb 2023 03:22:57 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Server: APISIX/3.1.0 {"message":"The consumer_name is forbidden."} ``` 2、Deny other users to access this route, this does **not work** ```shell $ curl -i -uhello:world http://127.0.0.1:9080/get HTTP/1.1 200 OK Content-Type: application/json Content-Length: 269 Connection: keep-alive Date: Mon, 06 Feb 2023 03:22:31 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Server: APISIX/3.1.0 { "args": {}, "headers": { "Accept": "*/*", "Authorization": "Basic aGVsbG86d29ybGQ=", "Host": "127.0.0.1:9080", "User-Agent": "curl/7.79.1", "X-Forwarded-Host": "127.0.0.1" }, "origin": "127.0.0.1", "url": "http://127.0.0.1/get"; } ``` If this is a bug, i would like to help and fix it ### Environment - APISIX version (run `apisix version`): 3.1.0 - Operating system (run `uname -a`): - OpenResty / Nginx version (run `openresty -V` or `nginx -V`): - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): - APISIX Dashboard version, if relevant: - Plugin runner version, for issues related to plugin runners: - LuaRocks version, for installation issues (run `luarocks --version`): -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
