cverdela opened a new issue, #9317:
URL: https://github.com/apache/apisix/issues/9317
### Current Behavior
I want to use proxy-rewrite to write the consumer group information into a
header, and then use casbin to check permissions. Upstream users can also
read the header information.
I added the consumer group ID as a header using proxy-rewrite, and
verified the header using casbin. Surprisingly, `headers.add` did what I
wanted, but `headers.set` failed. (`add` is not an equivalent substitute:
it appends to a `tenant` header the client may already have sent instead of
replacing it, so the value checked by casbin should come from `set`.)
two consumer_groups :
PUT /apisix/admin/consumer_groups/1000
{
"plugins": {
}
}
PUT /apisix/admin/consumer_groups/2080
{
"plugins": {
}
}
{
"username": "tom",
"plugins": {
"key-auth": {
"key":
"192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf"
}
},
"group_id":"1000"
}
two consumer:
{
"username": "jack",
"plugins": {
"key-auth": {
"key":
"QinPGTd7Ulec03lar0vkI9ojqmXsuw4VOyirnC5NuvEdJSCwLwesmknNygXITunT"
}
},
"group_id":"2080"
}
One route:
{
"name": "web1-rewrite",
"status": 1,
"methods": [
"GET",
"POST",
"PUT",
"DELETE",
"PATCH",
"HEAD",
"OPTIONS",
"CONNECT",
"TRACE",
"PURGE"
],
"priority": 0,
"labels": {},
"uri": "/web1/*",
"plugins": {
"proxy-rewrite": {
"_meta": {
"priority": 1
},
"headers": {
"set": {
"tenant": "$consumer_group_id"
}
}
},
"key-auth": {
"_meta": {
"priority": 2
}
},
"authz-casbin": {
"_meta": {
"priority": 0
},
"model": "[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = (g(r.sub, p.sub) || keyMatch(r.sub, p.sub)) &&
keyMatch(r.obj, p.obj) && keyMatch(r.act, p.act)",
"policy": "p, *, web1, GET
p, admin, *, *
g, 2080, admin",
"username": "tenant"
}
},
"upstream_id": "452002436731634371"
}
access :
POST /web1/ HTTP/1.1
HEADER
apikey: QinPGTd7Ulec03lar0vkI9ojqmXsuw4VOyirnC5NuvEdJSCwLwesmknNygXITunT
{"message":"Access Denied"}
POST /web1/ HTTP/1.1
HEADER
apikey: 192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf
{"message":"Access Denied"}
After changing `set` to `add` in proxy-rewrite:
```
"proxy-rewrite": {
"_meta": {
"priority": 1
},
"headers": {
"add": {
"tenant": "$consumer_group_id"
}
}
},
```
access :
POST /web1/ HTTP/1.1
HEADER
apikey: QinPGTd7Ulec03lar0vkI9ojqmXsuw4VOyirnC5NuvEdJSCwLwesmknNygXITunT
hello web1
POST /web1/ HTTP/1.1
HEADER
apikey: 192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf
{"message":"Access Denied"}
### Expected Behavior
```
"proxy-rewrite": {
"_meta": {
"priority": 1
},
"headers": {
"set": {
"tenant": "$consumer_group_id"
}
}
},
```
POST /web1/ HTTP/1.1
HEADER
apikey: QinPGTd7Ulec03lar0vkI9ojqmXsuw4VOyirnC5NuvEdJSCwLwesmknNygXITunT
hello web1
POST /web1/ HTTP/1.1
HEADER
apikey: 192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf
{"message":"Access Denied"}
### Error Logs
no error
### Steps to Reproduce
two consumer_groups :
PUT /apisix/admin/consumer_groups/1000
{
"plugins": {
}
}
PUT /apisix/admin/consumer_groups/2080
{
"plugins": {
}
}
{
"username": "tom",
"plugins": {
"key-auth": {
"key":
"192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf"
}
},
"group_id":"1000"
}
two consumer:
{
"username": "jack",
"plugins": {
"key-auth": {
"key":
"QinPGTd7Ulec03lar0vkI9ojqmXsuw4VOyirnC5NuvEdJSCwLwesmknNygXITunT"
}
},
"group_id":"2080"
}
One route:
{
"name": "web1-rewrite",
"status": 1,
"methods": [
"GET",
"POST",
"PUT",
"DELETE",
"PATCH",
"HEAD",
"OPTIONS",
"CONNECT",
"TRACE",
"PURGE"
],
"priority": 0,
"labels": {},
"uri": "/web1/*",
"plugins": {
"proxy-rewrite": {
"_meta": {
"priority": 1
},
"headers": {
"set": {
"tenant": "$consumer_group_id"
}
}
},
"key-auth": {
"_meta": {
"priority": 2
}
},
"authz-casbin": {
"_meta": {
"priority": 0
},
"model": "[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = (g(r.sub, p.sub) || keyMatch(r.sub, p.sub)) &&
keyMatch(r.obj, p.obj) && keyMatch(r.act, p.act)",
"policy": "p, *, web1, GET
p, admin, *, *
g, 2080, admin",
"username": "tenant"
}
},
"upstream_id": "452002436731634371"
}
access :
POST /web1/ HTTP/1.1
HEADER
apikey: QinPGTd7Ulec03lar0vkI9ojqmXsuw4VOyirnC5NuvEdJSCwLwesmknNygXITunT
{"message":"Access Denied"}
POST /web1/ HTTP/1.1
HEADER
apikey: 192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf
{"message":"Access Denied"}
After changing `set` to `add` in proxy-rewrite:
```
"proxy-rewrite": {
"_meta": {
"priority": 1
},
"headers": {
"add": {
"tenant": "$consumer_group_id"
}
}
},
```
access :
POST /web1/ HTTP/1.1
HEADER
apikey: QinPGTd7Ulec03lar0vkI9ojqmXsuw4VOyirnC5NuvEdJSCwLwesmknNygXITunT
hello web1
POST /web1/ HTTP/1.1
HEADER
apikey: 192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf
{"message":"Access Denied"}
### Environment
- APISIX version (run `apisix version`):3.2.0
- Operating system (run `uname -a`):win docker example
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
- etcd version, if relevant (run `curl
http://127.0.0.1:9090/v1/server_info`):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):