AlinsRan opened a new pull request, #13349: URL: https://github.com/apache/apisix/pull/13349
## Summary Add the `acl` plugin, which provides label-based access control for API routes. ## Description The `acl` plugin checks consumer labels (from APISIX consumers) or external user attributes (from authentication plugins that set `ctx.external_user`) against configured allow or deny lists. ### Key features - **Allow list** (`allow_labels`): Only consumers whose labels match are granted access. - **Deny list** (`deny_labels`): Consumers whose labels match are rejected; others are allowed. - **Three label value formats**: Lua table, JSON array string (`["a","b"]`), or delimiter-separated text (`a,b`). - **External user support**: Works with external auth plugins (e.g. SAML) that populate `ctx.external_user`, using JSONPath to extract label values. - **Customizable rejection**: Configurable HTTP status code and message. ### Plugin details - Priority: 2410 - Phase: access - Dependencies: `jsonpath` (already in rockspec deps) ## Changes - `apisix/plugins/acl.lua`: Plugin implementation - `t/plugin/acl.t`: Test cases for consumer label-based ACL (55 tests) - `t/plugin/acl2.t`: Test cases for `ctx.external_user` based ACL - `docs/en/latest/plugins/acl.md`: English documentation - `docs/zh/latest/plugins/acl.md`: Chinese documentation - `conf/config.yaml.example`: Register plugin at priority 2410 - `apisix/cli/config.lua`: Add to default plugin list -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
