nic-6443 opened a new pull request, #13529: URL: https://github.com/apache/apisix/pull/13529
### Description

The Admin API accepts two different consumers (or credentials) configured with the same authentication key, e.g. two consumers with an identical `key-auth` key. At runtime, consumer matching builds a `key -> consumer` map, so the last loaded consumer silently wins and traffic is attributed to an arbitrary one of them — identity, quotas and ACLs all follow the wrong consumer. The root cause is that there is no write-time validation of key uniqueness.

This PR revives the approach from #12040 (write-time checking, as endorsed in the issue discussion): on consumer and credential create/update, the Admin API now lists the stored consumers/credentials and rejects the write with `400` when the same unique key of an auth plugin (`key-auth` `key`, `basic-auth` `username`, `jwt-auth` `key`, `hmac-auth` `key_id`) is already used by another owner. Re-PUT of the same owner with an unchanged key stays allowed.

Compared with #12040, the check reads the current data from etcd instead of the in-memory runtime view, so it does not depend on the config sync delay, and it decrypts the stored plugin conf (like the Admin API GET path does) so the comparison also works when `data_encryption` is enabled.

Notes on scope:

- Key values that are secret references (`$secret://`, `$env://`) are skipped, since they cannot be resolved at write time.
- The check is best-effort: two concurrent writes can still race past it; it is meant to catch the common misconfiguration at the API boundary.
- Each consumer/credential write now performs one etcd range read of `/consumers` (O(n) over consumers). Admin writes are infrequent, so this is acceptable.
- A credential duplicating a key that the consumer itself already uses in its inline plugin conf is also rejected (same as #12040), because the two entries may carry different secrets/passwords under the same lookup key. One pre-existing test case in `t/admin/credentials.t` relied on such a duplicate and was adjusted accordingly.
#### Which issue(s) this PR fixes:

Fixes #11197

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
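As an added, stand-alone Python model of the write-time check the PR describes (not APISIX's own Lua code): it collects the unique lookup key of each auth plugin from a decrypted plugin conf, skips `$secret://` and `$env://` references, lets the same owner re-PUT an unchanged key, and rejects a write whose key is already held by a different owner, including a credential that duplicates its consumer's inline key. The function names, the `<consumer>/credentials/<id>` owner-id convention and the sample store are assumptions made for the example.

```python
# Auth plugin -> field that runtime consumer lookup is keyed on (per the PR text).
UNIQUE_KEY_FIELD = {"key-auth": "key", "basic-auth": "username",
                    "jwt-auth": "key", "hmac-auth": "key_id"}
# Values that cannot be resolved at write time, so they are not compared.
SECRET_PREFIXES = ("$secret://", "$env://")


def lookup_keys(plugins):
    """Collect (plugin, key) pairs from one plugin conf, skipping secret refs."""
    keys = set()
    for plugin, field in UNIQUE_KEY_FIELD.items():
        conf = plugins.get(plugin)
        value = conf.get(field) if isinstance(conf, dict) else None
        if isinstance(value, str) and not value.startswith(SECRET_PREFIXES):
            keys.add((plugin, value))
    return keys


def find_conflict(stored, owner, plugins):
    """Return (plugin, key, other_owner) for the first key already used by a
    different owner, else None.  `stored` maps an owner id (consumer name, or
    the assumed "<consumer>/credentials/<id>" for a credential) to its decrypted
    plugin conf, as the etcd range read would return it.  Same owner is skipped."""
    wanted = lookup_keys(plugins)
    for other, other_plugins in stored.items():
        if other == owner:
            continue
        clash = wanted & lookup_keys(other_plugins)  # per-plugin comparison
        if clash:
            plugin, key = min(clash)
            return plugin, key, other
    return None


def admin_write(stored, owner, plugins):
    """Model the Admin API write path: 400 on a duplicate, else store and 200."""
    conflict = find_conflict(stored, owner, plugins)
    if conflict:
        plugin, key, other = conflict
        return 400, f"{plugin} {UNIQUE_KEY_FIELD[plugin]} {key!r} already used by {other}"
    stored[owner] = plugins
    return 200, "ok"


# Constructed sample state standing in for the /consumers range read.
SAMPLE_STORE = {
    "jack": {"key-auth": {"key": "auth-one"}},
    "jack/credentials/basic": {"basic-auth": {"username": "jack", "password": "p1"}},
    "rose": {"jwt-auth": {"key": "$secret://vault/rose/jwt"}},
}
```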
