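APISIX authz-casbin
Contents
1. Official introduction to the APISIX authz-casbin plugin
2. Casbin introduction and usage
2.1 Basics
2.2 Usage example
3. Configuring the plugin
4. Calling with Postman
5. authz-casbin pitfalls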
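1. Official introduction to the APISIX authz-casbin plugin
authz-casbin | Apache APISIX® -- Cloud-Native API Gateway
2. Casbin introduction and usage
If Casbin is unfamiliar, start by learning its basic syntax.
Recommended reading: A detailed walkthrough of understanding Casbin (with illustrations) (RBAC model) - CSDN Blog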
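2.1 Basics
r = sub, obj, act
Meaning: the request parameters (subject, resource, action)
p = sub, obj, act
Meaning: a policy rule (subject, resource, action)
g = _, _
Meaning: role assignment. Here g takes two parameters: g = user, role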
2.2 Usage example
"policy": "p,GRANT_ROLE_firstconsumer,/dcpyo/test, *\ng,firstconsumer,GRANT_ROLE_firstconsumer\np,GRANT_ROLE_11120150115,/dcpyo/test, *\ng,11120150115,GRANT_ROLE_11120150115\n",
"username": "appKey"
What the policy means:
p,GRANT_ROLE_firstconsumer,/dcpyo/test, *
Meaning: the policy gives GRANT_ROLE_firstconsumer all permissions on the endpoint /dcpyo/test
g,firstconsumer,GRANT_ROLE_firstconsumer
Meaning: the user firstconsumer is granted GRANT_ROLE_firstconsumer
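3. Configuring the plugin
The username option of authz-casbin sets the name (alias) of the request header that carries the user.
An example route configuration: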
{
  "uri": "/dcpyo/test",
  "name": "4种认证20250113",
  "desc": "4种认证20250113",
  "plugins": {
    "authz-casbin": {
      "model": " [request_definition] \n r = sub, obj, act \n [policy_definition] \n p = sub, obj, act \n [role_definition] \n g = _, _ \n [policy_effect] \n e = some(where (p.eft == allow)) \n [matchers] \n m = (g(r.sub, p.sub) || keyMatch(r.sub, p.sub)) && keyMatch(r.obj, p.obj) && keyMatch(r.act, p.act) ",
      "policy": "p,GRANT_ROLE_firstconsumer,/dcpyo/test, *\ng,firstconsumer,GRANT_ROLE_firstconsumer\np,GRANT_ROLE_11120150115,/dcpyo/test, *\ng,11120150115,GRANT_ROLE_11120150115\n",
      "username": "appKey"
    },
    "proxy-rewrite": {
      "uri": "/dapi/v1.0/ssApi/getDataForGet",
      "use_real_request_uri_unsafe": false
    }
  },
  "upstream": {
    "nodes": [
      {
        "host": "10.255.159.236",
        "port": 9034,
        "weight": 1
      }
    ],
    "type": "roundrobin",
    "hash_on": "vars",
    "scheme": "http",
    "pass_host": "pass"
  },
  "status": 1
}
4. Calling with Postman
When calling the route, send the user in the appKey request header (the alias configured above).
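The decision the route makes for a given appKey value can be traced with a small evaluator. The Python below is an added example, not code from the original page, APISIX or lua-casbin: it re-implements only the matcher from the model above over the route's policy text, and it assumes the plugin passes the request path as obj and the HTTP method as act. The function names are hypothetical.

```python
# Added illustration of this page's model; not lua-casbin or APISIX code.
# Function names are hypothetical; POLICY is the policy text from the route.
POLICY = ("p,GRANT_ROLE_firstconsumer,/dcpyo/test, *\n"
          "g,firstconsumer,GRANT_ROLE_firstconsumer\n"
          "p,GRANT_ROLE_11120150115,/dcpyo/test, *\n"
          "g,11120150115,GRANT_ROLE_11120150115\n")

def parse_policy(text):
    """Split the CSV policy into p rules and g (user, role) links."""
    rules, links = [], set()
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 4:
            rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            links.add((fields[1], fields[2]))
    return rules, links

def key_match(key1, key2):
    """Casbin keyMatch: a '*' in key2 matches any remainder of key1."""
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    return key1[:i] == key2[:i] if len(key1) > i else key1 == key2[:i]

def has_role(links, user, role):
    """g(user, role): true for the same name or a chain of g links."""
    seen, todo = set(), [user]
    while todo:
        name = todo.pop()
        if name == role:
            return True
        if name not in seen:
            seen.add(name)
            todo.extend(r for u, r in links if u == name)
    return False

def enforce(sub, obj, act, policy_text=POLICY):
    """Allow when some p rule satisfies the matcher m from the model."""
    rules, links = parse_policy(policy_text)
    return any((has_role(links, sub, p_sub) or key_match(sub, p_sub))
               and key_match(obj, p_obj) and key_match(act, p_act)
               for p_sub, p_obj, p_act in rules)

if __name__ == "__main__":
    # Constructed requests: (appKey value, request path, HTTP method)
    for req in [("firstconsumer", "/dcpyo/test", "GET"), ("unknown", "/dcpyo/test", "GET")]:
        print(req, "->", "allow" if enforce(*req) else "deny")
```

A subject equal to a rule's own subject, such as the role name GRANT_ROLE_firstconsumer, also matches under this model, so role names count as valid subject values when reviewing the policy.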
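5. authz-casbin pitfalls
If several routes configure authz-casbin with the same username value, route 1 may end up using route 2's policy, because authz-casbin caches the policy by default.
conf is a global configuration, so the cache is used implicitly here.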