jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-02-18 13:00:55 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
09e563cf9ca5324f9e6c00d5ec3e0f2d386b135a
higress/plugins/wasm-cpp/extensions/basic_auth
History
onlypiglet 09e563cf9c doc: add basic_auth plugin english readme (#221)
2023-03-25 21:43:20 +08:00
..
BUILD
Add plugins (#27)
2022-11-04 17:46:43 +08:00
plugin_test.cc
Add plugins (#27)
2022-11-04 17:46:43 +08:00
plugin.cc
Add plugins (#27)
2022-11-04 17:46:43 +08:00
plugin.h
Add plugins (#27)
2022-11-04 17:46:43 +08:00
README_EN.md
doc: add basic_auth plugin english readme (#221)
2023-03-25 21:43:20 +08:00
README.md
doc: add basic_auth plugin english readme (#221)
2023-03-25 21:43:20 +08:00
VERSION
Add wasm plugin contribution introduction (#47)
2022-11-10 09:52:54 +08:00

README_EN.md

English | 中文

Description

basic-auth plugin implements the function of authentication based on the HTTP Basic Auth standard.

Configuration Fields

Name Type Requirement Default Value Description
consumers array of object Required - Caller of the service for authentication of requests
_rules_ array of object Optional - Configure access permission list for specific routes or domains to authenticate requests

Filed descriptions of consumers items:

Name Type Requirement Default Value Description
credential string Required - Credential for this consumer's access
name string Required - Name of this consumer

Configuration field descriptions for each item in _rules_ are as follows:

Field Name Data Type Requirement Default Description
_match_route_ array of string One of _match_route_ or _match_domain_ - Configure the routes to match for request authorization
_match_domain_ array of string One of _match_route_ , _match_domain_ - Configure the domains to match for request authorization
allow array of string Required - Configure the consumer names allowed to access requests that match the match condition

Note:

  • If the _rules_ field is not configured, authentication is enabled for all routes of the current gateway instance by default;
  • For authenticated requests, X-Mse-Consumer field will be added to the request header to identify the name of the caller.

Configuration Samples

Enable Authentication and Authorization for specific routes or domains

The following configuration will enable Basic Auth authentication and authorization for specific routes or domains of the gateway. Note that the username and password in the credential information are separated by a ":", and the credential field cannot be repeated.

# use the _rules_ field for fine-grained rule configuration.
consumers:
- credential: 'admin:123456'
  name: consumer1
- credential: 'guest:abc'
  name: consumer2
_rules_:
# rule 1: match by the route name.
  - _match_route_:
    - route-a
    - route-b
    allow:
    - consumer1
# rule 2: match by the domain.
  - _match_domain_:
    - "*.example.com"
    - test.com
    allow:
    - consumer2

In this sample, route-a and route-b specified in _match_route_ are the route names filled in when creating gateway routes. When these two routes are matched, the caller with name as consumer1 is allowed to access, and other callers are not allowed to access.

The *.example.com and test.com specified in _match_domain_ are used to match the domain name of the request. When the domain name is matched, the caller with name as consumer2 is allowed to access, and other callers are not allowed to access.

According to this configuration, the following requests are allowed:

Requests with specified username and password

# Assuming the following request will match with route-a
# Use -u option of curl to specify the credentials
curl -u admin:123456  http://xxx.hello.com/test
# Or specify the Authorization request header directly with the credentials in base64 encoding
curl -H 'Authorization: Basic YWRtaW46MTIzNDU2'  http://xxx.hello.com/test

A X-Mse-Consumer field will be added to the headers of the request, and its value in this example is consumer1, used to identify the name of the caller when passed authentication and authorization.

The following requests will be denied:

Requests without providing username and password, returning 401

curl  http://xxx.hello.com/test

Requests with incorrect username or password, returning 401

curl -u admin:abc  http://xxx.hello.com/test

Requests matched with a caller who has no access permission, returning 403

# consumer2 is not in the allow list of route-a
curl -u guest:abc  http://xxx.hello.com/test

Enable basic auth for gateway instance

The following configuration does not specify the _rules_ field, so Basic Auth authentication will be effective for the whole gateway instance.

consumers:
- credential: 'admin:123456'
  name: consumer1
- credential: 'guest:abc'
  name: consumer2

Error Codes

HTTP Status Code Error Info Reason
401 Request denied by Basic Auth check. No Basic Authentication information found. Credentials not provided in the request
401 Request denied by Basic Auth check. Invalid username and/or password Invalid username and/or password
403 Request denied by Basic Auth check. Unauthorized consumer Unauthorized consumer
Reference in New Issue View Git Blame Copy Permalink