---Configure a first-api service with Kong
After installing and starting Kong, use Kong's Admin API on port 8001 to add a service named first-api
curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=first-api' \
--data 'url=http://jcca.tech/first'
HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:36:50 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 293
X-Kong-Admin-Latency: 5
{"host":"jcca.tech","created_at":1592905010,"connect_timeout":60000,"id":"672bccd6-f72e-44dd-b601-dc13ba0c32fa","protocol":"http","name":"first-api","read_timeout":60000,"port":80,"path":"\/first","updated_at":1592905010,"retries":5,"write_timeout":60000,"tags":null,"client_certificate":null}
-------Add a route (the value of paths[] must match /v1/first-apis in the first-api service)
This exposes the first-api service so that users can reach it; the first-api service does not need more than one route.
curl -i -X POST \
--url http://localhost:8001/services/first-api/routes \
--data 'hosts[]=jcca.tech' \
--data 'paths[]=/first'
HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:38:42 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 434
X-Kong-Admin-Latency: 7
{"id":"a852b4f5-fce4-4a59-a82b-c1993285770d","path_handling":"v0","paths":["\/first"],"destinations":null,"headers":null,"protocols":["http","https"],"methods":null,"snis":null,"service":{"id":"672bccd6-f72e-44dd-b601-dc13ba0c32fa"},"name":null,"strip_path":true,"preserve_host":false,"regex_priority":0,"updated_at":1592905122,"sources":null,"hosts":["jcca.tech"],"https_redirect_status_code":426,"tags":null,"created_at":1592905122}
-------Verify through the first-api service's path that the service works
curl -i -X GET \
--url http://localhost:8000/first \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Tue, 23 Jun 2020 09:39:25 GMT
X-Kong-Upstream-Latency: 11
X-Kong-Proxy-Latency: 322
Via: kong/2.0.4
Hello World---------------first
-------Verify through the first-api service's path that the route works
curl -i -X GET \
--url http://localhost:8001/services/first-api/routes
HTTP/1.1 200 OK
Date: Tue, 23 Jun 2020 09:41:28 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 457
X-Kong-Admin-Latency: 2
{"next":null,"data":[{"id":"a852b4f5-fce4-4a59-a82b-c1993285770d","path_handling":"v0","paths":["\/first"],"destinations":null,"headers":null,"protocols":["http","https"],"methods":null,"snis":null,"service":{"id":"672bccd6-f72e-44dd-b601-dc13ba0c32fa"},"name":null,"strip_path":true,"preserve_host":false,"regex_priority":0,"updated_at":1592905122,"sources":null,"hosts":["jcca.tech"],"https_redirect_status_code":426,"tags":null,"created_at":1592905122}]}
Enable the Basic authentication plugin on the first-api service's route {route_id}
URL format: http://localhost:8001/routes/{route_id}/plugins
curl -i -X POST \
--url http://localhost:8001/routes/a852b4f5-fce4-4a59-a82b-c1993285770d/plugins \
--data "name=basic-auth" \
--data "config.hide_credentials=true"
HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:44:18 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 297
X-Kong-Admin-Latency: 7
{"created_at":1592905458,"config":{"hide_credentials":true,"anonymous":null},"id":"c68dbdb9-4861-490a-8145-68b31118057e","service":null,"enabled":true,"protocols":["grpc","grpcs","http","https"],"name":"basic-auth","consumer":null,"route":{"id":"a852b4f5-fce4-4a59-a82b-c1993285770d"},"tags":null}
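Add the first consumer, with username jack. The {custom_id} parameter may be omitted; it is a custom unique identifier
whose purpose is to map the consumer jack to another database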
curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"
HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:45:50 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 116
X-Kong-Admin-Latency: 5
{"custom_id":null,"created_at":1592905550,"id":"d071e5e1-e017-44d6-bc06-50cb7aa9ad8b","tags":null,"username":"jack"}
Enable the Basic authentication plugin for the first user, jack
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
curl -i -X POST \
--url http://localhost:8001/consumers/jack/basic-auth \
--data "username=jack" \
--data "password=123456"
HTTP/1.1 201 Created
Date: Tue, 23 Jun 2020 09:57:41 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 210
X-Kong-Admin-Latency: 6
{"created_at":1592906261,"consumer":{"id":"d071e5e1-e017-44d6-bc06-50cb7aa9ad8b"},"id":"b0c162d8-04e4-4df2-a70b-9e2ab7c0bc29","tags":null,"password":"c8fc1290af917665d0bb0e09500a2de6b1508829","username":"jack"}
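Online Base64 encoding tool: http://tool.oschina.net/encrypt?type=3
The key-value pair string {username:password}
jack:123456    The Base64 encoding of the key-value pair string on the left is: amFjazoxMjM0NTY=
Access the first data interface with Basic authentication as user jack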
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic amFjazoxMjM0NTY=" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 00:58:31 GMT
X-Kong-Upstream-Latency: 3
X-Kong-Proxy-Latency: 1
Via: kong/2.0.4
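Hello World---------------first
Add the second consumer, with username john. The {custom_id} parameter may be omitted; it is a custom unique identifier
whose purpose is to map the consumer john to another database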
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=john" \
--data "custom_id=abc12345"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:03:32 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 122
X-Kong-Admin-Latency: 6
{"custom_id":"abc12345","created_at":1592960612,"id":"67b7abaf-cc01-4d78-8006-8d36fb46da11","tags":null,"username":"john"}
Enable the Basic authentication plugin for the second user, john
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/john/basic-auth \
--data "username=john" \
--data "password=123456"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:04:59 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 210
X-Kong-Admin-Latency: 6
{"created_at":1592960699,"consumer":{"id":"67b7abaf-cc01-4d78-8006-8d36fb46da11"},"id":"ca058e63-8d52-4d89-9317-77a082902cde","tags":null,"password":"5febf254a953961c96d7ceb868316a19b943ee28","username":"john"}
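Online Base64 encoding tool: http://tool.oschina.net/encrypt?type=3
The key-value pair string {username:password}
john:123456    The Base64 encoding of the key-value pair string on the left is:
am9objoxMjM0NTY=
Access the first data interface with Basic authentication as user john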
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic am9objoxMjM0NTY=" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:08:17 GMT
X-Kong-Upstream-Latency: 11
X-Kong-Proxy-Latency: 2
Via: kong/2.0.4
Hello World---------------first
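Add the third consumer, with username cathy. The {custom_id} parameter may be omitted; it is a custom unique identifier
whose purpose is to map the consumer cathy to another database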
curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=cathy"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:09:38 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 117
X-Kong-Admin-Latency: 6
{"custom_id":null,"created_at":1592960978,"id":"98a8fcab-0a6b-4a0f-aea1-544e192571b7","tags":null,"username":"cathy"}
Enable the Basic authentication plugin for the third user, cathy
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
curl -i -X POST \
--url http://localhost:8001/consumers/cathy/basic-auth \
--data "username=cathy" \
--data "password=123456"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:10:36 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 211
X-Kong-Admin-Latency: 5
{"created_at":1592961036,"consumer":{"id":"98a8fcab-0a6b-4a0f-aea1-544e192571b7"},"id":"b6269ffc-50eb-40fe-957a-a5988551da06","tags":null,"password":"99579e578ced438e5d5959a9bc43b97ba7fb2667","username":"cathy"}
Online Base64 encoding tool: http://tool.oschina.net/encrypt?type=3
The key-value pair string {username:password}
cathy@hotmail.com:123456    The Base64 encoding of the key-value pair string on the left is:
Y2F0aHk6MTIzNDU2
Access the first data interface with Basic authentication as user cathy
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic Y2F0aHk6MTIzNDU2" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:15:09 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 257
Via: kong/2.0.4
Hello World---------------first
Enable the ACL (access control list) plugin on the first-api service and define the blacklist groups group3 and group4
URL format: http://localhost:8001/services/{service}/plugins
curl -i -X POST \
--url http://localhost:8001/services/first-api/plugins \
--data "name=acl" \
--data "config.blacklist=blacklist_group1, blacklist_group2"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:19:06 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 344
X-Kong-Admin-Latency: 7
{
"created_at": 1592961546,
"config": {
"hide_groups_header": false,
"blacklist": ["blacklist_group1, blacklist_group2"],
"whitelist": null
},
"id": "d2820ca9-4634-4bb5-bdc0-b25c439be8c9",
"service": {
"id": "672bccd6-f72e-44dd-b601-dc13ba0c32fa"
},
"enabled": true,
"protocols": ["grpc", "grpcs", "http", "https"],
"name": "acl",
"consumer": null,
"route": null,
"tags": null
}
Enable the ACL (access control list) plugin on the first-api service's route {route_id} and define the blacklist groups blacklist_group1 and blacklist_group2
URL format: http://localhost:8001/routes/{route_id}/plugins
curl -i -X POST \
--url http://localhost:8001/routes/a852b4f5-fce4-4a59-a82b-c1993285770d/plugins \
--data "name=acl" \
--data "config.blacklist=blacklist_group1, blacklist_group2"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:22:18 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 344
X-Kong-Admin-Latency: 7
{
"created_at": 1592961738,
"config": {
"hide_groups_header": false,
"blacklist": ["blacklist_group1, blacklist_group2"],
"whitelist": null
},
"id": "1453eb6d-60f7-46da-af28-2166b439b40d",
"service": null,
"enabled": true,
"protocols": ["grpc", "grpcs", "http", "https"],
"name": "acl",
"consumer": null,
"route": {
"id": "a852b4f5-fce4-4a59-a82b-c1993285770d"
},
"tags": null
}
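With the blacklist groups blacklist_group1 and blacklist_group2 created, as long as none of the users jack, john and cathy has been associated with blacklist_group1 or blacklist_group2,
the following commands can still access the first service:
-----------------The access URL for consumer jack is as follows-----------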
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic amFjazoxMjM0NTY=" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:26:20 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 17
Via: kong/2.0.4
Hello World---------------first
-----------------The access URL for consumer john is as follows-----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic am9objoxMjM0NTY=" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:26:57 GMT
X-Kong-Upstream-Latency: 5
X-Kong-Proxy-Latency: 2
Via: kong/2.0.4
Hello World---------------first
-----------------The access URL for consumer cathy is as follows-----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic Y2F0aHk6MTIzNDU2" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 01:28:25 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 272
Via: kong/2.0.4
Hello World---------------first
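Sometimes we need to apply authorization to consumers that access the service from outside, so we can associate the blacklist group blacklist_group2 with consumer jack:
URL format: http://localhost:8001/consumers/{consumer_id or username}/acls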
curl -i -X POST \
--url http://localhost:8001/consumers/jack/acls \
--data "group=blacklist_group2"
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 01:29:51 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/2.0.4
Content-Length: 165
X-Kong-Admin-Latency: 7
{"created_at":1592962191,"consumer":{"id":"d071e5e1-e017-44d6-bc06-50cb7aa9ad8b"},"id":"cd67bfa0-b376-49a5-af75-150acd70b9d5","group":"blacklist_group2","tags":null}
Now let's look at access by consumer jack once the blacklist group blacklist_group2 is associated with him
-----------------The access URL for consumer jack is as follows-----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic amFjazoxMjM0NTY=" \
--header 'Host: jcca.tech'
HTTP/1.1 403 Forbidden
Date: Wed, 24 Jun 2020 02:00:59 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 45
X-Kong-Response-Latency: 2
Server: kong/2.0.4
{"message":"You cannot consume this service"}
Users john and cathy, who have not been added to the blacklist, can still access the first service
-----------------The access URL for consumer john is as follows-----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic am9objoxMjM0NTY=" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 02:01:17 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 0
Via: kong/2.0.4
Hello World---------------first
-----------------The access URL for consumer cathy is as follows-----------
curl -i -X GET \
--url http://localhost:8000/first \
--header "Authorization: Basic Y2F0aHk6MTIzNDU2" \
--header 'Host: jcca.tech'
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 31
Connection: keep-alive
Date: Wed, 24 Jun 2020 02:05:05 GMT
X-Kong-Upstream-Latency: 8
X-Kong-Proxy-Latency: 1094
Via: kong/2.0.4
Hello World---------------first
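An offline review of the configuration built above, as an added example that is not part of the original walkthrough: it decodes the Authorization header values used on this page (Base64 is reversible, so the password is readable wherever the route accepts plain http) and checks the route and plugin objects the Admin API returned. The helper names decode_basic and audit and the finding texts are assumptions of this example; the sample input is constructed from the responses shown on the page.

```python
import base64
import json

# Constructed input: trimmed copies of the route and plugin objects that the
# Admin API returned on this page (field values as shown there).
ROUTE = json.loads('{"protocols":["http","https"],"hosts":["jcca.tech"]}')
PLUGINS = json.loads('''[
 {"name":"basic-auth","config":{"hide_credentials":true,"anonymous":null}},
 {"name":"acl","config":{"hide_groups_header":false,
  "blacklist":["blacklist_group1, blacklist_group2"],"whitelist":null}}
]''')


def decode_basic(header):
    """Recover (username, password) from an Authorization header value."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def audit(route, plugins):
    """Return review findings for a route and the plugins attached to it."""
    findings = []
    by_name = {p["name"]: p["config"] for p in plugins}
    basic = by_name.get("basic-auth")
    if basic is not None:
        if "http" in route.get("protocols", []):
            findings.append("basic-auth on a route that accepts plain http: "
                            "the Base64 credential is readable on the wire")
        if not basic.get("hide_credentials"):
            findings.append("hide_credentials is off: upstream sees the credential")
        if basic.get("anonymous"):
            findings.append("anonymous set: failed auth falls back to that consumer")
    acl = by_name.get("acl", {})
    for key in ("blacklist", "whitelist"):
        for group in acl.get(key) or []:
            if "," in group:
                findings.append(f"acl {key} entry {group!r} contains a comma: "
                                "confirm it is not several groups in one string")
    return findings


if __name__ == "__main__":
    print(decode_basic("Basic amFjazoxMjM0NTY="))
    print("\n".join(audit(ROUTE, PLUGINS)))
```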