wolf-rbac

Description

The wolf-rbac Plugin provides a role-based access control system with wolf to a Route or a Service. This Plugin can be used with a Consumer.

Attributes

NameTypeRequiredDefaultDescription
serverstringFalsehttp://127.0.0.1:12180”Service address of wolf server.
appidstringFalse“unset”App id added in wolf console. This field supports saving the value in Secret Manager using the APISIX Secret resource.
header_prefixstringFalse“X-“Prefix for a custom HTTP header. After authentication is successful, three headers will be added to the request header (for backend) and response header (for frontend) namely: X-UserId, X-Username, and X-Nickname.

API

This Plugin will add the following endpoints when enabled:

  • /apisix/plugin/wolf-rbac/login
  • /apisix/plugin/wolf-rbac/change_pwd
  • /apisix/plugin/wolf-rbac/user_info
wolf-rbac - 图1note

You may need to use the public-api Plugin to expose this endpoint.

Pre-requisites

To use this Plugin, you have to first install wolf and start it.

Once you have done that you need to add application, admin, normal user, permission, resource and user authorize to the wolf-console.

Enable Plugin

You need to first configure the Plugin on a Consumer:

wolf-rbac - 图2note

You can fetch the admin_key from config.yaml and save to an environment variable with the following command:

  1. admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')
  1. curl http://127.0.0.1:9180/apisix/admin/consumers -H "X-API-KEY: $admin_key" -X PUT -d '
  2. {
  3. "username":"wolf_rbac",
  4. "plugins":{
  5. "wolf-rbac":{
  6. "server":"http://127.0.0.1:12180",
  7. "appid":"restful"
  8. }
  9. },
  10. "desc":"wolf-rbac"
  11. }'
wolf-rbac - 图3note

The appid added in the configuration should already exist in wolf.

You can now add the Plugin to a Route or a Service:

  1. curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '
  2. {
  3. "methods": ["GET"],
  4. "uri": "/*",
  5. "plugins": {
  6. "wolf-rbac": {}
  7. },
  8. "upstream": {
  9. "type": "roundrobin",
  10. "nodes": {
  11. "www.baidu.com:80": 1
  12. }
  13. }
  14. }'

You can also use the APISIX Dashboard to complete the operation through a web UI.

Example usage

You can use the public-api Plugin to expose the API:

  1. curl http://127.0.0.1:9180/apisix/admin/routes/wal -H "X-API-KEY: $admin_key" -X PUT -d '
  2. {
  3. "uri": "/apisix/plugin/wolf-rbac/login",
  4. "plugins": {
  5. "public-api": {}
  6. }
  7. }'

Similarly, you can setup the Routes for change_pwd and user_info.

You can now login and get a wolf rbac_token:

  1. curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i \
  2. -H "Content-Type: application/json" \
  3. -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}'
  1. HTTP/1.1 200 OK
  2. Date: Wed, 24 Jul 2019 10:33:31 GMT
  3. Content-Type: text/plain
  4. Transfer-Encoding: chunked
  5. Connection: keep-alive
  6. Server: APISIX web server
  7. {"rbac_token":"V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts","user_info":{"nickname":"test","username":"test","id":"749"}}
wolf-rbac - 图4note

The appid, username, and password must be configured in the wolf system.

authType is the authentication type—1 for password authentication (default) and 2 for LDAP authentication (v0.5.0+).

You can also make a post request with x-www-form-urlencoded instead of JSON:

  1. curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i \
  2. -H "Content-Type: application/x-www-form-urlencoded" \
  3. -d 'appid=restful&username=test&password=user-password'

Now you can test the Route:

  • without token:
  1. curl http://127.0.0.1:9080/ -H"Host: www.baidu.com" -i
  1. HTTP/1.1 401 Unauthorized
  2. ...
  3. {"message":"Missing rbac token in request"}
  • with token in Authorization header:
  1. curl http://127.0.0.1:9080/ -H"Host: www.baidu.com" \
  2. -H 'Authorization: V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts' -i
  1. HTTP/1.1 200 OK
  2. <!DOCTYPE html>
  • with token in x-rbac-token header:
  1. curl http://127.0.0.1:9080/ -H"Host: www.baidu.com" \
  2. -H 'x-rbac-token: V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts' -i
  1. HTTP/1.1 200 OK
  2. <!DOCTYPE html>
  • with token in request parameters:
  1. curl 'http://127.0.0.1:9080?rbac_token=V1%23restful%23eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts' -H"Host: www.baidu.com" -i
  1. HTTP/1.1 200 OK
  2. <!DOCTYPE html>
  • with token in cookie:
  1. curl http://127.0.0.1:9080 -H"Host: www.baidu.com" \
  2. --cookie x-rbac-token=V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts -i
  1. HTTP/1.1 200 OK
  2. <!DOCTYPE html>

And to get a user information:

  1. curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/user_info \
  2. --cookie x-rbac-token=V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts -i
  1. HTTP/1.1 200 OK
  2. {
  3. "user_info":{
  4. "nickname":"test",
  5. "lastLogin":1582816780,
  6. "id":749,
  7. "username":"test",
  8. "appIDs":["restful"],
  9. "manager":"none",
  10. "permissions":{"USER_LIST":true},
  11. "profile":null,
  12. "roles":{},
  13. "createTime":1578820506,
  14. "email":""
  15. }
  16. }

And to change a user’s password:

  1. curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/change_pwd \
  2. -H "Content-Type: application/json" \
  3. --cookie x-rbac-token=V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts -i \
  4. -X PUT -d '{"oldPassword": "old password", "newPassword": "new password"}'
  1. HTTP/1.1 200 OK
  2. {"message":"success to change password"}

Delete Plugin

To remove the wolf-rbac Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.

  1. curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '
  2. {
  3. "methods": ["GET"],
  4. "uri": "/*",
  5. "plugins": {
  6. },
  7. "upstream": {
  8. "type": "roundrobin",
  9. "nodes": {
  10. "www.baidu.com:80": 1
  11. }
  12. }
  13. }'