Skip to main content
Version: 2.13

wolf-rbac

Description#

wolf-rbac is an authentication and authorization (rbac) plugin. It needs to work with consumer. Also need to add wolf-rbac to a service or route. The rbac feature is provided by wolf. For more information about wolf, please refer to wolf documentation.

Attributes#

NameTypeRequirementDefaultValidDescription
serverstringoptional"http://127.0.0.1:12180"Set the service address of wolf-server.
appidstringoptional"unset"Set the app id. The app id must be added in wolf-console.
header_prefixstringoptional"X-"prefix of custom HTTP header. After authentication is successful, three headers will be added to the request header (for backend) and response header (for frontend): X-UserId, X-Username, X-Nickname.

API#

This plugin will add several API:

  • /apisix/plugin/wolf-rbac/login
  • /apisix/plugin/wolf-rbac/change_pwd
  • /apisix/plugin/wolf-rbac/user_info

You may need to use public-api plugin to expose it.

Dependencies#

Install wolf and start the service#

Wolf quick start

Add application, admin, normal user, permission, resource and user authorize#

Wolf-console usage

How To Enable#

  1. set a consumer and config the value of the wolf-rbac
curl http://127.0.0.1:9080/apisix/admin/consumers  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{  "username":"wolf_rbac",  "plugins":{    "wolf-rbac":{      "server":"http://127.0.0.1:12180",      "appid":"restful"    }  },  "desc":"wolf-rbac"}'

You also can complete the above operations through the web interface, first add a consumer:

add a consumer
Click to Preview

Then add the wolf-rbac plugin to the consumer page:

enable wolf-rbac plugin
Click to Preview

Notes: The appid filled in above needs to already exist in the wolf system.

  1. Add a Route or Service and enable the wolf-rbac plugin.
curl http://127.0.0.1:9080/apisix/admin/routes/1  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{    "methods": ["GET"],    "uri": "/*",    "plugins": {        "wolf-rbac": {}    },    "upstream": {        "type": "roundrobin",        "nodes": {            "www.baidu.com:80": 1        }    }}'

Test Plugin#

Setup routes for public API#

Use the public-api plugin to expose the public API.

$ curl http://127.0.0.1:9080/apisix/admin/routes/wal -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{    "uri": "/apisix/plugin/wolf-rbac/login",    "plugins": {        "public-api": {}    }}'

You also need to setup the change_pwd and user_info routes together.

Login and get wolf-rbac token:#

The following appid, username, and password must be real ones in the wolf system. authType is the authentication type, 1 is password authentication, 2 is LDAP authentication. The default is 1. wolf supports LDAP authentication since version 0.5.0

  • Login as POST application/json
curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i \-H "Content-Type: application/json" \-d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}'
HTTP/1.1 200 OKDate: Wed, 24 Jul 2019 10:33:31 GMTContent-Type: text/plainTransfer-Encoding: chunkedConnection: keep-aliveServer: APISIX web server{"rbac_token":"V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts","user_info":{"nickname":"test","username":"test","id":"749"}}
  • Login as POST x-www-form-urlencoded
curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i \-H "Content-Type: application/x-www-form-urlencoded" \-d 'appid=restful&username=test&password=user-password'

try request with token#

  • without token
curl http://127.0.0.1:9080/ -H"Host: www.baidu.com" -i
HTTP/1.1 401 Unauthorized...{"message":"Missing rbac token in request"}
  • request header(Authorization) with token:
curl http://127.0.0.1:9080/ -H"Host: www.baidu.com" \-H 'Authorization: V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts' -i
HTTP/1.1 200 OK
<!DOCTYPE html>
  • request header(x-rbac-token) with token:
curl http://127.0.0.1:9080/ -H"Host: www.baidu.com" \-H 'x-rbac-token: V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts' -i

HTTP/1.1 200 OK
<!DOCTYPE html>
  • request params with token:
curl 'http://127.0.0.1:9080?rbac_token=V1%23restful%23eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts' -H"Host: www.baidu.com" -i

HTTP/1.1 200 OK
<!DOCTYPE html>
  • request cookie with token:
curl http://127.0.0.1:9080 -H"Host: www.baidu.com" \--cookie x-rbac-token=V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts -i

HTTP/1.1 200 OK
<!DOCTYPE html>

Get RBAC user information#

curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/user_info \--cookie x-rbac-token=V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts -i

HTTP/1.1 200 OK{    "user_info":{        "nickname":"test",        "lastLogin":1582816780,        "id":749,        "username":"test",        "appIDs":["restful"],        "manager":"none",        "permissions":{"USER_LIST":true},        "profile":null,        "roles":{},        "createTime":1578820506,        "email":""    }}

Change 'RBAC' user password#

curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/change_pwd \-H "Content-Type: application/json" \--cookie x-rbac-token=V1#restful#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NzQ5LCJ1c2VybmFtZSI6InRlc3QiLCJtYW5hZ2VyIjoiIiwiYXBwaWQiOiJyZXN0ZnVsIiwiaWF0IjoxNTc5NDQ5ODQxLCJleHAiOjE1ODAwNTQ2NDF9.n2-830zbhrEh6OAxn4K_yYtg5pqfmjpZAjoQXgtcuts -i \-X PUT -d '{"oldPassword": "old password", "newPassword": "new password"}'

HTTP/1.1 200 OK{"message":"success to change password"}

Disable Plugin#

When you want to disable the wolf-rbac plugin, it is very simple, you can delete the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately:

curl http://127.0.0.1:9080/apisix/admin/routes/1  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{    "methods": ["GET"],    "uri": "/*",    "plugins": {    },    "upstream": {        "type": "roundrobin",        "nodes": {            "www.baidu.com:80": 1        }    }}'