-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
doc: add API7 Authentication #24
base: main
Are you sure you want to change the base?
Changes from 2 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,50 @@ | ||||||
--- | ||||||
title: Portal文档:API7 Authentication | ||||||
--- | ||||||
|
||||||
## 一、认证方案架构说明 | ||||||
|
||||||
API7 认证用于 API7 Portal 系统中,给 Developer 访问 Provider 提供的上游服务提供身份认证能力。 | ||||||
相较于传统的 Developer 直接认证于 API Endpoints (如下图一所示),API7 认证(如下图二所示)升级为 Developer 与 API7 Portal 之间统一通过 API key 认证,API7 Portal 与 API Endpoints 之间保持原有认证方式。 | ||||||
|
||||||
![Protocol Conversion](https://static.apiseven.com/uploads/2023/08/22/6Pjiyfip_%E4%BC%A0%E7%BB%9F%E8%AE%A4%E8%AF%81%20%281%29.jpg) | ||||||
|
||||||
图一 传统认证方案:Developer 直接认证于 API Endpoints | ||||||
|
||||||
![Protocol Conversion](https://static.apiseven.com/uploads/2023/08/22/d9Hy1vyM_api7%20%E8%AE%A4%E8%AF%81.jpg) | ||||||
|
||||||
图二 API7 认证 | ||||||
|
||||||
|
||||||
## 二、认证方案优势说明 | ||||||
|
||||||
API7 认证具有如下优势: | ||||||
1. 简化了 Developer 对 API 的调用,无需感知适配 API Endpoints 提供的的各种不同认证方式; | ||||||
2. 将 Developer 对 API Endpoints 的访问进行解耦、大大增加了 API Endpoints 抵御攻击的能力; | ||||||
3. Developer 可以自己管控 API key,增加了 Developer 对 API 的调度安全,并且方便 Developer 后续对基于 key 的调度进行运营分析; | ||||||
|
||||||
|
||||||
## 三、API Key 的安全性保障 | ||||||
|
||||||
### API7 Portal 提供 API Key 的发放和回收机制 | ||||||
1. Developer 可以自己创建 API key,并且自己命名,方便后续使用时分辨,不过 API key 是由 API7 Portal 的后端服务按照一定的规则主动生成的,Developer 不可编辑; | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
2. API key 列表可以展示它的生成时间和上次使用时间,API7 Portal 还提供了针对 API key 使用情况的运行分析能力,方便 Developer 追踪 API key 的使用情况; | ||||||
3. 对于现存的 API key,Developer 还可以使用删除操作进行回收; | ||||||
|
||||||
### API key 采用的安全措施 | ||||||
1. 密钥使用 HTTP Header 传递,不出现在 URL 中,从而增加了 API key 的安全性; | ||||||
2. 提供了 API Key 的发放和回收机制,保障了密钥可以定期轮换,防止被盗用; | ||||||
3. 提供了针对 API key 使用情况的运行分析能力,方便 Developer 追踪 API key 的使用情况; | ||||||
4. 有多种 key 的认证机制可以选择,比如 key-auth、JWT 等,用户可以选择自己信任的机制进行认证; | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 我们现在还不支持 key 的认证机制选择吧。 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @sijingzhangzsj0604 斯静确认一下。 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 将来要支持多种的,暂时只有key-auth |
||||||
|
||||||
## 四 API7 与 API Endpoint 之间认证安全性保障 | ||||||
|
||||||
### 认证流程和原理 | ||||||
|
||||||
1. Provider 在 API7 Portal 创建 API Source 时,可以选择 API7 Portal 与 API Endpoints 之间的认证方式,包括:No Auth、API Key、Basic Auth、JWT; | ||||||
2. API7 Portal 对这些认证机制的实现采用的是 Apache APISIX 的 [key-auth](https://apisix.apache.org/docs/apisix/plugins/key-auth/)、[basic-auth](https://apisix.apache.org/docs/apisix/plugins/basic-auth/)、[jwt-auth](https://apisix.apache.org/docs/apisix/plugins/jwt-auth/) 插件; | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 这些认证都是 client => APISIX 的,不是 APISIX -> Upstream 的。 |
||||||
|
||||||
### 优点 | ||||||
|
||||||
1. API7 与 API Endpoint 之间认证方式对 Developer 并没有暴露,因此大大降低攻击风险。 | ||||||
2. API7 Portal 与 API Endpoints 之间通过 API 密钥认证机制进行互信和访问控制,保证 API 调用的安全性,同时结合API Key 对安全性的保障,可以形成完善的安全体系。 | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 这里说的是 API Portal => API Endpoints 的吧。 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
这一句话我不是很理解,是给 Developer 访问我们数据面提供的身份认证能力吧。
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
用户关心的是developer到provider。我们要在这篇文档说清楚我们是拆成两节了,中间做了一层中转