
Enterprise Distributed Application Service: Implement access control for a Dubbo application by using service authentication

Last Updated: Jul 17, 2023

If a microservices application requires high security, you can implement access control for the application at interface or method granularity to authenticate access requests from callers. Only the callers that match the service authentication rule can then call the microservices application, which enhances security. This topic describes how to implement access control for a Dubbo application by using service authentication.

Background information

This topic uses an example to introduce scenarios where Spring Cloud service authentication is performed.

  • Do not configure service authentication

    Consumers 1, 2, and 3 and a service provider are deployed in the same namespace. By default, Consumers 1, 2, and 3 can call all the paths (Paths 1, 2, and 3) of the provider.

    Figure: Do not configure service authentication
  • Configure service authentication

    • Configure an authentication rule for all the paths.

      You can configure an authentication rule for all the paths of the provider. For example, you can configure a blacklist for Consumer 1 to prevent it from calling the paths of the provider, and configure a whitelist for Consumers 2 and 3 to allow them to call the paths of the provider.

    • Configure an authentication rule for a specific path.

      You can also configure an authentication rule for a specific path of the provider. For example, you can configure a blacklist for Consumer 2 to prevent it from calling Path 2 of the provider because the path involves core business or core data. Then, Consumer 2 can call only Paths 1 and 3 of the provider.

    The following figure shows the application call process after you configure the authentication rules.

    Figure: Service authentication configured

Create a service authentication rule

  1. Log on to the EDAS console.

  2. In the left-side navigation pane, choose Traffic Management > Microservices Governance > Dubbo.

  3. In the left-side navigation tree of the Dubbo page, click Service Authentication.

  4. On the Service Authentication page, click Create Rule.

  5. In the Create Rule panel, configure the parameters related to a service authentication rule and click OK.

    Figure: Service authentication - Create Rule - Dubbo

    The following table describes the parameters.

    Parameter: Description

    • Microservice Space: Select the region and microservices namespace where the callee application resides.

    • Rule Name: Specify a name for the rule that you want to create. The name can be up to 64 characters in length, and can contain letters, digits, underscores (_), and hyphens (-).

    • Type of Callee: A value of Application is automatically used.

    • Callee (Application): Select the callee application.

    • Framework of Callee: Specify the framework that is used by the callee application. In this example, select Dubbo.

    Add All Interface Rules

    Important: You can add only one global rule for all interfaces.

    • Callee Interface: A value of All Services / All Interfaces is automatically used. You cannot change the parameter value.

    • Authentication Mode: Select the mode of service authentication based on your business requirements. Valid values: Whitelist (Allowed to Call) and Blacklist (Called Prohibited).

    • Caller: Select the callers to be authenticated.

      Valid values: Application, Gateway, and any source. You can select Enterprise Distributed Application Service (EDAS) applications and Microservices Engine (MSE) gateways as the callers. You can also select any source to expose interfaces for public use.

      Note
      • You can select both Application and Gateway to add multiple applications and gateways.

      • any source is mutually exclusive with Application and Gateway.

    Add Specified Interface Rule

    Important: The rule added for a specific interface is not appended. Instead, the rule overwrites the global rule for all interfaces. Exercise caution when you configure this type of rule.

    • Callee Interface: Specify the services and interfaces of the callee application.

    • Authentication Mode: Select the mode of service authentication based on your business requirements. Valid values: Whitelist (Allowed to Call) and Blacklist (Called Prohibited).

    • Caller: Select the callers to be authenticated.

      Valid values: Application, Gateway, and any source. You can select EDAS applications and MSE gateways as the callers. You can also select any source to expose interfaces for public use.

      Note
      • You can select both Application and Gateway to add multiple applications and gateways.

      • any source is mutually exclusive with Application and Gateway.

    • Use Default Values: Specify whether to enable the rule.

      • If you turn on the switch, the rule is enabled immediately after it is created. By default, the rule is enabled.

      • If you turn off the switch, the rule is disabled after it is created. To enable the rule, find the rule on the Service Authentication page and click Enable in the Operation column.

Verify the results

After the service authentication rule is created and enabled, check whether the rule takes effect.
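
As an aid for this check, the following added example (not EDAS code and not part of the original page) models the rule semantics from the parameter table so that you can list which calls should be rejected before you test them. The `Rule` and `Policy` classes, the `denied_calls` helper, and the caller and interface names are hypothetical, and the model assumes that a specified-interface rule fully replaces the global rule for that interface, as the Important note states.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

ANY_SOURCE = "any source"  # models the "any source" caller option


@dataclass(frozen=True)
class Rule:
    mode: str                  # "whitelist" or "blacklist"
    callers: FrozenSet[str]

    def permits(self, caller: str) -> bool:
        listed = ANY_SOURCE in self.callers or caller in self.callers
        return listed if self.mode == "whitelist" else not listed


@dataclass
class Policy:
    global_rule: Optional[Rule] = None                  # "Add All Interface Rules"
    interface_rules: Dict[str, Rule] = field(default_factory=dict)

    def allowed(self, caller: str, interface: str) -> bool:
        # Assumption: a specified-interface rule replaces the global rule for
        # that interface instead of being combined with it.
        rule = self.interface_rules.get(interface, self.global_rule)
        # With no rule at all, every caller is allowed (the page's default).
        return True if rule is None else rule.permits(caller)


def denied_calls(policy, callers, interfaces):
    """Return the sorted (caller, interface) pairs the policy rejects."""
    return sorted((c, i) for c in callers for i in interfaces
                  if not policy.allowed(c, i))


CALLERS = ["Consumer 1", "Consumer 2", "Consumer 3"]      # constructed sample
INTERFACES = ["Path 1", "Path 2", "Path 3"]               # constructed sample
GLOBAL = Rule("whitelist", frozenset({"Consumer 2", "Consumer 3"}))

# Blacklisting Consumer 2 on Path 2 drops the whitelist there: Consumer 1 gets in.
loose = Policy(GLOBAL, {"Path 2": Rule("blacklist", frozenset({"Consumer 2"}))})
# Whitelisting only Consumer 3 on Path 2 keeps Consumer 1 out as well.
tight = Policy(GLOBAL, {"Path 2": Rule("whitelist", frozenset({"Consumer 3"}))})

if __name__ == "__main__":
    for name, policy in (("loose", loose), ("tight", tight)):
        print(name, denied_calls(policy, CALLERS, INTERFACES))
```

With the constructed data, the blacklist on Path 2 lets Consumer 1 call Path 2 even though the global whitelist excludes it, which is the effect the Important note warns about. Expressing the restriction as a whitelist on that interface keeps Consumer 1 out.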

What to do next

After you create a service authentication rule, you can click Edit, Close, or Open in the Operation column to manage the rule. If the service authentication rule is no longer required, you can click Delete in the Operation column to delete the rule.