If a microservice-oriented application requires high security and you want to restrict which other applications can reach it, you can authenticate the applications that call it. Only the callers that the authentication rules permit can then call the application.

Background information

This topic uses an example to introduce the scenarios in which service authentication is used for Service Mesh applications.

  • Do not configure service authentication

    Consumers 1, 2, and 3 and a service provider are deployed in the same namespace. By default, Consumers 1, 2, and 3 can call all the paths (Paths 1, 2, and 3) of the provider.

  • Configure service authentication
    • Configure an authentication rule for all the paths.

      You can configure an authentication rule that covers all the paths of the provider. For example, you can configure a blacklist for Consumer 1 to prevent it from calling any path of the provider, or a whitelist for Consumers 2 and 3 so that only they can call the provider. Note that for a Service Mesh callee only the Blacklist method is available in the console; see the parameter table in the following section.

    • Configure an authentication rule for a specific path.

      You can also configure an authentication rule for a single path of the provider. For example, because Path 2 involves core business or core data, you can configure a blacklist for Consumer 2 to prevent it from calling Path 2. Consumer 2 can then call only Paths 1 and 3 of the provider.

Create a service authentication rule

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose Microservices Governance > Service Mesh.
  3. In the navigation tree of the Service Mesh page, click Service Authentication.
  4. On the Service Authentication page, click Create rules.
  5. In the Create rules panel, set the parameters and click OK.

    The following describes the parameters.

    Microservice Namespaces: The region and microservice namespace where the called service resides.
    Rule name: The name of the service authentication rule. The name can be up to 64 characters in length and can contain letters, digits, underscores (_), and hyphens (-).
    The callee: The called application.
    Callee framework: The framework that is used by the called application. In this example, select Service Mesh.

    Add all interface rules (a common rule that covers every path of the callee):
      Notice: A common rule for all interfaces can be created only once.
      Callee interface: Fixed value Callee interface. You cannot change this parameter.
      All Path: Fixed value All Path. You cannot change this parameter.
      Authentication method: The method that is used for service authentication. Only Blacklist (call denied) is supported: the callers listed in the rule are denied, and callers that are not listed can still call the service.
      Caller: The application that is checked against the rule when it calls the service, that is, the caller to deny. To add multiple applications, click Add caller.

    Add specified interface rule (a rule for a single path of the callee):
      Notice: A rule created for a specific interface is not appended to the common rule. For that interface, it overwrites the common rule for all interfaces, so denials from the common rule do not carry over to that path unless you list the same callers again in the specific rule. Exercise caution when you configure this type of rule.
      Callee Path: The path of the called application to which the rule applies.
      Authentication method: The method that is used for service authentication. Only Blacklist (call denied) is supported.
      Caller: The application that is checked against the rule when it calls the path, that is, the caller to deny. To add multiple applications, click Add caller.

    Default state: Specifies whether the rule is enabled.
      • On: enables the rule after it is created. By default, the switch is turned on.
      • Off: disables the rule after it is created. To enable the rule later, find it on the Service Authentication page and click Open in the Operation column.

Verify the results

After the service authentication rule is created and enabled, check that it takes effect before you rely on it. From a caller that is listed in the blacklist, call the callee path that the rule covers and confirm that the call is denied. From an application that is not listed, confirm that the same call still succeeds. If you created a rule for a specific interface, also check the callers that only the common rule denies: because the specific rule overwrites the common rule for that interface, those callers may be able to call it unless they are listed in the specific rule as well.
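The following model, added here as an illustration and not part of EDAS or of this page's original content, shows how the rules described in the parameter table combine and produces the expected allow/deny outcome for every caller and path so that you can compare it with the real calls in this verification step. It assumes the semantics the table states: every rule is a blacklist, a disabled rule is ignored, and a rule for a specific path overwrites the common rule for all paths instead of extending it. The application names, paths and rule names are constructed for the example.

```python
"""Model of how Service Mesh authentication rules combine in EDAS.

Added illustration, not EDAS code. Assumes: every rule is a blacklist (listed
callers are denied, everyone else may call), a disabled rule is ignored, and a
rule for a specific path overwrites, rather than extends, the common rule for
all paths. Application and path names are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthRule:
    name: str
    callee: str
    path: Optional[str]        # None means "All Path" (the common rule)
    blacklist: frozenset[str]  # callers that this rule denies
    enabled: bool = True       # the "Default state" switch in the console


def select_rule(rules: list[AuthRule], callee: str, path: str) -> Optional[AuthRule]:
    """Return the rule that governs a call to `path` on `callee`.

    A specific-path rule wins over the common rule; this is the overwrite
    behaviour that the Notice in the parameter table warns about.
    """
    active = [r for r in rules if r.enabled and r.callee == callee]
    specific = [r for r in active if r.path == path]
    if specific:
        return specific[0]
    common = [r for r in active if r.path is None]
    return common[0] if common else None


def is_allowed(rules: list[AuthRule], caller: str, callee: str, path: str) -> bool:
    """Blacklist semantics: deny only if the governing rule lists the caller."""
    rule = select_rule(rules, callee, path)
    return rule is None or caller not in rule.blacklist


def decision_matrix(rules, callers, callee, paths):
    """Expected outcome of every caller/path pair; compare it with real calls."""
    return {(c, p): is_allowed(rules, c, callee, p) for c in callers for p in paths}


def overridden_callers(rules: list[AuthRule], callee: str, path: str) -> set[str]:
    """Callers the common rule denies that the specific rule for `path` lets through."""
    common = next((r for r in rules if r.enabled and r.callee == callee and r.path is None), None)
    specific = next((r for r in rules if r.enabled and r.callee == callee and r.path == path), None)
    if common is None or specific is None:
        return set()
    return set(common.blacklist - specific.blacklist)


CALLERS = ["consumer-1", "consumer-2", "consumer-3"]
PATHS = ["/path1", "/path2", "/path3"]

# As configured: the common rule denies consumer-1 on every path, and a
# specific rule denies consumer-2 on /path2 (the core-data path).
RULES = [
    AuthRule("deny-consumer-1", "provider", None, frozenset({"consumer-1"})),
    AuthRule("protect-path2", "provider", "/path2", frozenset({"consumer-2"})),
]

# Fixed: because the specific rule overwrites the common rule on /path2,
# consumer-1 must be listed there again or it regains access to that path.
RULES_FIXED = [
    AuthRule("deny-consumer-1", "provider", None, frozenset({"consumer-1"})),
    AuthRule("protect-path2", "provider", "/path2", frozenset({"consumer-1", "consumer-2"})),
]


if __name__ == "__main__":
    for label, rules in (("as configured", RULES), ("fixed", RULES_FIXED)):
        print(label)
        for (caller, path), ok in decision_matrix(rules, CALLERS, "provider", PATHS).items():
            print(f"  {caller} -> {path}: {'allowed' if ok else 'denied'}")
        print("  callers unblocked on /path2:", overridden_callers(rules, "provider", "/path2"))
```

Run it and check the "as configured" matrix: consumer-1 is denied on /path1 and /path3 but allowed on /path2, which is the unintended effect of the overwrite. The "fixed" rule set lists consumer-1 in the specific rule as well, and `overridden_callers` then returns an empty set. The real behaviour of the mesh must still be confirmed with actual calls, as described in this section; the model only tells you what to expect.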

What to do next

After you create a service authentication rule, you can click Edit, Close, or Open in the Operation column to modify, disable, or enable it. If the rule is no longer required, click Delete in the Operation column to delete it.