If a microservice-oriented application requires high security and you want to restrict access to it from other applications, you can authenticate the applications that call the microservice-oriented application. This ensures that only the applications that match the authentication rules can call the microservice-oriented application.
Background information
This topic uses an example to introduce scenarios where Dubbo service authentication is performed.
Consumers 1, 2, and 3 and a service provider are deployed in the same namespace. By default, Consumers 1, 2, and 3 can call all the services and interfaces of the provider.
You can specify an authentication method for all the services and interfaces of the provider. For example, set the authentication method to Blacklist (call denied) for Consumer 1 and set the authentication method to Whitelist (allow calls) for Consumer 2 and Consumer 3.
Then, you can also set an authentication method for specified services and interfaces of the provider. For example, after you apply the preceding settings, Consumer 2 and Consumer 3 can access all services and interfaces of the provider. However, Service and Interface 2 of the provider involves core business and data. To disable Consumer 2 from accessing Service and Interface 2, set the authentication method of Service and Interface 2 to Blacklist (call denied) for Consumer 2. This way, Consumer 2 can access only Service and Interface 1 and Service and Interface 3 of the provider.
The following figure shows the application call process after you configure the authentication rules.
Create a service authentication rule
- On the Create rules page, set service authentication parameters, and click OK.
Service authentication rule parameters:
Parameter Description Microservice Namespaces The region and the microservice namespace where the service is deployed. Rule name The name of the service authentication rule. The name can be a maximum of 64 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The callee The called application. Callee framework The framework that is used by the called application. For this example, select Dubbo. Add all interface rules Notice You can add only one global rule for all interfaces.Callee Path Default value: All services/all interfaces. You cannot change the value of this parameter. Authentication method The service authentication method. Valid values: Whitelist (allow calls) and Blacklist (call denied). Select an option as needed. Caller The caller application to be authenticated for calling the service. Click Add caller to select multiple applications. Add specified interface rule Notice The rule added for a specific interface is not appended. Instead, the rule overwrites the common rule added for the interface. Exercise caution when you configure this parameter.Callee Interface Specify the services and interfaces of the called application. Authentication method The service authentication method. Valid values: Whitelist (allow calls) and Blacklist (call denied). Select an option as needed. Caller The caller application to be authenticated for calling the service. Click Add caller to select multiple applications. Default State Specifies whether to enable the rule. - On: The rule is enabled immediately after you create it. This is the default value.
- Off: The rule is not enabled after it is created. To enable the rule, find the rule on the Service Authentication page and click Open in the Operation column.
Verify the results
After the service authentication rule is created and enabled, check whether the rule takes effect.