If a microservice-oriented application requires high security and you want to restrict access to it from other applications, you can authenticate the applications that call the microservice-oriented application. This ensures that only the applications that match the authentication rules can call the microservice-oriented application.

Background information

This topic uses an example to introduce scenarios where Dubbo service authentication is performed.

Consumers 1, 2, and 3 and a service provider are deployed in the same namespace. By default, Consumers 1, 2, and 3 can call all the services and interfaces of the provider.

Figure: Service authentication unconfigured

You can specify an authentication method for all the services and interfaces of the provider. For example, set the authentication method to Blacklist (call denied) for Consumer 1 and set the authentication method to Whitelist (allow calls) for Consumer 2 and Consumer 3.

You can then also set an authentication method for specific services and interfaces of the provider. For example, after you apply the preceding settings, Consumer 2 and Consumer 3 can access all services and interfaces of the provider. However, Service and Interface 2 of the provider involves core business and data. To prevent Consumer 2 from accessing Service and Interface 2, set the authentication method of Service and Interface 2 to Blacklist (call denied) for Consumer 2. This way, Consumer 2 can access only Service and Interface 1 and Service and Interface 3 of the provider.

The following figure shows the application call process after you configure the authentication rules.

Figure: Service authentication configured

Create a service authentication rule

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose Microservices Governance > Dubbo.
  3. In the left-side navigation pane of Dubbo, click Service Authentication.
  4. On the Service Authentication page, click Create rules.
  5. On the Create rules page, set service authentication parameters, and click OK.
    Figure: Create a rule for Dubbo service authentication

    Service authentication rule parameters:

    Parameter: Description

    Microservice Namespaces: The region and the microservice namespace where the service is deployed.
    Rule name: The name of the service authentication rule. The name can be a maximum of 64 characters in length, and can contain letters, digits, underscores (_), and hyphens (-).
    The callee: The called application.
    Callee framework: The framework that is used by the called application. For this example, select Dubbo.

    Add all interface rules
      Notice: You can add only one global rule for all interfaces.
      Callee Path: Default value: All services/all interfaces. You cannot change the value of this parameter.
      Authentication method: The service authentication method. Valid values: Whitelist (allow calls) and Blacklist (call denied). Select an option as needed.
      Caller: The caller application to be authenticated for calling the service. Click Add caller to select multiple applications.

    Add specified interface rule
      Notice: The rule added for a specific interface is not appended. Instead, the rule overwrites the common rule added for the interface. Exercise caution when you configure this parameter.
      Callee Interface: Specify the services and interfaces of the called application.
      Authentication method: The service authentication method. Valid values: Whitelist (allow calls) and Blacklist (call denied). Select an option as needed.
      Caller: The caller application to be authenticated for calling the service. Click Add caller to select multiple applications.

    Default State: Specifies whether to enable the rule.
    • On: The rule is enabled immediately after you create it. This is the default value.
    • Off: The rule is not enabled after it is created. To enable the rule, find the rule on the Service Authentication page and click Open in the Operation column.

Verify the results

After the service authentication rule is created and enabled, check whether the rule takes effect.
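
To know what "takes effect" should look like before testing, the following added example (a model written for this page, not EDAS or Dubbo code) computes the expected allow/deny result for each caller and interface from the rule semantics described above, including the overwrite behaviour stated in the Notice for specified interface rules. The names `consumer-1`, `interface-2` and so on are placeholders, and the model assumes that a whitelist denies callers that are not listed and a blacklist allows them.

```python
# Added illustration: a model of the rule semantics described on this page,
# not EDAS or Dubbo code. Names and list semantics below are assumptions.
from dataclasses import dataclass, field

ALL = "*"  # stands for the Callee Path "All services/all interfaces"

@dataclass(frozen=True)
class Rule:
    method: str          # "whitelist" (allow calls) or "blacklist" (call denied)
    callers: frozenset   # caller applications named in the rule

    def allows(self, caller):
        listed = caller in self.callers
        # Assumption: a whitelist denies unlisted callers; a blacklist allows them.
        return listed if self.method == "whitelist" else not listed

@dataclass
class Policy:
    rules: dict = field(default_factory=dict)  # interface name or ALL -> Rule
    enabled: bool = True                       # the "Default State" switch

    def allowed(self, caller, interface):
        if not self.enabled:
            return True  # rule off: default behaviour, every call is allowed
        # A specified interface rule overwrites the global rule; it is not merged.
        rule = self.rules.get(interface, self.rules.get(ALL))
        return True if rule is None else rule.allows(caller)

    def matrix(self, callers, interfaces):
        return {(c, i): self.allowed(c, i) for c in callers for i in interfaces}

CALLERS = ["consumer-1", "consumer-2", "consumer-3"]
INTERFACES = ["interface-1", "interface-2", "interface-3"]

def scenario(specific_rule):
    """Global blacklist on consumer-1 plus a specified rule on interface-2."""
    return Policy({ALL: Rule("blacklist", frozenset({"consumer-1"})),
                   "interface-2": specific_rule})

# Specified rule as worded in the scenario: blacklist consumer-2 only.
narrow = scenario(Rule("blacklist", frozenset({"consumer-2"})))
# Variant that restates every caller that must stay denied on interface-2.
strict = scenario(Rule("blacklist", frozenset({"consumer-1", "consumer-2"})))

if __name__ == "__main__":
    for name, policy in (("narrow", narrow), ("strict", strict)):
        print(name)
        for (c, i), ok in policy.matrix(CALLERS, INTERFACES).items():
            print(f"  {c} -> {i}: {'allow' if ok else 'deny'}")
```

Under these assumptions the `narrow` policy allows `consumer-1` on `interface-2`, because the specified rule replaces the global one for that interface; compare the printed matrix with real call results when you verify the rule.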

What to do next

After you create a service authentication rule, you can click Edit, Close, or Open in the Operation column to manage the rule. If the service authentication rule is no longer required, you can click Delete in the Operation column to delete the rule.