Anonymous Access的理解

Every request proxied by Kong must be associated with a Consumer.

You’ll now create a Consumer named  anonymous_users

启用认证插件后，如果不配置匿名用户，那么如果客户 端不传递凭据，那么就不会通过

 

每个请求必须要和一个消费者关联，匿名消费者的配置，需要如下：

 

 $ curl -i -X PATCH \
   --url http://localhost:8001/plugins/<your-plugin-id> \
   --data "config.anonymous=<your-consumer-id>"

当客户端不设置apikey的时候，kongm默认取配置的匿名用户转发到后端

我们可以针对匿名用户配置限流策略

PermalinkAnonymous Access

Kong has the ability to configure a given Service to allow both authenticated and anonymous access.

You might use this configuration to grant access to anonymous users with a low rate-limit, and grant access to authenticated users with a higher rate limit.

To configure a Service like this, you first apply your selected authentication plugin, then create a new consumer to represent anonymous users, then configure your authentication plugin to allow anonymous access. Here is an example, which assumes you have already configured a Service named example-service and the corresponding route:

1. PermalinkCreate an example Service and a Route

   Issue the following cURL request to create example-service pointing to mockbin.org, which will echo the request:

    $ curl -i -X POST \
      --url http://localhost:8001/services/ \
      --data 'name=example-service' \
      --data 'url=http://mockbin.org/request'
   

   Add a route to the Service:

    $ curl -i -X POST \
      --url http://localhost:8001/services/example-service/routes \
      --data 'paths[]=/auth-sample'
   

   The url http://localhost:8000/auth-sample will now echo whatever is being requested.

2. PermalinkConfigure the key-auth Plugin for your Service

   Issue the following cURL request to add a plugin to a Service:

    $ curl -i -X POST \
      --url http://localhost:8001/services/example-service/plugins/ \
      --data 'name=key-auth'
   

   Be sure to note the created Plugin id - you’ll need it in step 5.

3. PermalinkVerify that the key-auth plugin is properly configured

   Issue the following cURL request to verify that the key-auth plugin was properly configured on the Service:

    $ curl -i -X GET \
      --url http://localhost:8000/auth-sample
   

   Since you did not specify the required apikey header or parameter, and you have not yet enabled anonymous access, the response should be 403 Forbidden:

    HTTP/1.1 403 Forbidden
    ...
   
    {
      "message": "No API key found in headers or querystring"
    }
   

4. PermalinkCreate an anonymous Consumer

   Every request proxied by Kong must be associated with a Consumer. You’ll now create a Consumer named anonymous_users (that Kong will utilize when proxying anonymous access) by issuing the following request:

    $ curl -i -X POST \
      --url http://localhost:8001/consumers/ \
      --data "username=anonymous_users"
   

   You should see a response similar to the one below:

    HTTP/1.1 201 Created
    Content-Type: application/json
    Connection: keep-alive
   
    {
      "username": "anonymous_users",
      "created_at": 1428555626000,
      "id": "bbdf1c48-19dc-4ab7-cae0-ff4f59d87dc9"
    }
   

   Be sure to note the Consumer id - you’ll need it in the next step.

5. PermalinkEnable anonymous access

   You’ll now re-configure the key-auth plugin to permit anonymous access by issuing the following request (replace the sample uuids below by the id values from step 2 and 4):

    $ curl -i -X PATCH \
      --url http://localhost:8001/plugins/<your-plugin-id> \
      --data "config.anonymous=<your-consumer-id>"
   

   The config.anonymous=<your-consumer-id> parameter instructs the key-auth plugin on this Service to permit anonymous access, and to associate such access with the Consumer id we received in the previous step. It is required that you provide a valid and pre-existing Consumer id in this step - validity of the Consumer id is not currently checked when configuring anonymous access, and provisioning of a Consumer id that doesn’t already exist will result in an incorrect configuration.

6. PermalinkCheck anonymous access

   Confirm that your Service now permits anonymous access by issuing the following request:

    $ curl -i -X GET \
      --url http://localhost:8000/auth-sample
   

   This is the same request you made in step #3, however this time the request should succeed, because you enabled anonymous access in step #5.

   The response (which is the request as Mockbin received it) should have these elements:

    {
      ...
      "headers": {
        ...
        "x-consumer-id": "713c592c-38b8-4f5b-976f-1bd2b8069494",
        "x-consumer-username": "anonymous_users",
        "x-anonymous-consumer": "true",
        ...
      },
      ...
    }

   It shows the request was successful, but anonymous.