apache · moonming · Jun 8, 2020 · Apr 9, 2020 · Apr 9, 2020 · Apr 13, 2020
diff --git a/apisix/plugins/consumer-restriction.lua b/apisix/plugins/consumer-restriction.lua
@@ -0,0 +1,94 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local ipairs    = ipairs
+local core      = require("apisix.core")
+
+local schema = {
+    type = "object",
+    properties = {
+        whitelist = {
+            type = "array",
+            items = {type = "string"},
+            minItems = 1
+        },
+        blacklist = {
+            type = "array",
+            items = {type = "string"},
+            minItems = 1
+        }
+    },
+    oneOf = {
+        {required = {"whitelist"}},
+        {required = {"blacklist"}}
+    }
+}
+
+
+local plugin_name = "consumer-restriction"
+
+
+local _M = {
+    version = 0.1,
+    priority = 2400,
+    name = plugin_name,
+    schema = schema,
+}
+
+local function is_include(value, tab)
+    for k,v in ipairs(tab) do
+        if v == value then
+            return true
+        end
+    end
+    return false
+end
+
+function _M.check_schema(conf)
+    local ok, err = core.schema.check(schema, conf)
+
+    if not ok then
+        return false, err
+    end
+
+    return true
+end
+
+function _M.access(conf, ctx)
+    if not ctx.consumer then
+        return 401, { message = "Missing authentication or identity verification." }
+    end
+
+    local block = false
+    if conf.blacklist and #conf.blacklist > 0 then
+        if is_include(ctx.consumer.username, conf.blacklist) then
+            block = true
+        end
+    end
+
+    if conf.whitelist and #conf.whitelist > 0 then
+        if not is_include(ctx.consumer.username, conf.whitelist) then
+            block = true
+        end
+    end
+
+    if block then
+        return 403, { message = "The consumer is not allowed" }
+    end
+end
+
+
+return _M
diff --git a/conf/config.yaml b/conf/config.yaml
@@ -158,6 +158,7 @@ plugins:                          # plugin list
   - proxy-mirror
   - kafka-logger
   - cors
+  - consumer-restriction
   - syslog
   - batch-requests
   - http-logger

diff --git a/doc/architecture-design-cn.md b/doc/architecture-design-cn.md
@@ -548,6 +548,36 @@ HTTP/1.1 503 Service Temporarily Unavailable
 
 ```
 
+结合 [consumer-restriction](./plugins/consumer-restriction-cn.md) 插件，限制jack对该 route 的访问
+
+# 设置黑名单，禁止jack访问该API
+$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "plugins": {
+        "key-auth": {},
+        "consumer-restriction": {
+            "blacklist": [
+                "jack"
+            ]
+        }
+    },
+    "upstream": {
+        "nodes": {
+            "127.0.0.1:1980": 1
+        },
+        "type": "roundrobin"
+    },
+    "uri": "/hello"
+}'
+
+# 反复测试，均返回 403，jack被禁止访问
+$ curl http://127.0.0.1:9080/hello -H 'apikey: auth-one' -I
+HTTP/1.1 403
+...
+
+```
+
+
 [返回目录](#目录)
 
 ## Global Rule

diff --git a/doc/architecture-design.md b/doc/architecture-design.md
@@ -537,6 +537,35 @@ HTTP/1.1 503 Service Temporarily Unavailable
 
 ```
 
+Use the [consumer-restriction](./plugins/consumer-restriction-cn.md) plug-in to restrict the access of Jack to this API.
+
+# Add Jack to the blacklist
+$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "plugins": {
+        "key-auth": {},
+        "consumer-restriction": {
+            "blacklist": [
+                "jack"
+            ]
+        }
+    },
+    "upstream": {
+        "nodes": {
+            "127.0.0.1:1980": 1
+        },
+        "type": "roundrobin"
+    },
+    "uri": "/hello"
+}'
+
+# Repeated tests, all return 403; Jack is forbidden to access this API
+$ curl http://127.0.0.1:9080/hello -H 'apikey: auth-one' -I
+HTTP/1.1 403
+...
+
+```
+
 [Back to top](#Table-of-contents)
 
 ## Global Rule

diff --git a/doc/plugins/consumer-restriction-cn.md b/doc/plugins/consumer-restriction-cn.md
@@ -0,0 +1,128 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+[English](consumer-restriction.md)
+
+# 目录
+- [**名字**](#名字)
+- [**属性**](#属性)
+- [**如何启用**](#如何启用)
+- [**测试插件**](#测试插件)
+- [**禁用插件**](#禁用插件)
+
+## 名字
+
+`consumer-restriction` 可以通过以下方式限制对服务或路线的访问，将 consumer 列入白名单或黑名单。 支持单个或多个 consumer。
+
+## 属性
+
+* `whitelist`: 可选，加入白名单的consumer
+* `blacklist`: 可选，加入黑名单的consumer
+
+只能单独启用白名单或黑名单，两个不能一起使用。
+
+## 如何启用
+
+下面是一个示例，在指定的 route 上开启了 `consumer-restriction` 插件，限制consumer访问:
+
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d '
+{
+    "username": "jack1",
+    "plugins": {
+        "basic-auth": {
+            "username":"jack2019",
+            "password": "123456"
+        }
+    }
+}'
+
+curl http://127.0.0.1:9080/apisix/admin/consumers/2 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d '
+{
+    "username": "jack2",
+    "plugins": {
+        "basic-auth": {
+            "username":"jack2020",
+            "password": "123456"
+        }
+    }
+}'
+
+curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "uri": "/index.html",
+    "upstream": {
+        "type": "roundrobin",
+        "nodes": {
+            "127.0.0.1:1980": 1
+        }
+    },
+    "plugins": {
+        "basic-auth": {},
+        "consumer-restriction": {
+            "whitelist": [
+                "jack1"
+            ]
+        }
+    }
+}'
+```
+
+## 测试插件
+
+jack1 访问:
+
+```shell
+$ curl -u jack2019:123456 http://127.0.0.1:9080/index.html
+HTTP/1.1 200 OK
+...
+```
+
+jack2 访问:
+
+```shell
+$ curl -u jack2020:123456 http://127.0.0.1:9080/index.html -i
+HTTP/1.1 403 Forbidden
+...
+{"message":"You are not allowed"}
+```
+
+## 禁用插件
+
+当你想去掉 `consumer-restriction` 插件的时候，很简单，在插件的配置中把对应的 json 配置删除即可，无须重启服务，即刻生效：
+
+```shell
+$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "uri": "/index.html",
+    "upstream": {
+        "type": "roundrobin",
+        "nodes": {
+            "127.0.0.1:1980": 1
+        }
+    },
+    "plugins": {
+        "basic-auth": {}
+    }
+}'
+```
+
+现在就已移除 `consumer-restriction` 插件，其它插件的开启和移除也类似。
+