Higress外部认证插件(ext-auth)白名单无效

[wh-tianya]

问题：使用Higress外部认证插件(ext-auth)调用认证服务，配置的白名单没有效果
Higress版本： v2.1.0
Ext-auth版本：higress-system.ext-auth-1.0.0

这是我的外部认证插件配置，我是在域名下(api-dev.abc.net)配置的外部认证，这是yaml的配置：

http_service:
  authorization_request:
    allowed_headers:
    - exact: "Authorization"
    - exact: "Content-Type"
    - exact: "Accept"
    - exact: "User-Agent"
    - exact: "X-Request-ID"
    - prefix: "Kbfs-"
  authorization_response:
    allowed_upstream_headers:
    - exact: "x-md-global-userID"
    - exact: "X-User-Info"
    - exact: "X-Auth-Roles"
    - prefix: "x-md-"
  endpoint:
    path: "/auth/validate"
    request_method: "POST"
    service_name: "abc.user.http.DEFAULT-GROUP.public.nacos"
    service_port: 8000
  endpoint_mode: "forward_auth"
  match_list:
  - match_rule_domain: "api-dev.abc.net"
    match_rule_method: "*"
    match_rule_path: "/user"
    match_rule_type: "prefix"
  match_type: "whitelist"

3. 下面higress-gateway 报的错误，我配置的白名单，我理解白名单上的地址和path都应该放行，不应该认证啊

[johnlanni]

cc @hanxiantao

[hanxiantao]

match_type 、 match_list 和 http_service 是一个层级的。试下这样

http_service:
  authorization_request:
    allowed_headers:
    - exact: "Authorization"
    - exact: "Content-Type"
    - exact: "Accept"
    - exact: "User-Agent"
    - exact: "X-Request-ID"
    - prefix: "Kbfs-"
  authorization_response:
    allowed_upstream_headers:
    - exact: "x-md-global-userID"
    - exact: "X-User-Info"
    - exact: "X-Auth-Roles"
    - prefix: "x-md-"
  endpoint:
    path: "/auth/validate"
    request_method: "POST"
    service_name: "abc.user.http.DEFAULT-GROUP.public.nacos"
    service_port: 8000
  endpoint_mode: "forward_auth"
match_list:
- match_rule_domain: "api-dev.abc.net"
   match_rule_method: "*"
   match_rule_path: "/user"
   match_rule_type: "prefix"
match_type: "whitelist"

[wh-tianya]

match_type 、 match_list 和 http_service 一个层级的,这样做，match_list中第一条生效了，但是第二条domin中的不生效啊，带login 的http path 还是调用了认证服务

http_service:
  authorization_request:
    allowed_headers:
    - exact: "Authorization"
    - exact: "Content-Type"
    - exact: "Accept"
    - exact: "User-Agent"
    - exact: "X-Request-ID"
    - prefix: "Kbfs-"
  authorization_response:
    allowed_upstream_headers:
    - exact: "x-md-global-userID"
    - exact: "X-User-Info"
    - exact: "X-Auth-Roles"
    - prefix: "x-md-"
  endpoint:
    path: "/auth/validate"
    request_method: "POST"
    service_name: "qy.user.http.DEFAULT-GROUP.public.nacos"
    service_port: 8000
  endpoint_mode: "forward_auth"
match_list:
- match_rule_domain: "api-dev.abc.net"
  match_rule_path: "/open"
  match_rule_type: "prefix"
- match_rule_domain: "api-dev.abc.net"
  match_rule_path: "/login"
  match_rule_type: "contains"
match_type: "whitelist"

[hanxiantao]

我用上面的配置试了下好像没问题，第一个响应为403，走了认证服务，第二三个跳过了认证返回200

[wh-tianya]

是的，可以了，感谢

[dukehxin]

你们是怎么做到的呀

---

How did you do it

[dukehxin]

我试了认证，没一个会生效的，只有路由消费者的key-auth可以生效

---

I tried authentication, but none of them will take effect. Only the key-auth of the routing consumer can take effect