If a microservices application requires high security, you can implement access control for the application at the interface or method level to authenticate access requests from callers. This ensures that only callers that match the service authentication rule can call the microservices application. This topic describes how to implement access control for a Dubbo application by using service authentication.
Background information
This topic uses an example to introduce scenarios where Spring Cloud service authentication is performed.
Service authentication is not configured
Consumers 1, 2, and 3 and a service provider are deployed in the same namespace. By default, Consumers 1, 2, and 3 can call all the paths (Paths 1, 2, and 3) of the provider.
Service authentication is configured
Configure an authentication rule for all the paths.
You can configure an authentication rule for all the paths of the provider. For example, you can configure a blacklist for Consumer 1 to prevent it from calling the paths of the provider, and configure a whitelist for Consumers 2 and 3 to allow them to call the paths of the provider.
Configure an authentication rule for a specific path.
You can also configure an authentication rule for a specific path of the provider. For example, you can configure a blacklist for Consumer 2 to prevent it from calling Path 2 of the provider because the path involves core business or core data. Then, Consumer 2 can call only Paths 1 and 3 of the provider.
The following figure shows the application call process after you configure the authentication rules.
Create a service authentication rule
Log on to the EDAS console.
In the left-side navigation pane, choose .
In the left-side navigation tree of the Dubbo page, click Service Authentication.
On the Service Authentication page, click Create Rule.
In the Create Rule panel, configure the parameters related to a service authentication rule and click OK.
The following table describes the parameters.
Parameter: Description

Microservice Space: Select the region and microservices namespace where the callee application resides.
Rule Name: Specify a name for the rule that you want to create. The name can be up to 64 characters in length, and can contain letters, digits, underscores (_), and hyphens (-).
Type of Callee: A value of Application is automatically used.
Callee (Application): Select the callee application.
Framework of Callee: Specify the framework that is used by the callee application. In this example, select Dubbo.
Add All Interface Rules: Important: You can add only one global rule for all interfaces.
  Callee Interface: A value of All Services / All Interfaces is automatically used. You cannot change the parameter value.
  Authentication Mode: Select the mode of service authentication based on your business requirements. Valid values: Whitelist (Allowed to Call) and Blacklist (Called Prohibited).
  Caller: Select the callers to be authenticated. Valid values: Application, Gateway, and any source. You can select Enterprise Distributed Application Service (EDAS) applications and Microservices Engine (MSE) gateways as the callers. You can also select any source to expose interfaces for public use. Note: You can select both Application and Gateway to add multiple applications and gateways. any source is mutually exclusive with Application and Gateway.
Add Specified Interface Rule: Important: The rule added for a specific interface is not appended. Instead, the rule overwrites the global rule for all interfaces. Exercise caution when you configure this type of rule.
  Callee Interface: Specify the services and interfaces of the callee application.
  Authentication Mode: Select the mode of service authentication based on your business requirements. Valid values: Whitelist (Allowed to Call) and Blacklist (Called Prohibited).
  Caller: Select the callers to be authenticated. Valid values: Application, Gateway, and any source. You can select EDAS applications and MSE gateways as the callers. You can also select any source to expose interfaces for public use. Note: You can select both Application and Gateway to add multiple applications and gateways. any source is mutually exclusive with Application and Gateway.
Use Default Values: Specify whether to enable the rule. If you turn on the switch, the rule is enabled immediately after it is created. By default, the rule is enabled. If you turn off the switch, the rule is disabled after it is created. To enable the rule, find the rule on the Service Authentication page and click Enable in the Operation column.
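To make the overwrite semantics of a specific-interface rule concrete, the following is an added Python model of how the documented rules combine; it is not EDAS code or the Dubbo authentication filter itself, and the class and function names are assumptions. It uses the scenario from the Background section: a global whitelist for Consumers 2 and 3, plus a blacklist for Consumer 2 on Path 2 only.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

ALL_INTERFACES = "*"       # stands for "All Services / All Interfaces"
ANY_SOURCE = "any source"  # the "any source" caller option


@dataclass(frozen=True)
class Rule:
    mode: str                # "whitelist" (Allowed to Call) or "blacklist" (Called Prohibited)
    callers: FrozenSet[str]  # caller applications or gateways named in the rule
    interface: str = ALL_INTERFACES


class AuthPolicy:
    """Model (assumption) of the documented rule semantics for one callee application."""

    def __init__(self, global_rule: Optional[Rule] = None) -> None:
        self.global_rule = global_rule           # at most one rule for all interfaces
        self.interface_rules: Dict[str, Rule] = {}

    def add_interface_rule(self, rule: Rule) -> None:
        self.interface_rules[rule.interface] = rule

    def effective_rule(self, interface: str) -> Optional[Rule]:
        # A specific-interface rule overwrites the global rule for that interface;
        # it is not appended to it (see the Important note in the parameter table).
        return self.interface_rules.get(interface, self.global_rule)

    def is_allowed(self, caller: str, interface: str) -> bool:
        rule = self.effective_rule(interface)
        if rule is None:
            return True  # no rule at all: every consumer can call every path
        if ANY_SOURCE in rule.callers:
            return rule.mode == "whitelist"  # any-source whitelist exposes the interface publicly
        matched = caller in rule.callers
        return matched if rule.mode == "whitelist" else not matched


def call_matrix(policy: AuthPolicy, callers, interfaces) -> Dict[Tuple[str, str], bool]:
    return {(c, i): policy.is_allowed(c, i) for c in callers for i in interfaces}


def build_example_policy() -> AuthPolicy:
    # Constructed from the Background scenario: whitelist Consumers 2 and 3 for all
    # paths, then blacklist Consumer 2 on Path 2 only.
    policy = AuthPolicy(Rule("whitelist", frozenset({"Consumer 2", "Consumer 3"})))
    policy.add_interface_rule(Rule("blacklist", frozenset({"Consumer 2"}), "Path 2"))
    return policy


if __name__ == "__main__":
    matrix = call_matrix(build_example_policy(),
                         ["Consumer 1", "Consumer 2", "Consumer 3"],
                         ["Path 1", "Path 2", "Path 3"])
    for (caller, path), ok in sorted(matrix.items()):
        print(f"{caller} -> {path}: {'allowed' if ok else 'denied'}")
```

Because the Path 2 rule replaces the global rule rather than adding to it, Consumer 1 (excluded from every path by the global whitelist) is allowed on Path 2 unless the specific rule also lists it; check the effective rule per interface before enabling such a rule.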
Verify the results
After the service authentication rule is created and enabled, check whether the rule takes effect.
What to do next
After you create a service authentication rule, you can click Edit, Close, or Open in the Operation column to manage the rule. If the service authentication rule is no longer required, you can click Delete in the Operation column to delete the rule.