Hi,

As for authentication in this project, it is using a JSON file to store all users. Could we use some libraries like Casbin to implement this?
Best Regards!
@ Zhiyuan Ju <https://github.com/juzhiyuan>

Bisakh Mondal <[email protected]> wrote on Mon, 30 Aug 2021 at 22:37:

> Hi Community,
>
> This is Bisakh. This thread is regarding an issue/request [1] in
> the apisix-dashboard project to support a *viewer account* that basically
> can be used by non-admin users (users with low access privileges). These
> accounts will be purely view-only; users of these accounts are restricted
> from performing any sort of change/modification to the gateway's internal state.
>
> Now, coming to the implementation part, I am proposing the following
> approach. As we are working on our authentication framework to support
> dynamic user registration and login, I think we can extend the
> implementation in two phases:
>
> Phase - 1 [Implementing viewer accounts]
>
> The dashboard is for authenticated users, so we can definitely work on top
> of the authentication framework by storing another field, something similar
> to `"restrict-full-access": bool`, in etcd for each user, extending the
> current schema that we have [2]. The info gets encoded into the existing
> JWT and passed to the web UI / CLI on a successful sign-in.
> We will add middleware or modify the existing one to restrict the protected
> routes (here HTTP methods: allow only GET requests (maybe selectively; we
> can maintain a list here), no POST, PUT, PATCH or DELETE).
> And for the frontend part, we can cache the info in a React state while
> receiving the JWT from the backend and perform all sorts of restrictions.
>
> Phase - 2 [Implementing a mechanism to manage viewer accounts - IAM]
>
> Now, there is still another question left: how are we/admins going to
> manage it?
> I am proposing an *IAM* (Identity and Access Management) section in the
> dashboard (both in the Manager API and the dashboard web) that can be used to
>
> - List all available members.
> - Upgrade/Downgrade certain members from/to viewer accounts
> - Blacklist certain users from further using the dashboard instance for a
> certain period/permanently.
>
> Let me know how it sounds. Looking forward to your feedback : ) Thank you.
>
> Best regards,
> Bisakh <https://github.com/bisakhmondal>
>
> [1] : https://github.com/apache/apisix-dashboard/issues/1825
> [2] :
> https://github.com/apache/apisix-dashboard/pull/2010#issuecomment-895737216
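The Phase 1 design quoted above (a `"restrict-full-access"` flag carried in the JWT, plus middleware that lets such accounts use only read methods) as an added, self-contained Go example. This is not code from the thread or from apisix-dashboard; the project's own Manager API uses its own web framework and JWT library. Only the `restrict-full-access` claim name comes from the proposal. The `sub` claim, the `ViewerGuard`, `SignToken`, `ParseToken` and `Probe` names, the HS256 signing, the allow-list contents (GET and HEAD) and the signing key are all assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Claims carried in the dashboard JWT. RestrictFullAccess mirrors the
// `"restrict-full-access": bool` field from the proposal; "sub" is an
// assumed field name for this example.
type Claims struct {
	Sub                string `json:"sub"`
	RestrictFullAccess bool   `json:"restrict-full-access"`
}

// Constructed key for the demo only; a real deployment loads this from config.
var signingKey = []byte("example-only-secret")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignToken issues a compact HS256 JWT (header.payload.signature) for the claims.
func SignToken(c Claims) (string, error) {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// ParseToken verifies the signature before trusting any claim. The algorithm
// is pinned to HS256 so an attacker cannot downgrade to "none" or swap keys.
func ParseToken(tok string) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var h struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdr, &h); err != nil || h.Alg != "HS256" {
		return c, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal([]byte(b64(mac.Sum(nil))), []byte(parts[2])) {
		return c, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	return c, nil
}

// readOnlyMethods is the allow-list for viewer accounts (the "maintain a list
// here" idea from the proposal). HEAD is included alongside GET by assumption.
var readOnlyMethods = map[string]bool{http.MethodGet: true, http.MethodHead: true}

// ViewerGuard authenticates the bearer token and, for restricted accounts,
// rejects every method outside the allow-list before the handler runs.
func ViewerGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			http.Error(w, "missing token", http.StatusUnauthorized)
			return
		}
		claims, err := ParseToken(strings.TrimPrefix(auth, "Bearer "))
		if err != nil {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		if claims.RestrictFullAccess && !readOnlyMethods[r.Method] {
			http.Error(w, "viewer accounts are read-only", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request through the guard and returns the HTTP status code.
func Probe(method, token string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, "/apisix/admin/routes", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	ViewerGuard(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	viewer, _ := SignToken(Claims{Sub: "viewer", RestrictFullAccess: true})
	admin, _ := SignToken(Claims{Sub: "admin", RestrictFullAccess: false})
	fmt.Println(Probe("GET", viewer), Probe("DELETE", viewer), Probe("DELETE", admin))
}
```

The check that matters for the viewer feature is the order of operations: the signature is verified before the `restrict-full-access` claim is read, so a viewer cannot simply re-encode the payload with the flag cleared. The method allow-list is the coarse, method-level restriction described in Phase 1; a per-route policy (the kind of thing a policy library such as Casbin, mentioned in the reply above, would express) would replace the `readOnlyMethods` map rather than this middleware's structure.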
