apache / apisix-dashboard

Dashboard for Apache APISIX
https://apisix.apache.org/
Apache License 2.0
980 stars 520 forks

How to create a viewer account for apisix-dashboard? #1825

Open oldthreefeng opened 3 years ago

oldthreefeng commented 3 years ago

Feature request

Please describe your feature

apisix-dashboard creates an admin account via apisix-cm.yaml, but how do I create a read-only account for a dev user?

Describe the solution you'd like

like apisix X-API-KEY.

nic-chen commented 3 years ago

Doesn't support this feature now. PR is welcome.

bisakhmondal commented 3 years ago

I can give it a try. @nic-chen how are we planning to support this as of now, through YAML? Seems like we had a similar conversation a month back :)

starsz commented 3 years ago

> I can give it a try. @nic-chen how are we planning to support this as of now, through YAML? Seems like we had a similar conversation a month back :)

Using YAML is fine. And the front end should also do some work. You can refer to the config of apisix. https://github.com/apache/apisix/blob/504cd1b0966880101b3e2582cfb1cf65f23a7863/conf/config-default.yaml#L82-L83

You can send your proposal to the email list. Then we can discuss it.

bisakhmondal commented 3 years ago

> https://github.com/apache/apisix/blob/504cd1b0966880101b3e2582cfb1cf65f23a7863/conf/config-default.yaml#L82-L83

This looks good. Thanks for the reference.

> You can send your proposal to the email list. Then we can discuss it.

Sure. I'd be happy to do so :)

liuxiran commented 3 years ago

Hi @bisakhmondal, there is a PR to refactor our auth framework, hope this can help you.

And for an easy way to create a view user, sorry, we still do not have a plan to do it. If you have some ideas about it, you are welcome to send mail to our mail list. Thanks a lot.

bisakhmondal commented 3 years ago

Hi @liuxiran, Thanks for sharing the details.

Since Dashboard is for the authenticated users, we definitely can work on top of the authentication framework by storing another field something similar to "restrict-full-access": bool in the etcd for each user. The info gets encoded into the existing jwt and passed to the web-ui / CLI on successful signin. We will add a middleware or modify the existing one to restrict the protected routes (here ig HTTP methods, allow only GET requests, no POST, PUT, PATCH or DELETE). And for the frontend part, we can cache the info in a react state while receiving the jwt from the backend and perform all sorts of restrictions.

Let me know how this sounds (also @nic-chen @starsz). I would love to hear from you. Thanks.

starsz commented 3 years ago

> Hi @liuxiran, Thanks for sharing the details.
>
> Since Dashboard is for the authenticated users, we definitely can work on top of the authentication framework by storing another field something similar to "restrict-full-access": bool in the etcd for each user. The info gets encoded into the existing jwt and passed to the web-ui / CLI on successful signin. We will add a middleware or modify the existing one to restrict the protected routes (here ig HTTP methods, allow only GET requests, no POST, PUT, PATCH or DELETE). And for the frontend part, we can cache the info in a react state while receiving the jwt from the backend and perform all sorts of restrictions.
>
> Let me know how this sounds (also @nic-chen @starsz). I would love to hear from you. Thanks.

That sounds good. Maybe we can discuss this in the email list.
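The middleware proposed in the comments above, sketched as an added example; it is not apisix-dashboard code and not part of the thread. It verifies the token before reading the `restrict-full-access` claim and enforces the GET-only rule on the server, so the restriction does not depend on the frontend hiding controls. Assumptions: the token is an HS256 JWT sent raw in the `Authorization` header, the names `token`, `decide` and `guard` are hypothetical, and expiry checks stay in the existing auth layer.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// token appends the base64url HMAC-SHA256 signature (JWT HS256) to msg.
func token(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return msg + "." + base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// decide returns the status the guard answers with; 200 means "pass it on".
func decide(key []byte, tok, method string) int {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(token(key, p[0]+"."+p[1])), []byte(tok)) {
		return http.StatusUnauthorized // claims of an unverified token are never read
	}
	var c struct{ RO bool `json:"restrict-full-access"` } // hypothetical claim from the thread
	if raw, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return http.StatusUnauthorized
	}
	if c.RO && method != http.MethodGet {
		return http.StatusForbidden // allowlist: anything but GET fails closed
	}
	return http.StatusOK
}

func guard(key []byte, next http.Handler) http.Handler { // middleware form of decide
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := decide(key, r.Header.Get("Authorization"), r.Method); code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // constructed key and token for a restricted "dev" user
	e, key := base64.RawURLEncoding.EncodeToString, []byte("constructed-demo-secret")
	ro := token(key, e([]byte(`{"alg":"HS256"}`))+"."+e([]byte(`{"restrict-full-access":true}`)))
	fmt.Println(decide(key, ro, "GET"), decide(key, ro, "DELETE"), decide(key, ro+"x", "GET"))
}
```

Because the rule is an allowlist of GET rather than a denylist of POST, PUT, PATCH and DELETE, a method nobody thought to list is refused for a restricted user instead of passing through.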

tranthang2404 commented 1 year ago

I would love to have this feature too.