Description
In my scenario, the route enables both the proxy-rewrite and authz-keycloak plugins:
```json
{
  "uri": "/elastic-compute1/*",
  "name": "test1",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE"
  ],
  "plugins": {
    "authz-keycloak": {
      "client_id": "xx",
      "client_secret": "yyyyy",
      "disable": false,
      "http_method_as_scope": true,
      "lazy_load_paths": true,
      "resource_registration_endpoint": "https://keycloak.paas-middleware:8443/auth/realms/xx/authz/protection/resource_set",
      "ssl_verify": false,
      "token_endpoint": "https://keycloak.paas-middleware:8443/auth/realms/xx/protocol/openid-connect/token"
    },
    "key-auth": {
      "disable": false
    },
    "proxy-rewrite": {
      "headers": {
        "X-App-Id": "$consumer_name"
      },
      "regex_uri": [
        "^/elastic-compute1/(.*)",
        "/elastic-compute/$1"
      ]
    }
  },
  "upstream_id": "1",
  "status": 1
}
```
I notice that the proxy-rewrite plugin's priority is smaller than authz-keycloak's, which means the proxy-rewrite plugin is processed first.

The request is `/elastic-compute1/v1/clusters`, so `ctx.var.upstream_uri` matches the proxy-rewrite `regex_uri` and becomes `/elastic-compute/v1/clusters`.

BUT the authz-keycloak plugin uses `ctx.var.request_uri` as the resource id sent to Keycloak to get permissions:
```lua
-- Resolve URI to resource(s).
permission, err = authz_keycloak_resolve_resource(conf, ctx.var.request_uri,
                                                  sa_access_token)
```
Is it designed this way? Or maybe we can replace `request_uri` with `upstream_uri` when they are not the same (which usually means the request was processed by proxy-rewrite before), something like this:
```lua
-- Resolve URI to resource(s).
-- Prefer the rewritten upstream URI when proxy-rewrite changed it.
local uri = ctx.var.request_uri
if uri ~= ctx.var.upstream_uri then
    uri = ctx.var.upstream_uri
end
permission, err = authz_keycloak_resolve_resource(conf, uri,
                                                  sa_access_token)
```
In my scenario, I do need the resulting URI processed by the proxy-rewrite plugin, so I wonder whether this is a scenario that was overlooked and we can make some improvements?
Environment

- APISIX version (run `apisix version`): 2.14.1
- Operating system (run `uname -a`): centos 3.10.0-1160.el7.x86_64
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`): 1.19.9.1
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): 3.5.4
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
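The following is an added simulation, not code from APISIX or Keycloak, that walks the route above through the two plugins in the order the issue describes (proxy-rewrite runs in the rewrite phase, before authz-keycloak's access phase, so `upstream_uri` is already rewritten when the authorization check runs). It reproduces the `regex_uri` pair and `http_method_as_scope` setting from the route, and assumes a constructed stand-in for Keycloak's resource registry in which resources are registered under the upstream path (`/elastic-compute/...`), which is the situation the reporter describes. The `resolve_resource` matcher is a simplified exact-or-prefix lookup, not Keycloak's real `matchingUri` algorithm; the function and variable names are the example's own.

```python
"""Added example (not APISIX or Keycloak code): simulate which URI each plugin
sees and what permission strings authz-keycloak would ask Keycloak for, under
the current behaviour (request_uri) and the proposed change (upstream_uri)."""
import re
from dataclasses import dataclass

# Values taken from the route in the issue.
REGEX_URI = ("^/elastic-compute1/(.*)", "/elastic-compute/$1")
HTTP_METHOD_AS_SCOPE = True

# Constructed stand-in for resources registered via Keycloak's protection API.
# Assumption: they are registered under the rewritten (upstream) path.
REGISTERED_RESOURCES = {
    "res-clusters": ["/elastic-compute/v1/clusters", "/elastic-compute/v1/clusters/*"],
}


@dataclass
class Ctx:
    """Minimal stand-in for ctx.var: request_uri is the URI as received,
    upstream_uri is what proxy-rewrite may change (starts equal to request_uri)."""
    method: str
    request_uri: str
    upstream_uri: str = ""

    def __post_init__(self):
        if not self.upstream_uri:
            self.upstream_uri = self.request_uri


def proxy_rewrite(ctx: Ctx) -> Ctx:
    """Apply the regex_uri rule the way proxy-rewrite does: only upstream_uri changes,
    request_uri keeps the client's original path."""
    pattern, replacement = REGEX_URI
    # APISIX writes back-references PCRE-style ($1); Python's re.sub wants \1.
    py_replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)
    if re.match(pattern, ctx.upstream_uri):
        ctx.upstream_uri = re.sub(pattern, py_replacement, ctx.upstream_uri)
    return ctx


def resolve_resource(uri: str) -> list:
    """Constructed stand-in for the protection-API lookup (?uri=...&matchingUri=true):
    return the ids of resources whose registered URI equals `uri` or is a
    trailing-'*' prefix of it. Simplified; not Keycloak's real matcher."""
    matched = []
    for rid, uris in REGISTERED_RESOURCES.items():
        for registered in uris:
            prefix_hit = registered.endswith("/*") and uri.startswith(registered[:-1])
            if prefix_hit or registered == uri:
                matched.append(rid)
                break
    return matched


def authz_keycloak_permissions(ctx: Ctx, use_upstream_uri: bool) -> list:
    """Build the 'resource#scope' permission strings the plugin would request.
    use_upstream_uri=False mirrors the current plugin (request_uri only);
    use_upstream_uri=True mirrors the change proposed in the issue."""
    uri = ctx.request_uri
    if use_upstream_uri and uri != ctx.upstream_uri:
        uri = ctx.upstream_uri
    scope = ctx.method if HTTP_METHOD_AS_SCOPE else None
    return [f"{rid}#{scope}" if scope else rid for rid in resolve_resource(uri)]


def run_pipeline(method: str, request_uri: str, use_upstream_uri: bool):
    """Run rewrite phase (proxy-rewrite) then access phase (authz-keycloak)."""
    ctx = proxy_rewrite(Ctx(method, request_uri))
    return ctx, authz_keycloak_permissions(ctx, use_upstream_uri)


if __name__ == "__main__":
    for use_upstream in (False, True):
        ctx, perms = run_pipeline("GET", "/elastic-compute1/v1/clusters", use_upstream)
        print(f"use_upstream_uri={use_upstream}: request_uri={ctx.request_uri} "
              f"upstream_uri={ctx.upstream_uri} permissions={perms}")
```

With resources registered under the upstream path, the current lookup by `request_uri` resolves to no resource at all (so the request is denied before any scope is even evaluated), while the proposed `upstream_uri` lookup yields `res-clusters#GET`. The flip side, worth keeping in mind for a real change, is the opposite deployment: if resources were registered under the client-facing path, switching to `upstream_uri` would break them, which is why the issue frames it as a conditional fallback rather than an unconditional swap.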