Baidu AI Cloud

API Gateway

Access Control

Access control is one of the security components provided by the API gateway. You can configure a control policy based on the request source IP, user's account ID (ACCOUNT ID), or application AK (APP KEY) to decide whether calling the specified API is allowed.

There are two types of access control, namely allow and prohibit:

Allow: This type of access control only allows requests that meet the policy to pass.

Prohibit: This type of access control will reject requests that meet the policy.

There are two conditions for the access control policy to take effect: satisfying any one policy and satisfying all policies at the same time:

Meet any policy: When the access control type is allow, a request only needs to meet any one of the policies to pass, and it is rejected when it meets none of them. When the access control type is prohibit, a request that meets any one of the policies is rejected, and it passes only when it meets none of them.

Meet all policies at the same time: When the access control type is allow, a request must meet all the policies at the same time to be forwarded to the backend; all other requests are rejected. When the access control type is prohibit, a request is rejected (not forwarded to the backend) only when it meets all the policy conditions; in every other case it is allowed.

Create Access Control

1. Select "Access Control" and click "New Access Control" to create a new access control.

2. There are two types of access control, "Allow" and "Forbidden", which allow and deny requests respectively.

3. The effective conditions of the access control policy are also of two types: satisfying any one policy and satisfying all policies at the same time, as defined above.

Fill in the corresponding information, and after selecting the access control type, click "Confirm" to complete the creation.

Policy Addition

An access control can add up to 3 policy items, corresponding to three different dimensions: source IP, user's account ID (ACCOUNT ID) or application AK (APP KEY). According to the type of access control and the effective conditions of the policy, the API gateway will choose to allow or deny the request.

1. In the access control details page, click "Add Policy Item" to add a policy item:

You can also click Manage under the "Control Policy" column on the access control list page to enter the access control details and add policy items:

2. After opening the dialog box for adding a policy item, select the policy dimension and add the policy items for that dimension. For the IP dimension, the policy item is the source IP of the request, so fill in the IP or IP segment the policy should apply to. For the AK dimension, the policy item is the app key of the request source, so fill in the app key the policy should apply to. For the account ID dimension, the policy item is the account ID of the request, so fill in the user's account ID. More than one policy item can be filled in (separate multiple items with line breaks or ";"; the number should not exceed 50):
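The decision rules described earlier and the item format from this step, as an added example in Python that is not Baidu's code. The function names, the request dictionary and the sample values are hypothetical; IP segments are assumed to be CIDR ranges, and a request lacking an attribute is assumed not to meet that policy.

```python
import ipaddress
import re

MAX_ITEMS = 50  # item limit per policy, as stated on the page

def parse_items(text):
    """Split a policy field on line breaks or ';' and enforce the 50-item limit."""
    items = [s.strip() for s in re.split(r"[;\n]", text) if s.strip()]
    if len(items) > MAX_ITEMS:
        raise ValueError(f"{len(items)} items exceeds the limit of {MAX_ITEMS}")
    return items

def policy_met(dimension, items, request):
    """True if the request meets one policy; a missing attribute never matches (assumption)."""
    value = request.get(dimension)
    if value is None:
        return False
    if dimension == "ip":  # single IP or IP segment; CIDR notation is assumed
        addr = ipaddress.ip_address(value)
        return any(addr in ipaddress.ip_network(i, strict=False) for i in items)
    return value in items  # account_id and app_key are compared exactly

def decide(control_type, condition, policies, request):
    """Return True when the request is forwarded, False when it is rejected."""
    if control_type not in ("allow", "prohibit") or condition not in ("any", "all"):
        raise ValueError("unknown access control type or effective condition")
    if not 1 <= len(policies) <= 3:
        raise ValueError("expected 1 to 3 policies, one per dimension")
    results = [policy_met(d, parse_items(t), request) for d, t in policies.items()]
    met = any(results) if condition == "any" else all(results)
    return met if control_type == "allow" else not met

# Constructed sample data (documentation address ranges, made-up app keys).
POLICIES = {"ip": "203.0.113.0/24;198.51.100.7", "app_key": "ak-demo-1\nak-demo-2"}
REQUESTS = {
    "ip+key": {"ip": "203.0.113.9", "app_key": "ak-demo-1"},
    "ip only": {"ip": "203.0.113.9", "app_key": "ak-other"},
    "neither": {"ip": "192.0.2.1"},
}

def decision_table():
    """Map (type, condition) to the verdict for each sample request."""
    return {(t, c): {n: decide(t, c, POLICIES, r) for n, r in REQUESTS.items()}
            for t in ("allow", "prohibit") for c in ("any", "all")}

if __name__ == "__main__":
    for mode, verdicts in decision_table().items():
        print(mode, verdicts)
```

With type prohibit and "meet all policies", the "ip only" request is forwarded even though its source IP is listed, so a deny list that should block on any single dimension needs "meet any policy".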

Edit Policy

In the details page of access control, you can edit the policy and change its specific policy items:

Policy Deletion

In the details page of access control, click the "Delete" button of the corresponding policy and confirm to delete the policy.

API Binding

One API has test, pre-release and on-line environments, and each environment can bind only one access control. If an API that already has an access control bound is bound to a new access control, the new access control overrides the old one for that API.

1. In the access control details page, click "Binding API List" and then click "Binding API" to bind the API:

Or click "Manage" under the "Binding API Quantity" column on the access control list page, and then click "Binding API" to bind:

2. After opening the API binding dialog box, select the API to be bound:

Note: If a policy has already been bound to the API, it is overwritten by the currently bound policy.

API Unbinding

In the details page of access control, click "Unbind" under the corresponding API "Operation" column in the "Bound API List":

To unbind multiple APIs, tick the corresponding API, and then click "Batch Unbundling":

Edit Access Control

Both the list page and the details page of access control provide an entry for editing the access control.

After clicking the edit button, you can edit the name, type, description and other information of the access control.

After editing, click OK to save the edited content.

Delete Access Control

In the access control list, click "Delete" under the "Operation" column, and delete the IP access control after confirmation:
