Seeking advice: forward-auth or lua plugin for mysql auth #7224
Replies: 2 comments
-
You may try to think about this problem from if the way you do the auth will change? Of course, you can write such a Lua plugin to implement the auth, but it also couples Apache APISIX with MySQL, you have to configure some MySQL credentials for Apache APISIX, and you have to pay more attention to the MySQL workload since APISIX might tremendous API requests, and what's worse is if you need to change the auth, you have to write another Lua plugin and consider the same problem you meet this time.
With the help of the forward-auth plugin, you can implement your own auth server and provide auth API to APISIX. Apache APISIX then doesn't care about the details of the auth server. You can implement the auth server with MySQL, with some fancy technologies and the most important thing is, that APISIX doesn't perceive the auth topology, this is useful for migration.
-
Thanks, Alex.
As far as change goes, that wasn’t a concern. I actually assume I’ll change it at some point to handle things like SAML. I wanted to start simple, get good performance, and not have to deal with instrumenting a custom auth server.
Controlling bursts of requests does sound like a problem in particular. Thanks for bringing it up. I planned on running proxysql between it and the db.
Would heavy caching be an issue in the lua plug-in environment? Say I wanted to keep recently used keys in memory, which could be a significant amount of data, especially if I cache bad keys.
Being able to scale the auth pool separately from the api gateway is appealing.
… On Jun 9, 2022, at 6:44 PM, Alex Zhang ***@***.***> wrote:
You may try to think about this problem from if the way you do the auth will change? Of course, you can write such a Lua plugin to implement the auth, but it also couples Apache APISIX with MySQL, you have to configure some MySQL credentials for Apache APISIX, and you have to pay more attention to the MySQL workload since APISIX might tremendous API requests, and what's worse is if you need to change the auth, you have to write another Lua plugin and consider the same problem you meet this time.
With the help of the forward-auth plugin, you can implement your own auth server and provide auth API to APISIX. Apache APISIX then doesn't care about the details of the auth server. You can implement the auth server with MySQL, with some fancy technologies and the most important thing is, that APISIX doesn't perceive the auth topology, this is useful for migration.
-
I need to authenticate apikeys from a MySQL database and then encrypt some data to send to the backend service. What are the tradeoffs between using the forward-auth plugin vs writing my own lua auth plugin?
From what I gather it could be more efficient to write the lua plugin since there will be no serializing/deserializing of data for the subrequest. Operationally it would be simpler as well - no extra process to manage. I'm sure Lua has libraries to meet my crypto needs. Likely just hmac/sha2 (unless I can find something faster that is supported in all my backends).
Is there any reason I should consider forward-auth instead?
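
Added example, not written by any participant in this thread and not APISIX project code: the key check an auth service behind forward-auth could run, with a size-bounded cache that also remembers bad keys (the memory concern raised in the reply above) and an HMAC-SHA256 tag for the backend. The `KEY_TABLE` dict stands in for the MySQL table, and the header names `X-Consumer` and `X-Signature`, the TTLs and the secret are assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from collections import OrderedDict

# Constructed stand-in for the MySQL table: sha256(api key) -> consumer id.
# Storing only the digest means a database leak does not expose usable keys.
KEY_TABLE = {hashlib.sha256(b"demo-key-1").hexdigest(): "consumer-a"}
SIGNING_SECRET = b"constructed-demo-secret"  # assumed to be shared with the backend


class KeyCache:
    """Bounded LRU with per-entry expiry; failed lookups are cached too."""

    def __init__(self, max_items=10000, ok_ttl=300, bad_ttl=30):
        self.max_items, self.ok_ttl, self.bad_ttl = max_items, ok_ttl, bad_ttl
        self.items = OrderedDict()  # digest -> (consumer or None, expires_at)
        self.db_lookups = 0

    def lookup(self, api_key, now=None):
        now = time.monotonic() if now is None else now
        # Fixed-size cache key: arbitrarily long bogus keys cannot inflate memory.
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        hit = self.items.get(digest)
        if hit and hit[1] > now:
            self.items.move_to_end(digest)
            return hit[0]
        self.db_lookups += 1
        consumer = KEY_TABLE.get(digest)  # real service: parameterized SELECT
        ttl = self.ok_ttl if consumer else self.bad_ttl  # short TTL for bad keys
        self.items[digest] = (consumer, now + ttl)
        self.items.move_to_end(digest)
        while len(self.items) > self.max_items:
            self.items.popitem(last=False)  # evict the least recently used entry
        return consumer


def authorize(cache, api_key, payload, now=None):
    """Return (status, headers) the way a forward-auth style service would."""
    consumer = cache.lookup(api_key, now)
    if consumer is None:
        return 401, {}
    tag = hmac.new(SIGNING_SECRET, consumer.encode() + b"\n" + payload,
                   hashlib.sha256).hexdigest()
    return 200, {"X-Consumer": consumer, "X-Signature": tag}
```

Because entries are evicted by count and keyed by a fixed-length digest, a flood of invalid keys costs at most `max_items` entries; the short `bad_ttl` limits how long a newly issued key can be wrongly rejected.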