apache · spacewander · Sep 13, 2022 · Aug 31, 2022
diff --git a/apisix/admin/init.lua b/apisix/admin/init.lua
@@ -63,8 +63,8 @@ local router
 
 local function check_token(ctx)
     local local_conf = core.config.local_conf()
-    if not local_conf or not local_conf.apisix
-       or not local_conf.apisix.admin_key then
+    local admin_key = core.table.try_read_attr(local_conf, "deployment", "admin", "admin_key")
+    if not admin_key then
         return true
     end
 
@@ -75,7 +75,7 @@ local function check_token(ctx)
     end
 
     local admin
-    for i, row in ipairs(local_conf.apisix.admin_key) do
+    for i, row in ipairs(admin_key) do
         if req_token == row.key then
             admin = row
             break

diff --git a/apisix/admin/v3_adapter.lua b/apisix/admin/v3_adapter.lua
@@ -48,7 +48,7 @@ local function enable_v3()
         return false
     end
 
-    local api_ver = try_read_attr(local_conf, "apisix", "admin_api_version")
+    local api_ver = try_read_attr(local_conf, "deployment", "admin", "admin_api_version")
     if api_ver ~= "v3" then
         admin_api_version = "default"
         return false

diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
@@ -183,8 +183,10 @@ local function init(env)
 
     -- check the Admin API token
     local checked_admin_key = false
-    if yaml_conf.apisix.enable_admin and yaml_conf.apisix.allow_admin then
-        for _, allow_ip in ipairs(yaml_conf.apisix.allow_admin) do
+    local allow_admin = yaml_conf.deployment.admin and
+        yaml_conf.deployment.admin.allow_admin
+    if yaml_conf.apisix.enable_admin and allow_admin then
+        for _, allow_ip in ipairs(allow_admin) do
             if allow_ip == "127.0.0.0/24" then
                 checked_admin_key = true
             end
@@ -198,13 +200,17 @@ local function init(env)
 Please modify "admin_key" in conf/config.yaml .
 
 ]]
-        if type(yaml_conf.apisix.admin_key) ~= "table" or
-           #yaml_conf.apisix.admin_key == 0
+        local admin_key = yaml_conf.deployment.admin
+        if admin_key then
+            admin_key = admin_key.admin_key
+        end
+
+        if type(admin_key) ~= "table" or #admin_key == 0
         then
             util.die(help:format("ERROR: missing valid Admin API token."))
         end
 
-        for _, admin in ipairs(yaml_conf.apisix.admin_key) do
+        for _, admin in ipairs(admin_key) do
             if type(admin.key) == "table" then
                 admin.key = ""
             else
@@ -224,6 +230,19 @@ Please modify "admin_key" in conf/config.yaml .
         end
     end
 
+    if yaml_conf.deployment.admin then
+        local admin_api_mtls = yaml_conf.deployment.admin.admin_api_mtls
+        local https_admin = yaml_conf.deployment.admin.https_admin
+        if https_admin and not (admin_api_mtls and
+            admin_api_mtls.admin_ssl_cert and
+            admin_api_mtls.admin_ssl_cert ~= "" and
+            admin_api_mtls.admin_ssl_cert_key and
+            admin_api_mtls.admin_ssl_cert_key ~= "")
+        then
+            util.die("missing ssl cert for https admin")
+        end
+    end
+
     if yaml_conf.apisix.enable_admin and
         yaml_conf.apisix.config_center == "yaml"
     then
@@ -315,8 +334,8 @@ Please modify "admin_key" in conf/config.yaml .
     -- listen in admin use a separate port, support specific IP, compatible with the original style
     local admin_server_addr
     if yaml_conf.apisix.enable_admin then
-        local ip = yaml_conf.apisix.admin_listen.ip
-        local port = yaml_conf.apisix.admin_listen.port
+        local ip = yaml_conf.deployment.admin.admin_listen.ip
+        local port = yaml_conf.deployment.admin.admin_listen.port
         admin_server_addr = validate_and_get_listen_addr("admin port", "0.0.0.0", ip,
                                                           9180, port)
     end
@@ -464,17 +483,6 @@ Please modify "admin_key" in conf/config.yaml .
         yaml_conf.apisix.ssl.ssl_trusted_certificate = cert_path
     end
 
-    local admin_api_mtls = yaml_conf.apisix.admin_api_mtls
-    if yaml_conf.apisix.https_admin and
-       not (admin_api_mtls and
-            admin_api_mtls.admin_ssl_cert and
-            admin_api_mtls.admin_ssl_cert ~= "" and
-            admin_api_mtls.admin_ssl_cert_key and
-            admin_api_mtls.admin_ssl_cert_key ~= "")
-    then
-        util.die("missing ssl cert for https admin")
-    end
-
     -- enable ssl with place holder crt&key
     yaml_conf.apisix.ssl.ssl_cert = "cert/ssl_PLACE_HOLDER.crt"
     yaml_conf.apisix.ssl.ssl_cert_key = "cert/ssl_PLACE_HOLDER.key"
@@ -570,6 +578,11 @@ Please modify "admin_key" in conf/config.yaml .
     for k,v in pairs(yaml_conf.nginx_config) do
         sys_conf[k] = v
     end
+    if yaml_conf.deployment.admin then
+        for k,v in pairs(yaml_conf.deployment.admin) do
+            sys_conf[k] = v
+        end
+    end
     sys_conf["wasm"] = yaml_conf.wasm
 
 
@@ -588,10 +601,6 @@ Please modify "admin_key" in conf/config.yaml .
         sys_conf["worker_processes"] = "auto"
     end
 
-    if sys_conf.allow_admin and #sys_conf.allow_admin == 0 then
-        sys_conf.allow_admin = nil
-    end
-
     local dns_resolver = sys_conf["dns_resolver"]
     if not dns_resolver or #dns_resolver == 0 then
         local dns_addrs, err = local_dns_resolver("/etc/resolv.conf")

diff --git a/apisix/cli/schema.lua b/apisix/cli/schema.lua
@@ -65,6 +65,7 @@ local etcd_schema = {
     },
     required = {"prefix", "host"}
 }
+
 local config_schema = {
     type = "object",
     properties = {
@@ -133,19 +134,6 @@ local config_schema = {
                         }
                     }
                 },
-                https_admin = {
-                    type = "boolean",
-                },
-                admin_listen = {
-                    properties = {
-                        listen = { type = "string" },
-                        port = { type = "integer" },
-                    },
-                    default = {
-                        listen = "0.0.0.0",
-                        port = 9180,
-                    }
-                },
                 stream_proxy = {
                     type = "object",
                     properties = {
@@ -292,17 +280,51 @@ local config_schema = {
             type = "object",
             properties = {
                 role = {
-                    enum = {"traditional", "control_plane", "data_plane", "standalone"}
+                    enum = {"traditional", "control_plane", "data_plane", "standalone"},
+                    default = "traditional"
+                }
+            },
+        },
+    },
+    required = {"apisix", "deployment"},
+}
+
+local admin_schema = {
+    type = "object",
+    properties = {
+        admin_key = {
+            type = "array",
+            properties = {
+                items = {
+                    properties = {
+                        name = {type = "string"},
+                        key = {type = "string"},
+                        role = {type = "string"},
+                    }
                 }
+            }
+        },
+        admin_listen = {
+            properties = {
+                listen = { type = "string" },
+                port = { type = "integer" },
             },
-            required = {"role"},
+            default = {
+                listen = "0.0.0.0",
+                port = 9180,
+            }
+        },
+        https_admin = {
+            type = "boolean",
         },
     }
 }
+
 local deployment_schema = {
     traditional = {
         properties = {
             etcd = etcd_schema,
+            admin = admin_schema,
             role_traditional = {
                 properties = {
                     config_provider = {
@@ -402,13 +424,11 @@ function _M.validate(yaml_conf)
         end
     end
 
-    if yaml_conf.deployment then
-        local role = yaml_conf.deployment.role
-        local validator = jsonschema.generate_validator(deployment_schema[role])
-        local ok, err = validator(yaml_conf.deployment)
-        if not ok then
-            return false, "invalid deployment " .. role .. " configuration: " .. err
-        end
+    local role = yaml_conf.deployment.role
+    local validator = jsonschema.generate_validator(deployment_schema[role])
+    local ok, err = validator(yaml_conf.deployment)
+    if not ok then
+        return false, "invalid deployment " .. role .. " configuration: " .. err
     end
 
     return true

diff --git a/apisix/init.lua b/apisix/init.lua
@@ -762,7 +762,7 @@ end
 
 local function cors_admin()
     local_conf = core.config.local_conf()
-    if local_conf.apisix and not local_conf.apisix.enable_admin_cors then
+    if not core.table.try_read_attr(local_conf, "deployment", "admin", "enable_admin_cors") then
         return
     end
 

diff --git a/benchmark/run.sh b/benchmark/run.sh
@@ -68,11 +68,6 @@ else
 fi
 
 echo "
-apisix:
-  admin_key:
-    - name: admin
-      key: edd1c9f034335f136f87ad84b625c8f1
-      role: admin
 nginx_config:
   worker_processes: ${worker_cnt}
 " > conf/config.yaml

diff --git a/conf/config-default.yaml b/conf/config-default.yaml
@@ -29,7 +29,6 @@ apisix:
   #     port: 9082
   #     enable_http2: true
   enable_admin: true
-  enable_admin_cors: true           # Admin API support CORS response headers.
   enable_dev_mode: false            # Sets nginx worker_processes to 1 if set to true
   enable_reuseport: true            # Enable nginx SO_REUSEPORT switch if set to true.
   show_upstream_status_in_response_header: false # when true all upstream status write to `X-APISIX-Upstream-Status` otherwise only 5xx code
@@ -71,37 +70,6 @@ apisix:
       - name: memory_cache
         memory_size: 50m
 
-  allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
-    - 127.0.0.0/24              # If we don't set any IP list, then any IP access is allowed by default.
-    #- "::/64"
-  admin_listen:                 # use a separate port
-    ip: 0.0.0.0                 # Specific IP, if not set, the default value is `0.0.0.0`.
-    port: 9180                  # Specific port, which must be different from node_listen's port.
-
-  #https_admin: true            # enable HTTPS when use a separate port for Admin API.
-                                # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
-  admin_api_mtls:               # Depends on `admin_listen` and `https_admin`.
-    admin_ssl_cert: ""          # Path of your self-signed server side cert.
-    admin_ssl_cert_key: ""      # Path of your self-signed server side key.
-    admin_ssl_ca_cert: ""       # Path of your self-signed ca cert.The CA is used to sign all admin api callers' certificates.
-
-  admin_api_version: v3        # The version of admin api, latest version is v3.
-
-  # Default token when use API to call for Admin API.
-  # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
-  # Disabling this configuration item means that the Admin API does not
-  # require any authentication.
-  admin_key:
-    -
-      name: admin
-      key: edd1c9f034335f136f87ad84b625c8f1
-      role: admin                 # admin: manage all configuration data
-                                  # viewer: only can view configuration data
-    -
-      name: viewer
-      key: 4054f7cf07e344346cd3f287985e76a2
-      role: viewer
-
   delete_uri_tail_slash: false    # delete the '/' at the end of the URI
   # The URI normalization in servlet is a little different from the RFC's.
   # See https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization,
@@ -543,6 +511,40 @@ deployment:
   role: traditional
   role_traditional:
     config_provider: etcd
+  admin:
+    # Default token when use API to call for Admin API.
+    # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
+    # Disabling this configuration item means that the Admin API does not
+    # require any authentication.
+    admin_key:
+      -
+        name: admin
+        key: edd1c9f034335f136f87ad84b625c8f1
+        role: admin                 # admin: manage all configuration data
+                                    # viewer: only can view configuration data
+      -
+        name: viewer
+        key: 4054f7cf07e344346cd3f287985e76a2
+        role: viewer
+
+    enable_admin_cors: true         # Admin API support CORS response headers.
+    allow_admin:                    # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
+      - 127.0.0.0/24                # If we don't set any IP list, then any IP access is allowed by default.
+      #- "::/64"
+    admin_listen:                 # use a separate port
+      ip: 0.0.0.0                 # Specific IP, if not set, the default value is `0.0.0.0`.
+      port: 9180                  # Specific port, which must be different from node_listen's port.
+
+    #https_admin: true            # enable HTTPS when use a separate port for Admin API.
+                                  # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
+
+    admin_api_mtls:               # Depends on `admin_listen` and `https_admin`.
+      admin_ssl_cert: ""          # Path of your self-signed server side cert.
+      admin_ssl_cert_key: ""      # Path of your self-signed server side key.
+      admin_ssl_ca_cert: ""       # Path of your self-signed ca cert.The CA is used to sign all admin api callers' certificates.
+
+    admin_api_version: v3         # The version of admin api, latest version is v3.
+
   etcd:
     host:                           # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
       - "http://127.0.0.1:2379"     # multiple etcd address, if your etcd cluster enables TLS, please use https scheme,

diff --git a/conf/config.yaml b/conf/config.yaml
@@ -52,8 +52,12 @@
 #
 # This will find environment variable `ETCD_HOST` first, and if it's not exist it will use `localhost` as default value.
 #
-apisix:
-  admin_key:
-    - name: admin
-      key: edd1c9f034335f136f87ad84b625c8f1  # using fixed API token has security risk, please update it when you deploy to production environment
-      role: admin
+deployment:
+  role: traditional
+  role_traditional:
+    config_provider: etcd
+  admin:
+    admin_key:
+      - name: admin
+        key: edd1c9f034335f136f87ad84b625c8f1  # using fixed API token has security risk, please update it when you deploy to production environment
+        role: admin
diff --git a/docs/en/latest/FAQ.md b/docs/en/latest/FAQ.md
@@ -365,10 +365,11 @@ You can follow the steps below to configure this:
 1. Configure different ports for Apache APISIX proxy and Admin API. Or, disable the Admin API.
 
 ```yaml
-apisix:
-  admin_listen: # use a separate port
-    ip: 127.0.0.1
-    port: 9180
+deployment:
+  admin:
+    admin_listen: # use a separate port
+      ip: 127.0.0.1
+      port: 9180
 ```
 
 2. Add a proxy Route for the Apache APISIX dashboard:
@@ -501,9 +502,10 @@ By default, Apache APISIX only allows IPs in the range `127.0.0.0/24` to access
 To allow IPs in all ranges, you can update your configuration file as show below and restart or reload Apache APISIX.
 
 ```yaml
-apisix:
-  allow_admin:
-    - 0.0.0.0/0
+deployment:
+  admin:
+    allow_admin:
+      - 0.0.0.0/0
 ```
 
 **Note**: This should only be used in non-production environments to allow all clients to access Apache APISIX and is not safe for production environments. Always authorize specific IP addresses or address ranges for production environments.