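/**
 * API gateway security and multi-tenant isolation — best-practice overview.
 *
 * The gateway is the single entry point and is responsible for authentication,
 * authorization and traffic governance. Tenant-scoped policies and quotas keep
 * tenants isolated from each other and guarantee fair use in a multi-tenant
 * deployment.
 */

// ---------------------------------------------------------------------------
// Policy engine
// ---------------------------------------------------------------------------

/** Request attributes the policy engine decides on. */
type GatewayContext = {
  tenantId: string;
  route: string;
  method: string;
  scopes: string[];
  ip: string;
};

/** Outcome of a policy evaluation; `reasons` is only present on a deny. */
type Decision = { allow: boolean; reasons?: string[] };

/**
 * Route whitelist plus `METHOD:route` -> scope mapping for the gateway.
 *
 * Evaluation order: whitelisted (public) routes pass without a scope check;
 * every other route is looked up in the scope map and the caller must hold
 * the mapped scope. Matching on `method` and `route` is exact (case-sensitive,
 * no normalisation) — callers are expected to normalise before calling.
 *
 * A route with NO entry in the scope map is allowed by default, which keeps
 * the original behaviour but is fail-open: an unmapped endpoint is reachable
 * with any token. Construct with `{ denyUnmapped: true }` to fail closed.
 */
class GatewayPolicy {
  /** Public routes per HTTP method that need no scope at all. */
  private readonly routeWhitelist: Record<string, string[]> = {
    GET: ['/health', '/status'],
  };

  /**
   * `METHOD:route` -> scope the caller must hold. Hoisted out of
   * requiredScope() so the table is built once rather than on every request.
   */
  private readonly scopeMap: Record<string, string> = {
    'POST:/orders': 'orders:write',
    'GET:/orders': 'orders:read',
  };

  /**
   * @param options.denyUnmapped when true, a non-whitelisted route with no
   *   scope mapping is denied with reason `route_unmapped`. Defaults to
   *   false (allow) so existing callers see unchanged behaviour.
   */
  constructor(private readonly options: { denyUnmapped?: boolean } = {}) {}

  /**
   * Decide whether the request described by `ctx` may pass.
   *
   * @returns `{ allow: true }`, or `{ allow: false, reasons }` where reasons
   *   holds `scope_missing` (mapped route, scope not held) or `route_unmapped`
   *   (only when `denyUnmapped` is set).
   */
  evaluate(ctx: GatewayContext): Decision {
    if (this.isWhitelisted(ctx)) return { allow: true };

    const required = this.requiredScope(ctx.route, ctx.method);
    if (required === null) {
      // Unmapped route: fail-open unless explicitly configured to fail closed.
      return this.options.denyUnmapped === true
        ? { allow: false, reasons: ['route_unmapped'] }
        : { allow: true };
    }

    if (!this.hasScope(ctx)) return { allow: false, reasons: ['scope_missing'] };
    return { allow: true };
  }

  /** True when `ctx.route` is listed as public for `ctx.method`. */
  private isWhitelisted(ctx: GatewayContext): boolean {
    const publicRoutes = this.routeWhitelist[ctx.method] ?? [];
    return publicRoutes.includes(ctx.route);
  }

  /** True when no scope is required, or the required scope is held. */
  private hasScope(ctx: GatewayContext): boolean {
    const required = this.requiredScope(ctx.route, ctx.method);
    return required === null ? true : ctx.scopes.includes(required);
  }

  /** Scope mapped for `METHOD:route`, or null when the route is unmapped. */
  private requiredScope(route: string, method: string): string | null {
    return this.scopeMap[`${method}:${route}`] ?? null;
  }
}

// ---------------------------------------------------------------------------
// Tenant quota and rate limiting
// ---------------------------------------------------------------------------

/**
 * Sliding-window rate limiter keyed by tenant id.
 *
 * Each tenant keeps the timestamps of its hits inside the last `windowMs`
 * milliseconds; a request is allowed while fewer than `maxPerWindow` hits are
 * in the window. Per-tenant state is bounded by `maxPerWindow`, but the set of
 * tenants is not — call `prune()` periodically to drop idle tenants.
 */
class TenantLimiter {
  /** Hit timestamps (ms) per tenant; only hits inside the window are kept. */
  private readonly hits = new Map<string, number[]>();

  /**
   * @param windowMs length of the sliding window in milliseconds
   * @param maxPerWindow maximum hits allowed per tenant inside one window;
   *   a value of 0 or less denies every request
   */
  constructor(
    private readonly windowMs: number,
    private readonly maxPerWindow: number,
  ) {}

  /**
   * Record a hit for `tenantId` if it is under quota.
   *
   * @param tenantId tenant the request belongs to
   * @param now current time in ms; injectable for deterministic tests,
   *   defaults to `Date.now()`
   * @returns true when the hit was admitted, false when the quota is exhausted
   */
  allow(tenantId: string, now: number = Date.now()): boolean {
    const recent = (this.hits.get(tenantId) ?? []).filter(
      (t) => now - t < this.windowMs,
    );
    if (recent.length >= this.maxPerWindow) {
      // Store the trimmed list even on deny so stale timestamps don't linger.
      this.hits.set(tenantId, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(tenantId, recent);
    return true;
  }

  /**
   * Drop tenants with no hits inside the current window so the map does not
   * grow without bound as tenants come and go.
   *
   * @param now current time in ms; defaults to `Date.now()`
   */
  prune(now: number = Date.now()): void {
    for (const [tenantId, stamps] of this.hits) {
      if (!stamps.some((t) => now - t < this.windowMs)) this.hits.delete(tenantId);
    }
  }
}

// ---------------------------------------------------------------------------
// Authentication and JWT scopes
// ---------------------------------------------------------------------------

/**
 * Claims the gateway reads from a token. `exp` is seconds since the epoch
 * (RFC 7519 NumericDate).
 */
type JwtPayload = { sub: string; tenant: string; scope: string[]; exp: number };

/**
 * Runtime shape check for a decoded payload. Replaces the unchecked
 * `as JwtPayload` cast, which would let a malformed or attacker-shaped claim
 * set flow into the policy engine as if it were typed.
 */
function isJwtPayload(value: unknown): value is JwtPayload {
  if (typeof value !== 'object' || value === null) return false;
  const v = value as Record<string, unknown>;
  return (
    typeof v.sub === 'string' &&
    typeof v.tenant === 'string' &&
    Array.isArray(v.scope) &&
    v.scope.every((s) => typeof s === 'string') &&
    typeof v.exp === 'number' &&
    Number.isFinite(v.exp)
  );
}

/**
 * Build a partial GatewayContext (tenant and scopes) from a JWT.
 *
 * `decodeJwt` is defined elsewhere and its behaviour is not visible here.
 * NOTE(review): this function assumes the decoder has already verified the
 * token's signature — confirm; if it only base64-decodes, every claim used
 * below is caller-controlled.
 *
 * @param token raw JWT string
 * @param options.decode decoder to use instead of `decodeJwt` (tests)
 * @param options.nowMs current time in ms for the expiry check; defaults to
 *   `Date.now()`
 * @returns context with `tenantId` and `scopes` filled; `route`, `method`
 *   and `ip` are left empty for the caller to populate
 * @throws Error when the payload does not match JwtPayload or is expired
 */
function extractCtxFromJwt(
  token: string,
  options: { decode?: (token: string) => unknown; nowMs?: number } = {},
): GatewayContext {
  const decode = options.decode ?? decodeJwt;
  const payload: unknown = decode(token);
  if (!isJwtPayload(payload)) throw new Error('invalid JWT payload');

  // RFC 7519: the current time MUST be before `exp` (seconds) for the token
  // to be valid, so now >= exp means expired.
  const nowMs = options.nowMs ?? Date.now();
  if (payload.exp * 1000 <= nowMs) throw new Error('JWT expired');

  return {
    tenantId: payload.tenant,
    route: '',
    method: '',
    scopes: [...payload.scope],
    ip: '',
  };
}

// ---------------------------------------------------------------------------
// Upstream mTLS and zero trust
// - Enable mTLS between the gateway and upstream services, with mutual
//   certificate verification.
// - Apply fine-grained access control by service identity and tenant label.
//
// Operational notes
// - Manage the route whitelist and the scope mapping centrally in the policy
//   engine.
// - Configure rate limits per tenant and per endpoint; monitor both the
//   rejection rate and the false-rejection rate.
// - Enable mTLS and service identity so the zero-trust chain runs from the
//   entry point through to the upstream.
//
// Combining the policy engine, per-tenant rate limiting and mTLS gives robust
// gateway security isolation in complex multi-tenant scenarios.
// ---------------------------------------------------------------------------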
