Ability to restrict key-auth credential to specific service or route #12620
Status: Closed
TimUnderhay started this conversation in Ideas and feature requests
There seems to be a security risk with the current key-auth implementation, and I would like to request a feature to mitigate it.
The Problem
The problem is security: if any of a consumer's key-auth API keys is compromised, then an attacker potentially gains access to all the routes or services which the consumer has access to by virtue of ACL memberships. One wants to be able to limit the damage a compromised key can cause, so that an attacker can only access a single service or route.
The Feature Request
I would like the ability to create unique API keys for a consumer / service or route pair, or to phrase it another way, to limit a specific key-auth credential's use to only a specific service or route. As it stands, one can create a key-auth credential for a consumer, but AFAIK, there is no way to restrict its use to a specific service or route.
Absent this ability, the workaround is to create a new consumer for every route / service that a given user has access to, creating a key-auth credential for that new consumer. This feels quite burdensome:
Thank you for your consideration!
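As an added example (not Kong's code and not part of the post above), the following Python audits the blast radius the post describes and applies the workaround it mentions. It assumes the Kong declarative (kong.yml) shape expressed as Python dicts: services with nested routes, `key-auth` and `acl` plugins attached at route or service level, consumers with `keyauth_credentials` and `acls`; global plugins are not modelled, and the workaround requires a route-level `acl` plugin with an `allow` list. The sample config, the `alice`/`bob` consumers, the key strings and the `user:route` naming convention are all constructed for illustration.

```python
"""Audit the blast radius of each key-auth key in a Kong declarative config
and apply the per-route-consumer workaround. Added example, not Kong code."""
import secrets
from copy import deepcopy


def _plugin(plugins, name):
    """Return the config dict of plugin `name` in a plugins list, or None."""
    for p in plugins or []:
        if p.get("name") == name:
            return p.get("config") or {}
    return None


def _allowed(groups, acl):
    """Mirror the acl plugin's decision for a consumer holding `groups`.
    No acl plugin at all means any authenticated consumer passes."""
    if acl is None:
        return True
    if acl.get("allow"):
        return bool(groups & set(acl["allow"]))
    if acl.get("deny"):
        return not (groups & set(acl["deny"]))
    return False  # schema requires allow or deny; treat anything else as deny-all


def protected_routes(config):
    """Yield (route_name, effective acl config) for every route guarded by
    key-auth. A route-level plugin overrides the service-level one (Kong's
    precedence order); global plugins are not modelled (assumption)."""
    for svc in config.get("services", []):
        svc_plugins = svc.get("plugins")
        for rt in svc.get("routes", []):
            rt_plugins = rt.get("plugins")
            if _plugin(rt_plugins, "key-auth") is None and _plugin(svc_plugins, "key-auth") is None:
                continue  # not key-auth protected: a leaked key changes nothing here
            acl = _plugin(rt_plugins, "acl")
            if acl is None:
                acl = _plugin(svc_plugins, "acl")
            yield rt["name"], acl


def consumer_reach(config, consumer):
    """Routes this consumer may call, via its ACL group memberships."""
    groups = {a["group"] for a in consumer.get("acls", [])}
    return {name for name, acl in protected_routes(config) if _allowed(groups, acl)}


def key_reach(config):
    """Map each key-auth key to the routes an attacker holding it could call."""
    reach = {}
    for c in config.get("consumers", []):
        routes = consumer_reach(config, c)
        for cred in c.get("keyauth_credentials", []):
            reach[cred["key"]] = routes
    return reach


def max_reach(config):
    """Largest number of routes any single key unlocks (0 when no keys exist)."""
    return max((len(r) for r in key_reach(config).values()), default=0)


def _find_route(config, name):
    for svc in config.get("services", []):
        for rt in svc.get("routes", []):
            if rt["name"] == name:
                return rt
    raise KeyError(name)


def split_consumer(config, username, keygen=lambda: secrets.token_urlsafe(32)):
    """The workaround from the post: replace `username` with one consumer per
    route it can reach, each with its own key and a route-specific ACL group
    appended to that route's allow list. Returns a new config; raises if a
    reachable route lacks a route-level acl plugin with an allow list."""
    cfg = deepcopy(config)
    consumer = next(c for c in cfg["consumers"] if c["username"] == username)
    cfg["consumers"].remove(consumer)
    for route in sorted(consumer_reach(cfg, consumer)):
        acl = _plugin(_find_route(cfg, route).get("plugins"), "acl")
        if not acl or not acl.get("allow"):
            raise ValueError(f"{route}: needs a route-level acl plugin with an allow list")
        group = f"{username}:{route}"  # naming convention is an assumption
        acl["allow"].append(group)
        cfg["consumers"].append({
            "username": group,
            "acls": [{"group": group}],
            "keyauth_credentials": [{"key": keygen()}],
        })
    return cfg


# Constructed sample in the kong.yml shape: alice's single key reaches two routes.
SAMPLE = {
    "_format_version": "3.0",
    "services": [
        {"name": "orders", "url": "http://orders.internal", "routes": [
            {"name": "orders-route", "paths": ["/orders"], "plugins": [
                {"name": "key-auth"},
                {"name": "acl", "config": {"allow": ["orders-readers"]}}]}]},
        {"name": "billing", "url": "http://billing.internal", "routes": [
            {"name": "billing-route", "paths": ["/billing"], "plugins": [
                {"name": "key-auth"},
                {"name": "acl", "config": {"allow": ["billing-readers"]}}]}]},
    ],
    "consumers": [
        {"username": "alice",
         "acls": [{"group": "orders-readers"}, {"group": "billing-readers"}],
         "keyauth_credentials": [{"key": "alice-key-DEMO"}]},
        {"username": "bob",
         "acls": [{"group": "orders-readers"}],
         "keyauth_credentials": [{"key": "bob-key-DEMO"}]},
    ],
}

if __name__ == "__main__":
    print("before:", {k: sorted(v) for k, v in key_reach(SAMPLE).items()})
    fixed = split_consumer(SAMPLE, "alice")
    print("after: ", {k[:8] + "...": sorted(v) for k, v in key_reach(fixed).items()})
    print("max routes per key:", max_reach(SAMPLE), "->", max_reach(fixed))
```

`max_reach` is the number to watch: anything above 1 means a single leaked key opens more than one route, which is exactly the exposure the post describes. Running the audit before and after `split_consumer` shows the workaround reducing it to 1 at the cost of one extra consumer per route.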