I'm using Kong Gateway (community edition, using database, dockerized setup, kong:3.3.0) and Konga + King + manual apis to manage it.
I have a key-auth plugin set up on a service in Kong, and when I hit the route under it with a consumer's valid apikey included in the URL parameters, it's working fine, exactly as described.
Now I want to restrict access based on groups of consumers. The path given to achieve this is: add ACL plugin for this service, giving the group name in Allow. Done.
This group shows up properly in King's view of the plugin as well:
Next, for the consumer who should be able to access this: add it to an ACL group by the same name: Done.
But once this is all set up, I'm no longer able to access the route. I get a 403 response with the message: "You cannot consume this service"
If I disable the ACL plugin, it works again (with the consumer's apikey included in the URL parameters; the key-auth plugin alone is working).
I'm not understanding what's going wrong here. I saw guides showing a similar setup with the JWT plugin: https://medium.com/engineering-applift/kong-acl-example-77a033d59034 and OAuth2: https://medium.com/@far3ns/kong-acl-plugin-76a9ff948f4c. At first I thought a precise id value of the ACL group would be needed, but from all the documentation it seems just setting the group name on both the consumer side and the plugin side should do the job. But it's not happening. Can someone help to solve this?
Ref: https://docs.konghq.com/hub/kong-inc/acl/how-to/basic-example/
Edit: updated the version at the top, 3.3.0
Edit: Clarification: There are other services/routes active in my setup which are open and don't have a key-auth plugin on them. Hence, I'm enabling the key-auth plugin for a few services (hence at service level, not global), upon which I then want to enable the ACL plugin.
I am unsure I saw all the required bits in your question -- in particular, I am afraid the ACL plugin does not find an authenticated consumer -- but here is a working example using the Admin API, hopefully it helps!
$ http :8001/services url=http://mockbin.org name=mockbin -f
$ http :8001/services/mockbin/routes paths=/ -f
# issue a test request to the /request endpoint, useful for debugging headers that got sent to the upstream
$ http :8000/request
$ http :8001/consumers username=c1 -f
$ http :8001/consumers/c1/acls group=g1 -f
$ http :8001/consumers/c1/key-auth key=token
$ http :8001/plugins name=key-auth
$ http :8001/plugins name=acl config.allow=g1 -f
$ http :8000/request apikey:token
# See how the x-consumer-groups header was sent upstream (the ACL plugin adds it once the consumer's groups are known)
$ http :8000/request apikey:token | jq '.headers["x-consumer-groups"]'
Note that the apikey is required so that Kong can map it to a consumer, from which it can verify against the ACL plugin's config -- allow or disallow.
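To make the order of operations in that last note concrete, here is an added, constructed model of the key-auth → ACL decision path, written for this answer and not taken from Kong's source. It is a simplification: one service, the two plugins attached to it, a request as a dict. The 403 message is the one quoted in the question; the 401 messages for a missing or unknown key and the 401 returned when the ACL plugin finds no authenticated consumer are assumptions of this model and should be checked against your own Kong responses. The scenarios at the end reproduce the working setup, the "consumer not in the allowed group" case, and the case the answer above suspects: the ACL plugin running on a service where no authentication plugin identified a consumer.

```python
"""Constructed model of Kong's key-auth -> ACL decision path (not Kong's code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Consumer:
    username: str
    api_keys: set = field(default_factory=set)    # key-auth credentials
    acl_groups: set = field(default_factory=set)  # /consumers/<c>/acls entries


@dataclass
class ServiceConfig:
    key_auth_enabled: bool = False
    acl_allow: Optional[set] = None   # ACL plugin "allow" list; None = no ACL plugin
    acl_deny: Optional[set] = None    # ACL plugin "deny" list


@dataclass
class Decision:
    status: int
    message: str
    upstream_headers: dict = field(default_factory=dict)


def authenticate(req, consumers, cfg):
    """key-auth phase: find an apikey in header or query string and map it to a consumer.
    Returns (consumer, error); with no auth plugin the request continues anonymously."""
    if not cfg.key_auth_enabled:
        return None, None
    key = req.get("headers", {}).get("apikey") or req.get("query", {}).get("apikey")
    if key is None:
        return None, Decision(401, "No API key found in request")
    for c in consumers:
        if key in c.api_keys:
            return c, None
    return None, Decision(401, "Invalid authentication credentials")


def authorize(consumer, cfg):
    """ACL phase: needs an authenticated consumer, then checks deny before allow."""
    acl_active = cfg.acl_allow is not None or cfg.acl_deny is not None
    if not acl_active:
        return None
    if consumer is None:
        # Assumed in this model: ACL without an identified consumer is rejected, not skipped.
        return Decision(401, "Unauthorized")
    if cfg.acl_deny and consumer.acl_groups & cfg.acl_deny:
        return Decision(403, "You cannot consume this service")
    if cfg.acl_allow is not None and not (consumer.acl_groups & cfg.acl_allow):
        return Decision(403, "You cannot consume this service")
    return None


def handle(req, consumers, cfg):
    """Run both phases in plugin order and build the headers the upstream would see."""
    consumer, err = authenticate(req, consumers, cfg)
    if err:
        return err
    err = authorize(consumer, cfg)
    if err:
        return err
    headers = {}
    if consumer is not None:
        headers["x-consumer-username"] = consumer.username
        if cfg.acl_allow is not None or cfg.acl_deny is not None:
            headers["x-consumer-groups"] = ", ".join(sorted(consumer.acl_groups))
    return Decision(200, "OK", headers)


def run_scenarios():
    """Constructed consumers and configs mirroring the thread; returns name -> Decision."""
    consumers = [
        Consumer("c1", api_keys={"token"}, acl_groups={"g1"}),
        Consumer("c2", api_keys={"other"}, acl_groups=set()),
    ]
    both = ServiceConfig(key_auth_enabled=True, acl_allow={"g1"})
    acl_only = ServiceConfig(key_auth_enabled=False, acl_allow={"g1"})
    key_auth_only = ServiceConfig(key_auth_enabled=True)
    return {
        "c1 via header, in group": handle({"headers": {"apikey": "token"}}, consumers, both),
        "c1 via query, in group": handle({"query": {"apikey": "token"}}, consumers, both),
        "c2 not in group": handle({"headers": {"apikey": "other"}}, consumers, both),
        "no key": handle({}, consumers, both),
        "acl without key-auth": handle({"headers": {"apikey": "token"}}, consumers, acl_only),
        "key-auth without acl": handle({"headers": {"apikey": "token"}}, consumers, key_auth_only),
    }


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:28s} -> {d.status} {d.message} {d.upstream_headers}")
```

The useful diagnostic is the "acl without key-auth" row: when the ACL plugin runs on a service (or route) where no authentication plugin has identified the consumer, the group check has nothing to match, so the fix is to confirm that key-auth and acl are attached to the same service or route and that the request actually reaches both.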