
ACL + key-auth plugin on a Kong service not working


I'm using Kong Gateway (community edition, using a database, dockerized setup, kong:3.3.0) and Konga, King and manual API calls to manage it.

I have a key-auth plugin set up on a service in Kong, and when I hit the route under it with a consumer's valid apikey included in the URL parameters, it works fine, exactly as described.

Now I want to restrict access based on groups of consumers. The path given to achieve this is: add the ACL plugin for this service, giving the group name in Allow. Done.

[screenshot: ACL plugin konga]

This group shows up properly in King's view of the plugin as well:

[screenshot: ACL plugin King]

Next, for the consumer who should be able to access this: add it to an ACL group of the same name. Done.

[screenshot: Consumer ACL King]

But once this is all set up, I'm no longer able to access the route. I get a 403 response with the message: "You cannot consume this service"

If I disable the ACL plugin, it works again (with the consumer's apikey included in the URL parameters; the key-auth plugin alone is working).

I'm not understanding what's going wrong here. I saw guides showing a similar setup with the JWT plugin: https://medium.com/engineering-applift/kong-acl-example-77a033d59034 and with OAuth2: https://medium.com/@far3ns/kong-acl-plugin-76a9ff948f4c . At first I thought a precise id value of the ACL group would be needed, but from all the documentation it seems that just setting the group name on both the consumer side and the plugin side should do the job. But it's not happening. Can someone help to solve this?

Ref: https://docs.konghq.com/hub/kong-inc/acl/how-to/basic-example/

Edit: updated the version at the top, 3.3.0

Edit: Clarification: There are other services/routes active in my setup which are open and don't have a key-auth plugin on them. Hence, I'm enabling the key-auth plugin for a few services (hence at service level, not globally), on which I then want to enable the ACL plugin.


Solution

  • I am unsure I saw all the required bits in your question -- in particular, I am afraid the ACL plugin does not find an authenticated consumer -- but here goes a working example using the Admin API, hopefully it helps!

    1. Create a service / route pair:
    $ http :8001/services url=http://mockbin.org name=mockbin -f
    $ http :8001/services/mockbin/routes paths=/ -f

    # issue a test request to the /request endpoint, useful for debugging headers that got sent to the upstream
    $ http :8000/request

    2. Create a consumer and map it to the ACL group:
    $ http :8001/consumers username=c1 -f
    $ http :8001/consumers/c1/acls group=g1 -f

    3. Create a key-auth token and enable the key-auth and ACL plugins:
    $ http :8001/consumers/c1/key-auth key=token
    $ http :8001/plugins name=key-auth
    $ http :8001/plugins name=acl config.allow=g1 -f

    4. Issue another testing request:
    $ http :8000/request apikey:token

    # See how the x-consumer-groups header was sent upstream
    $ http :8000/request apikey:token | jq '.headers["x-consumer-groups"]'
    

    Note that the apikey is required so that Kong can map the request to a consumer, which it can then check against the ACL plugin's config -- allow or disallow.
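The 403 in the question is the ACL plugin's verdict, and it depends on two things the answer above touches: an authentication plugin must run in the same scope so that a consumer is identified at all, and that consumer's group names must match `config.allow` exactly. The following script is an added example (not code from the question, the answer or the Kong project): it replays that decision offline against JSON shaped like the Admin API's `/plugins` and `/consumers/{name}/acls` responses, with constructed sample data and placeholder service ids.

```python
"""Offline sanity check for a Kong key-auth + ACL setup, fed with the JSON
shapes the Admin API returns for /plugins and /consumers/{c}/acls."""

FORBIDDEN_MSG = "You cannot consume this service"  # the ACL plugin's 403 body

def plugins_in_scope(plugins, service_id):
    """Enabled plugins that run for a service: global ones plus those bound to it
    (route- and consumer-scoped plugins are left out of this simplified view)."""
    return [p for p in plugins if p.get("enabled", True)
            and (p.get("service") is None or p["service"]["id"] == service_id)]

def acl_decision(consumer_groups, acl_config):
    """Mirror the ACL plugin's rule for an authenticated consumer: with `allow`
    set the consumer needs at least one listed group; with `deny` set it must be
    in none. Group names are compared exactly (case and whitespace matter)."""
    groups = set(consumer_groups)
    allow = set(acl_config.get("allow") or [])
    deny = set(acl_config.get("deny") or [])
    if allow and not groups & allow:
        return False, f"consumer groups {sorted(groups)} do not match allow {sorted(allow)}"
    if deny and groups & deny:
        return False, f"consumer groups {sorted(groups & deny)} are in the deny list"
    return True, "consumer is permitted"

def diagnose(plugins, service_id, consumer_acls):
    """Explain what the ACL plugin will do for one consumer on one service."""
    scoped = plugins_in_scope(plugins, service_id)
    acl = next((p for p in scoped if p["name"] == "acl"), None)
    if acl is None:
        return "no ACL plugin in scope; nothing restricts this service"
    if not any(p["name"] == "key-auth" for p in scoped):
        # Without an authentication plugin at the same (or wider) scope there is
        # no consumer for the ACL plugin to check, so every request is rejected.
        return "no authentication plugin in scope: ACL cannot identify a consumer"
    ok, why = acl_decision([a["group"] for a in consumer_acls], acl["config"])
    return "200 expected: " + why if ok else f"403 {FORBIDDEN_MSG}: {why}"

# Constructed sample data (service ids are placeholders, not from a real deployment).
SVC_A, SVC_B = "svc-a", "svc-b"
SAMPLE_PLUGINS = [
    {"name": "key-auth", "service": {"id": SVC_A}, "config": {}, "enabled": True},
    {"name": "acl", "service": {"id": SVC_A}, "config": {"allow": ["g1"]}, "enabled": True},
    {"name": "acl", "service": {"id": SVC_B}, "config": {"allow": ["g1"]}, "enabled": True},
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_PLUGINS, SVC_A, [{"group": "g1"}]))  # 200 expected
    print(diagnose(SAMPLE_PLUGINS, SVC_A, [{"group": "G1"}]))  # 403, case mismatch
    print(diagnose(SAMPLE_PLUGINS, SVC_B, [{"group": "g1"}]))  # ACL without key-auth
```

Feed it the real `GET /plugins` and `GET /consumers/<name>/acls` output from your Admin API (port 8001 in the answer) to see which of the two conditions your service fails.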