Kong — ACL Plugin

faren
4 min read · Jul 25, 2018


Kong is an API gateway that supports configurable plugins. For an introduction to Kong and a basic tutorial on installing and setting it up, see this article: https://medium.com/@far3ns/kong-the-microservice-api-gateway-526c4ca0cfa6

This plugin requires an authentication plugin to have been already enabled on the service or route; the ACL plugin only works on a consumer that an authentication plugin has already identified. For a tutorial on installing the OAuth2 plugin, see this article: https://medium.com/@far3ns/kong-oauth-2-0-plugin-38faf938a468

Now we walk through how to set up ACL on our Kong.

What is an ACL (Access Control List)? It restricts access to a service or a route by whitelisting or blacklisting consumers, using arbitrary ACL group names.

Before that, please make sure you have installed and set up Kong and that it is up and running. You should have this:

$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
272841a859d2 node_kong "npm start" 3 days ago Up 15 hours 10000/tcp node_kong
2bd5d4b0126b kong:latest "/docker-entrypoint.…" 3 days ago Up 15 hours 0.0.0.0:9000->8000/tcp, 0.0.0.0:9001->8001/tcp, 0.0.0.0:9443->8443/tcp, 0.0.0.0:9444->8444/tcp kong
92877820c824 postgres:9.6 "docker-entrypoint.s…" 3 days ago Up 15 hours 0.0.0.0:5555->5432/tcp kong-database

and we can access the API through Kong (localhost on port 9000):

GET: localhost:9000/api/v1/customers

Headers: Host:api.ct.id
Response:
[
{
"id": 5,
"first_name": "Dodol",
"last_name": "Dargombez"
},
{
"id": 6,
"first_name": "Nyongot",
"last_name": "Gonzales"
}
]

So we already have Kong as an API gateway connected to an upstream service, our own API that returns customers. Now we go through a plugin that can act as a sidecar on the API gateway.

To make it easier, if you have not done so yet, download the file kong.postman_collection.json from the GitHub repo NodeJS-API-KONG (https://github.com/faren/NodeJS-API-KONG) and import it into Postman.

Enabling the plugin on a service

For this example, we have a service api-v1-customers. Call the Kong Admin API to list services:

GET: localhost:9001/services/

Response:
{
"next": null,
"data": [
{
"host": "172.19.0.4",
"created_at": 1531989815,
"connect_timeout": 60000,
"id": "d28c20e4-94d3-4c3b-9a0d-688ac8dbf213",
"protocol": "http",
"name": "api-v1-customers",
"read_timeout": 60000,
"port": 10000,
"path": null,
"updated_at": 1531989815,
"retries": 5,
"write_timeout": 60000
}
]
}

So we enable the ACL plugin on this service by calling the POST endpoint that adds a plugin to the service:

POST: localhost:9001/services/api-v1-customers/plugins

Headers: Content-Type:application/json
Body:
{
"name": "acl",
"config.whitelist": "group-api-v1-customers"
}
Response:
{
"created_at": 1532510757000,
"config": {
"whitelist": [
"group-api-v1-customers"
]
},
"id": "e85617c3-7366-448d-bf1a-71b39df96191",
"enabled": true,
"service_id": "eb422ef1-65a3-4654-a75f-41a8132d7861",
"name": "acl"
}

We have created a whitelist on the service "api-v1-customers".
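Because the ACL plugin can only judge a consumer that an authentication plugin has already identified, it is worth checking the service's plugin list after this step rather than trusting the 201 response alone. The audit below is an added example (not code from the original post, nor Kong's own): it reads the same /services/{name}/plugins shape shown above and reports when the acl plugin is missing or disabled, has an empty or contradictory whitelist/blacklist, or has no authentication plugin beside it. The Admin API base URL (localhost:9001 as in this post), the service name and the set of plugin names counted as "authentication" plugins are assumptions; the sample response is constructed.

```python
"""Audit the plugins enabled on a Kong service before trusting its ACL.

Added example, not from the original post or from Kong itself. It checks
the invariant the post states: the ACL plugin only restricts anything if
an authentication plugin is also enabled, and the list must not be empty.
"""
import json
import urllib.request

# Bundled Kong plugins that identify a consumer (assumed list, not exhaustive).
AUTH_PLUGINS = {"oauth2", "key-auth", "basic-auth", "jwt", "hmac-auth", "ldap-auth"}


def fetch_service_plugins(admin_url, service_name):
    """GET {admin_url}/services/{service_name}/plugins and return its 'data' list."""
    url = f"{admin_url}/services/{service_name}/plugins"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)["data"]


def audit_acl(plugins):
    """Return the list of problems found; an empty list means the ACL setup is sound.

    `plugins` is the 'data' array of the Admin API response: one dict per plugin,
    each with at least 'name', optionally 'enabled' and 'config'.
    """
    problems = []
    enabled = [p for p in plugins if p.get("enabled", True)]
    names = {p["name"] for p in enabled}

    acl = [p for p in enabled if p["name"] == "acl"]
    if not acl:
        problems.append("no enabled acl plugin on this service")
    else:
        cfg = acl[0].get("config") or {}
        whitelist = cfg.get("whitelist") or []
        blacklist = cfg.get("blacklist") or []
        if not whitelist and not blacklist:
            problems.append("acl plugin has neither whitelist nor blacklist")
        if whitelist and blacklist:
            problems.append("acl plugin sets both whitelist and blacklist; use one model")

    # Without an authentication plugin there is no consumer for acl to check.
    if not names & AUTH_PLUGINS:
        problems.append("no authentication plugin enabled; acl cannot identify a consumer")
    return problems


# Constructed sample, shaped like the Admin API response shown in the post,
# with an oauth2 plugin enabled alongside the acl plugin.
SAMPLE_PLUGINS = [
    {"name": "oauth2", "enabled": True, "config": {"scopes": ["read"]}},
    {"name": "acl", "enabled": True, "config": {"whitelist": ["group-api-v1-customers"]}},
]


if __name__ == "__main__":
    # Live run against the setup in this post (assumed base URL and service name).
    found = audit_acl(fetch_service_plugins("http://localhost:9001", "api-v1-customers"))
    print("ACL audit:", "OK" if not found else "; ".join(found))
```

One caveat: this audit only looks at plugins attached to the service. If the authentication plugin is attached to a route or enabled globally instead, the audit flags it although the setup is fine; extend it by also querying /routes/{id}/plugins and /plugins before concluding.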

Setup Consumer

If you followed the OAuth 2 tutorial in this article (https://medium.com/@far3ns/kong-oauth-2-0-plugin-38faf938a468), you should already have one consumer, oneone@gmail.com.

Now we need one more consumer, and an OAuth application for this consumer:

POST: localhost:9001/consumers

Headers: Content-Type:application/json
Body:
{
"username": "twotwo@gmail.com",
"custom_id": "22"
}
Response:
{
"custom_id": "22",
"created_at": 1532514470,
"username": "twotwo@gmail.com",
"id": "162f0807-5302-42c0-9dcc-85ef0430cd31"
}

Create an OAuth2 application for this consumer:

POST: localhost:9001/consumers/twotwo@gmail.com/oauth2

Headers: Content-Type:application/json
Body:
{
"name": "APP 22",
"client_id": "CLIENT_ID_22",
"client_secret": "CLIENT_SECRET_22",
"redirect_uri": "http://localhost:9800/cb"
}
Response:
{
"client_id": "CLIENT_ID_22",
"created_at": 1532514660000,
"id": "9f64ac9c-e992-46a7-80a4-2ba29d9af48b",
"redirect_uri": [
"http://localhost:9800/cb"
],
"name": "APP 22",
"client_secret": "CLIENT_SECRET_22",
"consumer_id": "162f0807-5302-42c0-9dcc-85ef0430cd31"
}

Now we have two consumers, oneone@gmail.com and twotwo@gmail.com, and both have OAuth2 credentials with which they can obtain tokens for the API.

Associating a Consumer

So we add only consumer oneone@gmail.com to the ACL group "group-api-v1-customers", and not twotwo@gmail.com.

Then associate the specific consumer with the ACL group with the following POST:

POST: localhost:9001/consumers/oneone@gmail.com/acl

Headers: Content-Type:application/json
Body:
{
"group": "group-api-v1-customers"
}
Response:
{
"group": "group-api-v1-customers",
"created_at": 1532511087000,
"id": "6cc67f05-3635-4caa-b7f4-882bfa5d7501",
"consumer_id": "6db1dfe5-47f2-455b-8fb0-d935017efcb3"
}

OK, everything has been set up. We try to access the customers API with different users/consumers. Before that you need to get a token for each user by calling:

POST: https://localhost:9443/api/v1/customers/oauth2/token

Headers: Content-Type:application/json
Host:api.ct.id
Body:
{
"client_id": "CLIENT_ID_11",
"client_secret": "CLIENT_SECRET_11",
"grant_type": "password",
"provision_key": "jT7g5nPngdW6HL9NH8cdxAPiH7jo85io",
"authenticated_userid": "oneone@gmail.com",
"scope": "read"
}
Response:
{
"refresh_token": "2ZDAQJbuR1Mp131YHwrowXw4XCjjC7zY",
"token_type": "bearer",
"access_token": "fxSd3LuB4DHk7Phi0jfGgQ2I6Afuxx8z",
"expires_in": 180
}

Do the same for user twotwo@gmail.com to get a token for the customers API.

First we try with the token obtained for user oneone@gmail.com to access the customers API:

GET: localhost:9000/api/v1/customers

Headers: Host:api.ct.id
Authorization:bearer fxSd3LuB4DHk7Phi0jfGgQ2I6Afuxx8z
Response:
[
{
"id": 5,
"first_name": "Dodol",
"last_name": "Dargombez"
},
{
"id": 6,
"first_name": "Nyongot",
"last_name": "Gonzales"
}
]

Next, try to access the customers API with the token of user twotwo@gmail.com:

GET: localhost:9000/api/v1/customers

Headers: Host:api.ct.id
Authorization:bearer rSH2Q8tHG5nOPaDU4ZljjChFsimjA41e
Response:
{
"message": "You cannot consume this service"
}

So the ACL plugin has blocked user twotwo@gmail.com, who holds a valid token but is not in the whitelisted group, from accessing the customers API.
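The two outcomes above follow from the whitelist/blacklist rule given in the definition of an ACL earlier in this post: a whitelist admits a consumer only if one of its groups is listed, a blacklist rejects a consumer if one of its groups is listed. The model below is an added example (not code from the original post, nor Kong's own implementation) that reproduces that rule so both results can be traced without a running gateway; the group table for the two consumers is constructed to match this post's setup, the 403 message is the one shown above, and the choices that whitelist and blacklist are mutually exclusive and that a request with no identified consumer is refused are assumptions of the model.

```python
"""Model of the ACL decision a gateway makes for an authenticated request.

Added example, not Kong's code: it reproduces the whitelist/blacklist rule
described in the post so the two outcomes (oneone allowed, twotwo rejected)
can be traced offline.
"""

FORBIDDEN_MSG = "You cannot consume this service"  # message observed in the post


def acl_decision(consumer_groups, whitelist=None, blacklist=None):
    """Return (http_status, message) for one request.

    consumer_groups: the ACL groups of the consumer identified by the
      authentication plugin, or None if no consumer was identified.
    whitelist / blacklist: the plugin's config; exactly one must be set
      (assumed to be mutually exclusive, as in this model).
    """
    if whitelist and blacklist:
        raise ValueError("whitelist and blacklist are mutually exclusive")
    if not whitelist and not blacklist:
        raise ValueError("one of whitelist or blacklist must be configured")
    if consumer_groups is None:
        # No authenticated consumer: nothing to compare against, so refuse
        # rather than fall open (model assumption; the post requires an
        # authentication plugin to run first).
        return 403, FORBIDDEN_MSG
    groups = set(consumer_groups)
    if whitelist:
        # Whitelist model: any listed group is enough to admit the consumer.
        return (200, "OK") if groups & set(whitelist) else (403, FORBIDDEN_MSG)
    # Blacklist model: any listed group is enough to reject the consumer.
    return (403, FORBIDDEN_MSG) if groups & set(blacklist) else (200, "OK")


# Constructed consumer -> groups table matching the setup in the post:
# oneone was POSTed to /consumers/oneone@gmail.com/acl, twotwo never was.
CONSUMER_GROUPS = {
    "oneone@gmail.com": {"group-api-v1-customers"},
    "twotwo@gmail.com": set(),  # authenticated, but in no ACL group
}


def handle(consumer_username, whitelist=("group-api-v1-customers",)):
    """Simulate the gateway for a consumer the auth plugin has identified.

    An unknown username yields None, i.e. no identified consumer.
    """
    groups = CONSUMER_GROUPS.get(consumer_username)
    return acl_decision(groups, whitelist=list(whitelist))


if __name__ == "__main__":
    for user in ("oneone@gmail.com", "twotwo@gmail.com"):
        print(user, "->", handle(user))
```

The point worth keeping in mind is the twotwo@gmail.com case: the OAuth2 plugin accepted the token, so the request is fully authenticated, and it is only the ACL group check that rejects it. Authentication tells the gateway who the caller is; the ACL decides what that caller may reach, and a consumer that is never added to a group gets nothing under the whitelist model.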

Conclusion

The ACL plugin is one of the common authorisation and access-control mechanisms in use today. Kong provides this plugin, managed through the Admin API, in the Community Edition. To understand the ACL flow in more depth, see https://docs.konghq.com/plugins/acl
