Home / How-to Guides
Edit
Report

Use the ACL plugin with Consumer Groups in Kong Gateway

Uses: Kong Gateway decK
Related Documentation
All Gateway Documentation
All decK Documentation
Tags
#security #traffic-control
Minimum Version
Kong Gateway - 3.4
TL;DR

Enable an authentication plugin, create Consumer Groups and Consumers, then enable the ACL plugin and use the config.allow to allow access to the Consumer Groups.

Prerequisites

Kong Konnect

This is a Konnect tutorial. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:

    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
    • Control Plane Name: You can use an existing Control Plane or create a new one to use for this tutorial.
    • Konnect Proxy URL: By default, a self-hosted Data Plane uses http://localhost:8000. You can set up Data Plane nodes for your Control Plane from the Gateway Manager in Konnect.

  2. Set the personal access token, the Control Plane name, the Control Plane URL, and the Konnect proxy URL as environment variables:

     export DECK_KONNECT_TOKEN='YOUR KONNECT TOKEN'
 export DECK_KONNECT_CONTROL_PLANE_NAME='YOUR CONTROL PLANE NAME'
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='KONNECT PROXY URL'

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Run the following command:

    echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: delete-route
    paths:
    - "/anything"
    methods:
    - DELETE
    service:
      name: example-service
  - name: no-delete-route
    paths:
    - "/anything"
    methods:
    - GET
    - POST
    - PUT
    service:
      name: example-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

Enable key authentication

The ACL plugin requires an authentication plugin. In this example, we’ll use the Key Auth plugin plugin, but you can use any authentication plugin.

echo '
_format_version: "3.0"
plugins:
  - name: key-auth
    config:
      key_names:
      - apikey
' | deck gateway apply -

Create Consumer Groups

Let’s create two Consumer Groups named dev and admin. These groups will be used to configure access to the Routes we created in the prerequisites.

echo '
_format_version: "3.0"
consumer_groups:
  - name: dev
  - name: admin
' | deck gateway apply -

Create Consumers

Create Consumers with credentials and assign each of them to a Consumer Group.

echo '
_format_version: "3.0"
consumers:
  - username: Amal
    groups:
    - name: admin
    keyauth_credentials:
    - key: amal
  - username: Dana
    groups:
    - name: dev
    keyauth_credentials:
    - key: dana
' | deck gateway apply -

Enable the ACL plugin

Enable the ACL plugin for each Route and use the config.allow parameter to allow access to the Consumer Groups. We’ll give the admin Consumer Group access to both Routes, but the dev group will only have access to no-delete-route. This means that only the admin group will be able to use the DELETE method on the /anything endpoint.

echo '
_format_version: "3.0"
plugins:
  - name: acl
    route: delete-route
    config:
      include_consumer_groups: true
      allow:
      - admin
  - name: acl
    route: no-delete-route
    config:
      include_consumer_groups: true
      allow:
      - admin
      - dev
' | deck gateway apply -

Validate

Send requests to both Routes with the two API keys to validate that the access restrictions work as expected.

With the API key amal, we can send GET, POST, PUT, and DELETE requests to the /anything endpoint:

curl -X POST "$KONNECT_PROXY_URL/anything" \
     -H "apikey:amal"

curl -X POST "http://localhost:8000/anything" \
     -H "apikey:amal"

curl -X DELETE "$KONNECT_PROXY_URL/anything" \
     -H "apikey:amal"

curl -X DELETE "http://localhost:8000/anything" \
     -H "apikey:amal"

With the API key dana, we can’t send DELETE requests:

curl -X DELETE "$KONNECT_PROXY_URL/anything" \
     -H "apikey:dana"

curl -X DELETE "http://localhost:8000/anything" \
     -H "apikey:dana"

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

 
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support