Use the ACL plugin with Consumer Groups in Kong Gateway
Enable an authentication plugin, create Consumer Groups and Consumers, then enable the ACL plugin and use the config.allow to allow access to the Consumer Groups.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
-
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'Copied! -
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-outputCopied!This sets up a Konnect Control Plane named
quickstart, provisions a local Data Plane, and prints out the following environment variable exports:export DECK_KONNECT_TOKEN=$KONNECT_TOKEN export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com export KONNECT_PROXY_URL='http://localhost:8000'Copied!Copy and paste these into your terminal to configure your session.
Kong Gateway running
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
-
Export your license to an environment variable:
export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'Copied! -
Run the quickstart script:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATACopied!Once Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
decK v1.43+
decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.
This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance.
We recommend upgrading your decK installation to take advantage of this tool.
You can check your current decK version with deck version.
Required entities
For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:
-
Run the following command:
echo ' _format_version: "3.0" services: - name: example-service url: http://httpbin.konghq.com/anything routes: - name: delete-route paths: - "/anything" methods: - DELETE service: name: example-service - name: no-delete-route paths: - "/anything" methods: - GET - POST - PUT service: name: example-service ' | deck gateway apply -Copied!
To learn more about entities, you can read our entities documentation.
Enable key authentication
The ACL plugin requires an authentication plugin. In this example, we’ll use the Key Auth plugin plugin, but you can use any authentication plugin.
echo '
_format_version: "3.0"
plugins:
- name: key-auth
config:
key_names:
- apikey
' | deck gateway apply -
Create Consumer Groups
Let’s create two Consumer Groups named dev and admin. These groups will be used to configure access to the Routes we created in the prerequisites.
echo '
_format_version: "3.0"
consumer_groups:
- name: dev
- name: admin
' | deck gateway apply -
Create Consumers
Create Consumers with credentials and assign each of them to a Consumer Group.
echo '
_format_version: "3.0"
consumers:
- username: Amal
groups:
- name: admin
keyauth_credentials:
- key: amal
- username: Dana
groups:
- name: dev
keyauth_credentials:
- key: dana
' | deck gateway apply -
Enable the ACL plugin
Enable the ACL plugin for each Route and use the config.allow parameter to allow access to the Consumer Groups. We’ll give the admin Consumer Group access to both Routes, but the dev group will only have access to no-delete-route. This means that only the admin group will be able to use the DELETE method on the /anything endpoint.
echo '
_format_version: "3.0"
plugins:
- name: acl
route: delete-route
config:
include_consumer_groups: true
allow:
- admin
- name: acl
route: no-delete-route
config:
include_consumer_groups: true
allow:
- admin
- dev
' | deck gateway apply -
Validate
Send requests to both Routes with the two API keys to validate that the access restrictions work as expected.
With the API key amal, we can send GET, POST, PUT, and DELETE requests to the /anything endpoint:
curl -X POST "$KONNECT_PROXY_URL/anything" \
--no-progress-meter --fail-with-body \
-H "apikey:amal"
curl -X POST "http://localhost:8000/anything" \
--no-progress-meter --fail-with-body \
-H "apikey:amal"
curl -X DELETE "$KONNECT_PROXY_URL/anything" \
--no-progress-meter --fail-with-body \
-H "apikey:amal"
curl -X DELETE "http://localhost:8000/anything" \
--no-progress-meter --fail-with-body \
-H "apikey:amal"
With the API key dana, we can’t send DELETE requests:
curl -X DELETE "$KONNECT_PROXY_URL/anything" \
--no-progress-meter --fail-with-body \
-H "apikey:dana"
curl -X DELETE "http://localhost:8000/anything" \
--no-progress-meter --fail-with-body \
-H "apikey:dana"
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.
Destroy the Kong Gateway container
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d