Table of Contents

Introduction

Managing Admins in the Kong Admin GUI

In this section you will learn how to manage Kong Admins in the Kong Admin GUI.

Prerequisites:

  • You have enabled authentication, following the Getting Started guide.
  • You have enabled RBAC
  • You have setup the Super Admin RBAC Role or you are able to login with a user that has /admins and /rbac read/write access, with all associated endpoints for permission creation. We will refer to this user as the Authorized Admin in this guide.

Create RBAC Roles for Your Admin

For every Admin that is using the Kong Admin GUI, they will need roles assigned to them based on which resources they can access.

Login as the Authorized Admin and click “Admins” in the sidebar. Next, click “Add Role”. Fill out the form, and add the endpoint permissions. Name the role accordingly (e.g. “read-only”, “read-services”).

⚠️ IMPORTANT: Every Admin that needs access to the Admin GUI will need at least read access to the home “/” endpoint.

Create an Admin

Login to the Kong Admin GUI as the Super Admin. Click “Admins” in the sidebar. Click “Add Admin”. Fill out the form with a username and associated Role.

Create an Admin in the Kong Admin GUI

Grant Admin Access

Now that you have created an Admin and assigned them roles, you will need to give them access to login to the Admin GUI. If not using the LDAP Auth Advanced plugin, you will need to create Credentials via the API, as it is not currently supported in the Admin GUI.

If you are using LDAP Auth Advanced Plugin, then you can skip credential creation and utilize the Consumer mapping feature, which allows you to map a LDAP user’s username to a consumer’s username or custom_id.

Create Credentials

Admins are a type of Kong Consumer, and therefore can be given Kong Plugin Authentication Credentials. Find the value of your Kong configuration directive admin_gui_auth. You will need to create credentials based on that plugin. Ensure that you have the Admin entity data:

$ curl 'http://kong:8001/admins/<username>'
HTTP/1.1 200 OK

{
  "created_at": 1530911165000,
  "rbac_user": {
    "comment": "User generated on creation of Admin.",
    "user_token": "<RBAC_USER_TOKEN>",
    "id": "<RBAC_USER_ID>",
    "name": "user-<username>",
    "enabled": true,
    "created_at": 1530911165000
  },
  "id": "<CONSUMER_ID>",
  "status": 0,
  "username": "<username>",
  "type": 2
}

Now that you have the <CONSUMER_ID>, you can use this to create a credential with your associated admin_gui_auth plugin:

Once a user has a credential, they can use the credential to log in.

Next: Networking ›