Configure a Kong Gateway RBAC user with custom permissions
To configure an RBAC user in Kong Gateway, create the user with the /rbac/users endpoint of the Admin API, create a custom role with endpoint permissions using /rbac/roles, then assign the role to the new user.
Prerequisites
Kong Gateway running with RBAC enabled
This tutorial requires Kong Gateway Enterprise.
- Export your license to an environment variable:
export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'
- Run the quickstart script with RBAC enabled:
curl -Ls get.konghq.com/quickstart | bash -s -- -e "KONG_LICENSE_DATA" \
-e "KONG_ENFORCE_RBAC=on" \
-e "KONG_ADMIN_GUI_AUTH=basic-auth" \
-e "KONG_PASSWORD=kong" \
-e 'KONG_ADMIN_GUI_SESSION_CONF={"secret":"kong", "cookie_lifetime":300000, "cookie_renew":200000, "cookie_name":"kong_cookie", "cookie_secure":false, "cookie_samesite": "off"}'
For more information about the values, see the RBAC reference. Once Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
Create an RBAC user
An RBAC user has the ability to access the Kong Gateway Admin API. The permissions assigned to their role will define the types of actions they can perform with various Admin API objects.
Create an RBAC user by sending a POST request to the /rbac/users endpoint:
curl -X POST "http://localhost:8001/rbac/users" \
-H "Kong-Admin-Token:kong" \
--json '{
"name": "alex",
"user_token": "alex-token"
}'
By omitting the Workspace in the request, the user gets added to the default Workspace.
Create a role with endpoint permissions
Let’s say that in our environment, we need a subset of users to access Gateway Services only. Create a new role:
curl -X POST "http://localhost:8001/rbac/roles" \
-H "Kong-Admin-Token:kong" \
--json '{
"name": "dev"
}'
Then, assign endpoint permissions to the role, allowing access only to the /services endpoint:
curl -X POST "http://localhost:8001/rbac/roles/dev/endpoints" \
-H "Kong-Admin-Token:kong" \
--json '{
"endpoint": "/services/",
"workspace": "default",
"actions": [
"*"
]
}'
Assign role to user
Assign the dev role to the user you created earlier:
curl -X POST "http://localhost:8001/rbac/users/alex/roles" \
-H "Kong-Admin-Token:kong" \
--json '{
"roles": "dev"
}'
Validate
You can validate that the user has correct permissions by trying to access entities with the user’s access token.
First, try to access /routes, which this user doesn't have permissions for:
curl "http://localhost:8001/routes" \
-H "Kong-Admin-Token:alex-token"
If RBAC was enabled correctly, this request returns the following error message:
{"message":"alex, you do not have permissions to read this resource"}
Now, try adding a Service using the /services endpoint:
curl -X POST "http://localhost:8001/services" \
-H "Kong-Admin-Token:alex-token" \
--json '{
"name": "test-service",
"host": "httpbin.konghq.com"
}'
This time, the request succeeds with a 201 and creates a new Service.
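The steps above, scripted end to end with a built-in check of the result. This is an added example, not part of the Kong documentation or the quickstart. It assumes the Admin API is reachable at http://localhost:8001 with the quickstart's admin token kong (both overridable through KONG_ADMIN_URL and KONG_ADMIN_TOKEN); the user name, role name and user token are the same sample values as above. The helper names endpoint_permission_body, classify_rbac_response, admin_call, provision_rbac_user and validate_rbac_user are this example's own. It grants the role read and create on /services/ instead of "*", which is still enough for both validation requests, and it checks that /routes is refused and /services is allowed rather than relying on reading the output by eye.

```shell
#!/usr/bin/env bash
# Added example (not Kong's own code): provision an RBAC user, a role with a
# narrow endpoint permission, bind them, then verify the grant as that user.
# Assumed environment: Admin API at KONG_ADMIN_URL, admin token KONG_ADMIN_TOKEN.
KONG_ADMIN_URL="${KONG_ADMIN_URL:-http://localhost:8001}"
KONG_ADMIN_TOKEN="${KONG_ADMIN_TOKEN:-kong}"
RBAC_USER="${RBAC_USER:-alex}"              # constructed sample values
RBAC_USER_TOKEN="${RBAC_USER_TOKEN:-alex-token}"
RBAC_ROLE="${RBAC_ROLE:-dev}"

# Build the JSON body for POST /rbac/roles/<role>/endpoints.
# Arguments: endpoint workspace action...  (RBAC verbs read/create/update/delete,
# or "*" for all of them)
endpoint_permission_body() {
  local endpoint="$1" workspace="$2" actions="" a
  shift 2
  for a in "$@"; do
    actions="${actions:+$actions,}\"$a\""
  done
  printf '{"endpoint":"%s","workspace":"%s","actions":[%s]}' \
    "$endpoint" "$workspace" "$actions"
}

# Interpret an Admin API reply made with the user's token.
# Arguments: http_status body  -> prints "allowed", "denied" or "unexpected".
# Kong answers an RBAC refusal with 403 and the "do not have permissions" message.
classify_rbac_response() {
  local status="$1" body="$2"
  case "$status" in
    200|201) printf 'allowed\n' ;;
    403)
      case "$body" in
        *"do not have permissions"*) printf 'denied\n' ;;
        *) printf 'unexpected\n' ;;
      esac ;;
    *) printf 'unexpected\n' ;;
  esac
}

# admin_call METHOD PATH TOKEN [JSON]  -> prints "<status> <body>"
admin_call() {
  local method="$1" path="$2" token="$3" body="${4:-}" tmp out status
  tmp="$(mktemp)"
  if [ -n "$body" ]; then
    status="$(curl -s -o "$tmp" -w '%{http_code}' -X "$method" \
      -H "Kong-Admin-Token: $token" --json "$body" "$KONG_ADMIN_URL$path")"
  else
    status="$(curl -s -o "$tmp" -w '%{http_code}' -X "$method" \
      -H "Kong-Admin-Token: $token" "$KONG_ADMIN_URL$path")"
  fi
  out="$(cat "$tmp")"
  rm -f "$tmp"
  printf '%s %s\n' "$status" "$out"
}

# User, role, permission on /services/ (read+create only), then the binding.
provision_rbac_user() {
  admin_call POST /rbac/users "$KONG_ADMIN_TOKEN" \
    "{\"name\":\"$RBAC_USER\",\"user_token\":\"$RBAC_USER_TOKEN\"}"
  admin_call POST /rbac/roles "$KONG_ADMIN_TOKEN" "{\"name\":\"$RBAC_ROLE\"}"
  admin_call POST "/rbac/roles/$RBAC_ROLE/endpoints" "$KONG_ADMIN_TOKEN" \
    "$(endpoint_permission_body /services/ default read create)"
  admin_call POST "/rbac/users/$RBAC_USER/roles" "$KONG_ADMIN_TOKEN" \
    "{\"roles\":\"$RBAC_ROLE\"}"
}

# As the new user: /routes must be denied, /services must be allowed.
# Returns 0 only when both verdicts match.
validate_rbac_user() {
  local reply verdict rc=0
  reply="$(admin_call GET /routes "$RBAC_USER_TOKEN")"
  verdict="$(classify_rbac_response "${reply%% *}" "${reply#* }")"
  [ "$verdict" = denied ] || { echo "FAIL: /routes -> $verdict"; rc=1; }
  reply="$(admin_call GET /services "$RBAC_USER_TOKEN")"
  verdict="$(classify_rbac_response "${reply%% *}" "${reply#* }")"
  [ "$verdict" = allowed ] || { echo "FAIL: /services -> $verdict"; rc=1; }
  return "$rc"
}

# Only contact a live gateway when asked, so the helpers can be sourced and
# exercised without a running Kong instance.
if [ "${KONG_RBAC_RUN:-0}" = 1 ]; then
  provision_rbac_user
  validate_rbac_user
fi
```

Run it as KONG_RBAC_RUN=1 ./rbac-user.sh against the quickstart container; without that variable the script only defines the functions, so it can be sourced to test the JSON builder and the response classifier offline. The narrower read/create grant is the point of the classifier: if a later change widens the role or the Admin API starts answering something other than 403 for a refusal, validate_rbac_user reports it instead of silently passing.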
Cleanup
Destroy the Kong Gateway container
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d