Estimated reading time:
This feature is only available with a Kong Enterprise subscription.
In this topic, you’ll learn how to manage and configure user authorization using workspaces and teams in Kong Enterprise.
If you are following the getting started workflow, make sure you have completed Set Up Intelligent Load Balancing before moving on.
Overview of Workspaces and Teams
Many organizations have strict security requirements. For example, organizations need the ability to segregate the duties of an administrator to ensure that a mistake or malicious act by one administrator doesn’t cause an outage. Kong Enterprise Gateway provides a number of security capabilities to help customers secure the administration environment.
Workspaces enable an organization to segment objects and admins into namespaces. The segmentation allows teams of admins sharing the same Kong Enterprise Gateway cluster to adopt roles for interacting with specific objects. For example, one team (Team A) may be responsible for managing a particular service, whereas another team (Team B) may be responsible for managing another service. Teams should only have the roles they need to perform the administrative tasks within their specific workspaces.
Kong Enterprise Gateway does all of this through Role-Based Access Control (RBAC). All administrators can be given specific roles, whether you are using Kong Manager or the Admin API, which control and limit the scope of administrative privileges within specific workspaces.
In this example, you’ll start by creating a simple workspace called “SecureWorkspace”. Then, you’ll create an administrator for that workspace, with rights to administer only the objects in the SecureWorkspace and nothing else.
Securing your Kong Enterprise Installation
At a high level, securing Kong Enterprise administration is a two-step process:
- Turn on RBAC.
- Create a Workspace and an admin for segregated administration.
At this point in the Getting Started Guide, you have been interacting with your environment as the built-in Super Admin,
kong_admin. The password for this
kong_admin user was “seeded” during the installation process using the KONG_PASSWORD environment variable. Once RBAC is enabled, you will need to authenticate to the Kong Manager and the Kong Admin API using the proper credentials.
In the following sections, you will need the
kong_admin account’s password in order to log in to Kong Enterprise, and the
kong_admin_uri needs to be configured to avoid getting CORS errors.
Turn on RBAC
To enable RBAC, you will need the initial KONG_PASSWORD that was used when you first installed Kong Enterprise Gateway and ran migrations. This is also the default password for the Super Admin, and will be required once RBAC is on.
Outside of this guide, you will likely want to modify these settings differently, depending on your installation. You can read more about these settings here: Basic Auth for Kong Manager.
Create a Workspace
Create an Admin
Next, create an admin for the SecureWorkspace, granting them permissions to manage only that workspace.
Verify the New Admin
That’s it! You are now controlling access to Kong Enterprise Gateway administration with RBAC.
Summary and next steps
In this topic, you:
- Enabled RBAC
- Created a workspace named
- Created an admin named
secureworkspaceadmin and granted them permissions to manage to everything in the
Next, set up the Kong Developer Portal.