Access Control Lists with Kong
The Business Problem
Access control is an important function in our daily lives, and it shows up in many different realms: a physical door, a software program, or an API. Access control simply means controlling who or what can access something.
We’re going to focus this discussion around access control for an API. Businesses benefit from providing APIs to their internal (and external) developers. Businesses want to know who is accessing the API and may want to control access to each API based on different metrics that drive revenues or save costs. For example, I may only want to provide access to an API for my customers and not my partners.
There are many reasons and methods for providing access control to an API. Today we’re going to take a closer look at how the Kong API Gateway can help us enforce access control using key authentication and access control lists.
Let’s imagine a scenario where we want to allow consumers in a specific group access to our Orders API, but deny access to everyone else. I have two consumers (consumerA and consumerB), and I want to allow access to the Orders API only to those that are customers, i.e., members of the customers group. This is a common business use case we see for internal or external access to an API. We can set this example up in Kong quickly. Here is a diagram that describes what we want to do.
Here are the commands to get this set up in Kong.
NOTE: This assumes you have Kong and httpie already installed.
1. Create consumers A and B
$ http post localhost:8001/consumers username=consumerA
$ http post localhost:8001/consumers username=consumerB
2. Create Key-Auth credentials for each consumer
$ http post localhost:8001/consumers/consumerA/key-auth key=keyA
$ http post localhost:8001/consumers/consumerB/key-auth key=keyB
3. Assign Consumer A to the customers group
$ http post localhost:8001/consumers/consumerA/acls group=customers
4. Create a Service and Route
$ http post localhost:8001/services name=OrdersAPI url=http://httpbin.org
$ http post localhost:8001/services/OrdersAPI/routes paths:='["/orders"]'
5. Create a key-auth and ACL plugin at the service level to limit access to a group
$ http -f localhost:8001/services/OrdersAPI/plugins name=key-auth
$ http -f localhost:8001/services/OrdersAPI/plugins name=acl config.whitelist=customers
6. Test to make sure only consumerA can access the API
$ http get localhost:8000/orders apikey:keyA
$ http get localhost:8000/orders apikey:keyB
The first request succeeds, while the second comes back Forbidden: consumerB authenticated with a valid key but is not in the customers group. This means the access control list is working.
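To make the two plugins' division of labour explicit, here is an added Python model of the decision Kong makes on each request (an illustration written for this post, not Kong's own code). It assumes the consumers, keys and group from the steps above and also covers the missing-key and unknown-key cases the walkthrough does not send.

```python
"""Model of key-auth followed by acl, as configured in the walkthrough.

Added illustration only: it reproduces the outcomes of the steps above
(keyA -> 200, keyB -> 403) and the cases the post does not try.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Gateway:
    keys: dict = field(default_factory=dict)    # consumer -> set of API keys
    groups: dict = field(default_factory=dict)  # consumer -> set of ACL groups
    # ACL plugin config on the service: exactly one of allow / deny is set
    # (config.whitelist in the post; newer Kong releases call it config.allow)
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()

    def add_consumer(self, username: str, key: str, *groups: str) -> None:
        self.keys.setdefault(username, set()).add(key)
        self.groups.setdefault(username, set()).update(groups)

    def decide(self, apikey: Optional[str]) -> tuple:
        """Return (HTTP status, reason) for a request carrying `apikey`."""
        if self.allow and self.deny:
            raise ValueError("acl: configure either allow or deny, not both")
        # key-auth runs first: authentication failures are 401, never 403
        if apikey is None:
            return 401, "missing api key"
        consumer = next((u for u, ks in self.keys.items() if apikey in ks), None)
        if consumer is None:
            return 401, "unknown api key"
        # acl runs second, on the groups of the authenticated consumer
        member = self.groups.get(consumer, set())
        if self.allow and not (member & self.allow):
            return 403, f"{consumer} is in no allowed group"
        if self.deny and (member & self.deny):
            return 403, f"{consumer} is in a denied group"
        return 200, f"proxied as {consumer}"


def walkthrough() -> dict:
    """Steps 1-6 of the post, expressed against the model."""
    gw = Gateway(allow=frozenset({"customers"}))        # config.whitelist=customers
    gw.add_consumer("consumerA", "keyA", "customers")   # step 3 puts only A in the group
    gw.add_consumer("consumerB", "keyB")                # B has a key but no group
    return {"keyA": gw.decide("keyA")[0], "keyB": gw.decide("keyB")[0],
            "none": gw.decide(None)[0], "bogus": gw.decide("not-a-key")[0]}
```

The point to take from the model is the status code split: a 401 means the request never identified a consumer, a 403 means a known consumer was refused by the ACL, so the two should be monitored separately.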
There are many reasons why a business would want to limit the access to an API to specific clients or consumers. You can easily enforce this type of access control in Kong to take control of the access to your API and ensure you know who is using your service.
For more advanced access control mechanisms, you can look at the Kong gateway, which also gives you the ability to use a central identity/token management system and make use of the OpenID Connect and OAuth 2.0 standards.
Learn more about the Kong Enterprise Service Control Platform