Enable RBAC

Introduction

Role-based access control (RBAC) adds user roles and permissions to Kong Enterprise Admin API and Kong Manager. RBAC allows you to create multiple administrators with varying levels of permission to access different Kong entities. For example, you may create administrator accounts that can:

  • Access and modify all entities, including RBAC accounts (a superuser account).
  • Access and modify entities other than RBAC accounts (a standard administrator).
  • Read status information only (a monitoring account).
  • Access and modify consumer entities, but not API or plugin configuration (an end-user account administrator).

Learning Lab

RBAC provides flexibility and secures access to Kong. In this learning lab, you will:

  1. Create an RBAC user named super-admin
  2. Enable and verify that RBAC is enforced on Kong
  3. Access Kong using the RBAC user token

High Level Tasks

  • Step 0: Review: Setup the environment
  • Step 1: Create an RBAC user named super-admin
  • Step 2: Set a variable $user_token with the super-admin token
  • Step 3: Enforce RBAC on Kong
  • Step 4: Access Kong using the RBAC user token

Step 0: Review: Setup the environment

Let’s set up the environment. The setup script does the following:

  1. Creates a Docker Network called kong-net
  2. Installs and starts the database
  3. Prepares your database (Kong migration)
  4. Installs and starts Kong with environment variables and configurations

Launch Setup Script

Run this script in the terminal to set up your environment (~30 seconds).

launch.sh

Step 1: Create Super Admin User

Create the RBAC user, named super-admin:

http post :8001/rbac/users \
name=super-admin

Because the user name super-admin coincides with the existing super-admin role, the user is automatically added to that role. This can be confirmed with the following commands.

Verify super-admin role

http get :8001/rbac/users/super-admin/roles
http get :8001/rbac/users/super-admin

Step 2: Set Variable for super-admin user token

Set the variable for the super-admin user token (the JSON field is extracted with Python; print(...) works with both Python 2 and 3):

user_token=$(curl -s 'http://localhost:8001/rbac/users/super-admin' | python -c "import sys, json; print(json.load(sys.stdin)['user_token'])")

Verify variable is set

echo "$user_token"
http get :8001/rbac/users/super-admin

Important Note: As the super-admin user has just been created, the Kong Admin may now restart Kong with RBAC enforced.

Optional: you can set the variable manually.

To do so, run the following command:

export user_token=<super-admin user_token>

Important Note: You should only do this for this training exercise, so that you can retrieve the user token. In a production environment, make sure you secure this token: it gives access to your entire system.


Step 3: Enforce RBAC

docker exec -it kong-ee /bin/sh
KONG_ENFORCE_RBAC=on kong reload --vv
exit

Note: In this environment you are using a Docker container. This command docker exec -it kong-ee /bin/sh gives you access to the container shell.

This command KONG_ENFORCE_RBAC=on kong reload --vv will enforce RBAC and reload the Kong configurations.


Step 4: Access Kong using the RBAC user token

Verify RBAC is enabled

http get :8001

What message do you get?

Verify access using RBAC token

http get :8001 \
Kong-Admin-Token:$user_token
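The following script is an added example (not part of the original lab) that turns Steps 2 and 4 into a repeatable check: it extracts user_token from the JSON returned by the RBAC user endpoint and compares the Admin API status codes with and without the Kong-Admin-Token header. It assumes curl and either jq or python3 are available, and reads the Admin API URL from the hypothetical KONG_ADMIN_URL variable (default http://localhost:8001).

```shell
#!/bin/sh
# Added example: verify that RBAC enforcement rejects anonymous Admin API calls
# and accepts the super-admin token. KONG_ADMIN_URL is an assumed variable name.
ADMIN_URL="${KONG_ADMIN_URL:-http://localhost:8001}"

# Read the JSON body of GET /rbac/users/<name> on stdin and print user_token.
extract_user_token() {
  if command -v jq >/dev/null 2>&1; then
    jq -r '.user_token'
  else
    python3 -c 'import sys, json; print(json.load(sys.stdin)["user_token"])'
  fi
}

# Print only the HTTP status code of GET <ADMIN_URL>/, with an optional token.
admin_status() {
  if [ -n "$1" ]; then
    curl -s -o /dev/null -w '%{http_code}' -H "Kong-Admin-Token: $1" "$ADMIN_URL/"
  else
    curl -s -o /dev/null -w '%{http_code}' "$ADMIN_URL/"
  fi
}

# Classify the pair (anonymous status, token status):
#   401/200 -> RBAC is enforced and the token is valid
#   200/*   -> RBAC is not enforced (anonymous access still works)
#   other   -> something else is wrong (bad token, Kong down, ...)
rbac_verdict() {
  anon="$1"; auth="$2"
  if [ "$anon" = "401" ] && [ "$auth" = "200" ]; then
    echo "enforced"
  elif [ "$anon" = "200" ]; then
    echo "not-enforced"
  else
    echo "unexpected"
  fi
}

# Run the live check only when invoked as: sh rbac_check.sh --run
if [ "${1:-}" = "--run" ]; then
  token=$(curl -s "$ADMIN_URL/rbac/users/super-admin" | extract_user_token)
  verdict=$(rbac_verdict "$(admin_status)" "$(admin_status "$token")")
  echo "RBAC check: $verdict"
  [ "$verdict" = "enforced" ] || exit 1
fi
```

Run it once before and once after Step 3: the verdict should change from not-enforced to enforced.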

What’s Next:

In the next learning lab, this RBAC super admin user will create teams and workspaces.

Learning Challenge:

Alternative options to enforce RBAC are:

  • Option 1: Modify kong.conf to enforce RBAC by uncommenting the following line and setting it to on:

enforce_rbac = on

  • Option 2: Modify the container environment variables to enable RBAC. In the example below, RBAC is enforced with KONG_ENFORCE_RBAC=on, and basic authentication for Kong Manager is enabled with KONG_ADMIN_GUI_AUTH=basic-auth:
docker run -d --name kong-ee --link kong-ee-database:kong-ee-database --net kong-net \
-e "KONG_DATABASE=postgres" \
-e "KONG_PG_HOST=kong-ee-database" \
-e "KONG_CASSANDRA_CONTACT_POINTS=kong-ee-database" \
-e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
-e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
-e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
-e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
-e "KONG_ADMIN_LISTEN=0.0.0.0:8001" \
-e "KONG_PORTAL=on" \
-e "KONG_LICENSE_DATA=$KONG_LICENSE_DATA" \
-e "KONG_PROXY_LISTEN=0.0.0.0:8000, 0.0.0.0:8443 ssl" \
-e "KONG_ADMIN_GUI_LISTEN=0.0.0.0:8002" \
-e "KONG_PORTAL_GUI_LISTEN=0.0.0.0:8003" \
-e "KONG_VITALS=on" \
-e "KONG_ADMIN_GUI_AUTH=basic-auth" \
-e "KONG_ENFORCE_RBAC=on" \
-p 8000:8000 \
-p 8443:8443 \
-p 8001:8001 \
-p 8444:8444 \
-p 8002:8002 \
-p 8445:8445 \
-p 8003:8003 \
-p 8004:8004 \
-v /var/run/docker.sock:/var/run/docker.sock kong-ee

Important Note: Be careful with this option: if you did not bootstrap your Kong configuration with a super-admin user first, you will essentially be locked out.
