Get Started - Explore RBAC - Super-Admin Configures Workspaces
Introduction
In the previous lab, you created an RBAC super admin user and enabled RBAC on Kong. Let's now use this RBAC super admin to configure workspaces and administrators.
Learning Lab
In this learning lab, you will use the Kong Super Admin RBAC user to create 3 workspaces each with 1 administrator.
High Level Tasks
Pre-requisites:
- Step 0: Review: Setup the environment
- Step 0: Review: Create RBAC super-admin user and enable RBAC
The Kong Super Admin user you previously created will:
- Step 1: Create 3 workspaces
- Step 2: Create an admin for each workspace
- Step 3: Verify each admin belongs to correct workspace
- Step 4: Create admin role for each workspace
- Step 5: Add workspace admin to role
- Step 6: Verify each workspace admin has appropriate access
Step 0: Review: Setup the environment
Let's set up the environment that will load the following
Launch Setup Script
Run this script in the terminal to set up your environment (~30 seconds).
launch.sh
Step 0: Review: Create RBAC super-admin user and enable RBAC
ADD SCRIPT HERE
Step 1: Create 3 workspaces
The Super Admin will now set up our 3 teams: teamA, teamB, and teamC, creating one workspace and one admin for each. Enough talking.
Create workspaces for each team
This overlaps a bit with Workspaces Examples, yes, but it will make our exploration of RBAC + Workspaces easier:
Team A:
http post :8001/workspaces \
name=teamA \
Kong-Admin-Token:$user_token
Team B:
http post :8001/workspaces \
name=teamB \
Kong-Admin-Token:$user_token
Team C:
http post :8001/workspaces \
name=teamC \
Kong-Admin-Token:$user_token
Note: This is the RBAC Super Admin creating workspaces; note his token being passed in through the Kong-Admin-Token HTTP header.
Step 2: Create an admin for each workspace
Team A:
http post :8001/teamA/rbac/users \
name=adminA \
Kong-Admin-Token:$user_token
Team B:
http post :8001/teamB/rbac/users \
name=adminB \
Kong-Admin-Token:$user_token
Team C:
http post :8001/teamC/rbac/users \
name=adminC \
Kong-Admin-Token:$user_token
Step 3: Verify each admin belongs to correct workspace
Each team now has one admin. Let's verify that each admin can only be seen in his/her corresponding workspace:
- adminA ⇒ teamA workspace
- adminB ⇒ teamB workspace
- adminC ⇒ teamC workspace
http get :8001/teamA/rbac/users \
Kong-Admin-Token:$user_token
Similarly, workspaces teamB and teamC only show their respective admins:
http get :8001/teamB/rbac/users \
Kong-Admin-Token:$user_token
http get :8001/teamC/rbac/users \
Kong-Admin-Token:$user_token
Set variables for the adminA, adminB and adminC user tokens
Let’s set these variables for later use.
adminA_user_token variable
adminA_user_token=$(http get :8001/teamA/rbac/users/adminA Kong-Admin-Token:$user_token | python3 -c "import sys, json; print(json.load(sys.stdin)['user_token'])")
adminB_user_token variable
adminB_user_token=$(http get :8001/teamB/rbac/users/adminB Kong-Admin-Token:$user_token | python3 -c "import sys, json; print(json.load(sys.stdin)['user_token'])")
adminC_user_token variable
adminC_user_token=$(http get :8001/teamC/rbac/users/adminC Kong-Admin-Token:$user_token | python3 -c "import sys, json; print(json.load(sys.stdin)['user_token'])")
Step 4: Create admin role for each workspace
The Super Admin is now done creating the RBAC Admin users for each workspace. The next task is to create admin roles that effectively grant permissions to admin users.
The admin role must have access to all of the Admin API, restricted to his workspace. In the configuration, pay close attention to the request parameters.
Set up the Admin role
http :8001/teamA/rbac/roles/ \
name=admin \
Kong-Admin-Token:$user_token
Create role endpoint permissions:
http :8001/teamA/rbac/roles/admin/endpoints/ \
endpoint=* \
workspace=teamA \
actions=* \
Kong-Admin-Token:$user_token
Step 5: Add workspace admin to role
Add adminA user to Workspace teamA
The next logical step is to add the adminA user (the admin of Team A) to the admin role in his workspace:
http post :8001/teamA/rbac/users/adminA/roles/ \
roles=admin \
Kong-Admin-Token:$user_token
Note the admin role in the list above.
Step 6: Verify AdminA user has access to only his workspace
With these steps, Team A’s admin user is now able to manage his team. To validate that, let’s try to list RBAC users in Team B using Team A’s admin user token—and see that we are not allowed to do so.
Verify the adminA user does not have access to the teamB workspace
http get :8001/teamB/rbac/users \
Kong-Admin-Token:$adminA_user_token
What message do you get?
{ "message": "Invalid RBAC credentials" }
Verify the adminA user has access to the teamA workspace
adminA should have access to the teamA workspace.
http get :8001/teamA/rbac/users/ \
Kong-Admin-Token:$adminA_user_token
What message do you get?
Next Steps: Repeat Steps 4-6 for Team B/C
Repeat the same procedure for Team B and Team C. Each will end up with a similar setup: an admin role and an admin user, both restricted to the team's workspace.
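Steps 1 to 6 as per-team shell functions, an added example that is not part of the original lab, so that teamB and teamC get exactly the same workspace-scoped setup as teamA and the copy-paste risk of repeating the commands by hand is removed. It assumes httpie, python3, the Kong Admin API on :8001 and the super admin token in $user_token as in the lab; KONG, HTTP_CMD, setup_team, admin_token and verify_team are names introduced here.

```shell
#!/usr/bin/env bash
# Added example, not part of the original lab: Steps 1-6 as reusable shell
# functions so teamB and teamC get exactly the same setup as teamA.
# Assumes httpie (http), python3, the Kong Admin API on :8001 and the super
# admin token in $user_token, as in the lab. HTTP_CMD=echo dry-runs the calls.
set -eu

KONG=${KONG:-:8001}
HTTP_CMD=${HTTP_CMD:-http}

# Steps 1, 2, 4 and 5 for one team: workspace, admin user, an "admin" role
# whose endpoint permission is scoped to that workspace, and the role binding.
setup_team() {
  local team=$1 admin=$2
  $HTTP_CMD post "$KONG/workspaces" name="$team" Kong-Admin-Token:"$user_token"
  $HTTP_CMD post "$KONG/$team/rbac/users" name="$admin" Kong-Admin-Token:"$user_token"
  $HTTP_CMD post "$KONG/$team/rbac/roles" name=admin Kong-Admin-Token:"$user_token"
  $HTTP_CMD post "$KONG/$team/rbac/roles/admin/endpoints" \
    endpoint='*' workspace="$team" actions='*' Kong-Admin-Token:"$user_token"
  $HTTP_CMD post "$KONG/$team/rbac/users/$admin/roles" roles=admin Kong-Admin-Token:"$user_token"
}

# Step 3 variable: read the team admin's own user_token (needs a live Kong).
admin_token() {
  $HTTP_CMD get "$KONG/$1/rbac/users/$2" Kong-Admin-Token:"$user_token" \
    | python3 -c "import sys, json; print(json.load(sys.stdin)['user_token'])"
}

# Step 6: the admin token must list users in its own workspace and must be
# rejected in another team's workspace (the lab shows "Invalid RBAC credentials";
# --check-status turns that 4xx into a non-zero exit, which is the pass here).
verify_team() {
  local team=$1 token=$2 other=$3
  $HTTP_CMD --check-status --quiet get "$KONG/$team/rbac/users" Kong-Admin-Token:"$token"
  if $HTTP_CMD --check-status --quiet get "$KONG/$other/rbac/users" Kong-Admin-Token:"$token"; then
    echo "FAIL: $team admin can read the $other workspace" >&2
    return 1
  fi
  echo "OK: $team admin is confined to $team"
}

# Example run (constructed): all three teams, then cross-check A against B.
if [ "${RUN_LAB:-0}" = 1 ]; then
  setup_team teamA adminA; setup_team teamB adminB; setup_team teamC adminC
  verify_team teamA "$(admin_token teamA adminA)" teamB
fi
```

Run with RUN_LAB=1 against the lab environment, or with HTTP_CMD=echo to see the exact Admin API calls each team would receive.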
What’s Next
This ends the Super Admin user's participation in configuring Kong. Each team admin is now able to set up his team's users and entities! Let's explore this in the next learning lab.