
Authentication enabled on Admin API

Open csabatini opened this issue 6 years ago • 4 comments

I'm not that familiar with Go, but it seems like the project doesn't support the case when auth is enabled? That requires adding the 'apikey' header in HTTP requests.

csabatini • Jan 14 '19 22:01

Hi @csabatini, thank you for pointing this out. Could you please describe this use case in more detail? I did not find any reference where the admin API can request auth using an API key.

There is a key authentication plugin: https://docs.konghq.com/hub/kong-inc/key-auth/ that can be enabled for services/routes (but not for the API interface, if I understand correctly).

There is also a reference on securing the admin API: https://docs.konghq.com/1.0.x/secure-admin-api/ but there I also cannot see a possibility of enabling apikey for the admin interface.

romanovskyj • Jan 16 '19 06:01

Sure, yes you're right, my team is using the key-auth plugin you referenced in front of the admin API. I found this recommended on the Kong mailing list below:

https://groups.google.com/forum/#!topic/konglayer/veIk6o-UXuY

I can't find the key-auth documentation for the API endpoint, but we use this scripting to enable the key-auth plugin for the admin API (we are on Kong Enterprise Version 0.33)

curl -X POST $kong_admin_host/apis/ --data 'name=kong-admin' --data 'uris=/kong-admin' --data "upstream_url=https://$kong_upstream_host" --data 'preserve_host=true'
curl -X POST --url $kong_admin_host/apis/kong-admin/plugins/ --data 'name=key-auth'
curl -X POST --url $kong_admin_host/consumers/ --data 'username=testuser'
curl -X POST --url $kong_admin_host/consumers/testuser/key-auth/ --data 'key=testkey'

csabatini • Jan 16 '19 20:01

Would you be interested in a PR for this? I have a fork that I'm working on and trying out in my Kong environment. It's adding an optional '--key' argument to be used by the HTTP client.

I also had an issue that when passing a non-root admin URL (e.g. http://localhost:8001/kong-admin), the base path is dropped and replaced with the API path. That's a simple fix and I added a test for it in my changes.

Here is the log output I get when importing the config without an API key. Exporting doesn't surface the error.

The configuration is importing...
2019/01/17 15:45:04 No API key found in request
2019/01/17 15:45:04 Was not able to create resource

csabatini • Jan 17 '19 16:01
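The two client-side changes described in the comment above (an optional key sent as the 'apikey' header, and keeping a non-root admin base path such as /kong-admin), shown in Go as an added example. It is not gongfig's code or the code from the fork; the `AdminRequest` helper and its parameters are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// AdminRequest (hypothetical helper, not part of gongfig) builds a request for
// a Kong Admin API that may sit under a non-root path and behind key-auth.
func AdminRequest(method, adminURL, resource, key string, body io.Reader) (*http.Request, error) {
	base, err := url.Parse(adminURL)
	if err != nil {
		return nil, fmt.Errorf("parse admin url: %w", err)
	}
	if base.Scheme == "" || base.Host == "" {
		return nil, fmt.Errorf("admin url %q must be absolute", adminURL)
	}
	// Append the resource to the base path. Resolving "/consumers/" as a URL
	// reference against the base would replace "/kong-admin" instead of
	// extending it.
	target := *base
	target.RawPath = ""
	target.Path = strings.TrimRight(base.Path, "/") + "/" + strings.TrimLeft(resource, "/")

	req, err := http.NewRequest(method, target.String(), body)
	if err != nil {
		return nil, err
	}
	// Send the credential in the 'apikey' header only when a key was given,
	// so an Admin API without key-auth in front of it keeps working.
	if key != "" {
		req.Header.Set("apikey", key)
	}
	return req, nil
}

func main() {
	// Constructed sample values, taken from the names used in the thread.
	req, err := AdminRequest(http.MethodGet, "http://localhost:8001/kong-admin", "/consumers/", "testkey", nil)
	if err != nil {
		panic(err)
	}
	// Log the target only; the key value itself stays out of the output.
	fmt.Println(req.Method, req.URL, "apikey set:", req.Header.Get("apikey") != "")
}
```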

The PR for both key and non-root will be highly appreciated, especially with tests. Thanks!

romanovskyj • Jan 18 '19 06:01