ACL anomaly improper behaviour

Hi,

Iam not able to access non acl configured routes. For eg

1] Create a service and register 2 routes
2] Create a consumer
3] add one route to an acl group say group1
4] Now try accessing both routes
5] Expected behavior one route must be non consumable, but here both are non consumable getting same error.

{"message":"You cannot consume this service"}

kindly let me know if you need any further info.

Hi,

Yes, please provide more information:

  • How is your ACL plugin configured (whitelist or blacklist? which groups on each? Is it assigned to a Service/Consumer? Or is it global?).
  • Do you see any messages in the nginx logs?
  • How are you authenticating your consumers in Kong?

1] ACL is configured with Whitelist.
2] one route is registered with group1
3] another route is not registered to any group
4] ACL is assigned to a consumer not global. with the same group name group1.
5] I am authenticating user with basic-auth plugin which is also registered with the routes
6] Nginx error
2018/06/18 10:44:06 [error] 52#0: *2873549 [lua] handler.lua:63: [acl plugin] Cannot identify the consumer, add an authentication plugin to use the ACL plugin, client: x.x.x.x, server: kong, request: "GET /api_new/get?client=ubuntu&channel=fs&q=kong+rest+api&ie=utf-8&oe=utf-8 HTTP/1.1", host: "x.x.x.x"

This /api_new route is not registered to any acl neither to basic-auth

The message you are seeing in the log is the key.

Cannot identify the consumer, add an authentication plugin to use the ACL plugin

This indicates that your problem is not with the ACL plugin, but with your authentication.

I suggest removing both the ACL and the basic-auth plugin and starting from scratch. First create a basic-auth plugin associated to the Service. Then check that you can successfully use both of the Service’s routes using credentials, and you are not allowed access without them.

Once you have that working, proceed to installing the ACL plugin as you did before (restricting access to one route, allowing access to the other). Don’t forget to add the credential header in your request when testing ACL.

The relevant docs about basic-auth credentials can be found here:

Hi,
Sure I shall do it, but how to delete the plugin basic-auth of a consumer? or should i create a new consumer? I dint see any reference for that.

Thanks

curl -X DELETE http://kong:8001/consumers/{consumer}/basic-auth/{id}

{consumer} = consmers id in db
{id} = the basic auth cred pair’s id in db

@kikito and @jeremyjpj0916 thanks for the support.

I tried the steps enumerated above and it seems to be working properly. How to close this issue?

Meanwhile i created a new issue regarding rate-limiting . Mind to take a look at it?

Regards and thanks once again