Configuration question for multi-tenant setup

We’re planning to use Kong as an API gateway in front of a set of services. Our product is a multi-tenant solution where each tenant has a number of users.

Requirements

  • A user with admin rights within a tenant can issue an API key which grants access to the APIs but limits the access to that specific tenant.
  • Several API keys may be issued for the same tenant
  • API keys should only have access to a selected set of services
  • All services and all tenants are served by a single host (api.example.com)

My ideas

I thought of solving this by

  • Creating services with corresponding routes /service-a, /service-b
  • The routes will have ACL plugins requiring the consumer to have a specific group (/service-a requiring group-a, etc.)
  • Creating a new Kong Consumer for every issued API key.
  • The consumers will have groups added corresponding to the services served.
  • The consumers will have individual Request Transformer plugins set up which adds a “X-Tenant-Id” header so the upstream services know which tenant to serve

Questions

  1. Is this a good way of configuring Kong for my use case?
  2. Assuming there are 10,000 tenants, all with 2 API keys, there will be 20,000 request-transformer plugins running. Is that OK?
  3. Is there a way to have a database table with API keys and tenant IDs and make the above mapping dynamically?
  4. How can I make sure the “X-Tenant-Id” (and other internal headers) are stripped from the client requests? I could delete it with a request transformer, but the order of the transformers is not easily controlled (all have priority 801 and, when configured with decK, there is no way of controlling creation order).
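The following decK declarative file is an added example of the layout described in the post (one consumer per issued API key, ACL groups per service, a per-consumer request-transformer carrying the tenant id); it is not the poster's configuration and not taken from Kong's own documentation. Service upstream URLs, consumer names, tenant ids and the API key values are constructed placeholders. It also shows how the per-consumer transformer itself can strip a client-supplied `X-Tenant-Id` before adding the trusted value, which sidesteps the plugin-ordering problem in question 4: within a single request-transformer instance, `remove` runs before `add`, so no second plugin and no creation-order guarantee is needed.

```yaml
_format_version: "3.0"

services:
  # One Kong service per upstream, each with one path-based route.
  - name: service-a
    url: http://service-a.internal:8080   # placeholder upstream
    routes:
      - name: service-a-route
        paths:
          - /service-a
    plugins:
      # Every API key is a key-auth credential on a consumer; hide_credentials
      # keeps the key itself from being forwarded to the upstream.
      - name: key-auth
        config:
          key_names:
            - apikey
          hide_credentials: true
      # Only consumers in group-a may reach this service. hide_groups_header
      # stops Kong from forwarding X-Consumer-Groups to the upstream.
      - name: acl
        config:
          allow:
            - group-a
          hide_groups_header: true

  - name: service-b
    url: http://service-b.internal:8080   # placeholder upstream
    routes:
      - name: service-b-route
        paths:
          - /service-b
    plugins:
      - name: key-auth
        config:
          key_names:
            - apikey
          hide_credentials: true
      - name: acl
        config:
          allow:
            - group-b
          hide_groups_header: true

consumers:
  # One consumer per issued API key. custom_id records the tenant the key
  # belongs to; two keys for the same tenant are two consumers with the
  # same custom_id.
  - username: tenant-1001-key-1
    custom_id: tenant-1001
    keyauth_credentials:
      - key: REPLACE_WITH_GENERATED_KEY_1   # placeholder, generate per key
    acls:
      - group: group-a
      - group: group-b
    plugins:
      - name: request-transformer
        config:
          # remove runs before add inside one plugin instance, so a value
          # sent by the client is discarded and the trusted one is set.
          remove:
            headers:
              - X-Tenant-Id
          add:
            headers:
              - X-Tenant-Id:tenant-1001

  - username: tenant-1001-key-2
    custom_id: tenant-1001
    keyauth_credentials:
      - key: REPLACE_WITH_GENERATED_KEY_2   # placeholder
    acls:
      - group: group-a                      # this key only sees service-a
    plugins:
      - name: request-transformer
        config:
          remove:
            headers:
              - X-Tenant-Id
          add:
            headers:
              - X-Tenant-Id:tenant-1001

  - username: tenant-2002-key-1
    custom_id: tenant-2002
    keyauth_credentials:
      - key: REPLACE_WITH_GENERATED_KEY_3   # placeholder
    acls:
      - group: group-b
    plugins:
      - name: request-transformer
        config:
          remove:
            headers:
              - X-Tenant-Id
          add:
            headers:
              - X-Tenant-Id:tenant-2002
```

A request with a key that is not in the required group is rejected by the ACL plugin before the upstream is called, and a request with no key is rejected by key-auth first (the ACL plugin only runs after a consumer has been identified). Because the `X-Tenant-Id` value is derived from the authenticated consumer rather than from anything the client sent, the upstream can treat it as trusted, but only if the upstream is not reachable except through the gateway; that network restriction is what makes the header a safe tenant boundary. The remaining question of scale (one request-transformer instance per consumer) is not changed by this layout; it only removes the need for a separate header-stripping plugin whose position relative to the others cannot be guaranteed.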