Difference in end result between admin api and declarative config for consumers and acls

There seems to be a discrepancy between creating consumers with ACL groups using the admin api and declarative config. I am using the latest Kong 1.2.1 backed by Datastax Enterprise Cassandra 6.7.

With an empty bootstrapped database, creating 3 consumers with the admin api as below, 2 of them with the same acl groups associated, you end up with 3 consumer entries, 2 api key entries and 5 acls entries.

curl -s -X PUT  http://localhost:8001/consumers/web-portal                   --data-urlencode username=web-portal
curl -s -X POST http://localhost:8001/consumers/web-portal/acls              --data-urlencode group=legacy-group
curl -s -X POST http://localhost:8001/consumers/web-portal/acls              --data-urlencode group=sdk-group
curl -s -X POST http://localhost:8001/consumers/web-portal/key-auth          --data-urlencode key=12345
curl -s -X PUT  http://localhost:8001/consumers/device-portal                --data-urlencode username=device-portal
curl -s -X POST http://localhost:8001/consumers/device-portal/acls           --data-urlencode group=legacy-group
curl -s -X POST http://localhost:8001/consumers/device-portal/acls           --data-urlencode group=sdk-group
curl -s -X POST http://localhost:8001/consumers/device-portal/key-auth       --data-urlencode key=98765
curl -s -X PUT  http://localhost:8001/consumers/anonymous-device-portal      --data-urlencode username=anonymous-device-portal
curl -s -X POST http://localhost:8001/consumers/anonymous-device-portal/acls --data-urlencode group=anonymous-device

When creating the same config with the following declarative config file, we end up with the same 3 consumers, same 2 api keys but only 3 acls entries. This is imported with the kong config db_import command line on an empty bootstrapped database.
It appears that the groups for the device-portal consumer overwrite the ones for the web-portal and there are no acls entries for the web portal.

consumers:
  - username: web-portal
    keyauth_credentials:
      - key: "12345"
    acls:
      - group: legacy-group
      - group: sdk-group
  - username: device-portal
    keyauth_credentials:
      - key: "98765"
    acls:
      - group: legacy-group
      - group: sdk-group
  - username: anonymous-device-portal
    acls:
      - group: anonymous-device

The diff comparison below shows the consumers, key-auths and acls entries created by the admin api on the left and the declarative config on the right. I have changed the id numbers by hand in the declarative config to match for simplicity and ignored the created_at fields.

Left file: C:\cygwin64\home\gchristi\tmp\kong-adminapi
Right file: C:\cygwin64\home\gchristi\tmp\kong-declatative
Kong Consumers                                       =  Kong Consumers
{                                                       {
  "data": [                                               "data": [
    {                                                       {
      "created_at": 1565594794,                               "created_at": 1565595301,
      "custom_id": null,                                      "custom_id": null,
      "id": "d902e1f2-230b-4cb5-bf46-fefdeb38f721",           "id": "d902e1f2-230b-4cb5-bf46-fefdeb38f721",
      "tags": null,                                           "tags": null,
      "username": "anonymous-device-portal"                   "username": "anonymous-device-portal"
    },                                                      },
    {                                                       {
      "created_at": 1565594794,                               "created_at": 1565595301,
      "custom_id": null,                                      "custom_id": null,
      "id": "97424c04-3765-434b-966f-81e991e80e5f",           "id": "97424c04-3765-434b-966f-81e991e80e5f",
      "tags": null,                                           "tags": null,
      "username": "device-portal"                             "username": "device-portal"
    },                                                      },
    {                                                       {
      "created_at": 1565594794,                               "created_at": 1565595301,
      "custom_id": null,                                      "custom_id": null,
      "id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc",           "id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc",
      "tags": null,                                           "tags": null,
      "username": "web-portal"                                "username": "web-portal"
    }                                                       }
  ],                                                      ],
  "next": null                                            "next": null
}                                                       }

Kong API Keys                                           Kong API Keys
{                                                       {
  "data": [                                               "data": [
    {                                                       {
      "consumer": {                                           "consumer": {
        "id": "97424c04-3765-434b-966f-81e991e80e5f"            "id": "97424c04-3765-434b-966f-81e991e80e5f"
      },                                                      },
      "created_at": 1565594794,                               "created_at": 1565595301,
      "id": "c9262ec3-fcef-46bd-8bdc-ec8e6493ec7d",           "id": "c9262ec3-fcef-46bd-8bdc-ec8e6493ec7d",
      "key": "98765"                                          "key": "98765"
    },                                                      },
    {                                                       {
      "consumer": {                                           "consumer": {
        "id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc"            "id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc"
      },                                                      },
      "created_at": 1565594794,                               "created_at": 1565595301,
      "id": "dac590e8-098c-43d4-99b2-fc88f13ad561",           "id": "dac590e8-098c-43d4-99b2-fc88f13ad561",
      "key": "12345"                                          "key": "12345"
    }                                                       }
  ],                                                      ],
  "next": null                                            "next": null
}                                                       }

Kong ACLs                                               Kong ACLs
{                                                       {
  "data": [                                               "data": [
    {                                                       {
      "consumer": {                                           "consumer": {
        "id": "97424c04-3765-434b-966f-81e991e80e5f"            "id": "97424c04-3765-434b-966f-81e991e80e5f"
      },                                                      },
      "created_at": 1565594794,                               "created_at": 1565595301,
      "group": "sdk-group",                                   "group": "sdk-group",
      "id": "c6968844-4a91-4778-85b4-7783af3943d0"            "id": "c6968844-4a91-4778-85b4-7783af3943d0"
    },                                                      },
    {                                                       {
      "consumer": {                                           "consumer": {
        "id": "97424c04-3765-434b-966f-81e991e80e5f"            "id": "97424c04-3765-434b-966f-81e991e80e5f"
      },                                                      },
      "created_at": 1565594794,                               "created_at": 1565595301,
      "group": "legacy-group",                                "group": "legacy-group",
      "id": "956b201f-4b5a-4453-a8bb-377b3f1c08e7"            "id": "956b201f-4b5a-4453-a8bb-377b3f1c08e7"
    },                                                      },
    {                                                       {
      "consumer": {                                           "consumer": {
        "id": "d902e1f2-230b-4cb5-bf46-fefdeb38f721"            "id": "d902e1f2-230b-4cb5-bf46-fefdeb38f721"
      },                                                      },
      "created_at": 1565594794,                               "created_at": 1565595301,
      "group": "anonymous-device",                            "group": "anonymous-device",
      "id": "6fe8de14-6666-4545-be05-63d1b2dcce7f"            "id": "6fe8de14-6666-4545-be05-63d1b2dcce7f"
------------------------------------------------------------------------------------------------------------
    },                                               <>     }
    {
      "consumer": {
        "id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc"
      },
      "created_at": 1565594794,                      
      "group": "sdk-group",                          
      "id": "32b965bf-93eb-4dec-b083-9927542acf6b"
    },
    {
      "consumer": {
        "id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc"
      },
      "created_at": 1565594794,                      
      "group": "legacy-group",                       
      "id": "a7f134e0-60f2-4aeb-a675-5b35aa527b74"
    }
------------------------------------------------------------------------------------------------------------
  ],                                                 =    ],
  "next": null                                            "next": null
}                                                       }
------------------------------------------------------------------------------------------------------------

Am I doing something wrong in the declarative config or is this an issue?

The second issue I have is with the anonymous configuration of the key-auth plugin on a service/route. The purpose of the anonymous-device-portal consumer above is so that I can assign it to the anonymous config item on the key-auth plugin against a service or route. However, the anonymous config item of the key-auth plugin only accepts the UUID of the consumer. If this is the case, how am I supposed to configure this in the declarative config when it's not known?

Thanks
George
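
A post-import check for the discrepancy described above, as an added example that is not part of the original post or of Kong's code: it compares the ACL groups declared per consumer with what `GET /consumers` and `GET /acls` return, since a silently dropped group changes what the acl plugin allows for that consumer. The function names and the trimmed sample responses are constructed for illustration.

```python
import json

# Constructed from the thread: groups each consumer should hold per the YAML.
DECLARED = {
    "web-portal": {"legacy-group", "sdk-group"},
    "device-portal": {"legacy-group", "sdk-group"},
    "anonymous-device-portal": {"anonymous-device"},
}

# Constructed samples: GET /consumers and GET /acls bodies after db_import on
# 1.2.1, trimmed to the fields used here (ids are the ones shown in the post).
CONSUMERS_JSON = """{"data": [
 {"id": "d902e1f2-230b-4cb5-bf46-fefdeb38f721", "username": "anonymous-device-portal"},
 {"id": "97424c04-3765-434b-966f-81e991e80e5f", "username": "device-portal"},
 {"id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc", "username": "web-portal"}],
 "next": null}"""
ACLS_JSON = """{"data": [
 {"consumer": {"id": "97424c04-3765-434b-966f-81e991e80e5f"}, "group": "sdk-group"},
 {"consumer": {"id": "97424c04-3765-434b-966f-81e991e80e5f"}, "group": "legacy-group"},
 {"consumer": {"id": "d902e1f2-230b-4cb5-bf46-fefdeb38f721"}, "group": "anonymous-device"}],
 "next": null}"""


def stored_groups(consumers_json, acls_json):
    """Map username -> set of ACL groups from Admin API list responses.

    Assumes the caller already followed "next" and merged all pages.
    """
    by_id = {c["id"]: c["username"] for c in json.loads(consumers_json)["data"]}
    groups = {name: set() for name in by_id.values()}
    for acl in json.loads(acls_json)["data"]:
        cid = acl["consumer"]["id"]
        # An ACL pointing at an unknown consumer is reported under its raw id.
        groups.setdefault(by_id.get(cid, cid), set()).add(acl["group"])
    return groups


def acl_drift(declared, stored):
    """Return sorted (username, group, problem) tuples; empty means in sync."""
    findings = []
    for user in sorted(set(declared) | set(stored)):
        want, have = declared.get(user, set()), stored.get(user, set())
        findings += [(user, g, "missing") for g in sorted(want - have)]
        findings += [(user, g, "unexpected") for g in sorted(have - want)]
    return findings


if __name__ == "__main__":
    for finding in acl_drift(DECLARED, stored_groups(CONSUMERS_JSON, ACLS_JSON)):
        print(*finding)
```

Run against the declarative-import sample it reports the two web-portal groups as missing; fed the five ACL entries the admin api produced, it reports nothing.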

Have raised an issue https://github.com/Kong/kong/issues/4909 as this appears to be an issue when multiple consumers have the same group names associated with them. If consumers have unique groups they are created as expected.

Having said that, the second issue is still open: how do you stipulate the anonymous consumer for the key-auth plugin on a service/route as a UUID in declarative config?

Please see my comment on the Github Issue. Thanks!

Tested on 1.3.0rc1 and the issue has been resolved.

I still have that burning question on configuring the anonymous consumer config on the key-auth plugin when attaching the plugin to a route or service. If the field only supports the UUID of the consumer, how can it be configured in the declarative config when that is not known?

Thanks
George

You can specify the id in a consumer and then reference it in the plugin config:

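_format_version: "1.1"
consumers:
- id: <uuid-here>                    # fixed UUID you choose for the anonymous consumer
  username: anonymous-device-portal  # a consumer needs a username or custom_id
plugins:
- name: key-auth
  config:
    anonymous: <same-uuid-here>      # plugin settings live under config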

Ok thanks, so in this case I specify the consumer id and name rather than just a name and letting Kong create the id.

In this case I assume it's the id that takes precedence in defining the consumer? I.e. if I happened to use an id that, say, already existed for some other purpose, then I would assume the name of that consumer would change to the name in the config rather than create a new consumer as I would want it to.

Thanks
George

That’s correct.
Please do note that it is a UUID and the probability of that happening is extremely low.