There seems to be a discrepancy between creating consumers with ACL groups using the Admin API and using declarative config. I am using the latest Kong 1.2.1 backed by Datastax Enterprise Cassandra 6.7.
With an empty bootstrapped database, creating 3 consumers with the Admin API as below, 2 of them with the same ACL groups associated with them, you end up with 3 consumer entries, 2 API key entries and 5 acls entries.
curl -s -X PUT http://localhost:8001/consumers/web-portal --data-urlencode username=web-portal
curl -s -X POST http://localhost:8001/consumers/web-portal/acls --data-urlencode group=legacy-group
curl -s -X POST http://localhost:8001/consumers/web-portal/acls --data-urlencode group=sdk-group
curl -s -X POST http://localhost:8001/consumers/web-portal/key-auth --data-urlencode key=12345
curl -s -X PUT http://localhost:8001/consumers/device-portal --data-urlencode username=device-portal
curl -s -X POST http://localhost:8001/consumers/device-portal/acls --data-urlencode group=legacy-group
curl -s -X POST http://localhost:8001/consumers/device-portal/acls --data-urlencode group=sdk-group
curl -s -X POST http://localhost:8001/consumers/device-portal/key-auth --data-urlencode key=98765
curl -s -X PUT http://localhost:8001/consumers/anonymous-device-portal --data-urlencode username=anonymous-device-portal
curl -s -X POST http://localhost:8001/consumers/anonymous-device-portal/acls --data-urlencode group=anonymous-device
When creating the same config with the following declarative config file, we end up with the same 3 consumers and the same 2 API keys, but only 3 acls entries. This is imported with the kong config db_import command line on an empty bootstrapped database.
It appears that the groups for the device-portal consumer overwrite the ones for the web-portal and there are no acls entries for the web portal.
consumers:
- username: web-portal
  keyauth_credentials:
  - key: "12345"
  acls:
  - group: legacy-group
  - group: sdk-group
- username: device-portal
  keyauth_credentials:
  - key: "98765"
  acls:
  - group: legacy-group
  - group: sdk-group
- username: anonymous-device-portal
  acls:
  - group: anonymous-device
The diff comparison below shows the consumers, key-auth and acls entries created by the Admin API on the left and by the declarative config on the right. I have changed the ID numbers by hand in the declarative config to match for simplicity and ignored the created_at fields.
Left file: C:\cygwin64\home\gchristi\tmp\kong-adminapi
Right file: C:\cygwin64\home\gchristi\tmp\kong-declatative
Kong Consumers = Kong Consumers
{ {
"data": [ "data": [
{ {
"created_at": 1565594794, "created_at": 1565595301,
"custom_id": null, "custom_id": null,
"id": "d902e1f2-230b-4cb5-bf46-fefdeb38f721", "id": "d902e1f2-230b-4cb5-bf46-fefdeb38f721",
"tags": null, "tags": null,
"username": "anonymous-device-portal" "username": "anonymous-device-portal"
}, },
{ {
"created_at": 1565594794, "created_at": 1565595301,
"custom_id": null, "custom_id": null,
"id": "97424c04-3765-434b-966f-81e991e80e5f", "id": "97424c04-3765-434b-966f-81e991e80e5f",
"tags": null, "tags": null,
"username": "device-portal" "username": "device-portal"
}, },
{ {
"created_at": 1565594794, "created_at": 1565595301,
"custom_id": null, "custom_id": null,
"id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc", "id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc",
"tags": null, "tags": null,
"username": "web-portal" "username": "web-portal"
} }
], ],
"next": null "next": null
} }
Kong API Keys Kong API Keys
{ {
"data": [ "data": [
{ {
"consumer": { "consumer": {
"id": "97424c04-3765-434b-966f-81e991e80e5f" "id": "97424c04-3765-434b-966f-81e991e80e5f"
}, },
"created_at": 1565594794, "created_at": 1565595301,
"id": "c9262ec3-fcef-46bd-8bdc-ec8e6493ec7d", "id": "c9262ec3-fcef-46bd-8bdc-ec8e6493ec7d",
"key": "98765" "key": "98765"
}, },
{ {
"consumer": { "consumer": {
"id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc" "id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc"
}, },
"created_at": 1565594794, "created_at": 1565595301,
"id": "dac590e8-098c-43d4-99b2-fc88f13ad561", "id": "dac590e8-098c-43d4-99b2-fc88f13ad561",
"key": "12345" "key": "12345"
} }
], ],
"next": null "next": null
} }
Kong ACLs Kong ACLs
{ {
"data": [ "data": [
{ {
"consumer": { "consumer": {
"id": "97424c04-3765-434b-966f-81e991e80e5f" "id": "97424c04-3765-434b-966f-81e991e80e5f"
}, },
"created_at": 1565594794, "created_at": 1565595301,
"group": "sdk-group", "group": "sdk-group",
"id": "c6968844-4a91-4778-85b4-7783af3943d0" "id": "c6968844-4a91-4778-85b4-7783af3943d0"
}, },
{ {
"consumer": { "consumer": {
"id": "97424c04-3765-434b-966f-81e991e80e5f" "id": "97424c04-3765-434b-966f-81e991e80e5f"
}, },
"created_at": 1565594794, "created_at": 1565595301,
"group": "legacy-group", "group": "legacy-group",
"id": "956b201f-4b5a-4453-a8bb-377b3f1c08e7" "id": "956b201f-4b5a-4453-a8bb-377b3f1c08e7"
}, },
{ {
"consumer": { "consumer": {
"id": "d902e1f2-230b-4cb5-bf46-fefdeb38f721" "id": "d902e1f2-230b-4cb5-bf46-fefdeb38f721"
}, },
"created_at": 1565594794, "created_at": 1565595301,
"group": "anonymous-device", "group": "anonymous-device",
"id": "6fe8de14-6666-4545-be05-63d1b2dcce7f" "id": "6fe8de14-6666-4545-be05-63d1b2dcce7f"
------------------------------------------------------------------------------------------------------------
}, <> }
{
"consumer": {
"id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc"
},
"created_at": 1565594794,
"group": "sdk-group",
"id": "32b965bf-93eb-4dec-b083-9927542acf6b"
},
{
"consumer": {
"id": "3169bf7f-ae5d-4221-b949-302b5b2d7ffc"
},
"created_at": 1565594794,
"group": "legacy-group",
"id": "a7f134e0-60f2-4aeb-a675-5b35aa527b74"
}
------------------------------------------------------------------------------------------------------------
], = ],
"next": null "next": null
} }
------------------------------------------------------------------------------------------------------------
Am I doing something wrong in the declarative config, or is this an issue?
The second issue I have is with the anonymous configuration of the key-auth plugin on a service/route. The purpose of the anonymous-device-portal consumer above is so that I can assign it to the anonymous config item on the key-auth plugin against a service or route. However, the anonymous config item of the key-auth plugin only accepts the UUID of the consumer. If this is the case, how am I supposed to configure this in the declarative config when it's not known?
Thanks
George