Enable RBAC on Enterprise KONG - 0.33


#1

Enabled RBAC, but it throws a Network error on login.

2018/08/29 05:56:30 [verbose] Kong: 0.33-enterprise-edition
2018/08/29 05:56:30 [debug] ngx_lua: 10013
2018/08/29 05:56:30 [debug] nginx: 1013006
2018/08/29 05:56:30 [debug] Lua: LuaJIT 2.1.0-beta3
2018/08/29 05:56:30 [verbose] reading config file at /etc/kong/kong.conf.default
2018/08/29 05:56:30 [debug] admin_access_log = "logs/admin_access.log"
2018/08/29 05:56:30 [debug] admin_api_uri = "http://MASKED:8001"
2018/08/29 05:56:30 [debug] admin_error_log = "logs/error.log"
2018/08/29 05:56:30 [debug] admin_gui_access_log = "logs/admin_gui_access.log"
2018/08/29 05:56:30 [debug] admin_gui_auth = "key-auth"
2018/08/29 05:56:30 [debug] admin_gui_error_log = "logs/admin_gui_error.log"
2018/08/29 05:56:30 [debug] admin_gui_flags = "{}"
2018/08/29 05:56:30 [debug] admin_gui_listen = {"MASKED:8002"}
2018/08/29 05:56:30 [debug] admin_gui_url = "http://MASKED:8002"
2018/08/29 05:56:30 [debug] admin_listen = {"MASKED:8001"}
2018/08/29 05:56:30 [debug] anonymous_reports = true
2018/08/29 05:56:30 [debug] cassandra_consistency = "ONE"
2018/08/29 05:56:30 [debug] cassandra_contact_points = {"127.0.0.1"}
2018/08/29 05:56:30 [debug] cassandra_data_centers = {"dc1:2","dc2:3"}
2018/08/29 05:56:30 [debug] cassandra_keyspace = "kong"
2018/08/29 05:56:30 [debug] cassandra_lb_policy = "RoundRobin"
2018/08/29 05:56:30 [debug] cassandra_port = 9042
2018/08/29 05:56:30 [debug] cassandra_repl_factor = 1
2018/08/29 05:56:30 [debug] cassandra_repl_strategy = "SimpleStrategy"
2018/08/29 05:56:30 [debug] cassandra_schema_consensus_timeout = 10000
2018/08/29 05:56:30 [debug] cassandra_ssl = false
2018/08/29 05:56:30 [debug] cassandra_ssl_verify = false
2018/08/29 05:56:30 [debug] cassandra_timeout = 5000
2018/08/29 05:56:30 [debug] cassandra_username = "kong"
2018/08/29 05:56:30 [debug] client_body_buffer_size = "8k"
2018/08/29 05:56:30 [debug] client_max_body_size = "0"
2018/08/29 05:56:30 [debug] client_ssl = false
2018/08/29 05:56:30 [debug] custom_plugins = {}
2018/08/29 05:56:30 [debug] database = "postgres"
2018/08/29 05:56:30 [debug] db_cache_ttl = 3600
2018/08/29 05:56:30 [debug] db_update_frequency = 5
2018/08/29 05:56:30 [debug] db_update_propagation = 0
2018/08/29 05:56:30 [debug] dns_error_ttl = 1
2018/08/29 05:56:30 [debug] dns_hostsfile = "/etc/hosts"
2018/08/29 05:56:30 [debug] dns_no_sync = false
2018/08/29 05:56:30 [debug] dns_not_found_ttl = 30
2018/08/29 05:56:30 [debug] dns_order = {"LAST","SRV","A","CNAME"}
2018/08/29 05:56:30 [debug] dns_resolver = {}
2018/08/29 05:56:30 [debug] dns_stale_ttl = 4
2018/08/29 05:56:30 [debug] enforce_rbac = "on"
2018/08/29 05:56:30 [debug] error_default_type = "text/plain"
2018/08/29 05:56:30 [debug] latency_tokens = true
2018/08/29 05:56:30 [debug] log_level = "notice"
2018/08/29 05:56:30 [debug] lua_package_cpath = ""
2018/08/29 05:56:30 [debug] lua_package_path = "./?.lua;./?/init.lua;"
2018/08/29 05:56:30 [debug] lua_socket_pool_size = 30
2018/08/29 05:56:30 [debug] lua_ssl_verify_depth = 1
2018/08/29 05:56:30 [debug] mem_cache_size = "128m"
2018/08/29 05:56:30 [debug] nginx_daemon = "on"
2018/08/29 05:56:30 [debug] nginx_optimizations = true
2018/08/29 05:56:30 [debug] nginx_user = "nobody nobody"
2018/08/29 05:56:30 [debug] nginx_worker_processes = "auto"
2018/08/29 05:56:30 [debug] pg_database = "kong"
2018/08/29 05:56:30 [debug] pg_host = "127.0.0.1"
2018/08/29 05:56:30 [debug] pg_password = "******"
2018/08/29 05:56:30 [debug] pg_port = 5432
2018/08/29 05:56:30 [debug] pg_ssl = false
2018/08/29 05:56:30 [debug] pg_ssl_verify = false
2018/08/29 05:56:30 [debug] pg_user = "kong"
2018/08/29 05:56:30 [debug] portal = true
2018/08/29 05:56:30 [debug] portal_api_access_log = "logs/portal_api_access.log"
2018/08/29 05:56:30 [debug] portal_api_error_log = "logs/error.log"
2018/08/29 05:56:30 [debug] portal_api_listen = {"MASKED:8004"}
2018/08/29 05:56:30 [debug] portal_api_url = "http://MASKED:8004"
2018/08/29 05:56:30 [debug] portal_auth = "basic-auth"
2018/08/29 05:56:30 [debug] portal_auto_approve = false
2018/08/29 05:56:30 [debug] portal_gui_listen = {"MASKED:8003"}
2018/08/29 05:56:30 [debug] portal_gui_url = "http://MASKED:8003"
2018/08/29 05:56:30 [debug] prefix = "/usr/local/kong/"
2018/08/29 05:56:30 [debug] proxy_access_log = "logs/access.log"
2018/08/29 05:56:30 [debug] proxy_error_log = "logs/error.log"
2018/08/29 05:56:30 [debug] proxy_listen = {"MASKED:8000"}
2018/08/29 05:56:30 [debug] proxy_url = "http://MASKED:8000"
2018/08/29 05:56:30 [debug] rbac_auth_header = "Kong-Admin-Token"
2018/08/29 05:56:30 [debug] real_ip_header = "X-Real-IP"
2018/08/29 05:56:30 [debug] real_ip_recursive = "off"
2018/08/29 05:56:30 [debug] server_tokens = true
2018/08/29 05:56:30 [debug] ssl_cipher_suite = "modern"
2018/08/29 05:56:30 [debug] ssl_ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
2018/08/29 05:56:30 [debug] trusted_ips = {}
2018/08/29 05:56:30 [debug] upstream_keepalive = 60
2018/08/29 05:56:30 [debug] vitals = true
2018/08/29 05:56:30 [debug] vitals_delete_interval_pg = 30
2018/08/29 05:56:30 [debug] vitals_flush_interval = 10
2018/08/29 05:56:30 [debug] vitals_ttl_minutes = 90000
2018/08/29 05:56:30 [debug] vitals_ttl_seconds = 3600
2018/08/29 05:56:30 [warn] RBAC authorization is enabled but Admin API calls will not be encrypted via SSL
2018/08/29 05:56:30 [verbose] prefix in use: /usr/local/kong
2018/08/29 05:56:30 [verbose] preparing nginx prefix directory at /usr/local/kong
2018/08/29 05:56:30 [warn] ulimit is currently set to "1024". For better performance set it to at least "4096" using "ulimit -n"
2018/08/29 05:56:30 [debug] searching for OpenResty 'nginx' executable
2018/08/29 05:56:30 [debug] /usr/local/openresty/nginx/sbin/nginx -v: 'nginx version: openresty/1.13.6.2'
2018/08/29 05:56:30 [debug] found OpenResty 'nginx' executable at /usr/local/openresty/nginx/sbin/nginx
2018/08/29 05:56:30 [debug] starting nginx: /usr/local/openresty/nginx/sbin/nginx -p /usr/local/kong -c nginx.conf
2018/08/29 05:56:31 [debug] nginx started
2018/08/29 05:56:31 [info] Kong started


#2

2018/08/29 05:34:48 [error] 14475#0: *30 connect() failed (111: Connection refused) while connecting to upstream, client: MASKED.112.87, server: kong, request: "GET /_kong/admin/userinfo HTTP/1.1", upstream: "http://0.0.0.0:8001/userinfo", host: "MASKED.113.235:8000", referrer: "http://MASKED.113.235:8002/login"
2018/08/29 05:34:48 [error] 14475#0: *30 connect() failed (111: Connection refused) while connecting to upstream, client: MASKED.112.87, server: kong, request: "GET /_kong/admin/userinfo HTTP/1.1", upstream: "http://0.0.0.0:8001/userinfo", host: "MASKED.113.235:8000", referrer: "http://MASKED.113.235:8002/login"
2018/08/29 05:34:48 [error] 14475#0: *30 connect() failed (111: Connection refused) while connecting to upstream, client: MASKED.112.87, server: kong, request: "GET /_kong/admin/userinfo HTTP/1.1", upstream: "http://0.0.0.0:8001/userinfo", host: "MASKED.113.235:8000", referrer: "http://MASKED.113.235:8002/login"
2018/08/29 05:34:48 [error] 14475#0: *30 connect() failed (111: Connection refused) while connecting to upstream, client: MASKED.112.87, server: kong, request: "GET /_kong/admin/userinfo HTTP/1.1", upstream: "http://0.0.0.0:8001/userinfo", host: "MASKED.113.235:8000", referrer: "http://MASKED.113.235:8002/login"
2018/08/29 05:34:48 [error] 14475#0: *30 connect() failed (111: Connection refused) while connecting to upstream, client: MASKED.112.87, server: kong, request: "GET /_kong/admin/userinfo HTTP/1.1", upstream: "http://0.0.0.0:8001/userinfo", host: "MASKED.113.235:8000", referrer: "http://MASKED.113.235:8002/login"
2018/08/29 05:34:48 [error] 14475#0: *30 connect() failed (111: Connection refused) while connecting to upstream, client: MASKED.112.87, server: kong, request: "GET /_kong/admin/userinfo HTTP/1.1", upstream: "http://0.0.0.0:8001/userinfo", host: "MASKED.113.235:8000", referrer: "http://MASKED.113.235:8002/login"


#3

Hi @gansa1986 just want to make sure that you aren’t stuck. Since it looks like you might be an enterprise customer you could get a faster response in the enterprise support portal.


#4

I am trying to evaluate the KONG enterprise version and we have not got any support from the enterprise team so far. So please fill in your thoughts.


#5

We ran into some similar things. The RBAC components in the ADMIN GUI are based on client-side JavaScript. That being said, the resolution to the admin api endpoint needs to be visible from a client app - as opposed to something server-side.

We split our workers based on type: gateway, admin-ui, portal

For each of these types, we have to specify things like KONG_ENFORCE_RBAC and then provide client-side, resolvable URLs in some cases. The Admin GUI is one of those cases.

Also, be careful with the values for things like KONG_ENFORCE_RBAC. Your config output shows a bool value, but the value for the env var isn't bool. Many DSLs that help in deployment interpolate "on" as a true value and swap it out.


#6

We have resolved this issue by removing the static IP address that we had added in kong.conf for the proxy and admin listen ports.
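The two pitfalls discussed in #5 and #6 (a deployment tool coercing the `on` in KONG_ENFORCE_RBAC into a boolean, and an Admin API bound to an address the Admin GUI cannot reach) are both visible in the `kong start --vv` dump before anyone tries to log in. The following pre-flight lint is an added example, not Kong's own code or anything posted in this thread. It parses the `[debug] key = value` lines Kong prints at startup and reports the findings a reviewer would want; the sample dumps, the 10.0.0.5 addresses and the exact rule for "reachable" (the admin_api_uri host and port must match an admin_listen entry, or that entry must bind 0.0.0.0) are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Matches the "[debug] key = value" lines of a `kong start --vv` dump.
DUMP_LINE = re.compile(r'\[debug\]\s+(\w+)\s*=\s*(.+?)\s*$')


def parse_value(raw):
    """Decode one printed value: "str", {list,...}, true/false, integers."""
    raw = raw.strip()
    if raw.startswith('{') and raw.endswith('}'):
        inner = raw[1:-1].strip()
        return [parse_value(p) for p in inner.split(',')] if inner else []
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw in ('true', 'false'):
        return raw == 'true'
    if raw.lstrip('-').isdigit():
        return int(raw)
    return raw


def parse_startup_dump(text):
    """Collect the settings Kong prints at startup into a dict."""
    conf = {}
    for line in text.splitlines():
        m = DUMP_LINE.search(line)
        if m:
            conf[m.group(1)] = parse_value(m.group(2))
    return conf


def split_listen(entry):
    """'10.0.0.5:8001 ssl http2' -> ('10.0.0.5', 8001, {'ssl', 'http2'})."""
    parts = entry.split()
    host, _, port = parts[0].rpartition(':')
    return host, int(port), set(parts[1:])


def lint_rbac(conf):
    """Return a list of findings for the RBAC / Admin GUI settings."""
    findings = []
    rbac = conf.get('enforce_rbac')

    # Finding 1: a deployment template turned the string "on" into a boolean
    # (YAML 1.1 tools read an unquoted `on` as true).
    if isinstance(rbac, bool):
        findings.append('enforce_rbac is the boolean %r, not the string "on"/"off"; '
                        'quote the value in your deployment template' % rbac)
        rbac = 'on' if rbac else 'off'

    listens = [split_listen(e) for e in conf.get('admin_listen', [])]

    if rbac == 'on':
        # Finding 2: the warning Kong itself logs above, made explicit:
        # RBAC tokens sent over plain HTTP.
        if listens and not any('ssl' in flags for _, _, flags in listens):
            findings.append('enforce_rbac=on but no admin_listen entry carries the ssl flag; '
                            'Kong-Admin-Token travels in clear text')

        # Finding 3: the browser-facing admin_api_uri must land on a bound admin address
        # (assumed rule: same port, and the host is either the same or a wildcard).
        api_uri = conf.get('admin_api_uri')
        if api_uri:
            u = urlsplit(api_uri)
            api_port = u.port or (443 if u.scheme == 'https' else 80)
            bound = any(port == api_port and host in ('0.0.0.0', '[::]', u.hostname)
                        for host, port, _ in listens)
            if not bound:
                findings.append('admin_api_uri %s is not served by any admin_listen entry %r; '
                                'the Admin GUI login will fail with a network error'
                                % (api_uri, conf.get('admin_listen')))
    return findings


# Constructed sample dumps modelled on the startup output above; addresses are placeholders.
BROKEN_DUMP = """\
2018/08/29 05:56:30 [debug] admin_api_uri = "http://10.0.0.5:8001"
2018/08/29 05:56:30 [debug] admin_listen = {"127.0.0.1:8001"}
2018/08/29 05:56:30 [debug] enforce_rbac = true
2018/08/29 05:56:30 [debug] rbac_auth_header = "Kong-Admin-Token"
"""

FIXED_DUMP = """\
2018/08/29 05:56:30 [debug] admin_api_uri = "https://10.0.0.5:8444"
2018/08/29 05:56:30 [debug] admin_listen = {"0.0.0.0:8001","0.0.0.0:8444 ssl"}
2018/08/29 05:56:30 [debug] enforce_rbac = "on"
"""

if __name__ == '__main__':
    for name, dump in (('broken', BROKEN_DUMP), ('fixed', FIXED_DUMP)):
        print(name, lint_rbac(parse_startup_dump(dump)) or ['OK'])
```

Run it against a real dump by piping `kong start --vv 2>&1` into `parse_startup_dump`; the broken sample yields three findings (boolean enforce_rbac, no ssl on admin_listen, admin_api_uri not bound) and the fixed one yields none. The third check encodes #5's point that the Admin GUI resolves admin_api_uri from the browser, so a listen address narrower than that URL is exactly the mismatch #6 removed.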