Enable RBAC on Enterprise KONG - 0.33

Enabled RBAC but throws Network error on login.

2018/08/29 05:56:30 [verbose] Kong: 0.33-enterprise-edition
2018/08/29 05:56:30 [debug] ngx_lua: 10013
2018/08/29 05:56:30 [debug] nginx: 1013006
2018/08/29 05:56:30 [debug] Lua: LuaJIT 2.1.0-beta3
2018/08/29 05:56:30 [verbose] reading config file at /etc/kong/kong.conf.default
2018/08/29 05:56:30 [debug] admin_access_log = “logs/admin_access.log”
2018/08/29 05:56:30 [debug] admin_api_uri = “http://MASKED:8001
2018/08/29 05:56:30 [debug] admin_error_log = “logs/error.log”
2018/08/29 05:56:30 [debug] admin_gui_access_log = “logs/admin_gui_access.log”
2018/08/29 05:56:30 [debug] admin_gui_auth = “key-auth”
2018/08/29 05:56:30 [debug] admin_gui_error_log = “logs/admin_gui_error.log”
2018/08/29 05:56:30 [debug] admin_gui_flags = “{}”
2018/08/29 05:56:30 [debug] admin_gui_listen = {“MASKED:8002”}
2018/08/29 05:56:30 [debug] admin_gui_url = “http://MASKED:8002
2018/08/29 05:56:30 [debug] admin_listen = {“MASKED:8001”}
2018/08/29 05:56:30 [debug] anonymous_reports = true
2018/08/29 05:56:30 [debug] cassandra_consistency = “ONE”
2018/08/29 05:56:30 [debug] cassandra_contact_points = {“127.0.0.1”}
2018/08/29 05:56:30 [debug] cassandra_data_centers = {“dc1:2”,“dc2:3”}
2018/08/29 05:56:30 [debug] cassandra_keyspace = “kong”
2018/08/29 05:56:30 [debug] cassandra_lb_policy = “RoundRobin”
2018/08/29 05:56:30 [debug] cassandra_port = 9042
2018/08/29 05:56:30 [debug] cassandra_repl_factor = 1
2018/08/29 05:56:30 [debug] cassandra_repl_strategy = “SimpleStrategy”
2018/08/29 05:56:30 [debug] cassandra_schema_consensus_timeout = 10000
2018/08/29 05:56:30 [debug] cassandra_ssl = false
2018/08/29 05:56:30 [debug] cassandra_ssl_verify = false
2018/08/29 05:56:30 [debug] cassandra_timeout = 5000
2018/08/29 05:56:30 [debug] cassandra_username = “kong”
2018/08/29 05:56:30 [debug] client_body_buffer_size = “8k”
2018/08/29 05:56:30 [debug] client_max_body_size = “0”
2018/08/29 05:56:30 [debug] client_ssl = false
2018/08/29 05:56:30 [debug] custom_plugins = {}
2018/08/29 05:56:30 [debug] database = “postgres”
2018/08/29 05:56:30 [debug] db_cache_ttl = 3600
2018/08/29 05:56:30 [debug] db_update_frequency = 5
2018/08/29 05:56:30 [debug] db_update_propagation = 0
2018/08/29 05:56:30 [debug] dns_error_ttl = 1
2018/08/29 05:56:30 [debug] dns_hostsfile = “/etc/hosts”
2018/08/29 05:56:30 [debug] dns_no_sync = false
2018/08/29 05:56:30 [debug] dns_not_found_ttl = 30
2018/08/29 05:56:30 [debug] dns_order = {“LAST”,“SRV”,“A”,“CNAME”}
2018/08/29 05:56:30 [debug] dns_resolver = {}
2018/08/29 05:56:30 [debug] dns_stale_ttl = 4
2018/08/29 05:56:30 [debug] enforce_rbac = “on”
2018/08/29 05:56:30 [debug] error_default_type = “text/plain”
2018/08/29 05:56:30 [debug] latency_tokens = true
2018/08/29 05:56:30 [debug] log_level = “notice”
2018/08/29 05:56:30 [debug] lua_package_cpath = “”
2018/08/29 05:56:30 [debug] lua_package_path = “./?.lua;./?/init.lua;”
2018/08/29 05:56:30 [debug] lua_socket_pool_size = 30
2018/08/29 05:56:30 [debug] lua_ssl_verify_depth = 1
2018/08/29 05:56:30 [debug] mem_cache_size = “128m”
2018/08/29 05:56:30 [debug] nginx_daemon = “on”
2018/08/29 05:56:30 [debug] nginx_optimizations = true
2018/08/29 05:56:30 [debug] nginx_user = “nobody nobody”
2018/08/29 05:56:30 [debug] nginx_worker_processes = “auto”
2018/08/29 05:56:30 [debug] pg_database = “kong”
2018/08/29 05:56:30 [debug] pg_host = “127.0.0.1”
2018/08/29 05:56:30 [debug] pg_password = “******”
2018/08/29 05:56:30 [debug] pg_port = 5432
2018/08/29 05:56:30 [debug] pg_ssl = false
2018/08/29 05:56:30 [debug] pg_ssl_verify = false
2018/08/29 05:56:30 [debug] pg_user = “kong”
2018/08/29 05:56:30 [debug] portal = true
2018/08/29 05:56:30 [debug] portal_api_access_log = “logs/portal_api_access.log”
2018/08/29 05:56:30 [debug] portal_api_error_log = “logs/error.log”
2018/08/29 05:56:30 [debug] portal_api_listen = {“MASKED:8004”}
2018/08/29 05:56:30 [debug] portal_api_url = “http://MASKED:8004
2018/08/29 05:56:30 [debug] portal_auth = “basic-auth”
2018/08/29 05:56:30 [debug] portal_auto_approve = false
2018/08/29 05:56:30 [debug] portal_gui_listen = {“MASKED:8003”}
2018/08/29 05:56:30 [debug] portal_gui_url = “http://MASKED:8003
2018/08/29 05:56:30 [debug] prefix = “/usr/local/kong/”
2018/08/29 05:56:30 [debug] proxy_access_log = “logs/access.log”
2018/08/29 05:56:30 [debug] proxy_error_log = “logs/error.log”
2018/08/29 05:56:30 [debug] proxy_listen = {“MASKED:8000”}
2018/08/29 05:56:30 [debug] proxy_url = “http://MASKED:8000
2018/08/29 05:56:30 [debug] rbac_auth_header = “Kong-Admin-Token”
2018/08/29 05:56:30 [debug] real_ip_header = “X-Real-IP”
2018/08/29 05:56:30 [debug] real_ip_recursive = “off”
2018/08/29 05:56:30 [debug] server_tokens = true
2018/08/29 05:56:30 [debug] ssl_cipher_suite = “modern”
2018/08/29 05:56:30 [debug] ssl_ciphers = “ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256”
2018/08/29 05:56:30 [debug] trusted_ips = {}
2018/08/29 05:56:30 [debug] upstream_keepalive = 60
2018/08/29 05:56:30 [debug] vitals = true
2018/08/29 05:56:30 [debug] vitals_delete_interval_pg = 30
2018/08/29 05:56:30 [debug] vitals_flush_interval = 10
2018/08/29 05:56:30 [debug] vitals_ttl_minutes = 90000
2018/08/29 05:56:30 [debug] vitals_ttl_seconds = 3600
2018/08/29 05:56:30 [warn] RBAC authorization is enabled but Admin API calls will not be encrypted via SSL
2018/08/29 05:56:30 [verbose] prefix in use: /usr/local/kong
2018/08/29 05:56:30 [verbose] preparing nginx prefix directory at /usr/local/kong
2018/08/29 05:56:30 [warn] ulimit is currently set to “1024”. For better performance set it to at least “4096” using “ulimit -n”
2018/08/29 05:56:30 [debug] searching for OpenResty ‘nginx’ executable
2018/08/29 05:56:30 [debug] /usr/local/openresty/nginx/sbin/nginx -v: ‘nginx version: openresty/1.13.6.2’
2018/08/29 05:56:30 [debug] found OpenResty ‘nginx’ executable at /usr/local/openresty/nginx/sbin/nginx
2018/08/29 05:56:30 [debug] starting nginx: /usr/local/openresty/nginx/sbin/nginx -p /usr/local/kong -c nginx.conf
2018/08/29 05:56:31 [debug] nginx started
2018/08/29 05:56:31 [info] Kong started

2018/08/29 05:34:48 [error] 14475#0: *30 connect() failed (111: Connection refused) while connecting to upstream, client: MASKED.112.87, server: kong, request: “GET /_kong/admin/userinfo HTTP/1.1”, upstream: “http://0.0.0.0:8001/userinfo”, host: “MASKED.113.235:8000”, referrer: “http://MASKED.113.235:8002/login

Hi @gansa1986 just want to make sure that you aren’t stuck. Since it looks like you might be an enterprise customer you could get a faster response in the enterprise support portal.

I am trying to evaluate the KONG enterprise version and we have not got any support from the enterprise team so far. So please fill in your thoughts.

We ran into some similar things. The RBAC components in the ADMIN GUI are based on client-side JavaScript. That being said, the resolution to the admin api endpoint needs to be visible from a client app - as opposed to something server-side.

We split our workers based on type: gateway, admin-ui, portal

For each of these types, we have to specify things like KONG_ENFORCE_RBAC and then provide client-side, resolvable URLs in some cases. The Admin GUI is one of those cases.

Also, be careful with the values for things like KONG_ENFORCE_RBAC. Your config output shows a bool value but the value for the env var isn’t bool. Many DSLs that help in deployment interpolate “on” as a true value and swap it out.

We have resolved this issue by removing the IP address that we added statically in the kong.conf for the proxy and admin listen ports.
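
A log check for the mismatch this thread ends on, added here as an example (not code from any poster or from Kong): it reads the startup dump and the error log and reports refused upstreams that no admin_listen socket can answer, plus the case behind the [warn] line where RBAC is on while admin_api_uri is plain http. The sample lines are constructed, 10.0.0.5 and 10.0.0.9 stand in for the masked addresses, and the loopback rule assumes Linux.

```python
import re

# Constructed sample modelled on the thread's dump; addresses are placeholders.
SAMPLE_CONFIG = """\
2018/08/29 05:56:30 [debug] admin_api_uri = "http://10.0.0.5:8001"
2018/08/29 05:56:30 [debug] admin_listen = {"10.0.0.5:8001"}
2018/08/29 05:56:30 [debug] enforce_rbac = "on"
"""
SAMPLE_ERRORS = """\
2018/08/29 05:34:48 [error] 14475#0: *30 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.9, server: kong, request: "GET /_kong/admin/userinfo HTTP/1.1", upstream: "http://0.0.0.0:8001/userinfo", host: "10.0.0.5:8000"
"""

CFG_RE = re.compile(r"\[debug\]\s+(\w+)\s*=\s*(.+?)\s*$", re.M)
REFUSED_RE = re.compile(r'Connection refused.*?upstream: "https?://([^:/"]+):(\d+)')
LOCAL = {"0.0.0.0", "127.0.0.1", "localhost"}

def _norm(text):
    # Forum software turns straight quotes into curly ones; undo that.
    return text.replace("\u201c", '"').replace("\u201d", '"')

def parse_config(text):
    """Map each `[debug] key = value` line of the dump to key -> raw value."""
    return dict(CFG_RE.findall(_norm(text)))

def listen_pairs(value):
    """Turn {"ip:port flags", ...} into a set of (ip, port) tuples."""
    pairs = set()
    for entry in value.strip("{}").split(","):
        host, _, port = entry.strip().strip('"').split()[0].rpartition(":")
        pairs.add((host, int(port)))
    return pairs

def unreachable_upstreams(config_text, error_text):
    # Assumption (Linux): a connect to 0.0.0.0 lands on loopback, so only a
    # wildcard or loopback listener on the same port can accept it.
    listens = listen_pairs(parse_config(config_text)["admin_listen"])
    missing = []
    for host, port in REFUSED_RE.findall(_norm(error_text)):
        ok = any(p == int(port) and (h in ("0.0.0.0", host)
                 or (host in LOCAL and h in LOCAL)) for h, p in listens)
        if not ok and (host, int(port)) not in missing:
            missing.append((host, int(port)))
    return missing

def rbac_token_in_cleartext(config_text):
    """True when RBAC is on and the browser-facing Admin API URL is plain http."""
    cfg = parse_config(config_text)
    return (cfg.get("enforce_rbac", "").strip('"') == "on"
            and cfg.get("admin_api_uri", "").strip('"').startswith("http://"))
```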