How to do ACL fine tuning on resources

Hello Kong Nation,

I’m finally playing with my kong gateway and want to apply the following regular access management.

Let’s say I have 2 objects
/objects/1
/objects/2

and 2 consumers
Consumer 1, identified by a JWT Token 1, should only be able to get /objects/1
Consumer 2 identified by a JWT Token 2, should only be able to get /objects/2

The problem is quite simple, however, I’m not sure about the proper way to do this with Kong, even if I read a lot about that.

I see 2 approaches :

  • 2 different routes, then the ACL plugin on both to check if the token matches the requested resource
    -> Unsustainable if I need to manage billions of objects

  • 1 single route /objects/* but then my backend will have to check if this JWT token can access this resource, maybe through some kind of ACL backend
    -> In that case, can Kong do this check with a dedicated plugin (pre-request action) and block the request before?

Thanks for any help! I just hope the answer is not obvious

Yeah, you are talking fine-grained vs coarse-grained auth. I would say the standard impl using Kong is probably coarse-grained auth, where you have a wildcard proxy and all consumers can reach that endpoint and any wildcard pathing that proxy enables, like your /objects/* example.

Then on the back-end, after the consumer is validated on the Kong proxy layer, you get the X-Consumer-Username and X-Consumer-ID fields you can use as validation of who successfully authenticated and was authorized to that proxy endpoint. No need to parse the JWT auth token the client sent to Kong.
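Added example (not from the thread, and not Kong's own code): a minimal backend handler that implements the approach described in the answer above. Kong authenticates the JWT and forwards the request on the single /objects/* route; the backend then reads the X-Consumer-ID header Kong sets and checks it against an object-level ACL. The ACL table, consumer ids and the WSGI wrapper are constructed for illustration. The check only makes sense if the backend is reachable exclusively through Kong, so that the consumer headers cannot be supplied by a client directly.

```python
"""Object-level authorization for a backend behind Kong (added example).

Kong does the coarse-grained part (is this a valid consumer?) and sets
X-Consumer-ID / X-Consumer-Username on the upstream request. The backend
does the fine-grained part: may *this* consumer read *this* object?
"""
import re
from typing import Dict, Set, Tuple

# Constructed sample ACL: object id -> consumer ids allowed to read it.
# In a real deployment this would come from a database or ACL service.
ACL: Dict[str, Set[str]] = {
    "1": {"consumer-1-id"},
    "2": {"consumer-2-id"},
}

# Only exact /objects/<id> paths are served; sub-paths are rejected.
OBJECT_PATH = re.compile(r"^/objects/([^/]+)$")


def authorize(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Return (HTTP status, body) for a request already authenticated by Kong.

    401: Kong did not identify a consumer (header missing or empty).
    404: path is not an object, or the object id is unknown.
    403: consumer is authenticated but not allowed to read this object.
    200: access granted.
    """
    # Header names are case-insensitive; normalise before lookup.
    norm = {k.lower(): v for k, v in headers.items()}
    consumer_id = norm.get("x-consumer-id", "").strip()
    if not consumer_id:
        return 401, "no authenticated consumer"

    match = OBJECT_PATH.match(path)
    if not match:
        return 404, "not found"
    object_id = match.group(1)

    allowed = ACL.get(object_id)
    if allowed is None:
        return 404, "not found"
    if consumer_id not in allowed:
        # Deny by default: being a valid Kong consumer is not enough.
        return 403, "forbidden"
    return 200, f"object {object_id}"


def app(environ, start_response):
    """Tiny WSGI adapter so the check can run under any WSGI server."""
    # WSGI exposes request headers as HTTP_X_CONSUMER_ID etc.
    headers = {
        k[5:].replace("_", "-"): v
        for k, v in environ.items()
        if k.startswith("HTTP_")
    }
    status, body = authorize(environ.get("PATH_INFO", "/"), headers)
    reason = {200: "OK", 401: "Unauthorized", 403: "Forbidden", 404: "Not Found"}[status]
    start_response(f"{status} {reason}", [("Content-Type", "text/plain")])
    return [body.encode()]


if __name__ == "__main__":
    # Run locally: python3 backend.py, then point a Kong service at it.
    from wsgiref.simple_server import make_server

    make_server("127.0.0.1", 8080, app).serve_forever()
```

The handler deliberately never inspects the Authorization header: the JWT has already been verified by Kong's jwt plugin, and the consumer identity it resolved is the only thing the backend needs.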

Thanks for your answer, I’ll go that way!

Maybe I’ll try to use the request transformer to ensure with an ACL backend that the request is allowed. (The result may be dropped here if it works)