I am currently using Kong Gateway OSS version 3.6.1 and have encountered an issue with access control using the ACL plugin. My setup is as follows:
- I have two consumers: consumer1 and consumer2.
- For consumer1, I have two gateway services: gateway-service1 and gateway-service2.
- For consumer2, there are two services: gateway-service3 and gateway-service4.
- I am using the JWT plugin for authentication.
Problem:
Both consumers have unrestricted access to all four services. I need to limit access such that:
- consumer1 can only access gateway-service1 and gateway-service2.
- consumer2 can only access gateway-service3 and gateway-service4.
I attempted to achieve this using ACL groups:
- Created allow-consumer1 under consumer1 and allow-consumer2 under consumer2.
- Added allow-consumer1 to the ACL allow list of gateway-service1 and gateway-service2.
- Added allow-consumer2 to the ACL allow list of gateway-service3 and gateway-service4.
This setup worked as expected.
Complication:
I want to create another ACL group, deny-consumer, to block a specific consumer from accessing their respective gateway services in certain scenarios. My intention was to add this deny-consumer ACL group to the Deny field of the existing ACL plugin in the gateway services.
However, I encountered an issue: I cannot add both “allow” and “deny” configurations within the same ACL plugin, as this causes an error.
To work around this, I tried creating a separate ACL plugin at the Route level (since multiple ACL plugins cannot be added to the same gateway service). I configured the ACL plugin on the routes of all four gateway services with a Deny configuration.
Unfortunately, the ACL plugin on the route takes precedence over the ACL plugin on the gateway services, and it overrides the allow-list configurations for the services.
Question:
Is there a way to configure the ACL plugin to support both “allow” and “deny” lists? Alternatively, is there another method to restrict access for these consumers to only their respective gateway services while maintaining the current setup?
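To make the precedence problem concrete, here is an added Python model of the ACL evaluation described in the post (example code, not Kong's own and not the poster's). It assumes that exactly one ACL plugin instance runs per request, with a route-scoped instance replacing a service-scoped one, and that an instance is either allow-only or deny-only; run over the post's constructed topology it shows the allow-list setup enforcing the intended matrix and the route-level deny workaround reopening every service to both consumers.

```python
# Added model (not Kong code); assumes a route-scoped ACL instance overrides the service-scoped one.
CONSUMER_GROUPS = {"consumer1": {"allow-consumer1"}, "consumer2": {"allow-consumer2"}}
SERVICE_ACL = {  # constructed: the working allow-list setup from the post
    "gateway-service1": {"allow": ["allow-consumer1"]},
    "gateway-service2": {"allow": ["allow-consumer1"]},
    "gateway-service3": {"allow": ["allow-consumer2"]},
    "gateway-service4": {"allow": ["allow-consumer2"]},
}
# The attempted workaround: a deny-only ACL plugin on each service's route (keyed by service here).
ROUTE_ACL_DENY = {svc: {"deny": ["deny-consumer"]} for svc in SERVICE_ACL}
INTENDED = {"consumer1": {"gateway-service1", "gateway-service2"},
            "consumer2": {"gateway-service3", "gateway-service4"}}

def validate_acl(config):
    """Mirror the schema rule the post ran into: allow and deny are mutually exclusive."""
    if ("allow" in config) == ("deny" in config):
        raise ValueError("ACL plugin needs exactly one of config.allow / config.deny")
    return config

def acl_permits(groups, config):
    """Allow-only: consumer needs a listed group. Deny-only: consumer must hold none of them."""
    validate_acl(config)
    if "allow" in config:
        return bool(groups & set(config["allow"]))
    return not (groups & set(config["deny"]))

def effective_acl(service, service_acl, route_acl):
    """Most specific scope wins: only one ACL instance runs, route-level replacing service-level."""
    return route_acl.get(service, service_acl[service])

def access_matrix(consumer_groups, service_acl, route_acl=None):
    """{(consumer, service): allowed} for every pair, given the plugin instances in play."""
    route_acl = route_acl or {}
    return {(c, s): acl_permits(set(g), effective_acl(s, service_acl, route_acl))
            for c, g in consumer_groups.items() for s in service_acl}

def over_permissive(matrix, intended):
    """Reachable pairs that the intended consumer -> services map does not grant."""
    return sorted(p for p, ok in matrix.items() if ok and p[1] not in intended[p[0]])

if __name__ == "__main__":
    print("allow lists on services:",
          over_permissive(access_matrix(CONSUMER_GROUPS, SERVICE_ACL), INTENDED))
    print("plus deny list on routes:",
          over_permissive(access_matrix(CONSUMER_GROUPS, SERVICE_ACL, ROUTE_ACL_DENY), INTENDED))
```

The second line of output lists the four consumer/service pairs that the route-level deny plugin silently reopens, which is the behaviour the post observes.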