More control with Kong ACLs


#1

Hi everyone!

Is there any possibility in Kong to limit certain endpoints with certain API methods and accessibility?

Something like:
/aaa/bbb/ccc/ - GET,PUT,PATCH for Group1,Group2,Group3
/aaa/ddd/ - GET for Group3 and GET,PUT,PATCH for Group1,Group2,
or so?

Do I have to write my own plugin here?


#2

I don’t think what you need is possible with the ACL plugin out of the box but you could tweak the ACL plugin to support this specific use case.

A roundabout solution comes to mind:
Create two routes in Kong under the same service

  • One with paths[]=/aaa/bbb/ccc/ methods[]=GET,PUT,PATCH
  • One with paths[]=/aaa/ddd/ methods[]=GET,PUT,PATCH

Now, configure ACL plugin on these routes.
Kong’s router will match the correct route and ACL plugin will limit access to certain groups.

This might or might not be maintainable based on your use case.
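The per-route approach from the post above, written as a Kong declarative configuration (an added example, not part of the original thread). It splits `/aaa/ddd/` into a read route and a write route so that Group3 only gets GET, as asked in #1. The service name, route names, upstream URL, consumer and the choice of `key-auth` are assumptions; `allow` is the ACL key name in Kong 2.1 and later (older releases call it `whitelist`).

```yaml
_format_version: "2.1"

services:
  - name: example-service               # hypothetical service name
    url: http://upstream.example:8080   # placeholder upstream
    plugins:
      - name: key-auth                  # ACL needs an authenticated consumer to check groups against
    routes:
      # /aaa/bbb/ccc/ : GET, PUT, PATCH for all three groups
      - name: bbb-ccc-all
        paths: ["/aaa/bbb/ccc/"]
        methods: [GET, PUT, PATCH]
        plugins:
          - name: acl
            config:
              allow: [Group1, Group2, Group3]

      # /aaa/ddd/ : read access for all three groups
      - name: ddd-read
        paths: ["/aaa/ddd/"]
        methods: [GET]
        plugins:
          - name: acl
            config:
              allow: [Group1, Group2, Group3]

      # /aaa/ddd/ : write access for Group1 and Group2 only
      - name: ddd-write
        paths: ["/aaa/ddd/"]
        methods: [PUT, PATCH]
        plugins:
          - name: acl
            config:
              allow: [Group1, Group2]

consumers:
  - username: example-user              # constructed consumer for illustration
    keyauth_credentials:
      - key: REPLACE_WITH_GENERATED_KEY # placeholder, never commit a real key
    acls:
      - group: Group3                   # may GET both paths, may not PUT/PATCH /aaa/ddd/
```

A method that no route lists (DELETE here) matches nothing and is rejected by the router before any plugin runs, so the method list on each route acts as an allow-list.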


#3

Thanks @hbagdi!

I see it is not that obvious.
Could you please also help me with the following:

  • Is there any possibility to manage with regexp path templating? E.g. /p1/*/p2
  • Forbid some “/p1/forbidden_path/p2” access while allowing access to p1 and p2
  • Path length limiting, e.g.: “/p1/p2/p3/” and no possibility to access, say “/p1/p2/p3/dddd”

#4

Hello @megastallman,

You can use regular expressions in Kong Routes.

In your case, you can create multiple Kong routes under the same Service in Kong and then apply the ACL plugin on those routes as needed.
Kong, by default, matches the absolute path before a regex match. Hence, /p1/forbidden_path/p2 will get matched before /p1/*/p2, providing the intended behavior you’re seeking.