Role Based Access Control in Kong


#1

Currently we have ACLs in Kong which allow or restrict a particular user's access to an endpoint written in Kong.

But how about Role Based Access Control?

So I was just wondering if we could take each endpoint given by the user in Kong and specify that only a user having services.api_name.get can access the GET request (just as an example, when we are trying to perform a GET), or allow users to configure the requests themselves, i.e. services.api_name.get is configured by the user, who can assign specific roles, and users inheriting those roles can access that endpoint.


#2

As it stands today, and after reading the documentation, I have to assume that the only option is to create a new API entry and restrict that one to only GET, for example using the methods property; then you can ACL it to api-xxx-only-get.

If you need more tuning, I would strongly suggest you use JWT in your endpoint and restrict per consumer… maybe a Kong JWT plugin + OAuth0 could also shape your request like it's explained in the docs, because then all the roles are managed in their own dashboard.
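The workaround from the reply above, written out as an added example (this is not the poster's configuration and not part of the Kong project's docs). It uses Kong's declarative configuration format for Kong 2.x, where the "API entry" from the reply is a service plus a route: one route matches only GET and is gated on the api-xxx-only-get group, a second route on the same path matches the mutating methods and is gated on a separate group. The service name, upstream URL, path, consumer names, API keys and group names are all assumptions chosen for the example.

```yaml
# Added example: method-level access control with Kong's route `methods`
# plus the ACL plugin. Names, upstream, path and keys are assumptions.
_format_version: "2.1"

services:
  - name: api-xxx
    url: http://upstream.internal:8080   # assumed upstream; replace with the real backend
    plugins:
      # The ACL plugin can only check group membership for a consumer that an
      # authentication plugin has already identified, so key-auth is attached
      # at the service level and applies to every route below.
      - name: key-auth
    routes:
      # Read-only route: only GET requests to /api-xxx match here.
      - name: api-xxx-get
        paths: ["/api-xxx"]
        methods: ["GET"]
        plugins:
          - name: acl
            config:
              # Readers and writers may both perform GET.
              allow: ["api-xxx-only-get", "api-xxx-write"]
      # Mutating route: same path, every method except GET.
      - name: api-xxx-write
        paths: ["/api-xxx"]
        methods: ["POST", "PUT", "PATCH", "DELETE"]
        plugins:
          - name: acl
            config:
              allow: ["api-xxx-write"]

consumers:
  # Assumed consumers; the keys are placeholders to be replaced.
  - username: reader
    keyauth_credentials:
      - key: reader-key-CHANGE-ME
    acls:
      - group: api-xxx-only-get
  - username: writer
    keyauth_credentials:
      - key: writer-key-CHANGE-ME
    acls:
      - group: api-xxx-write
```

Load the file with `deck sync` or point a DB-less Kong at it via `declarative_config`. With this in place a request such as `curl -H 'apikey: reader-key-CHANGE-ME' http://localhost:8000/api-xxx` is proxied, while the same consumer sending a POST to the same path is matched by the second route and rejected by the ACL plugin with 403 because it is not in api-xxx-write. Two caveats: releases of Kong older than 2.1 name the `allow` field `whitelist`, and a request that arrives with no valid key never reaches the ACL check at all, since key-auth rejects it first with 401.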