Kong: Update ACL with PATCH method, ignore the plugin validation

Created on 3 Sep 2016 · 8 Comments · Source: Kong/kong

Updating ACL with PATCH method

When I created the API and attached the ACL plugin for the first time, everything was OK, but I need to update the ACL configuration, and I did this using the PATCH method with another configuration. Look at the example below.

Steps

1. Create API:

$ http POST localhost:8001/apis name=mockbin request_host=mockbin.com upstream_url=http://mockbin.com/
{
    "created_at": 1472912043000,
    "id": "e82b96fb-a85e-4f62-87ef-4d47f538cd28",
    "name": "mockbin",
    "preserve_host": false,
    "request_host": "mockbin.com",
    "strip_request_path": false,
    "upstream_url": "http://mockbin.com/"
}

2. Attach ACL plugin:

$ http POST localhost:8001/apis/mockbin/plugins name=acl config.whitelist=admin
{
    "api_id": "e82b96fb-a85e-4f62-87ef-4d47f538cd28",
    "config": {
        "whitelist": [
            "admin"
        ]
    },
    "created_at": 1472912596000,
    "enabled": true,
    "id": "b51917e1-b3a6-4080-9822-d8340db2807e",
    "name": "acl"
}

3. Update ACL plugin configuration:

$ http PATCH localhost:8001/apis/mockbin/plugins/b51917e1-b3a6-4080-9822-d8340db2807e config.blacklist=admin
{
    "api_id": "e82b96fb-a85e-4f62-87ef-4d47f538cd28",
    "config": {
        "blacklist": [
            "admin"
        ],
        "whitelist": [
            "admin"
        ]
    },
    "created_at": 1472912596000,
    "enabled": true,
    "id": "b51917e1-b3a6-4080-9822-d8340db2807e",
    "name": "acl"
}

4. Update ACL plugin configuration with PUT:

$ http PUT localhost:8001/apis/mockbin/plugins/b51917e1-b3a6-4080-9822-d8340db2807e config.blacklist=admin
{
    "message": "Method not allowed"
}

Unfortunately, the PUT method is not enabled to update the ACL plugin, and when using the PATCH method, the validation does not work.

Additional Details & Logs

  • Kong version (0.9.0)
  • OSX - Docker
tasneeds-investigation

All 8 comments

When using PUT, I believe that you would have to execute:

$ http PUT localhost:8001/apis/mockbin/plugins/ \
     id=b51917e1-b3a6-4080-9822-d8340db2807e \
     config.blacklist=admin

Could you try that?

See the response:

$ http PUT localhost:8001/apis/mockbin/plugins/ id=b51917e1-b3a6-4080-9822-d8340db2807e config.blacklist=admin
{
    "name": "name is required"
}

If I set the name, the API requires the created_at field.

We have two issues here: first, the update using PUT doesn't work, and second, the update using PATCH doesn't validate the plugin's requirements.

I have just stumbled across this PATCH bug on the ACL plugin too. I can set a whitelist and blacklist at the same time with the following:

curl -X POST http://localhost:8001/plugins \
    --data "name=acl" \
    --data "config.whitelist=group1, group2"

curl -X PATCH http://localhost:8001/plugins/{id} \
    --data "name=acl" \
    --data "config.blacklist=group3, group4"

This was found on versions 0.10.0 and 0.10.1.

I've just discovered that this same issue also exists with the IP Restriction plugin.

This is somewhat related to #2430. Looks like we need to clean up the PATCH interfaces for some of these routes.

This is a limitation in how PATCH requests (which use dao:update) work. Some schema restrictions are not properly applied to the newly defined object before it is committed to the data store, as a result of how the DAO processes updates and validates the schema. Unfortunately, there doesn't appear to be a simple fix for this, and a pending reworking of how Kong handles data modelling is likely where we'll see a solution for this.

I tried on a specific API and I could update the ACL plugin in this way

curl -X POST http://localhost:8001/apis/{api_id}/plugins --data "name=acl" --data "config.whitelist=group1"
curl -X PATCH http://localhost:8001/apis/{api_id}/plugins/{plugin_id} --data "config.whitelist=group3"

Hi,
See my post here for an explanation of the reason for the issue: https://discuss.konghq.com/t/unable-to-properly-patch-a-plugin/2233
A look at the source code of the self_check function shows that in the case of a PATCH to add a blacklist, config does not contain the whitelist data previously set using a PUT/POST, so the PATCH is accepted while it should not be.
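
The ordering problem described in the two comments above (the dao:update explanation and the self_check observation), as an added example that is not part of the thread and not Kong source code. It is a simplified Python model: `self_check` here enforces only the whitelist/blacklist exclusion, all function names are hypothetical, and the sample data is constructed from steps 2 and 3 of the issue. The last function audits plugin objects shaped like the responses above for configs already stored in the inconsistent state.

```python
"""Simplified model (not Kong source) of PATCH validation for the ACL plugin."""


def self_check(config):
    """Assumed rule: whitelist and blacklist may not both be set."""
    if config.get("whitelist") and config.get("blacklist"):
        return False, "cannot set both a whitelist and a blacklist"
    return True, None


def patch_validate_payload_only(stored, payload):
    """Behaviour described in the thread: the check sees only the PATCH body."""
    ok, err = self_check(payload)
    if not ok:
        return stored, err
    return {**stored, **payload}, None  # merged after the check, never re-checked


def patch_validate_merged(stored, payload):
    """Corrected order: merge first, then check the object that will be stored."""
    merged = {**stored, **payload}
    ok, err = self_check(merged)
    if not ok:
        return stored, err  # reject and keep the previous config
    return merged, None


def audit_plugins(plugins):
    """Return ids of ACL plugins whose stored config violates the rule."""
    return [p["id"] for p in plugins
            if p.get("name") == "acl" and not self_check(p.get("config", {}))[0]]


# Constructed sample mirroring steps 2 and 3 of the issue.
STORED = {"whitelist": ["admin"]}
PATCH_BODY = {"blacklist": ["admin"]}

if __name__ == "__main__":
    bad, _ = patch_validate_payload_only(STORED, PATCH_BODY)
    print("payload-only check stored:", bad)
    kept, err = patch_validate_merged(STORED, PATCH_BODY)
    print("merged check kept:", kept, "| error:", err)
    listing = [{"id": "b51917e1-b3a6-4080-9822-d8340db2807e",
                "name": "acl", "config": bad}]
    print("audit flags:", audit_plugins(listing))
```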

I'll close this now as I am fairly certain that this has been fixed since. Please re-open if you still feel there are issues with the admin API regarding this.
