When combined with JWT authentication, the ACL plugin always denies the user even with the proper group attribute. The 0.13.0 version works fine. It only happens on 1.0.3.
HTTP/1.1 403 Forbidden
Date: Fri, 01 Mar 2019 16:36:14 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 45
Server: kong/1.0.3
{"message":"You cannot consume this service"}
One thing I noticed is that there is a difference in the response to a curl request to the ACL endpoint. It seems the "total" object in the response has been removed.
with 0.13.0
$ curl -X GET http://localhost:8001/acls
{"total":1,"data":[{"group":"user","created_at":1551372206,"consumer":{"id":"fbed5924-fdd5-41c2-9be3-38eab68d3620"},"id":"67b9aa28-47ec-41af-9f07-e6c07fca61ec"}]}
with 1.0.3
$ curl -X GET http://localhost:8001/acls
{"next":null,"data":[{"group":"user","created_at":1551372306,"consumer":{"id":"fbedc824-fdd5-41c2-9be3-38eab68d3620"},"id":"67b9aa28-47ec-41af-9f07-e6c07fca61ec"}]}
Interesting, I wonder why we don't display the total field on both responses (in addition to the original ACL problem).
@subnetmarco the total is gone everywhere with the new DAO.
@tingyuz
Hi, I tried this but I could not reproduce. Please give us the full commands and the tokens that you tried to use. Below is mine on 1.0.3 (you cannot use the exact same commands, as it generates different keys, but you can adjust for that).
Create Service:
$ http put :8001/services/test url=http://httpbin.org/anything
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 255
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 18:14:05 GMT
Server: kong/1.0.3
{
"connect_timeout": 60000,
"created_at": 1551809645,
"host": "httpbin.org",
"id": "7fe7f3b0-c2df-4d5d-85d0-13612a7f0a69",
"name": "test",
"path": "/anything",
"port": 80,
"protocol": "http",
"read_timeout": 60000,
"retries": 5,
"updated_at": 1551809645,
"write_timeout": 60000
}
Create Route:
$ http :8001/services/test/routes name=test paths=/ -f
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 341
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 18:14:25 GMT
Server: kong/1.0.3
{
"created_at": 1551809665,
"destinations": null,
"hosts": null,
"id": "aa03c7ed-d6b8-47e8-95a5-9faf7eb1d0b5",
"methods": null,
"name": "test",
"paths": [
"/"
],
"preserve_host": false,
"protocols": [
"http",
"https"
],
"regex_priority": 0,
"service": {
"id": "7fe7f3b0-c2df-4d5d-85d0-13612a7f0a69"
},
"snis": null,
"sources": null,
"strip_path": true,
"updated_at": 1551809665
}
Add JWT Plugin to Service:
$ http :8001/services/test/plugins name=jwt
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 390
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 18:16:24 GMT
Server: kong/1.0.3
{
"config": {
"anonymous": null,
"claims_to_verify": null,
"cookie_names": [],
"key_claim_name": "iss",
"maximum_expiration": 0,
"run_on_preflight": true,
"secret_is_base64": false,
"uri_param_names": [
"jwt"
]
},
"consumer": null,
"created_at": 1551809784,
"enabled": true,
"id": "f536f1e6-42cd-4547-8c6f-dfd6c08f4050",
"name": "jwt",
"route": null,
"run_on": "first",
"service": {
"id": "7fe7f3b0-c2df-4d5d-85d0-13612a7f0a69"
}
}
Add ACL Plugin to Service:
$ http :8001/services/test/plugins name=acl config.whitelist=users -f
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 276
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 18:24:59 GMT
Server: kong/1.0.3
{
"config": {
"blacklist": null,
"hide_groups_header": false,
"whitelist": [
"users"
]
},
"consumer": null,
"created_at": 1551810299,
"enabled": true,
"id": "00018d24-3378-41bd-b750-b689b85c1641",
"name": "acl",
"route": null,
"run_on": "first",
"service": {
"id": "7fe7f3b0-c2df-4d5d-85d0-13612a7f0a69"
}
}
Create Consumer:
$ http put :8001/consumers/jack
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 104
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 18:16:56 GMT
Server: kong/1.0.3
{
"created_at": 1551809816,
"custom_id": null,
"id": "9519e776-4d10-427e-8c0a-d7748a77e3ed",
"username": "jack"
}
Add JWT Credential for Consumer:
$ http post :8001/consumers/jack/jwt
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 253
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 18:17:59 GMT
Server: kong/1.0.3
{
"algorithm": "HS256",
"consumer": {
"id": "9519e776-4d10-427e-8c0a-d7748a77e3ed"
},
"created_at": 1551809879,
"id": "ca7835b2-5e95-4e1f-92f2-f4a49751a467",
"key": "2QQyeIiqQzm6xxiPhyDlvEvoOa0Mt7lK",
"rsa_public_key": null,
"secret": "4plXFsnYdovakfAd1ND9ygs7M0lnm0BA"
}
Add ACL group to consumer:
$ http :8001/consumers/jack/acls group=users
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 142
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 18:25:27 GMT
Server: kong/1.0.3
{
"consumer": {
"id": "9519e776-4d10-427e-8c0a-d7748a77e3ed"
},
"created_at": 1551810327,
"group": "users",
"id": "f4b87dec-70b8-456f-93bd-b22319ad16b1"
}
Fire a Request:
$ http :8000 Authorization:"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIyUVF5ZUlpcVF6bTZ4eGlQaHlEbHZFdm9PYTBNdDdsSyJ9.5pjlwfWkLXxJ6XgKfGPknlTec2MJt3pL0wwqHS8Y06E"
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Encoding: gzip
Content-Length: 444
Content-Type: application/json
Date: Tue, 05 Mar 2019 18:25:33 GMT
Server: nginx
Via: kong/1.0.3
X-Kong-Proxy-Latency: 48
X-Kong-Upstream-Latency: 77
{
"args": {},
"data": "",
"files": {},
"form": {},
"headers": {
"Accept": "*/*",
"Accept-Encoding": "gzip, deflate",
"Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIyUVF5ZUlpcVF6bTZ4eGlQaHlEbHZFdm9PYTBNdDdsSyJ9.5pjlwfWkLXxJ6XgKfGPknlTec2MJt3pL0wwqHS8Y06E",
"Host": "httpbin.org",
"User-Agent": "HTTPie/1.0.2",
"X-Consumer-Groups": "users",
"X-Consumer-Id": "9519e776-4d10-427e-8c0a-d7748a77e3ed",
"X-Consumer-Username": "jack",
"X-Forwarded-Host": "localhost"
},
"json": null,
"method": "GET",
"origin": "127.0.0.1, 136.24.186.134, 127.0.0.1",
"url": "https://localhost/anything"
}
@bungle I noticed that you didn't set up JWT as well as ACL on the routes. It seems that's the difference from what I have tried.
Can you add your output of :8001/acls as well? I will get more logs from my side soon.
@tingyuz,
Here is one with the plugins applied to routes:
((1.0.3)) bungle@mbp:~/Sources/kong$ http put :8001/services/test url=http://httpbin.org/anything
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 255
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 20:59:14 GMT
Server: kong/1.0.3
{
"connect_timeout": 60000,
"created_at": 1551819554,
"host": "httpbin.org",
"id": "fe2e75d7-3092-4a67-a1d9-719995809418",
"name": "test",
"path": "/anything",
"port": 80,
"protocol": "http",
"read_timeout": 60000,
"retries": 5,
"updated_at": 1551819554,
"write_timeout": 60000
}
((1.0.3)) bungle@mbp:~/Sources/kong$ http :8001/services/test/routes name=test paths=/ -f
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 341
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 20:59:21 GMT
Server: kong/1.0.3
{
"created_at": 1551819561,
"destinations": null,
"hosts": null,
"id": "5327a58a-c577-44ac-8341-ec0f3113e437",
"methods": null,
"name": "test",
"paths": [
"/"
],
"preserve_host": false,
"protocols": [
"http",
"https"
],
"regex_priority": 0,
"service": {
"id": "fe2e75d7-3092-4a67-a1d9-719995809418"
},
"snis": null,
"sources": null,
"strip_path": true,
"updated_at": 1551819561
}
((1.0.3)) bungle@mbp:~/Sources/kong$ http :8001/routes/test/plugins name=jwt
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 390
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 20:59:35 GMT
Server: kong/1.0.3
{
"config": {
"anonymous": null,
"claims_to_verify": null,
"cookie_names": [],
"key_claim_name": "iss",
"maximum_expiration": 0,
"run_on_preflight": true,
"secret_is_base64": false,
"uri_param_names": [
"jwt"
]
},
"consumer": null,
"created_at": 1551819575,
"enabled": true,
"id": "29430d70-fa18-40a0-babf-e906b50b482e",
"name": "jwt",
"route": {
"id": "5327a58a-c577-44ac-8341-ec0f3113e437"
},
"run_on": "first",
"service": null
}
((1.0.3)) bungle@mbp:~/Sources/kong$ http :8001/routes/test/plugins name=acl config.whitelist=users -f
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 276
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 20:59:48 GMT
Server: kong/1.0.3
{
"config": {
"blacklist": null,
"hide_groups_header": false,
"whitelist": [
"users"
]
},
"consumer": null,
"created_at": 1551819588,
"enabled": true,
"id": "a04cbdbd-2af2-4824-9ad1-8aaaa5ed337f",
"name": "acl",
"route": {
"id": "5327a58a-c577-44ac-8341-ec0f3113e437"
},
"run_on": "first",
"service": null
}
((1.0.3)) bungle@mbp:~/Sources/kong$ http put :8001/consumers/jack
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 104
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 20:59:57 GMT
Server: kong/1.0.3
{
"created_at": 1551819597,
"custom_id": null,
"id": "c5db4407-7499-4af7-8202-d57651ac00f6",
"username": "jack"
}
((1.0.3)) bungle@mbp:~/Sources/kong$ http post :8001/consumers/jack/jwt
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 253
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 21:00:03 GMT
Server: kong/1.0.3
{
"algorithm": "HS256",
"consumer": {
"id": "c5db4407-7499-4af7-8202-d57651ac00f6"
},
"created_at": 1551819603,
"id": "adf25319-93cb-4371-a15a-13e05dfbfe5c",
"key": "tVSD3fxDHi6fPTkCYms7E09wOWFXxKJy",
"rsa_public_key": null,
"secret": "rmwnSeUbSMqkABD8AATHJly7sqv91mLP"
}
((1.0.3)) bungle@mbp:~/Sources/kong$ http :8001/consumers/jack/acls group=users
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 142
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 21:00:10 GMT
Server: kong/1.0.3
{
"consumer": {
"id": "c5db4407-7499-4af7-8202-d57651ac00f6"
},
"created_at": 1551819610,
"group": "users",
"id": "040ec0bd-3be1-4171-bf18-0272c7b41937"
}
((1.0.3)) bungle@mbp:~/Sources/kong$ http :8000 Authorization:"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0VlNEM2Z4REhpNmZQVGtDWW1zN0UwOXdPV0ZYeEtKeSJ9.LI-Y0DraKt7kbmdlS9Anmv1f6UOCmpiGbwqT3srO_as"
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Encoding: gzip
Content-Length: 446
Content-Type: application/json
Date: Tue, 05 Mar 2019 21:01:09 GMT
Server: nginx
Via: kong/1.0.3
X-Kong-Proxy-Latency: 44
X-Kong-Upstream-Latency: 1900
{
"args": {},
"data": "",
"files": {},
"form": {},
"headers": {
"Accept": "*/*",
"Accept-Encoding": "gzip, deflate",
"Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0VlNEM2Z4REhpNmZQVGtDWW1zN0UwOXdPV0ZYeEtKeSJ9.LI-Y0DraKt7kbmdlS9Anmv1f6UOCmpiGbwqT3srO_as",
"Host": "httpbin.org",
"User-Agent": "HTTPie/1.0.2",
"X-Consumer-Groups": "users",
"X-Consumer-Id": "c5db4407-7499-4af7-8202-d57651ac00f6",
"X-Consumer-Username": "jack",
"X-Forwarded-Host": "localhost"
},
"json": null,
"method": "GET",
"origin": "127.0.0.1, 136.24.186.134, 127.0.0.1",
"url": "https://localhost/anything"
}
@tingyuz,
here is the output of /acls:
((1.0.3)) bungle@mbp:~/Sources/kong$ http :8001/acls
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 165
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2019 21:02:30 GMT
Server: kong/1.0.3
{
"data": [
{
"consumer": {
"id": "c5db4407-7499-4af7-8202-d57651ac00f6"
},
"created_at": 1551819610,
"group": "users",
"id": "040ec0bd-3be1-4171-bf18-0272c7b41937"
}
],
"next": null
}
The sample works for me as well. However, I am using golang to initialize Kong and set up the service/routes/jwt/ACL. When setting up routes in my code I specify the host, something like this (notice the last parameter). It seems httpie is unable to overwrite the "host" header. Can you set up the host header and try as well?
curl -i -X POST --url http://localhost:8001/services/metadata/routes -d "paths[]=/metadata" -d "hosts[] = edgex.com"
Here is some output from my system that still shows the ACL permission denied. I have a service running on 48081, and I am using "metadata" as the path for the service in Kong.
$ curl http://localhost:8001/services/metadata
{"host":"edgex-core-metadata","created_at":1551819791,"connect_timeout":60000,"id":"7138e5b4-b606-41a9-8ca5-c4560c4eb9b7","protocol":"http","name":"metadata","read_timeout":60000,"port":48081,"path":null,"updated_at":1551819791,"retries":5,"write_timeout":60000}
$ curl http://localhost:8001/acls
{"next":null,"data":[{"group":"users","created_at":1551819826,"consumer":{"id":"6a72906e-465e-4f32-a73f-d554de86eb87"},"id":"81f989a8-3319-4299-b02c-509de0b8a983"}]}
$ curl http://localhost:8001/consumers/tom/acls
{"next":null,"data":[{"group":"users","created_at":1551819826,"consumer":{"id":"6a72906e-465e-4f32-a73f-d554de86eb87"},"id":"81f989a8-3319-4299-b02c-509de0b8a983"}]}
$ curl http://localhost:8001/services/metadata/plugins
{"next":null,"data":[]}
--------- Build a JWT based on the key and secret of user "tom"; it gets denied by the ACL plugin ----
$ curl http://localhost:8000/metadata/api/v1/ping?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJmV2xsd0JPVEJ2YUhUZjIxMGpMMGVrMW9WenNhTlNmNSIsImFjY291bnQiOiJ0b20ifQ.IXuaMM95VhF2L1KcxbpkWeC8vYpr54_9Uk_gSeNjtmM -H "host: edgex.com"
{"message":"You cannot consume this service"}
Bumping this thread: can you verify with the custom header to see if you can reproduce the issue? Thanks.
Latest update: I have removed the "host" header from my route definition and changed the JWT and ACL plugins from global scope to individual routes, and it is working with 1.0.3 currently. I think the bug could be around the combination of these. In the previous version I was using (0.13.0) there was no such issue with these combinations.
If you are facing this problem when adding more than one group to an ACL, this can be helpful:
Before v1, when you added multiple groups to an ACL you did it like this (note that the groups are comma-separated):
$ curl -X POST -H "Content-Type: application/json" \
> -d '{"name": "acl", "config.whitelist": "group1, group2"}' \
> http://localhost:8001/routes/{routeId}/plugins
In the new version, however, when the whitelist is written like that, it is accepted as only one group.
It should be like this for the new version (config.whitelist is a list):
$ curl -X POST -H "Content-Type: application/json" \
> -d '{"name": "acl", "config.whitelist": ["group1", "group2"]}' \
> http://localhost:8001/routes/{routeId}/plugins
This is an issue I also have with the acl plugin on version 1.1.1.
@bungle this probably did not happen in your sample because you are adding a single group or because you are sending a json body.
@b-erdem was able to solve this because they were able to change the group type to an array using a JSON body.
config.whitelist with multiple groups
Request:
curl -X POST http://kong_server:8001/services/people_api/plugins \
> --data "name=acl" \
> --data "config.whitelist=people1, people2, people3" \
> --data "config.hide_groups_header=true"
Response
{"created_at":1555747826,"consumer":null,"id":"c2303396-ccc4-4524-b6b5-5fcbf3835709","service":{"id":"8462811f-ede5-4cb1-b124-5d7f3829320b"},"name":"acl","config":{"hide_groups_header":false,"blacklist":null,"whitelist":["people1, people2, people3"]},"route":null,"run_on":"first","tags":null,"protocols":["http","https"],"enabled":true}
config.whitelist with a single group
This works fine because of the single group sent to the acl plugin.
Request:
curl -X POST http://kong_admin/services/people_api/plugins --data "name=acl" --data "config.whitelist=people1" --data "config.hide_groups_header=true"
Response
{"created_at":1555748062,"consumer":null,"id":"44a31c8e-c1a8-4b2d-a40c-e502b657b9fa","service":{"id":"8462811f-ede5-4cb1-b124-5d7f3829320b"},"name":"acl","config":{"hide_groups_header":false,"blacklist":null,"whitelist":["people1"]},"route":null,"run_on":"first","tags":null,"protocols":["http","https"],"enabled":true}
The issue I noticed is that when sending in multiple groups according to the documentation, they are treated as a single string rather than an array, i.e. "config.whitelist=people1, people2, people3" -> ["people1, people2, people3"] instead of "config.whitelist=people1, people2, people3" -> ["people1", "people2", "people3"].
I later changed the request to an array to make it work.
Here is what works for me:
curl -X POST http://kong_admin/services/people_api/plugins \
--data "name=acl" \
--data "config.whitelist[]=people1" \
--data "config.whitelist[]=people2" \
--data "config.whitelist[]=people3" \
--data "config.hide_groups_header=true"
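Both this comment and @b-erdem's earlier one describe the same 1.x behaviour: a 0.x-style comma-separated config.whitelist value is stored as one group literally named "people1, people2, people3", which no consumer belongs to, so the ACL plugin denies every request. The script below is an added example, not Kong's or any commenter's code: it audits a GET /plugins response (sample constructed from the responses in this thread) for such collapsed entries and builds the config.whitelist[] form body that 1.x expects; the function names find_collapsed_groups, split_collapsed_entry and acl_form_body are my own.

```python
"""Audit Kong 1.x ACL plugin configs for collapsed comma-separated group lists.

Added example for this thread, not Kong's own code. A 0.x-style
"config.whitelist=a, b" form body becomes, on 1.x, a single group literally
named "a, b" that no consumer belongs to, so every request is denied.
"""
import json
from urllib.parse import urlencode

# Constructed sample modelled on the GET /plugins responses in this thread.
SAMPLE_PLUGINS = json.dumps({
    "next": None,
    "data": [
        {"id": "c2303396-ccc4-4524-b6b5-5fcbf3835709", "name": "acl",
         "config": {"hide_groups_header": False, "blacklist": None,
                    "whitelist": ["people1, people2, people3"]}},
        {"id": "44a31c8e-c1a8-4b2d-a40c-e502b657b9fa", "name": "acl",
         "config": {"hide_groups_header": False, "blacklist": None,
                    "whitelist": ["people1"]}},
        {"id": "f536f1e6-42cd-4547-8c6f-dfd6c08f4050", "name": "jwt",
         "config": {"key_claim_name": "iss"}},
    ],
})

def find_collapsed_groups(plugins_json):
    """Return (plugin_id, list_name, entry) for each ACL whitelist/blacklist
    entry containing a comma, i.e. a list that 1.x stored as one group."""
    findings = []
    for plugin in json.loads(plugins_json)["data"]:
        if plugin.get("name") != "acl":
            continue
        config = plugin.get("config") or {}
        for list_name in ("whitelist", "blacklist"):
            for entry in config.get(list_name) or []:
                if "," in entry:
                    findings.append((plugin["id"], list_name, entry))
    return findings

def split_collapsed_entry(entry):
    """Split a collapsed entry such as "a, b" into the intended group names."""
    return [g.strip() for g in entry.split(",") if g.strip()]

def acl_form_body(groups, hide_groups_header=False):
    """Form body Kong 1.x expects: one config.whitelist[] pair per group, the
    same shape as the --data lines that worked in the comment above."""
    pairs = [("name", "acl")] + [("config.whitelist[]", g) for g in groups]
    pairs.append(("config.hide_groups_header", str(hide_groups_header).lower()))
    return urlencode(pairs, safe="[]")

if __name__ == "__main__":
    for plugin_id, list_name, entry in find_collapsed_groups(SAMPLE_PLUGINS):
        print(f"acl plugin {plugin_id}: {list_name} entry {entry!r} is collapsed;"
              f" repost as: {acl_form_body(split_collapsed_entry(entry))}")
```

Run it against the real Admin API by replacing SAMPLE_PLUGINS with the body of GET :8001/plugins; a DELETE of the flagged plugin followed by a POST of the printed body restores the intended groups.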
This is an issue I also have with the acl plugin on versions 1.1.0 and 1.2.0.
Adding the ACL plugin to the service gives the same result as @timotew's test, and it is OK, but it does not work for the route; after setting the jwt plugin's "consumer" to null, it works OK.
So, the plugin's consumer field misled me.
@bungle I suggest that plugins should have a stricter checker, for example for the consumer in the JWT plugin.
OK, it sounds like everybody got it to work. Yes, the Admin API changed from 0.x to 1.x, the biggest change being that comma-separated array values are not supported. So closing this.