
ACL Plugin

Updated Feb 26, 2023

Overview

The Traffic Control plugins in Kong help manage and regulate the traffic that reaches your services.

  • Rate Limiting: Controls the number of requests a client can make in a specific time.
  • Request Size Limiting: Restricts the size of client requests.
  • Connection Limiting: Limits the number of simultaneous client connections.

The ACL (Access Control List) plugin restricts or grants access to a service based on the groups the requesting consumer belongs to.

  • Allows or denies requests using an allow list or a deny list of group names.
  • Requires consumers to belong to predefined groups, and requires an authentication plugin (Basic Auth in this lab) to already be enabled so that Kong can identify the consumer before the ACL check runs.

Lab Environment

This lab tests a Kong API Gateway deployment using a FastAPI endpoint. For simplicity, both the containerized Kong API Gateway and the FastAPI endpoint run locally on a Windows 10 machine. A Docker Compose file deploys Kong along with other applications such as Prometheus, Zipkin, and the ELK Stack.

info

Make sure that you have installed Docker Desktop.

Installing Docker inside WSL2 alone, without Docker Desktop, may cause problems when configuring communication between the containerized Kong API Gateway and the FastAPI application installed on the local host.

Pre-requisites

Create the Consumers

Go to Kong Manager > Consumers > New Consumer and create the two consumers below. Make sure to click Save after each one.

  • finance
  • marketing

Configure the Consumer Credentials

Click the consumer > Credentials > New Basic Auth Credential, then add the username and password:

Consumer    Username    Password
finance     finance     finance
marketing   marketing   marketing

These passwords are deliberately trivial for the lab; outside a lab, use strong, unique passwords for each Basic Auth credential.

In addition, add an ACL credential, which assigns the consumer to a group. Click the consumer > Credentials > New ACL Credential, then add the group name.

Consumer    Group
finance     finance
marketing   marketing

As an example, below are the credentials for the marketing consumer.

Enable the ACL Plugin

To enable the plugin, go to Kong Manager > Plugins > New Plugin > Traffic Control > ACL. Set the scope to Global and, under the Deny field, add marketing. Click Save.

Because the plugin is global, it applies to every service and route that Kong proxies. Keep in mind that a deny list only blocks consumers that belong to a listed group: a consumer that is authenticated but has no ACL group at all still gets through. When access should be limited to known groups, an allow list is the safer configuration.

Test the plugin via Postman

Setup Postman

To set up Postman, see Testing with Postman.

Open Postman and create a new request. Rename it to FastAPI via Kong - ACL. Enter the URL below.

http://localhost:8000/kong/healthy 

Click the Authorization tab, open the Auth Type dropdown, and select Basic Auth. Enter the username and password for finance, then click Send. It should return a healthy status.

Now enter the credentials for the marketing consumer and click Send. Because marketing is on the deny list, Kong rejects the request with a 403 Forbidden response instead of forwarding it to the FastAPI endpoint.
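The whole procedure above (consumers, Basic Auth credentials, ACL groups, the global ACL plugin, and the two test requests) scripted against the Kong Admin API with curl, as an added example that is not part of the original page or of Kong itself. It assumes the Admin API listens on localhost:8001 and the proxy on localhost:8000 (neither is stated on the page), and that the basic-auth plugin is already enabled on the route by the Testing with Postman setup. The acl_decision function is an offline model of the plugin's allow/deny semantics, so the deny-list caveat can be checked without a running gateway.

```shell
#!/bin/sh
# Added example, not from the original page or from Kong: the lab's Kong Manager
# clicks done through the Kong Admin API with curl, plus the Postman checks.
# Assumptions (not stated on the page): Admin API on localhost:8001, proxy on
# localhost:8000, basic-auth plugin already enabled on the route.
set -eu

KONG_ADMIN="${KONG_ADMIN:-http://localhost:8001}"
KONG_PROXY="${KONG_PROXY:-http://localhost:8000}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Kong Manager > Consumers > New Consumer
create_consumer() {   # create_consumer <username>
  run curl -sS -X POST "$KONG_ADMIN/consumers" -d "username=$1"
}

# Consumer > Credentials > New Basic Auth Credential
add_basic_auth() {    # add_basic_auth <consumer> <username> <password>
  run curl -sS -X POST "$KONG_ADMIN/consumers/$1/basic-auth" \
    -d "username=$2" -d "password=$3"
}

# Consumer > Credentials > New ACL Credential (puts the consumer in a group)
add_acl_group() {     # add_acl_group <consumer> <group>
  run curl -sS -X POST "$KONG_ADMIN/consumers/$1/acls" -d "group=$2"
}

# Plugins > New Plugin > ACL, scope Global, Deny = <group>
enable_acl_deny() {   # enable_acl_deny <group>
  run curl -sS -X POST "$KONG_ADMIN/plugins" \
    -H 'Content-Type: application/json' \
    -d "{\"name\":\"acl\",\"config\":{\"deny\":[\"$1\"]}}"
}

# The Postman step: call the FastAPI route through Kong as a consumer and
# print only the HTTP status (expect 200 for finance, 403 for marketing).
probe_as() {          # probe_as <username> <password>
  run curl -sS -o /dev/null -w '%{http_code}\n' -u "$1:$2" "$KONG_PROXY/kong/healthy"
}

# Offline model of the ACL plugin's decision. Kong takes either an allow list
# or a deny list on one plugin instance, never both; lists are space-separated
# strings here to stay portable across plain sh implementations.
acl_decision() {      # acl_decision "<consumer groups>" "<allow list>" "<deny list>"
  groups="$1"; allow="$2"; deny="$3"
  for g in $groups; do
    for d in $deny; do
      if [ "$g" = "$d" ]; then echo deny; return 0; fi
    done
  done
  if [ -n "$allow" ]; then
    for g in $groups; do
      for a in $allow; do
        if [ "$g" = "$a" ]; then echo allow; return 0; fi
      done
    done
    echo deny; return 0   # allow list set and no group matched
  fi
  echo allow   # deny list only: any consumer outside the denied groups passes,
               # including one with no ACL group at all
}

# Apply the lab with: sh acl-lab.sh apply   (prefix DRY_RUN=1 to preview)
if [ "${1:-}" = "apply" ]; then
  for c in finance marketing; do
    create_consumer "$c"
    add_basic_auth "$c" "$c" "$c"   # lab only: username equals password
    add_acl_group "$c" "$c"
  done
  enable_acl_deny marketing
  probe_as finance finance
  probe_as marketing marketing
fi
```

Run it with DRY_RUN=1 first to see the exact Admin API calls that the Kong Manager clicks correspond to; the last two probes should print 200 and then 403 against a live gateway. The acl_decision cases are the ones worth remembering: a consumer in the denied group is rejected even if it also holds another group, while a consumer with no group is accepted under a deny list and rejected under an allow list.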