This issue was moved to a discussion.
[plugin] RBAC #785

Closed
sonicaghi opened this issue Dec 8, 2015 · 7 comments
Labels
idea/new plugin [legacy] those issues belong to Kong Nation, since GitHub issues are reserved for bug reports.

Comments

@sonicaghi
Member

We currently have ACL plugin for simple operations. But the next iteration is having a RBAC plugin for complex operations. The main difference is that RBAC has way more granular control and can offer mandatory access control and discretionary access control.

Reference:

@sonicaghi sonicaghi added area/admin api idea/new plugin [legacy] those issues belong to Kong Nation, since GitHub issues are reserved for bug reports. and removed area/admin api labels Dec 8, 2015
@jakubriedl

+1 for us, we are looking for RBAC as well.

@jmdacruz

jmdacruz commented Jun 8, 2016

I'd suggest you guys also consider ABAC or "Attribute Based Access Control" (http://csrc.nist.gov/projects/abac/), which is more generic than RBAC. RBAC deals with roles, and in that model roles can be inherited, and so on and so forth. ABAC, on the other hand, is based on attributes, and is closer to what XACML provides.

I think ABAC is easier to implement than RBAC, and RBAC can be implemented (not painlessly though... the role inheritance is hard to model on XACML) on top of ABAC.

@jmdacruz

jmdacruz commented Jun 8, 2016

Couple of interesting articles on how ABAC is taking over RBAC:

On the last link, in reference to ABAC:

This method of Access Control has made Gartner predict, “By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today.”

@awfm9

awfm9 commented Dec 2, 2016

No movement on this?

@coopr
Contributor

coopr commented Sep 25, 2017

@awishformore @jakubriedl @jmdacruz are you seeking RBAC on the proxied APIs, or on Kong's Admin API? I ask because we recently released the latter, as part of Kong Enterprise Edition https://www.mashape.com/enterprise/

@jmdacruz

@coopr My original thought was on the proxied APIs, but good to hear there is also the option for RBAC on the admin APIs.

@m4r10k

m4r10k commented Nov 26, 2017

The Kong concept is great and it would be a real benefit to get authorization layers on APIs without modifying the original service. For example, there is a Docker RBAC plugin to apply policies (GET, ...) onto API paths. But this requires adding the plugin to the Docker engine, which can be troublesome at some point. Therefore it would be cool to have a Kong method to apply policies like described here: https://github.com/casbin/casbin-authz-plugin for proxied APIs.
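The two ideas raised in this thread, RBAC layered on top of an attribute-based evaluator (with role inheritance as the one RBAC-specific step) and method-plus-path policies enforced in front of a proxied API, as an added Python example; this is not code from the thread, from Kong or from casbin, and the role hierarchy, paths, policy names and subject/request attribute shapes are constructed for illustration.

```python
from fnmatch import fnmatch

# Constructed role hierarchy: a role inherits everything its parents may do.
ROLE_PARENTS = {"admin": ["editor"], "editor": ["viewer"], "viewer": []}


def expand_roles(roles, parents=ROLE_PARENTS):
    """Transitive closure of role inheritance; this is the one RBAC-specific step."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(parents.get(role, []))
    return seen


# Constructed ABAC policies for a proxied API: (name, allowed methods, path glob,
# predicate over subject and request attributes). Roles are just one subject
# attribute; the last rule uses no role at all, only record ownership.
POLICIES = [
    ("viewers may read", {"GET"}, "/api/*", lambda s, r: "viewer" in s["roles"]),
    ("editors may write", {"POST", "PUT", "PATCH"}, "/api/*", lambda s, r: "editor" in s["roles"]),
    ("admins may delete", {"DELETE"}, "/api/*", lambda s, r: "admin" in s["roles"]),
    ("owners may edit own profile", {"PUT", "PATCH"}, "/api/users/*",
     lambda s, r: s["id"] == r.get("owner")),
]


def authorize(subject, request, policies=POLICIES):
    """Default deny: return (allowed, matching policy name or 'default deny').

    subject: {"id": ..., "roles": [...]}; request: {"method": ..., "path": ..., "owner": ...}
    """
    subject = dict(subject, roles=expand_roles(subject.get("roles", [])))
    for name, methods, path_glob, predicate in policies:
        if (request["method"] in methods and fnmatch(request["path"], path_glob)
                and predicate(subject, request)):
            return True, name
    return False, "default deny"


if __name__ == "__main__":
    admin = {"id": "u1", "roles": ["admin"]}
    plain = {"id": "u7", "roles": []}
    # admin inherits viewer through editor, so a GET is allowed by the first rule
    print(authorize(admin, {"method": "GET", "path": "/api/docs"}))
    # no role needed: the owner attribute alone grants the edit
    print(authorize(plain, {"method": "PUT", "path": "/api/users/u7", "owner": "u7"}))
    print(authorize(plain, {"method": "DELETE", "path": "/api/users/u7", "owner": "u7"}))
```

Because roles are expanded before evaluation, adding a new role only means editing `ROLE_PARENTS`; the policy rules themselves stay attribute-based.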

@guanlan guanlan closed this as completed May 26, 2021
@Kong Kong locked and limited conversation to collaborators May 26, 2021