adding basic auth support in the konga dashboard , #65
Basic auth is to protect the Kong dashboard URLs from being directly accessed and making changes to the service, and thereby the changes are restricted only via the dashboard. In case the basic auth is disabled, there is nothing to do other than the installation steps, and the changes inject the basic auth header to Kong from server to server, thereby leakage of such credentials also won't happen; this is done by injecting the basic auth header to the Kong APIs dynamically.
@rajagopalvreghunath thanks for the contribution! This feature is already introduced in Konga next, which will be the next release, with the exception that it uses an API key and you can set it for each admin URL individually. Check it out, or if you're using docker, Thanks again!
This merge is to avoid sharing the API keys with the non-admin users and to avoid the Kong admin URLs being accessed outside Konga. Moreover, I am trying to add role-based access control into Konga which allows editors/viewers and admins, so that it will allow Konga to be used as a full-fledged access system for Kong.
Hi @rajagopalvreghunath, with the addition of API keys in v0.7.3, the Kong admin URLs won't be accessed outside Konga (provided that Kong's admin port Apart from that, as you can see, Konga's ACL is very basic. That's because it didn't feel important to me at the time I started development. I mean, why would someone have access to Konga if not to manage a Kong instance? Just to READ the APIs, consumers, plugins and not being able to modify them? That's the way I think about it at least, but I might be wrong and I'm surely open to debate. Can you please elaborate on what you have in mind when saying
How do you visualize it with roles, and what would each role's permissions be on the GUI and Kong's admin API itself?
I, being a security developer, don't need the Kong admin URL to be added to the loop-back address; more than that, I need Kong to have a username and password where the same is available to Konga only, hence Kong is accessible only through Konga (by this I meant Kong is safe from external attacks since the admin port is internal to the VPC). Therefore the authentication in the Kong admin URL, i.e. the admin nginx route, is the best way to avoid Kong being altered directly; also this ensures that even if Kong is exposed internally or externally it is still safe. This is the reason I went with direct auth instead of a loop-back.
On the other side we were having requirements where people needed to see the routes and only some to edit the same; this called for an access system which prevents people from editing the Kong routes.
Regards,
Raj
…On Sun, May 28, 2017 at 11:48 PM, Panagis Tselentis < ***@***.***> wrote:
Hi @rajagopalvreghunath <https://github.com/rajagopalvreghunath>,
with the addition of API keys in v0.7.3, the Kong admin URLs won't be accessed outside Konga (provided that Kong's admin port 8001 is not publicly accessible) in addition to implementing a "loop-back" API as described here <https://docs.gelato.io/guides/advanced-kong-integration>. Each Kong installation should have its own "loop-back" API and Konga will have to use a different API key for speaking to them.
Apart from that, as you can see, Konga's ACL is very basic. That's because it didn't feel important to me at the time I started development. I mean, why would someone have access to Konga if not to manage a Kong instance? Just to READ the APIs, consumers, plugins and not being able to modify them? That's the way I think about it at least, but I might be wrong and I'm surely open to debate.
Can you please elaborate on what you have in mind when saying "full fledged access system for kong"?
How do you visualize it with roles, and what would each role's permissions be on the GUI and Kong's admin API itself?