RBAC Examples - Kong Gateway - v3.7.x | Kong Docs
<!DOCTYPE html> <html lang="en-US" itemscope itemtype="http://schema.org/Article"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <!-- OneTrust Cookies Consent Notice start for konghq.com --> <script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="2c4de954-6bec-4e93-8086-64cb113f151a"> </script> <script type="text/javascript"> function OptanonWrapper() { } </script> <!-- OneTrust Cookies Consent Notice end for konghq.com --> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer', 'GTM-NL48VKT');</script> <!-- End Google Tag Manager --> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>RBAC Examples - Kong Gateway - v3.7.x | Kong Docs</title> <meta name="description" content="Documentation for Kong, the Cloud Connectivity Company for APIs and Microservices."> <meta name="author" content="KongHQ"> <meta property="og:title" content="RBAC Examples - Kong Gateway - v3.7.x | Kong Docs"> <meta property="og:site_name" content="Kong Docs"> <!-- use share link for facebook --> <meta property="og:url" content="https://docs.konghq.com"> <meta property="og:description" content="Documentation for Kong, the Cloud Connectivity Company for APIs and Microservices."> <meta property="og:type" content="website"> <meta property="og:locale" content="en_US"> <meta property="og:image" content="https://docs.konghq.com/assets/images/share.png"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:site" content="@thekonginc"> <meta name="twitter:creator" 
content="@thekonginc"> <meta name="twitter:url" content="https://docs.konghq.com"> <meta name="twitter:description" content="Documentation for Kong, the Cloud Connectivity Company for APIs and Microservices."> <meta name="twitter:image" content="https://docs.konghq.com/assets/images/share.png"> <meta property="fb:admins" content="227304446"> <meta property="fb:admins" content="576641408"> <meta name="google-site-verification" content="CrU3zp02dNKTe8NSAipL4NCPkrIjDXG8fViTZ-MIzP4"> <script type="application/ld+json"> { "@context": "http://schema.org", "@type": "Organization", "name": "KongHQ", "url": "https://docs.konghq.com", "logo": "https://docs.konghq.com/assets/images/logo.png", "sameAs": [ "https://www.facebook.com/konginc", "https://twitter.com/thekonginc", "https://plus.google.com/+mashape" ] } </script> <!-- Preload assets --> <link rel="dns-prefetch" href="https://cloud.typography.com"> <link rel="dns-prefetch" href="https://dev.visualwebsiteoptimizer.com"> <link rel="dns-prefetch" href="https://cdn.segment.com"> <link rel="icon" type="image/x-icon" href="/assets/images/favicon.ico"> <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@docsearch/css@3"> <link rel="canonical" href="https://docs.konghq.com/gateway/latest/production/access-control/enable-rbac/"> <link rel="alternate" hreflang="x-default" href="https://docs.konghq.com/gateway/3.7.x/production/access-control/enable-rbac/"> <link rel="alternate" hreflang="ja" href="https://docs.jp.konghq.com/gateway/3.7.x/production/access-control/enable-rbac/"> <meta name="robots" content="follow,noindex"> <!-- FontAwesome icon font --> <script src="https://kit.fontawesome.com/1332a92967.js" crossorigin="anonymous"> </script> <script src="/vite/assets/application-BwnN4xAL.js" crossorigin="anonymous" type="module"></script> <link href="/vite/assets/_commonjsHelpers-Cpj98o6Y.js" rel="modulepreload" as="script" crossorigin="anonymous"> <link rel="stylesheet" href="/vite/assets/application-9w6VHfwH.css" 
media="screen"> </head> <body id="" data-spy="scroll" data-target="#scroll-sidebar" data-offset="350">
<div class="page v2 " data-url="/gateway/3.7.x/production/access-control/enable-rbac/"> <div class="page--header-background page--header-background-doc"></div> <div class="container"> <header class="page-header page-header-doc"> <div class="page-header-product-version"> <div class="edition"> Kong Gateway </div> <div class="version"> 3.7.x </div> </div> </header> <aside
class="docs-sidebar"> <ul class="sidebar-container" role="tree" aria-label="Documentation"> <li
class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-kong-in-production-subtree"> <img src="/assets/images/icons/documentation/icn-deployment-color.svg" alt=""> Kong in Production <button class="sidebar-tree-toggle" aria-label="toggle Kong in Production subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-kong-in-production-subtree" role="group" aria-label="Kong in Production"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-1-deployment-topologies-subtree"> Deployment Topologies <button class="sidebar-tree-toggle" aria-label="toggle Deployment Topologies subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-1-deployment-topologies-subtree" role="group" aria-label="Deployment Topologies"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/deployment-topologies/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-1-2-hybrid-mode-subtree"> Hybrid Mode <button class="sidebar-tree-toggle" aria-label="toggle Hybrid Mode subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-1-2-hybrid-mode-subtree" role="group" aria-label="Hybrid Mode"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/deployment-topologies/hybrid-mode/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/deployment-topologies/hybrid-mode/setup/"> Deploy Kong Gateway in Hybrid mode </a> </span> 
</li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/deployment-topologies/db-less-and-declarative-config/"> DB-less Deployment </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/deployment-topologies/traditional/"> Traditional </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-2-running-kong-subtree"> Running Kong <button class="sidebar-tree-toggle" aria-label="toggle Running Kong subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-2-running-kong-subtree" role="group" aria-label="Running Kong"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/running-kong/kong-user/"> Running Kong as a non-root user </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/running-kong/secure-admin-api/"> Securing the Admin API </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/running-kong/systemd/"> Using systemd </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-3-access-control-subtree"> Access Control <button class="sidebar-tree-toggle" aria-label="toggle Access Control subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-3-access-control-subtree" role="group" aria-label="Access Control"> <li 
class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/access-control/start-securely/"> Start Kong Gateway Securely </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/access-control/register-admin-api/"> Programatically Creating Admins </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/access-control/enable-rbac/"> Enabling RBAC </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-4-licenses-subtree"> Licenses <button class="sidebar-tree-toggle" aria-label="toggle Licenses subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-4-licenses-subtree" role="group" aria-label="Licenses"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/licenses/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/licenses/download/"> Download your License </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/licenses/deploy/"> Deploy Enterprise License </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/licenses/examples/"> Using the License API </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" 
href="/gateway/3.7.x/licenses/report/"> Monitor Licenses Usage </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-5-networking-subtree"> Networking <button class="sidebar-tree-toggle" aria-label="toggle Networking subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-5-networking-subtree" role="group" aria-label="Networking"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/networking/default-ports/"> Default Ports </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/networking/dns-considerations/"> DNS Considerations </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/networking/firewall/"> Network and Firewall </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/networking/cp-dp-proxy/"> CP/DP Communication through a Forward Proxy </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-5-5-postgresql-tls-subtree"> PostgreSQL TLS <button class="sidebar-tree-toggle" aria-label="toggle PostgreSQL TLS subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-5-5-postgresql-tls-subtree" role="group" aria-label="PostgreSQL TLS"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/networking/configure-postgres-tls/"> Configure PostgreSQL TLS 
</a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/networking/troubleshoot-postgres-tls/"> Troubleshooting PostgreSQL TLS </a> </span> </li> </ul> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/kong-conf/"> Kong Configuration File </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/environment-variables/"> Environment Variables </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/website-api-serving/"> Serving a Website and APIs from Kong </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-9-monitoring-subtree"> Monitoring <button class="sidebar-tree-toggle" aria-label="toggle Monitoring subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-9-monitoring-subtree" role="group" aria-label="Monitoring"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/monitoring/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/monitoring/prometheus/"> Prometheus </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/monitoring/statsd/"> StatsD </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" 
class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/monitoring/datadog/"> Datadog </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/monitoring/healthcheck-probes/"> Health Check Probes </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-10-tracing-subtree"> Tracing <button class="sidebar-tree-toggle" aria-label="toggle Tracing subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-10-tracing-subtree" role="group" aria-label="Tracing"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/tracing/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/tracing/write-custom-trace-exporter/"> Writing a Custom Trace Exporter </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/tracing/api/"> Tracing API Reference </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/sizing-guidelines/"> Resource Sizing Guidelines </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/security-update-process/"> Security Update Process </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" 
href="/gateway/3.7.x/production/blue-green/"> Blue-Green Deployments </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/canary/"> Canary Deployments </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/clustering/"> Clustering Reference </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-16-performance-subtree"> Performance <button class="sidebar-tree-toggle" aria-label="toggle Performance subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-16-performance-subtree" role="group" aria-label="Performance"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/performance/performance-testing/"> Performance Testing Benchmarks </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/performance/benchmark/"> Establish a Performance Benchmark </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/performance/brotli/"> Improve performance with Brotli compression </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-17-logging-and-debugging-subtree"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/logging/"> Logging and Debugging </a> <button class="sidebar-tree-toggle" aria-label="toggle Logging and Debugging subtree" tabindex="-1"> <i class="fa 
fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-17-logging-and-debugging-subtree" role="group" aria-label="Logging and Debugging"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/logging/log-reference/"> Log Reference </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/logging/update-log-level-dynamically/"> Dynamic log level updates </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/logging/customize-gateway-logs/"> Customize Gateway Logs </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/debug-request/"> Debug Requests </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/logging/ai-analytics/"> AI Gateway Analytics </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/configuring-a-grpc-service/"> Configure a gRPC service </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/key-concepts/routes/expressions/"> Use the Expressions Router </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-20-upgrade-and-migration-subtree"> Upgrade and Migration <button class="sidebar-tree-toggle" aria-label="toggle Upgrade and Migration subtree" tabindex="-1"> <i 
class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-20-upgrade-and-migration-subtree" role="group" aria-label="Upgrade and Migration"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/upgrade/"> Upgrading Kong Gateway 3.x.x </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/upgrade/backup-and-restore/"> Backup and Restore </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-20-3-upgrade-strategies-subtree"> Upgrade Strategies <button class="sidebar-tree-toggle" aria-label="toggle Upgrade Strategies subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-20-3-upgrade-strategies-subtree" role="group" aria-label="Upgrade Strategies"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/upgrade/dual-cluster/"> Dual-Cluster Upgrade </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/upgrade/in-place/"> In-Place Upgrade </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/upgrade/blue-green/"> Blue-Green Upgrade </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/upgrade/rolling-upgrade/"> Rolling Upgrade </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/upgrade/lts-upgrade/"> Upgrade 
from 2.8 LTS to 3.4 LTS </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/migrate-ce-to-ke/"> Migrate from OSS to Enterprise </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/migrate-cassandra-to-postgres/"> Migration Guidelines Cassandra to PostgreSQL </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/production/breaking-changes/"> Breaking Changes </a> </span> </li> </ul> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-5-kong-gateway-enterprise-subtree"> <img src="/assets/images/icons/documentation/icn-enterprise-blue.svg" alt=""> Kong Gateway Enterprise <button class="sidebar-tree-toggle" aria-label="toggle Kong Gateway Enterprise subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-5-kong-gateway-enterprise-subtree" role="group" aria-label="Kong Gateway Enterprise"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-5-2-secrets-management-subtree"> Secrets Management <button class="sidebar-tree-toggle" aria-label="toggle Secrets Management subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-5-2-secrets-management-subtree" role="group" aria-label="Secrets Management"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" 
href="/gateway/3.7.x/kong-enterprise/secrets-management/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/secrets-management/getting-started/"> Getting Started </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/secrets-management/secrets-rotation/"> Secrets Rotation </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/secrets-management/advanced-usage/"> Advanced Usage </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-5-2-5-backends-subtree"> Backends <button class="sidebar-tree-toggle" aria-label="toggle Backends subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-5-2-5-backends-subtree" role="group" aria-label="Backends"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/secrets-management/backends/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/secrets-management/backends/env/"> Environment Variables </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/secrets-management/backends/aws-sm/"> AWS Secrets Manager </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" 
href="/gateway/3.7.x/kong-enterprise/secrets-management/backends/azure-key-vaults/"> Azure Key Vaults </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/secrets-management/backends/gcp-sm/"> Google Cloud Secret Manager </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/secrets-management/backends/hashicorp-vault/"> HashiCorp Vault </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-5-2-6-how-to-subtree"> How-To <button class="sidebar-tree-toggle" aria-label="toggle How-To subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-5-2-6-how-to-subtree" role="group" aria-label="How-To"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/secrets-management/how-to/aws-secrets-manager/"> Securing the Database with AWS Secrets Manager </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/secrets-management/reference-format/"> Reference Format </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-5-3-dynamic-plugin-ordering-subtree"> Dynamic Plugin Ordering <button class="sidebar-tree-toggle" aria-label="toggle Dynamic Plugin Ordering subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-5-3-dynamic-plugin-ordering-subtree" role="group" aria-label="Dynamic Plugin Ordering"> <li class="sidebar-item" 
role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/plugin-ordering/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/plugin-ordering/get-started/"> Get Started with Dynamic Plugin Ordering </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/audit-log/"> Audit Logging </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/db-encryption/"> Keyring and Data Encryption </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/workspaces/"> Workspaces </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/consumer-groups/"> Consumer Groups </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/event-hooks/"> Event Hooks </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/cp-outage-handling/"> Configure Data Plane Resilience </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/cp-outage-handling-faq/"> About Control Plane Outage Management </a> </span> </li> <li class="sidebar-item" role="none"> 
<span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-5-11-fips-140-2-subtree"> FIPS 140-2 <button class="sidebar-tree-toggle" aria-label="toggle FIPS 140-2 subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-5-11-fips-140-2-subtree" role="group" aria-label="FIPS 140-2"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/fips-support/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/fips-support/install/"> Install the FIPS Compliant Package </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/fips-support/plugins/"> FIPS 140-2 Compliant Plugins </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/aws-iam-auth-to-rds-database/"> Authenticate your Kong Gateway Amazon RDS database with AWS IAM </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/signed-images/"> Verify Signatures for Signed Kong Images </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/kong-enterprise/provenance-verification/"> Verify Build Provenance for Signed Kong Images </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-6-kong-ai-gateway-subtree"> <img 
src="/assets/images/icons/documentation/icn-ai.svg" alt=""> Kong AI Gateway <button class="sidebar-tree-toggle" aria-label="toggle Kong AI Gateway subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-6-kong-ai-gateway-subtree" role="group" aria-label="Kong AI Gateway"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/ai-gateway/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.7.x/get-started/ai-gateway/"> Get started with AI Gateway </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-6-3-llm-provider-integration-guides-subtree"> LLM Provider Integration Guides <button class="sidebar-tree-toggle" aria-label="toggle LLM Provider Integration Guides subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-6-3-llm-provider-integration-guides-subtree" role="group" aria-label="LLM Provider Integration Guides"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/kong-inc/ai-proxy/how-to/llm-provider-integration-guides/openai/"> OpenAI </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/kong-inc/ai-proxy/how-to/llm-provider-integration-guides/cohere/"> Cohere </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/kong-inc/ai-proxy/how-to/llm-provider-integration-guides/azure/"> Azure </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" 
href="#creating-entity-level-permissions" class="scroll-to">Creating entity-level permissions</a></li> </ul> </li> <li> <a href="#wildcards-in-permissions" class="scroll-to">Wildcards in permissions</a> <ul> <li><a href="#creating-endpoint-permissions" class="scroll-to">Creating endpoint permissions</a></li> <li><a href="#creating-entity-permissions" class="scroll-to">Creating entity permissions</a></li> </ul> </li> <li> <a href="#entities-nested-in-entity-level-rbac" class="scroll-to">Entities nested in entity-level RBAC</a> <ul> <li><a href="#creating-entities-in-entity-level-rbac" class="scroll-to">Creating entities in entity-level RBAC</a></li> </ul> </li> </ul> </aside> <div class="page-content-container page-content-container-doc v2 " id="documentation"> <div class="toggles "> <i class="far fa-list-alt toc-sidebar-toggle"></i> </div> <div class="page-content"> <div class="content show-anchor-links"> <blockquote id="version-notice" class="important"> You are browsing documentation for an older version. See the <a href="/gateway/latest/production/access-control/enable-rbac/">latest documentation here</a>. </blockquote> <h1 tabindex="-1" id="main" class="page-content-title">RBAC Examples <a href="https://konghq.com/pricing" class="badge enterprise" aria-label="available with Kong Gateway Enterprise subscription" target="_blank" rel="noopener nofollow noreferrer "> </a> </h1> <p>This chapter aims to provide a step-by-step tutorial on how to set up RBAC and see it in action, with an end-to-end use case. The chosen use case demonstrates how <strong>RBAC and workspaces</strong> can be coupled to achieve a flexible organization of teams and users in complex hierarchies.</p> <h2 id="use-case">Use case</h2> <p>For the sake of example, let’s say a given company has a Kong Gateway cluster that is shared by two teams: teamA and teamB.
While the Kong clusters are shared among these teams, they want to be able to segment their entities in such a way that management of entities in one team doesn’t disrupt operation in some other team. As shown in the <a href="/gateway/3.7.x/kong-enterprise/workspaces">Workspaces Page</a>, such a use case is possible with workspaces. On top of workspaces, though, each team wants to enforce access control over their Workspace, which is possible with RBAC.</p> <p>To sum up, workspaces and RBAC are complementary: workspaces provide segmentation of Admin API entities, while RBAC provides access control.</p> <blockquote class="note"> <p><strong>Note:</strong> The example responses in this guide are often excerpts of full responses, focusing on the most relevant part of the response, as the full response can be very long.</p> </blockquote> <h2 id="bootstrapping-the-first-rbac-user">Bootstrapping the first RBAC user</h2> <p>The first RBAC user is called the super admin.</p> <p>Kong recommends that you create a super admin user before actually enforcing RBAC and restarting Kong Gateway with RBAC enabled. Once RBAC is enforced, Admin API requests must carry a valid RBAC user token in the <code class="language-plaintext highlighter-rouge">Kong-Admin-Token</code> header, so a super admin has to exist already for the RBAC hierarchy to remain manageable through the Admin API.</p> <blockquote class="note"> <p>It’s possible to create the first super admin at installation time. 
If you chose this option, skip to <a href="#enforcing-rbac">Enforcing RBAC</a>.</p> </blockquote> <p>Kong Gateway ships with a set of default RBAC roles: <code class="language-plaintext highlighter-rouge">super-admin</code>, <code class="language-plaintext highlighter-rouge">admin</code>, and <code class="language-plaintext highlighter-rouge">read-only</code>, which makes the task of creating a super admin user easy:</p> <ol> <li> <p>Create the RBAC user, named <code class="language-plaintext highlighter-rouge">super-admin</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/rbac/users <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:secureadmintoken'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="nv">name</span><span class="o">=</span>super-admin <span class="se">\</span> <span class="nt">--data</span> <span class="nv">user_token</span><span class="o">=</span>exampletoken </code></pre></div> </div> <p><code class="language-plaintext highlighter-rouge">exampletoken</code> is a placeholder. The value of <code class="language-plaintext highlighter-rouge">user_token</code> is the credential this user later presents in the <code class="language-plaintext highlighter-rouge">Kong-Admin-Token</code> header, so set it to a long, randomly generated string and keep it out of shared scripts and shell history.</p> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"M8J5A88xKXa7FNKsMbgLMjkm6zI2anOY"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"da80838d-49f8-40f6-b673-6fff3e2c305b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531009435</span><span class="p">,</span><span 
class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531009435</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"super-admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> <p>As the <code class="language-plaintext highlighter-rouge">super-admin</code> username coincides with an existing <code class="language-plaintext highlighter-rouge">super-admin</code> role, it gets automatically added to the <code class="language-plaintext highlighter-rouge">super-admin</code> role.</p> </li> <li> <p>Confirm using the following command:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> GET http://localhost:8001/rbac/users/super-admin/roles </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"comment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Full access to all endpoints, across all workspaces"</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531009724</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531009724</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span 
class="s2">"super-admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"b924ac91-e83f-4136-a5a4-4a7ff92594a8"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531009435</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531009724</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"e6897cc0-0c34-4a9c-9f0b-cc65b4f04d68"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"super-admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vajeOlkybsn0q0VD9qw9B3nHYOErgY7b8"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> </ol> <h2 id="enforcing-rbac">Enforcing RBAC</h2> <p>With the <code class="language-plaintext highlighter-rouge">super-admin</code> user created, the Kong admin can now restart Kong Gateway with RBAC enforced:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>KONG_ENFORCE_RBAC=on kong restart </code></pre></div></div> <p>This is one of the 
possible ways of enforcing RBAC and restarting Kong. Another option is editing the Kong Gateway configuration file and restarting.</p> <p>Before moving on, note that this guide uses the super admin user, but you could move on without RBAC enabled, and have the Kong admin set up the whole RBAC hierarchy.</p> <p>However, we want to stress the fact that RBAC is powerful enough to allow a flexible separation of tasks. To summarize:</p> <ul> <li> <strong>Kong admin</strong>: This user has physical access to Kong infrastructure. Their task is to bootstrap the Kong cluster as well as its configuration, including initial RBAC users.</li> <li> <strong>RBAC super admin</strong>: Created by the Kong admin, has the role of managing RBAC users, roles, and permissions. While this could all be done by the Kong admin, we recommend separating the responsibility for better security.</li> </ul> <h2 id="super-admin-creates-the-team-workspaces">Super admin creates the team workspaces</h2> <p>The super admin now sets up two teams: teamA and teamB, creating one workspace for each and one admin for each. From here on, every request authenticates with the super admin’s token in the <code class="language-plaintext highlighter-rouge">Kong-Admin-Token</code> header; the token string shown in the examples is illustrative, so use the <code class="language-plaintext highlighter-rouge">user_token</code> value you set when creating the super admin. The examples call the Admin API over plain HTTP on localhost; when the Admin API is reached over a network, send the token only over its TLS listener.</p> <ol> <li> <p>Create the workspace for <code class="language-plaintext highlighter-rouge">teamA</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/workspaces <span class="se">\</span> <span class="nt">--data</span> <span class="nv">name</span><span class="o">=</span>teamA <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:vajeOlkbsn0q0VD9qw9B3nHYOErgY7b8'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"teamA"</span><span class="p">,</span><span 
class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531014100</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531014100</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1412f3a6-4d9b-4b9d-964e-60d8d63a9d46"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Create the workspace for <code class="language-plaintext highlighter-rouge">teamB</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/workspaces <span class="se">\</span> <span class="nt">--data</span> <span class="nv">name</span><span class="o">=</span>teamB <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:vajeOlkbsn0q0VD9qw9B3nHYOErgY7b8'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"teamB"</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531014143</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531014143</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"7dee8c56-c6db-4125-b87a-b508baa33c66"</span><span class="w"> 
</span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> </ol> <h2 id="super-admin-creates-one-admin-for-each-team">Super admin creates one admin for each team</h2> <ol> <li> <p>Create an admin for <code class="language-plaintext highlighter-rouge">teamA</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/users <span class="se">\</span> <span class="nt">--data</span> <span class="nv">name</span><span class="o">=</span>adminA <span class="se">\</span> <span class="nt">--data</span> <span class="nv">user_token</span><span class="o">=</span>exampletokenA <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:vajeOlkbsn0q0VD9qw9B3nHYOErgY7b8'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"qv1VLIpl8kHj7lC1QOKwRdCMXanqEDii"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"4d315ff9-8c1a-4844-9ea2-21b16204a154"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531015165</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531015165</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span 
class="p">:</span><span class="w"> </span><span class="s2">"adminA"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Create an admin for <code class="language-plaintext highlighter-rouge">teamB</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamB/rbac/users <span class="se">\</span> <span class="nt">--data</span> <span class="nv">name</span><span class="o">=</span>adminB <span class="se">\</span> <span class="nt">--data</span> <span class="nv">user_token</span><span class="o">=</span>exampletokenB <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:vajeOlkbsn0q0VD9qw9B3nHYOErgY7b8'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"IX5vHVgYqM40tLcctdmzRtHyfxB4ToYv"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"49641fc0-8c9d-4507-bc7a-2acac8f2903a"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531015221</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531015221</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> 
</span><span class="s2">"adminB"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Both of the teams now have one admin and each admin can only be seen in their corresponding workspace. To verify, run:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> GET http://localhost:8001/teamA/rbac/users <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:vajeOlkbsn0q0VD9qw9B3nHYOErgY7b8'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"total"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531014784</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531014784</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1faaacd1-709f-4762-8c3e-79f268ec8faf"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"adminA"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span 
class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"n5bhjgv0speXp4N7rSUzUj8PGnl3F5eG"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> <p>Similarly, workspace <code class="language-plaintext highlighter-rouge">teamB</code> only shows its own admin:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> GET http://localhost:8001/teamB/rbac/users <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:vajeOlkbsn0q0VD9qw9B3nHYOErgY7b8'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"total"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531014805</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531014805</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3a829408-c1ee-4764-8222-2d280a5de441"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"adminB"</span><span class="p">,</span><span class="w"> </span><span 
class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"C8b6kTTN10JFyU63ORjmCQwVbvK4maeq"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> </ol> <h2 id="super-admin-creates-admin-roles-for-teams">Super admin creates admin roles for teams</h2> <p>The super admin is now done creating RBAC admin users for each team. The next task is to create admin roles that will effectively grant permissions to admin users.</p> <p>The admin role must have access to all of the Admin API, restricted to its workspace.</p> <ol> <li> <p>Set up the admin role, paying close attention to the request parameters:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/roles/ <span class="se">\</span> <span class="nt">--data</span> <span class="nv">name</span><span class="o">=</span>admin <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:vajeOlkbsn0q0VD9qw9B3nHYOErgY7b8'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531016728</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531016728</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span 
class="p">:</span><span class="w"> </span><span class="s2">"d40e61ab-8dad-4ef2-a48b-d11379f7b8d1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Create role endpoint permissions:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/roles/admin/endpoints/ <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'endpoint=*'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'workspace=teamA'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'actions=*'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:vajeOlkbsn0q0VD9qw9B3nHYOErgY7b8'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"total"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531017322</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span 
class="mi">1531017322</span><span class="p">,</span><span class="w"> </span><span class="nl">"role_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d40e61ab-8dad-4ef2-a48b-d11379f7b8d1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"delete"</span><span class="p">,</span><span class="w"> </span><span class="s2">"create"</span><span class="p">,</span><span class="w"> </span><span class="s2">"update"</span><span class="p">,</span><span class="w"> </span><span class="s2">"read"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"negative"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"workspace"</span><span class="p">:</span><span class="w"> </span><span class="s2">"teamA"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Add the <code class="language-plaintext highlighter-rouge">adminA</code> user to the admin role in their workspace:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/users/adminA/roles/ <span class="se">\</span> <span class="nt">--data</span> <span class="nv">roles</span><span class="o">=</span>admin <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:vajeOlkbsn0q0VD9qw9B3nHYOErgY7b8'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span 
class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1685551877</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531014805</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"42809ada-650c-4575-b0a0-d464a64ffb70"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ws_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9dc7adbb-9b64-4121-bf76-653cf5871bc2"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"comment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"null"</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1685552809</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531014805</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span 
class="s2">"bca4e390-fbbf-4a46-b55d-f4642efc14bb"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"adminA"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$2b$09$oLyKTIDuKriPZ.SD5wYtxeMclGYNDn4udJkQG0NGx/Aq3j9j/tWsa"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_token_ident"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0ebb5"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Team A’s admin user is now able to manage their team. To validate that, let’s try to list RBAC users in Team B using Team A’s admin user token:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> GET http://localhost:8001/teamB/rbac/users <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Notice that you can’t access the endpoint:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Invalid RBAC credentials"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Now try listing RBAC users in Team A’s workspace:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> GET http://localhost:8001/teamA/rbac/users <span class="se">\</span> <span 
class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"total"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531014784</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531014784</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1faaacd1-709f-4762-8c3e-79f268ec8faf"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"adminA"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"n5bhjgv0speXp4N7rSUzUj8PGnl3F5eG"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> </ol> <p>If the same procedure is repeated for Team B, they will end up with a similar set up, with an admin role and an admin user, both restricted to the team’s workspace.</p> <p>The super admin’s job is 
now done. Individual team admins are now able to set up their team’s users and entities!</p> <h2 id="team-admins-create-regular-users">Team admins create regular users</h2> <p>From this point on, team admins are able to drive the process. The next step is to create team users, such as engineers that are part of Team A or B. Let’s go ahead and do that, using Admin A’s user token.</p> <p>Before regular users can be created, a role needs to be available for them. This role needs to have permissions to all of the Admin API endpoints, except RBAC and workspaces. Regular users don’t need access to these endpoints, and if they do, the admin can grant them individually. Because the role is built as a wildcard grant narrowed by negative permissions, any endpoint that is not explicitly excluded remains available to regular users, so review the exclusions whenever a narrower role is needed.</p> <h3 id="create-the-users-role">Create the users role</h3> <ol> <li> <p>As a team admin, create the regular <code class="language-plaintext highlighter-rouge">users</code> role:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/roles/ <span class="se">\</span> <span class="nt">--data</span> <span class="nv">name</span><span class="o">=</span><span class="nb">users</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531020346</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531020346</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9846b92c-6820-4741-ac31-425b3d6abc5b"</span><span 
class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"users"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Create a permission for all of the Admin API, which requires a positive permission on <code class="language-plaintext highlighter-rouge">\*</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/roles/users/endpoints/ <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'endpoint=*'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'workspace=teamA'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'actions=*'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531020573</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531020573</span><span class="p">,</span><span class="w"> </span><span class="nl">"role_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9846b92c-6820-4741-ac31-425b3d6abc5b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> 
</span><span class="p">[</span><span class="w"> </span><span class="s2">"delete"</span><span class="p">,</span><span class="w"> </span><span class="s2">"create"</span><span class="p">,</span><span class="w"> </span><span class="s2">"update"</span><span class="p">,</span><span class="w"> </span><span class="s2">"read"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"negative"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"workspace"</span><span class="p">:</span><span class="w"> </span><span class="s2">"teamA"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Then, filter out RBAC and workspaces with negative permissions:</p> <p>Filter out RBAC endpoints:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/roles/users/endpoints/ <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'endpoint=/rbac/*'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'workspace=teamA'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'actions=*'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'negative=true'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/rbac/*"</span><span class="p">,</span><span class="w"> </span><span 
class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531020744</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531020744</span><span class="p">,</span><span class="w"> </span><span class="nl">"role_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9846b92c-6820-4741-ac31-425b3d6abc5b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"delete"</span><span class="p">,</span><span class="w"> </span><span class="s2">"create"</span><span class="p">,</span><span class="w"> </span><span class="s2">"update"</span><span class="p">,</span><span class="w"> </span><span class="s2">"read"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"negative"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"workspace"</span><span class="p">:</span><span class="w"> </span><span class="s2">"teamA"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> <p>Filter out workspaces endpoints:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/roles/users/endpoints/ <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'endpoint=/workspaces/*'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'workspace=teamA'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'actions=*'</span> <span class="se">\</span> <span class="nt">--data</span> <span 
class="s1">'negative=true'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/workspaces/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531020778</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531020778</span><span class="p">,</span><span class="w"> </span><span class="nl">"role_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9846b92c-6820-4741-ac31-425b3d6abc5b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"delete"</span><span class="p">,</span><span class="w"> </span><span class="s2">"create"</span><span class="p">,</span><span class="w"> </span><span class="s2">"update"</span><span class="p">,</span><span class="w"> </span><span class="s2">"read"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"negative"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"workspace"</span><span class="p">:</span><span class="w"> </span><span class="s2">"teamA"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> </ol> <blockquote class="important"> <p><strong>Important</strong>: As explained in the <a 
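href="#wildcards-in-permissions">Wildcards in Permissions</a> section, the meaning of <code class="language-plaintext highlighter-rouge">*</code> is not the same as generic globbing. As such, <code class="language-plaintext highlighter-rouge">/rbac/*</code> or <code class="language-plaintext highlighter-rouge">/workspaces/*</code> do not match all of the RBAC and Workspaces endpoints. For example, to cover all of the RBAC API, you would have to define permissions for the following endpoints:</p> <ul> <li><code class="language-plaintext highlighter-rouge">/rbac/*</code></li> <li><code class="language-plaintext highlighter-rouge">/rbac/*/*</code></li> <li><code class="language-plaintext highlighter-rouge">/rbac/*/*/*</code></li> <li><code class="language-plaintext highlighter-rouge">/rbac/*/*/*/*</code></li> <li><code class="language-plaintext highlighter-rouge">/rbac/*/*/*/*/*</code></li> </ul> <p>The two negative permissions created in the previous step therefore cover only the first path level under <code class="language-plaintext highlighter-rouge">/rbac/</code> and <code class="language-plaintext highlighter-rouge">/workspaces/</code>. Deeper RBAC and workspaces paths stay allowed by the positive <code class="language-plaintext highlighter-rouge">*</code> permission until a negative permission is added for each of the patterns listed above, and for the corresponding <code class="language-plaintext highlighter-rouge">/workspaces/</code> patterns. Add them before handing the role to regular users.</p> </blockquote> <h3 id="add-members-to-a-team">Add members to a team</h3> <p>Team A just got two new members: <code class="language-plaintext highlighter-rouge">foogineer</code> and <code class="language-plaintext highlighter-rouge">bargineer</code>. 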
Admin A welcomes them to the team by creating RBAC users for them and giving them access to Kong.</p> <ol> <li> <p>Create <code class="language-plaintext highlighter-rouge">foogineer</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/users <span class="se">\</span> <span class="nt">--data</span> <span class="nv">name</span><span class="o">=</span>foogineer <span class="se">\</span> <span class="nt">--data</span> <span class="nv">user_token</span><span class="o">=</span>exampletokenfoo <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531019797</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531019797</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0b4111da-2827-4767-8651-a327f7a559e9"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"foogineer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dNeYvYAwvjOJdoReVJZXF8vLBXQioKkI"</span><span class="w"> </span><span 
class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Add <code class="language-plaintext highlighter-rouge">foogineer</code> to the <code class="language-plaintext highlighter-rouge">users</code> role:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/users/foogineer/roles <span class="se">\</span> <span class="nt">--data</span> <span class="nv">roles</span><span class="o">=</span><span class="nb">users</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"comment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Default user role generated for foogineer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531019797</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531019797</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"125c4212-b882-432d-a323-9cbe38b1d0df"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"foogineer"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span 
class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531020346</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531020346</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9846b92c-6820-4741-ac31-425b3d6abc5b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"users"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531019797</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531019797</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0b4111da-2827-4767-8651-a327f7a559e9"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"foogineer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dNeYvYAwvjOJdoReVJZXF8vLBXQioKkI"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span 
class="w"> </span></code></pre></div> </div> </li> <li> <p>Create <code class="language-plaintext highlighter-rouge">bargineer</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/users <span class="se">\</span> <span class="nt">--data</span> <span class="nv">name</span><span class="o">=</span>bargineer <span class="se">\</span> <span class="nt">--data</span> <span class="nv">user_token</span><span class="o">=</span>exampletokenbar <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531019797</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531019797</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"e8926efa-11b4-43a3-9a28-767c05d8e9d8"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bargineer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dNeYvYAwvjOJdoReVJZXF8vLBXQioKkI"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> 
<li> <p>Add <code class="language-plaintext highlighter-rouge">bargineer</code> to the <code class="language-plaintext highlighter-rouge">users</code> role:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/users/bargineer/roles <span class="se">\</span> <span class="nt">--data</span> <span class="nv">roles</span><span class="o">=</span><span class="nb">users</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"comment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Default user role generated for bargineer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531019797</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531019797</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"125c4212-b882-432d-a323-9cbe38b1d0df"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bargineer"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span 
class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531020346</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531020346</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9846b92c-6820-4741-ac31-425b3d6abc5b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"users"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531019797</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531019797</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"e8926efa-11b4-43a3-9a28-767c05d8e9d8"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bargineer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dNeYvYAwvjOJdoReVJZXF8vLBXQioKkI"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> 
</ol> <h2 id="regular-team-users-use-their-tokens">Regular team users use their tokens</h2> <p><code class="language-plaintext highlighter-rouge">foogineer</code> and <code class="language-plaintext highlighter-rouge">bargineer</code> have gotten their RBAC user tokens from their Team A admin, and are now allowed to explore Kong Gateway within the confines of their Team A workspace. Let’s validate this.</p> <ol> <li> <p>As <code class="language-plaintext highlighter-rouge">foogineer</code>, try listing workspaces:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> GET http://localhost:8001/teamA/workspaces/ <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:dNeYvYAwvjOJdoReVJZXF8vLBXQioKkI'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"foogineer, you do not have permissions to read this resource"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Enable some plugin, for example <code class="language-plaintext highlighter-rouge">key-auth</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/plugins <span class="se">\</span> <span class="nt">--data</span> <span class="nv">name</span><span class="o">=</span>key-auth <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:dNeYvYAwvjOJdoReVJZXF8vLBXQioKkI'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div 
class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531021732</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531021732</span><span class="p">,</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key_in_body"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"run_on_preflight"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"anonymous"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"hide_credentials"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"key_names"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"apikey"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdc85ef0-804b-4f92-aafd-3ff58512e445"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"key-auth"</span><span class="w"> </span><span 
class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>List currently enabled plugins:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> GET http://localhost:8001/teamA/plugins <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:dNeYvYAwvjOJdoReVJZXF8vLBXQioKkI'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"total"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531021732</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531021732</span><span class="p">,</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key_in_body"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"run_on_preflight"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"anonymous"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"hide_credentials"</span><span 
class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"key_names"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"apikey"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdc85ef0-804b-4f92-aafd-3ff58512e445"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"key-auth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> </ol> <p>This ends the use case tutorial, which demonstrates the power of RBAC and workspaces with a real-world scenario.</p> <h2 id="entity-level-rbac">Entity-level RBAC</h2> <p>In addition to endpoint permissions, RBAC in Kong Gateway supports entity-level permissions, meaning that particular entities, identified by their unique ID, can be allowed or disallowed access in a role.</p> <p>RBAC is <a href="#enforcing-rbac">enforced</a> with the <code class="language-plaintext highlighter-rouge">enforce_rbac</code> configuration directive, or with its <code class="language-plaintext highlighter-rouge">KONG_ENFORCE_RBAC</code> environment variable counterpart. 
The directive is an enum, with the following possible values:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">on</code>: Applies endpoint-level access control</li> <li> <code class="language-plaintext highlighter-rouge">entity</code>: Applies <strong>only</strong> entity-level access control</li> <li> <code class="language-plaintext highlighter-rouge">both</code>: Applies <strong>both endpoint-level and entity-level access control</strong> </li> <li> <code class="language-plaintext highlighter-rouge">off</code>: Disables RBAC enforcement</li> </ul> <p>If set to <code class="language-plaintext highlighter-rouge">entity</code> or <code class="language-plaintext highlighter-rouge">both</code>, Kong enforces entity-level access control. However, as with endpoint-level access control, permissions must be bootstrapped before enforcement is enabled.</p> <h3 id="creating-entity-level-permissions">Creating entity-level permissions</h3> <p>Team A just got one new, temporary, team member: <code class="language-plaintext highlighter-rouge">qux</code>. Admin A, the admin of Team A, has already created the <code class="language-plaintext highlighter-rouge">qux</code> RBAC user.</p> <p>Next, the admin needs to limit the access that <code class="language-plaintext highlighter-rouge">qux</code> has over entities in the Team A workspace, giving the user read access to only a couple of entities. 
For that, the admin needs to use entity-level RBAC.</p> <ol> <li> <p>As Admin A, create a role for the temporary user <code class="language-plaintext highlighter-rouge">qux</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/roles <span class="se">\</span> <span class="nt">--data</span> <span class="nv">name</span><span class="o">=</span>qux-role <span class="se">\</span> <span class="nt">-H</span> Kong-Admin-Token:exampletokenA </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"qux-role"</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531065975</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531065975</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ffe93269-7993-4308-965e-0286d0bc87b9"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Grant the user read access to two entities: a service and a route. 
Reference each entity by its ID:</p> <p>For example, using <code class="language-plaintext highlighter-rouge">service1</code> with the ID <code class="language-plaintext highlighter-rouge">3ed24101-19a7-4a0b-a10f-2f47bcd4ff43</code> and <code class="language-plaintext highlighter-rouge">route1</code> with the ID <code class="language-plaintext highlighter-rouge">d25afc46-dc59-48b2-b04f-d3ebe19f6d4b</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/roles/qux-role/entities <span class="se">\</span> <span class="nt">--data</span> <span class="nv">entity_id</span><span class="o">=</span>3ed24101-19a7-4a0b-a10f-2f47bcd4ff43 <span class="se">\</span> <span class="nt">--data</span> <span class="nv">entity_type</span><span class="o">=</span>services <span class="se">\</span> <span class="nt">--data</span> <span class="nv">actions</span><span class="o">=</span><span class="nb">read</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531066684</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531066684</span><span class="p">,</span><span class="w"> </span><span class="nl">"role_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ffe93269-7993-4308-965e-0286d0bc87b9"</span><span class="p">,</span><span class="w"> </span><span class="nl">"entity_id"</span><span class="p">:</span><span class="w"> </span><span 
class="s2">"3ed24101-19a7-4a0b-a10f-2f47bcd4ff43"</span><span class="p">,</span><span class="w"> </span><span class="nl">"negative"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"entity_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"services"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"read"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/roles/qux-role/entities <span class="se">\</span> <span class="nt">--data</span> <span class="nv">entity_id</span><span class="o">=</span>d25afc46-dc59-48b2-b04f-d3ebe19f6d4b <span class="se">\</span> <span class="nt">--data</span> <span class="nv">entity_type</span><span class="o">=</span>routes <span class="se">\</span> <span class="nt">--data</span> <span class="nv">actions</span><span class="o">=</span><span class="nb">read</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531066684</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531066684</span><span 
class="p">,</span><span class="w"> </span><span class="nl">"role_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ffe93269-7993-4308-965e-0286d0bc87b9"</span><span class="p">,</span><span class="w"> </span><span class="nl">"entity_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d25afc46-dc59-48b2-b04f-d3ebe19f6d4b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"negative"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"entity_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"routes"</span><span class="p">,</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"read"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Add the user <code class="language-plaintext highlighter-rouge">qux</code> to <code class="language-plaintext highlighter-rouge">qux-role</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/rbac/users/qux/roles <span class="se">\</span> <span class="nt">--data</span> <span class="nv">roles</span><span class="o">=</span>qux-role <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> 
</span><span class="p">{</span><span class="w"> </span><span class="nl">"comment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Default user role generated for qux"</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531065373</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531065373</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"qux"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"31614171-4174-42b4-9fae-43c9ce14830f"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531065975</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531065975</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"qux-role"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ffe93269-7993-4308-965e-0286d0bc87b9"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531065373</span><span 
class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531065373</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"4d87bf78-5824-4756-b0d0-ceaa9bd9b2d5"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"qux"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sUnv6uBehM91amYRNWESsgX3HzqoBnR5"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>Check that the correct permissions are listed for <code class="language-plaintext highlighter-rouge">qux</code>:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> GET http://localhost:8001/teamA/rbac/users/qux/permissions <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:exampletokenA'</span> </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"entities"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"d25afc46-dc59-48b2-b04f-d3ebe19f6d4b"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"actions"</span><span 
class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"read"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"negative"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"3ed24101-19a7-4a0b-a10f-2f47bcd4ff43"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"read"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"negative"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"endpoints"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> <p><code class="language-plaintext highlighter-rouge">qux</code> should have two entity permissions and no endpoint permissions.</p> </li> </ol> <p>Admin A is done setting up <code class="language-plaintext highlighter-rouge">qux</code>, and <code class="language-plaintext highlighter-rouge">qux</code> can now use their user token to read the two entities over Kong’s admin API.</p> <p>Let’s assume that Admin A <a href="#enforcing-rbac">enabled entity-level enforcement</a> as well. Note that because <code class="language-plaintext highlighter-rouge">qux</code> has <strong>no endpoint-level permissions</strong>,
if both endpoint-level and entity-level enforcement are enabled, <code class="language-plaintext highlighter-rouge">qux</code> won’t be able to read their entities, as endpoint-level validation comes before entity-level.</p> <ol> <li> <p>As <code class="language-plaintext highlighter-rouge">qux</code>, try listing all RBAC users:</p> <div class="language-sh highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl <span class="nt">-i</span> <span class="nt">-X</span> GET http://localhost:8001/teamA/rbac/users/ <span class="se">\</span> <span class="nt">-H</span> Kong-Admin-Token:sUnv6uBehM91amYRNWESsgX3HzqoBnR5 </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"qux, you do not have permissions to read this resource"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> <li> <p>As <code class="language-plaintext highlighter-rouge">qux</code>, try to access <code class="language-plaintext highlighter-rouge">service1</code>:</p> <div class="language-plaintext highlighter-rouge"> <div class="highlight"><pre class="highlight"><code> curl -i -X GET http://localhost:8001/teamA/services/service1 \ -H Kong-Admin-Token:sUnv6uBehM91amYRNWESsgX3HzqoBnR5 </code></pre></div> </div> <p>Response:</p> <div class="language-json highlighter-rouge"> <div class="highlight"><pre class="highlight"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"httpbin.konghq.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531066074</span><span
class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531066074</span><span class="p">,</span><span class="w"> </span><span class="nl">"connect_timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">60000</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3ed24101-19a7-4a0b-a10f-2f47bcd4ff43"</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"service1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"read_timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">60000</span><span class="p">,</span><span class="w"> </span><span class="nl">"port"</span><span class="p">:</span><span class="w"> </span><span class="mi">80</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531066074</span><span class="p">,</span><span class="w"> </span><span class="nl">"retries"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"write_timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">60000</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> </div> </li> </ol> <h2 id="wildcards-in-permissions">Wildcards in permissions</h2> <p>RBAC supports the use of wildcards 
(<code class="language-plaintext highlighter-rouge">*</code>) in many aspects of permissions.</p> <h3 id="creating-endpoint-permissions">Creating endpoint permissions</h3> <p>To create an endpoint permission via <code class="language-plaintext highlighter-rouge">/rbac/roles/:role/endpoints</code>, you must pass the parameters below, all of which can be replaced by a <code class="language-plaintext highlighter-rouge">*</code> character:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">endpoint</code>: <code class="language-plaintext highlighter-rouge">*</code> matches <strong>any endpoint</strong> </li> <li> <code class="language-plaintext highlighter-rouge">workspace</code>: <code class="language-plaintext highlighter-rouge">*</code> matches <strong>any workspace</strong> </li> <li> <code class="language-plaintext highlighter-rouge">actions</code>: <code class="language-plaintext highlighter-rouge">*</code> evaluates to <strong>all actions—read, update, create, delete</strong> </li> </ul> <p><strong>Special case</strong>: <code class="language-plaintext highlighter-rouge">endpoint</code>, in addition to a single <code class="language-plaintext highlighter-rouge">*</code>, also accepts <code class="language-plaintext highlighter-rouge">*</code> within the endpoint itself, replacing a URL segment between <code class="language-plaintext highlighter-rouge">/</code>. 
For example, all of the following are valid endpoints:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">/rbac/*</code>: where <code class="language-plaintext highlighter-rouge">*</code> replaces any possible segment, for example <code class="language-plaintext highlighter-rouge">/rbac/users</code> and <code class="language-plaintext highlighter-rouge">/rbac/roles</code> </li> <li> <code class="language-plaintext highlighter-rouge">/services/*/plugins</code>: <code class="language-plaintext highlighter-rouge">*</code> matches any service name or ID</li> </ul> <blockquote class="note"> <p><strong>Note</strong> <code class="language-plaintext highlighter-rouge">*</code> <strong>is not</strong> a generic, shell-like, glob pattern.</p> </blockquote> <p>If <code class="language-plaintext highlighter-rouge">workspace</code> is omitted, it defaults to the current request’s workspace. For example, a role-endpoint permission created with <code class="language-plaintext highlighter-rouge">/teamA/roles/admin/endpoints</code> is scoped to workspace <code class="language-plaintext highlighter-rouge">teamA</code>.</p> <h3 id="creating-entity-permissions">Creating entity permissions</h3> <p>For entity permissions created via <code class="language-plaintext highlighter-rouge">/rbac/roles/:role/entities</code>, the following parameter accepts a <code class="language-plaintext highlighter-rouge">*</code> character:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">entity_id</code>: <code class="language-plaintext highlighter-rouge">*</code> matches <strong>any entity ID</strong> </li> </ul> <h2 id="entities-nested-in-entity-level-rbac">Entities nested in entity-level RBAC</h2> <p>With entity-level RBAC enabled, endpoints that list all entities of a particular collection will only list entities that the user has access to.</p> <p>In the example above, if user <code class="language-plaintext highlighter-rouge">qux</code> listed all routes, they would only 
get the entities they have access to in the response, even though there could be more in the workspace:</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl <span class="nt">-i</span> <span class="nt">-X</span> GET http://localhost:8001/teamA/routes <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:sUnv6uBehM91amYRNWESsgX3HzqoBnR5'</span> </code></pre></div></div> <p>Response:</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"next"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531066253</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531066253</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d25afc46-dc59-48b2-b04f-d3ebe19f6d4b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"hosts"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"preserve_host"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"regex_priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"service"</span><span 
class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3ed24101-19a7-4a0b-a10f-2f47bcd4ff43"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"paths"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"/anything"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"methods"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"strip_path"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocols"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"http"</span><span class="p">,</span><span class="w"> </span><span class="s2">"https"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>Some Kong endpoints carry a <code class="language-plaintext highlighter-rouge">total</code> field in responses. 
With entity-level RBAC enabled, the global count of entities is displayed, but only the entities the user has access to are shown. The <code class="language-plaintext highlighter-rouge">total</code> value therefore reveals that entities exist beyond those the user is permitted to read.</p> <p>For example, if Team A has a number of plugins configured, but <code class="language-plaintext highlighter-rouge">qux</code> only has access to one of them, the following would be the expected output for a GET request to <code class="language-plaintext highlighter-rouge">/teamA/plugins</code>:</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl <span class="nt">-i</span> <span class="nt">-X</span> GET http://localhost:8001/teamA/plugins <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:sUnv6uBehM91amYRNWESsgX3HzqoBnR5'</span> </code></pre></div></div> <p>Response:</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"total"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531070344</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531070344</span><span class="p">,</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key_in_body"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"run_on_preflight"</span><span class="p">:</span><span class="w"> </span><span
class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"anonymous"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"hide_credentials"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"key_names"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"apikey"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"8813dd0b-3e9d-4bcf-8a10-3112654f86e7"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"key-auth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>Notice the <code class="language-plaintext highlighter-rouge">total</code> field is 2, but <code class="language-plaintext highlighter-rouge">qux</code> only got one entity in the response.</p> <h3 id="creating-entities-in-entity-level-rbac">Creating entities in entity-level RBAC</h3> <p>As entity-level RBAC provides access control to individual existing entities, it does not apply to creation of new entities. 
For that, endpoint-level permissions must be configured and enforced.</p> <p>For example, if endpoint-level permissions are not enforced, <code class="language-plaintext highlighter-rouge">qux</code> will be able to create new entities, and will automatically have permissions to perform any actions to entities they create:</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:8001/teamA/routes <span class="se">\</span> <span class="nt">--data</span> paths[]<span class="o">=</span>/anything <span class="se">\</span> <span class="nt">--data</span> service.id<span class="o">=</span>3ed24101-19a7-4a0b-a10f-2f47bcd4ff43 <span class="se">\</span> <span class="nt">--data</span> <span class="nv">strip_path</span><span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Kong-Admin-Token:sUnv6uBehM91amYRNWESsgX3HzqoBnR5'</span> </code></pre></div></div> <p>Response:</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531070828</span><span class="p">,</span><span class="w"> </span><span class="nl">"updated_at"</span><span class="p">:</span><span class="w"> </span><span class="mi">1531070828</span><span class="p">,</span><span class="w"> </span><span class="nl">"strip_path"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"hosts"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"preserve_host"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span 
class="p">,</span><span class="w"> </span><span class="nl">"regex_priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"paths"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"/anything"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"service"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3ed24101-19a7-4a0b-a10f-2f47bcd4ff43"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"methods"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocols"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"http"</span><span class="p">,</span><span class="w"> </span><span class="s2">"https"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"6ee76f74-3c96-46a9-ae48-72df0717d244"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> </div> </div> </div> <div id="scroll-to-top-button"> <i class="fas fa-chevron-up"></i> </div> <div class="feedback-widget-container"> <input id="feedback-widget-checkbox" type="checkbox"> <label for="feedback-widget-checkbox"> <img src="/assets/images/icons/feedback-widget.svg" alt="Feedback widget"> </label> <div class="feedback-container"> <div class="feedback-thankyou"> Thank you for your feedback. 
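</span> </li> </ul> <div> <span>© Kong Inc. 2024 </span> </div> </div> </section> </footer>

<!-- Heading permalinks: prepends a "#id" anchor to every heading that has an id
     inside a .show-anchor-links container, once the document has fully loaded. -->
<script>
  // Builds the permalink anchor for the heading with the given id.
  var anchorForId = function (id) {
    var anchor = document.createElement("a");
    anchor.className = "header-link";
    anchor.href = "#" + id;
    anchor.title = `${id} Permalink`;
    // The icon is created as a DOM node instead of being assigned through
    // innerHTML, so no markup string is ever parsed here and the code keeps
    // working under a Trusted Types policy.
    var icon = document.createElement("i");
    icon.className = "fa fa-link";
    anchor.appendChild(icon);
    return anchor;
  };

  // addEventListener (rather than assigning document.onreadystatechange) so this
  // handler neither overwrites nor is overwritten by another script's handler.
  document.addEventListener("readystatechange", function () {
    if (document.readyState !== "complete") {
      return;
    }
    var selector =
      ".show-anchor-links h1, .show-anchor-links h2, .show-anchor-links h3, " +
      ".show-anchor-links h4, .show-anchor-links h5, .show-anchor-links h6";
    var headers = document.querySelectorAll(selector);
    for (var i = 0; i < headers.length; i++) {
      var header = headers[i];
      // Headings without an id cannot be linked to.
      if (header.id) {
        header.prepend(anchorForId(header.id));
      }
    }
  });
</script>

<!-- Segment analytics.js loader (vendor snippet, SNIPPET_VERSION 5.2.0), kept exactly
     as shipped. The write key is sent to every visitor, so it is an identifier and not
     a secret. The snippet injects a script from cdn.segment.com at run time; that load
     cannot carry an integrity attribute, so a Content-Security-Policy script-src
     allowlist is the control that limits what it may pull in. -->
<script>
  !function(){var i="analytics",analytics=window[i]=window[i]||[];if(!analytics.initialize)if(analytics.invoked)window.console&&console.error&&console.error("Segment snippet included twice.");else{analytics.invoked=!0;analytics.methods=["trackSubmit","trackClick","trackLink","trackForm","pageview","identify","reset","group","track","ready","alias","debug","page","screen","once","off","on","addSourceMiddleware","addIntegrationMiddleware","setAnonymousId","addDestinationMiddleware","register"];analytics.factory=function(e){return function(){if(window[i].initialized)return window[i][e].apply(window[i],arguments);var n=Array.prototype.slice.call(arguments);if(["track","screen","alias","group","page","identify"].indexOf(e)>-1){var c=document.querySelector("link[rel='canonical']");n.push({__t:"bpc",c:c&&c.getAttribute("href")||void 0,p:location.pathname,u:location.href,s:location.search,t:document.title,r:document.referrer})}n.unshift(e);analytics.push(n);return analytics}};for(var n=0;n<analytics.methods.length;n++){var key=analytics.methods[n];analytics[key]=analytics.factory(key)}analytics.load=function(key,n){var t=document.createElement("script");t.type="text/javascript";t.async=!0;t.setAttribute("data-global-segment-analytics-key",i);t.src="https://cdn.segment.com/analytics.js/v1/" + key + "/analytics.min.js";var r=document.getElementsByTagName("script")[0];r.parentNode.insertBefore(t,r);analytics._loadOptions=n};analytics._writeKey="X7EZTdbdUKQ8M6x42SHHPWiEhjsfs1EQ";;analytics.SNIPPET_VERSION="5.2.0";
  analytics.load("X7EZTdbdUKQ8M6x42SHHPWiEhjsfs1EQ");
  analytics.page();
  }}();
</script>

<div id="fb-root"></div>

<!-- Third-party script served from an unversioned URL, so Subresource Integrity cannot
     be applied to it. Self-hosting a reviewed copy is the way to pin its content. -->
<script id="github-bjs" src="https://buttons.github.io/buttons.js" async defer></script>

<!-- Visual Website Optimizer loader (vendor snippet). Two changes from the shipped form,
     both behaviour-preserving: the timeout callback is a function instead of a string,
     and the library URL names https explicitly. -->
<script>
  var _vwo_code = (function() {
    var account_id = 125292,
      settings_tolerance = 2000,
      library_tolerance = 2500,
      use_existing_jquery = true,
      // DO NOT EDIT BELOW THIS LINE
      f = false,
      d = document;
    return {
      use_existing_jquery: function() {
        return use_existing_jquery;
      },
      library_tolerance: function() {
        return library_tolerance;
      },
      // Marks loading as finished (once) and removes the temporary style element.
      finish: function() {
        if (!f) {
          f = true;
          var a = d.getElementById('_vis_opt_path_hides');
          if (a) a.parentNode.removeChild(a);
        }
      },
      finished: function() {
        return f;
      },
      // Injects the script at URL `a` into <head>; a failed load calls finish().
      load: function(a) {
        var b = d.createElement('script');
        b.src = a;
        b.type = 'text/javascript';
        b.innerText;
        b.onerror = function() {
          _vwo_code.finish();
        };
        d.getElementsByTagName('head')[0].appendChild(b);
      },
      init: function() {
        // A string argument to setTimeout is evaluated like eval() and needs
        // 'unsafe-eval' in a Content-Security-Policy; a function does not.
        // settings_timer is left as an implicit global, as in the vendor snippet.
        settings_timer = setTimeout(function() {
          _vwo_code.finish();
        }, settings_tolerance);
        // Explicit https: a protocol-relative URL would follow the page onto
        // plain http. Note that the full page URL (d.URL) is sent to the vendor.
        this.load(
          'https://dev.visualwebsiteoptimizer.com/j.php?a=' + account_id +
          '&u=' + encodeURIComponent(d.URL) +
          '&r=' + Math.random()
        );
        var a = d.createElement('style'),
          b = '',
          h = d.getElementsByTagName('head')[0];
        a.setAttribute('id', '_vis_opt_path_hides');
        a.setAttribute('type', 'text/css');
        if (a.styleSheet) a.styleSheet.cssText = b;
        else a.appendChild(d.createTextNode(b));
        h.appendChild(a);
        return settings_timer;
      }
    };
  })();
  _vwo_settings_timer = _vwo_code.init();
</script>

<!-- "@3" is a version range that the CDN resolves at request time, so the bytes served
     can change without a change to this page. Pin an exact release and add integrity
     and crossorigin attributes once the hash of that release has been computed. -->
<script src="https://cdn.jsdelivr.net/npm/@docsearch/js@3"></script>

<!-- DocSearch initialisation for the docs search box. -->
<script>
  docsearch({
    appId: '05Y6TLHNFZ',
    // Shipped to every visitor: this has to be a search-only key, restricted to the
    // index below. NOTE(review): confirm the key's ACL in the Algolia dashboard.
    apiKey: '80483bfe28d9fd036a11a6f6a06454f8',
    indexName: 'konghq',
    container: '#getkong-algolia-search-input',
    disableUserPersonalization: true,
    placeholder: 'Search the docs...',
    // Override selected event to allow for local environment navigation
    transformItems(items) {
      return items.map((item) => {
        var parts = item.url.split('docs.konghq.com');
        // A hit whose URL does not contain the docs host has no second part; the
        // previous code then appended the string "undefined" to the current host.
        // Such hits are returned unchanged.
        if (parts.length < 2) {
          return item;
        }
        var modifiedUrl = window.location.protocol + '//' + window.location.host + parts[1];
        return {
          ...item,
          url: modifiedUrl
        };
      });
    },
    translations: {
      button: {
        buttonText: 'Search the docs..',
        buttonAriaLabel: 'Search the docs...'
      }
    },
    // Renders the "See more" link under the results. The user's query reaches the
    // href only through URLSearchParams, which percent-encodes it.
    resultsFooterComponent({ state }) {
      var facetParameters = {"version[0]":"3.7.x","product[0]":"Kong Gateway"};
      var queryParams = new URLSearchParams(facetParameters);
      queryParams.set('query', state.query);
      return {
        // The HTML `tag`
        type: 'a',
        ref: undefined,
        constructor: undefined,
        key: state.query,
        // Its props
        props: {
          href: `/search/?${queryParams.toString()}`,
          target: '_blank',
          // Raw text rendered in the HTML element
          children: 'See more >'
        },
        __v: null,
      };
    },
    searchParameters: {
      optionalFilters: ['product:deck<score=1>', 'product:Plugin Hub<score=2>', 'product:Kong Gateway<score=3>'],
      facetFilters: [ 'version:3.7.x']
    }
  });
</script> </div> </body> </html>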