Securing Kong Manager

    The following document summarizes Kong Manager’s controls for authentication and authorization.

    Kong Gateway comes packaged with Authentication Plugins that can be used to secure Kong Manager. Unlike enabling a Plugin on an entity or cluster, enabling an Authentication Plugin for only Kong Manager requires turning on , setting admin_gui_auth to the desired type, proper configuration of admin_gui_session_conf, and configuring if needed.

    In addition to the Authentication Plugins above, the new is now required when RBAC is enabled. It sends HTTP cookies to authenticate client requests and maintain session information.

    The Sessions Plugin requries a secret and is configured securely by default.

    • Under all circumstances, the secret must be manually set to a string.
    • If using HTTP instead of HTTPS, cookie_secure must be manually set to .

    Access Control with Roles and Workspaces

    By creating separate , an organization with multiple teams can segment its Kong cluster so that different teams do not have access to each other’s Kong entities.

    Kong Gateway implements Role-Based Access Control (RBAC). Admins are assigned Roles that have clearly defined Permissions. A Super Admin has the ability to:

    • Further customize Permissions
    • Create entirely new Roles
    • Invite or deactivate Admins