Authentication and Authorization in Kong Manager

    Kong Gateway comes packaged with authentication plugins that can be used to secure Kong Manager. To enable an authentication plugin for Kong Manager only, set the following properties in kong.conf:

    • Set to on
    • Set admin_gui_auth to the desired authentication type (for example, basic-auth)
    • Configure admin_gui_session_conf with a session secret
    • Optionally configure admin_gui_auth_conf with custom configuration for your authentication type

    The configuration details depend on your authentication type.

    Kong Manager currently supports the following authentication plugins:

    The Sessions plugin (configured with admin_gui_session_conf) requires a secret and is configured securely by default.

    • Under all circumstances, the secret must be manually set to a string.
    • If using HTTP instead of HTTPS, must be manually set to false.
    • If using different domains for the Admin API and Kong Manager, cookie_samesite must be set to off.

    Learn more about these properties in , and see example configurations.
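    As an added illustration (not part of the Kong documentation or the Kong project), the following check reads the properties above from a kong.conf fragment and reports the session settings that are empty or inconsistent with how Kong Manager is reached. It assumes admin_gui_session_conf is a JSON object with the keys secret, cookie_secure and cookie_samesite, that cookie_secure defaults to true, and the example URLs and fragments are constructed for the demonstration.

```python
import json
from urllib.parse import urlparse
# Constructed kong.conf fragments; the JSON shape of admin_gui_session_conf is assumed.
WEAK_CONF = """
admin_gui_auth = basic-auth
admin_gui_session_conf = {"secret":"","cookie_secure":true,"cookie_samesite":"Strict"}
"""
FIXED_CONF = """
admin_gui_auth = basic-auth
admin_gui_session_conf = {"secret":"CHANGE-ME-long-random-value","cookie_secure":true,"cookie_samesite":"off"}
"""

def parse_kong_conf(text):
    """Parse the 'key = value' lines of a kong.conf fragment into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_manager_auth(conf_text, manager_url, admin_api_url):
    """Return findings; the URLs are the browser-facing Kong Manager and Admin API origins."""
    conf, findings = parse_kong_conf(conf_text), []
    if not conf.get("admin_gui_auth"):
        findings.append("admin_gui_auth unset: Kong Manager has no authentication")
    raw = conf.get("admin_gui_session_conf")
    if raw is None:
        return findings + ["admin_gui_session_conf missing"]
    try:
        session = json.loads(raw)
    except json.JSONDecodeError:
        return findings + ["admin_gui_session_conf is not valid JSON"]
    # The secret must always be set explicitly to a non-empty string.
    if not isinstance(session.get("secret"), str) or not session["secret"]:
        findings.append("session secret empty or missing")
    manager, api = urlparse(manager_url), urlparse(admin_api_url)
    # A browser never returns a Secure cookie over plain HTTP, so cookie_secure
    # must be false there (default assumed true, i.e. secure by default).
    if manager.scheme == "http":
        if session.get("cookie_secure", True) is not False:
            findings.append("cookie_secure must be false when Kong Manager uses HTTP")
        else:
            findings.append("session cookie sent in cleartext: prefer HTTPS")
    # Different Admin API / Kong Manager domains need cookie_samesite=off or the
    # browser withholds the cookie. Hostname comparison is the conservative choice.
    if manager.hostname != api.hostname and session.get("cookie_samesite") != "off":
        findings.append("cookie_samesite must be off for different Admin API/Manager domains")
    return findings
```

Running it against WEAK_CONF with Kong Manager and the Admin API on different HTTP hosts reports the empty secret, the cookie_secure mismatch and the cookie_samesite mismatch; FIXED_CONF over HTTPS reports nothing.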

    Access control with roles and workspaces

    Many organizations have strict security requirements. For example, organizations need the ability to segregate the duties of an administrator to ensure that a mistake or malicious act by one administrator doesn’t cause an outage. Kong Gateway provides a number of security capabilities to help customers secure the administration environment.

    Kong Gateway does all of this through Role-Based Access Control (RBAC). All administrators can be given specific roles, whether you are using Kong Manager or the Admin API, which control and limit the scope of administrative privileges within specific workspaces.

    User types in Kong Manager:

    • Admins: An admin belongs to a workspace and should have at least one role with a set of permissions. If an admin is in a workspace without a role, they can’t see or interact with anything. Admins can manage entities inside workspaces, including users and their roles.

    • RBAC users: RBAC users without administrator permissions. They have access to manage Kong Gateway, but can’t adjust teams, groups, or user permissions.

    Admins are assigned roles that have clearly defined permissions. In Kong Manager, limiting permissions also restricts the visibility of the application interface and navigation.