How to handle the anonymous field on auth plugins #69

Closed
eamonnmcevoy opened this issue Aug 23, 2019 · 16 comments

@eamonnmcevoy

eamonnmcevoy commented Aug 23, 2019

If I want to configure the anonymous field on a jwt plugin, is there a way to handle this in deck?

It's tricky because this field requires the consumer id, which we cannot know until the consumer has been created already.

It would be useful if we could set this field using 'username' in deck, and to have the ability to list some users in the config so that deck will ensure they exist, even when the --skip-consumers flag is used (or maybe have another flag to enable this).

Update:

I see that using the Kong Admin API I can create a consumer and specify the id, so I guess that part should be possible to get working in deck.

As for the issue of synching only certain consumers, I have 2 suggestions.

  1. include a parameter to only create consumers and ignore updates or deletions --create-consumers
  2. alternatively, a flag to sync consumers with a particular tag(s). For example, --sync-consumer-tags=anonymous will perform synchronize actions on users with the anonymous tag and ignore others.
@hbagdi
Member

hbagdi commented Aug 23, 2019

> As for the issue of synching only certain consumers, I have 2 suggestions.

This is a very common issue that comes up far too often, and decK has a concept of select-tags.

You can configure decK to perform a sync/diff only for a subset of the entire Kong configuration.

Please take a look at: https://github.com/hbagdi/deck/blob/master/kong.yaml#L2

You can then manage only a subset of consumers of plugins or any entity you would like.
With this, you can have a state file to manage a single anonymous consumer.
And then the other state file can manage the rest of the configuration.

@eamonnmcevoy
Author

Perfect, select-tags does the trick.

For the anonymous user id, what do you think about decK setting the consumer id directly?
An alternative approach could be to have a new tag that acts like a function to fetch a consumerid based on the consumer username:

```yaml
_info:
  select_tags:
  - managed_by_deck

services:

  - name: service1
    host: httpbin.org
    path: /
    protocol: http
    port: 80
    connect_timeout: 60000
    read_timeout: 60000
    write_timeout: 60000
    retries: 5
    tags:
    - managed_by_deck
    routes:
    - name: service1_route1
      paths:
      - /
      preserve-host: false
      methods:
      - GET
      protocols:
      - http
      - https
      regex_priority: 0
      strip_path: true
      tags:
      - managed_by_deck
      plugins:
      - name: key-auth
        tags:
        - managed_by_deck
        config:
          anonymous: _consumer_id(anonymous)

consumers:
- username: anonymous
  custom_id: anonymous
  tags:
  - managed_by_deck
```

@hbagdi
Member

hbagdi commented Aug 26, 2019

@eamonnmcevoy That sounds like a good idea to me, but it opens up a floodgate of issues, as users would then like to template a lot of other things as well. If there are more use-cases for templating than this, we can come up with a design for it and then see if it makes sense.

For this current issue, there are two approaches that I've in mind:

  • Fix the plugin in Kong to look up the anonymous consumer by username in addition to id; this will help not only deck but other methods of configuration too.
  • Populate data in Kong with deterministic UUIDs: feature: add support to specify IDs for entities #29, which can easily solve this.
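
An added example (not code from decK or from this thread) of the deterministic-UUID approach: it derives the anonymous consumer's id from its username with uuid5, then audits a parsed state file for every plugin that sets `config.anonymous`, flagging values that are not UUIDs or that match no declared consumer. The namespace, the `service1_route2` route and the explicit `id` field on the consumer are assumptions of this example.

```python
import uuid

# Assumed namespace for this example; any fixed UUID gives stable ids.
NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "gateway.example.internal")

def consumer_id(username):
    """Derive the same UUID for a username on every run (uuid5)."""
    return str(uuid.uuid5(NAMESPACE, username))

def is_uuid(value):
    try:
        return str(uuid.UUID(value)) == value.lower()  # canonical form only
    except (ValueError, AttributeError, TypeError):
        return False

def iter_plugins(state):
    """Yield (location, plugin) for global, service and route plugins."""
    for p in state.get("plugins", []):
        yield "global", p
    for svc in state.get("services", []):
        for p in svc.get("plugins", []):
            yield "service:" + svc["name"], p
        for route in svc.get("routes", []):
            for p in route.get("plugins", []):
                yield "route:" + route["name"], p

def audit_anonymous(state):
    """List every plugin that sets config.anonymous, with a problem or None."""
    declared = {c.get("id") for c in state.get("consumers", [])}
    findings = []
    for where, plugin in iter_plugins(state):
        value = (plugin.get("config") or {}).get("anonymous")
        if value:  # unset means unauthenticated requests are rejected
            problem = ("not a UUID" if not is_uuid(value) else
                       None if value in declared else "no consumer with this id in state")
            findings.append((where, plugin["name"], value, problem))
    return findings

# Constructed sample state (parsed form of a decK file), not from the thread.
ANON = consumer_id("anonymous")
STATE = {
    "consumers": [{"username": "anonymous", "id": ANON}],
    "services": [{"name": "service1", "routes": [
        {"name": "service1_route1", "plugins": [
            {"name": "key-auth", "config": {"anonymous": ANON}}]},
        {"name": "service1_route2", "plugins": [
            {"name": "jwt", "config": {"anonymous": "anonymous"}}]}]}],
}
for finding in audit_anonymous(STATE):
    print(finding)
```

The second finding is the case that produces the `expected a valid UUID` schema violation; findings with no problem are still worth reviewing, since each one marks a route or service that accepts requests without credentials.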

@eamonnmcevoy
Author

eamonnmcevoy commented Aug 26, 2019

Good point about the templating, it could get messy.

Regarding the plugin, it seems strange to me that we need to specify an anonymous consumer at all. When first looking into this functionality I expected the anonymous field to be a boolean, or at least have the option to allow traffic for unauthenticated users.

I think #29 is a good solution.

@hbagdi
Member

hbagdi commented Sep 15, 2019

Kong/kong#4972 will fix this problem.

@hbagdi
Member

hbagdi commented Sep 21, 2019

The above feature will be included in Kong 1.4 and solve this problem.
I've also started working on #29 as well.
Closing this.

@hbagdi hbagdi closed this as completed Sep 21, 2019
@teunis90

teunis90 commented Feb 5, 2020

@hbagdi I'm running on version 2.0.0 and can still reproduce this issue:

	while processing event: {Update} failed: 400 Bad Request {"message":"schema violation (config.anonymous: expected a valid UUID)","name":"schema violation","fields":{"config":{"anonymous":"expected a valid UUID"}},"code":2}
	while processing event: {Update} failed: 400 Bad Request {"message":"schema violation (config.anonymous: expected a valid UUID)","name":"schema violation","fields":{"config":{"anonymous":"expected a valid UUID"}},"code":2}

Any suggestions on how to patch this? Will you port your fix also to the 2.x branches?

@hbagdi
Member

hbagdi commented Feb 5, 2020

No. Please upgrade.

@teunis90

teunis90 commented Feb 5, 2020

I believe I run the last docker version available:

kong                     2.0                 13f14d790da4        12 days ago         144MB
kong                     latest              13f14d790da4        12 days ago         144MB

@hbagdi
Member

hbagdi commented Feb 5, 2020

Please upgrade decK, Kong should be fine.

@teunis90

teunis90 commented Feb 7, 2020

I run decK from the official Docker Hub latest image: https://hub.docker.com/r/hbagdi/deck, digest: 9fe912c36ca143dbd110b4f38610e492b987ebfeef6c0df9fa299a4a05f2ba81.

Is the container far behind? Would you be so kind to release a new version 😃

@hbagdi
Member

hbagdi commented Feb 7, 2020

No, that's the latest one. Something got messed up in Kong. I'll investigate.

@teunis90

@hbagdi should I create a ticket at https://github.com/Kong/kong?

@hbagdi
Member

hbagdi commented Feb 10, 2020

Yes, please.

@3to1null

I recreated this problem without decK and created an issue in the Kong repo. Kong/kong#5551

@teunis90

Thanks @3to1null
