[plugin] RBAC #7369
Replies: 7 comments
-
+1 for us, we are looking for RBAC as well.
-
I'd suggest you guys also consider ABAC or "Attribute Based Access Control" (http://csrc.nist.gov/projects/abac/), which is more generic than RBAC. RBAC deals with roles, and in that model roles can be inherited, and so on and so forth. ABAC on the other hand is based on attributes, and is closer to what XACML provides. I think ABAC is easier to implement than RBAC, and RBAC can be implemented (not painlessly though... the role inheritance is hard to model in XACML) on top of ABAC.
-
A couple of interesting articles on how ABAC is taking over RBAC:
On the last link, in reference to ABAC:
-
No movement on this?
-
@awishformore @jakubriedl @jmdacruz are you seeking RBAC on the proxied APIs, or on Kong's Admin API? I ask because we recently released the latter, as part of Kong Enterprise Edition https://www.mashape.com/enterprise/
-
@coopr My original thought was on the proxied APIs, but good to hear there is also the option for RBAC on the admin APIs.
-
The Kong concept is great and it would be a real benefit to get authorization layers on APIs without modifying the original service. For example, there is a Docker RBAC plugin to apply policies (GET, ...) onto API paths. But this requires adding the plugin to the Docker engine, which can be troublesome at some point. Therefore it would be cool to have a Kong method to apply policies like described here: https://github.com/casbin/casbin-authz-plugin for proxied APIs.
-
We currently have an ACL plugin for simple operations. But the next iteration is having an RBAC plugin for complex operations. The main difference is that RBAC has way more granular control and can offer mandatory access control and discretionary access control.
Reference:
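Added example, not code from this thread and not Kong's ACL or RBAC plugin: a small Python model of the layering suggested in the ABAC comment above (RBAC, including role inheritance, implemented on top of an attribute-based engine), with a flat group ACL check included for contrast with the ACL-versus-RBAC distinction in the last comment. The role names, the /api/ path prefix, the mfa and source_ip attributes, and 10.0.0.0/8 standing in for "internal" traffic are all assumptions made for the example.

```python
# Added example: ABAC policy core with RBAC (including role inheritance) expressed as
# subject attributes, plus a flat ACL check for contrast. Illustrative model only, not
# Kong's ACL or RBAC plugin; roles, paths and attribute names are assumptions.
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, List, Set

Request = Dict[str, Any]
Condition = Callable[[Request], bool]


def acl_allows(groups: Iterable[str], allow: Set[str], deny: Set[str]) -> bool:
    """Flat ACL: a consumer's groups against a route's allow/deny lists (no hierarchy, no context)."""
    groups = set(groups)
    if groups & deny:
        return False
    return bool(groups & allow)


@dataclass
class Rule:
    name: str
    effect: str           # "permit" or "deny"
    condition: Condition  # evaluated over the request's attribute bag


class AbacEngine:
    """Deny-overrides combining: a matching deny wins, else a matching permit, else deny."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, name: str, effect: str, condition: Condition) -> None:
        self.rules.append(Rule(name, effect, condition))

    def decide(self, request: Request) -> str:
        permitted = False
        for rule in self.rules:
            if rule.condition(request):
                if rule.effect == "deny":
                    return "deny"
                permitted = True
        return "permit" if permitted else "deny"   # default deny


class RoleHierarchy:
    """RBAC role inheritance: a role carries its own permissions plus every ancestor's."""

    def __init__(self) -> None:
        self._parents: Dict[str, Set[str]] = {}

    def inherits(self, child: str, parent: str) -> None:
        self._parents.setdefault(child, set()).add(parent)

    def expand(self, roles: Iterable[str]) -> Set[str]:
        seen: Set[str] = set()          # also guards against cycles in the role graph
        stack = list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self._parents.get(role, ()))
        return seen


# Assumed setup for a proxied API (not Kong configuration).
ROLES = RoleHierarchy()
ROLES.inherits("editor", "reader")   # editor inherits reader
ROLES.inherits("admin", "editor")    # admin inherits editor (and so reader)

ROLE_PERMISSIONS = {                 # role -> {(method, path prefix)}
    "reader": {("GET", "/api/")},
    "editor": {("POST", "/api/"), ("PUT", "/api/")},
    "admin": {("DELETE", "/api/")},
}


def role_permits(request: Request) -> bool:
    """The RBAC part, written as one ABAC condition over the subject's effective roles."""
    for role in request["effective_roles"]:
        for method, prefix in ROLE_PERMISSIONS.get(role, ()):
            if request["method"] == method and request["path"].startswith(prefix):
                return True
    return False


ENGINE = AbacEngine()
ENGINE.add("rbac", "permit", role_permits)
# Attribute-only rules that a role model alone cannot express:
ENGINE.add("writes-need-mfa", "deny",
           lambda r: r["method"] != "GET" and not r.get("mfa", False))
ENGINE.add("delete-internal-only", "deny",
           lambda r: r["method"] == "DELETE" and not r["source_ip"].startswith("10."))


def authorize(roles: Iterable[str], method: str, path: str,
              source_ip: str, mfa: bool = False) -> str:
    """Build the attribute bag for one proxied request; returns 'permit' or 'deny'."""
    request: Request = {
        "effective_roles": ROLES.expand(roles),   # inheritance flattened into an attribute
        "method": method, "path": path, "source_ip": source_ip, "mfa": mfa,
    }
    return ENGINE.decide(request)
```

Usage: `authorize(["admin"], "GET", "/api/items", "203.0.113.5")` returns `"permit"` because admin inherits reader, while `authorize(["admin"], "DELETE", "/api/items/1", "203.0.113.5", mfa=True)` returns `"deny"` even though the role grants DELETE, since the attribute rule on source address overrides it. The design point is that role inheritance is resolved once (`RoleHierarchy.expand`) and then becomes just another attribute the engine evaluates, which is the "RBAC on top of ABAC" route the comment above describes; `acl_allows` shows the flat group check that a simple ACL plugin gives you and that has no way to express either inheritance or request context.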