From 347e3709b0e2bcbef15f86c168e368b23d880aea Mon Sep 17 00:00:00 2001 From: Aron Eidelman Date: Thu, 2 May 2019 16:56:59 -0700 Subject: [PATCH] docs(35/*) provide security documentation (#270) --- app/_data/docs_nav_ee_0.35-x.yml | 2 + .../0.35-x/kong-manager/security.md | 40 ++++++++----------- 2 files changed, 19 insertions(+), 23 deletions(-) diff --git a/app/_data/docs_nav_ee_0.35-x.yml b/app/_data/docs_nav_ee_0.35-x.yml index 1e7b70f7b9c8..65894b13fc9c 100644 --- a/app/_data/docs_nav_ee_0.35-x.yml +++ b/app/_data/docs_nav_ee_0.35-x.yml @@ -100,6 +100,8 @@ url: /kong-manager/networking/configuration - text: Configuring Kong Manager to Send Email url: /kong-manager/networking/email + - text: Securing Kong Manager + url: /kong-manager/security - text: Authentication url: /kong-manager/authentication/super-admin items: diff --git a/app/enterprise/0.35-x/kong-manager/security.md b/app/enterprise/0.35-x/kong-manager/security.md index 1508e90ffe5f..214f2cf3c448 100644 --- a/app/enterprise/0.35-x/kong-manager/security.md +++ b/app/enterprise/0.35-x/kong-manager/security.md 
@@ -4,37 +4,31 @@ book: admin_gui --- ## What Can Admins Do in Kong Manager? -Kong Manager enables users with **Admin** accounts to interact with -Kong entitities such as **Services**,**Plugins**, and **Consumers** -using a graphical interface. +Kong Manager enables users with **Admin** accounts to access Kong entities such as **Services**, **Plugins**, and **Consumers.** -An **Admin** belongs to a **Workspace** and has at least one **Role** -with a set of **Priviliges**. - -The following document summarizes Kong Manager's -security controls for authentication and authorization. +The following document summarizes Kong Manager's controls for *authentication* and *authorization*. ## Authentication with Plugins -Kong Enterprise comes packaged with **Authentication Plugins** -that can be used to secure Kong Manager. Unlike enabling a **Plugin** -on an entity, using an **Authentication Plugin** for Kong Manager -simply requires enabling [`enforce_rbac`]() -and setting -[`admin_gui_auth`]() -to the desired **Plugin**. +Kong Enterprise comes packaged with **Authentication Plugins** that can be used to secure Kong Manager. Unlike enabling a **Plugin** on an entity or cluster, enabling an **Authentication Plugin** for Kong Manager *only* requires turning on `enforce_rbac`, setting `admin_gui_auth` to the desired type, and configuring `admin_gui_auth_conf` if needed. 
+ +* [**Basic Auth**](https://kongdocs-private.netlify.com/enterprise/0.35-x/kong-manager/authentication/basic/) +* **[OIDC](https://kongdocs-private.netlify.com/enterprise/0.35-x/kong-manager/authentication/oidc/)** +* **[LDAP](https://kongdocs-private.netlify.com/enterprise/0.35-x/kong-manager/authentication/ldap/)** -To use **Basic Authentication** +In addition to the **Authentication Plugins** above, the new **[Sessions Plugin](https://kongdocs-private.netlify.com/enterprise/0.35-x/kong-manager/authentication/sessions/)** may be used to send HTTP cookies to authenticate client requests and maintain session information. -## Sessions +## Access Control with Roles and Workspaces -## Authorization with RBAC and Workspaces +An **Admin** belongs to a **Workspace** and should have at least one **Role** with a set of **Permissions**. If an **Admin** is in a **Workspace** *without* a **Role**, they will not have the ability to see or interact with anything. -### Workspaces +By creating separate** [Workspaces](https://kongdocs-private.netlify.com/enterprise/0.35-x/kong-manager/administration/workspaces/workspaces/)**, an organization with multiple teams can segment its Kong cluster so that different teams do not have access to each other's Kong entities. -### Role-Based Access Control +Kong Enterprise implements Role-Based Access Control ([RBAC](https://kongdocs-private.netlify.com/enterprise/0.35-x/kong-manager/administration/rbac/rbac/)). **Admins** are assigned **Roles** that have clearly defined **Permissions**. A **Super Admin** has the ability to: -## Network Configuration +* further customize **Permissions** +* create entirely new **Roles** +* invite or deactivate **Admins** +* assign or revoke their **Roles** -To support security at the network level, refer to Kong Manager's -[Custom Networking Configuration](/enterprise/{{page.kong_version}}/kong-manager/networking/configuration/#custom-configuration). 
\ No newline at end of file +In Kong Manager, limiting **Permissions** also restricts the visibility of the application interface and navigation. \ No newline at end of file
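Review bot: In the `security.md` hunk, every added link (Basic Auth, OIDC, LDAP, Sessions Plugin, Workspaces, RBAC) is an absolute URL on `kongdocs-private.netlify.com` with `0.35-x` hardcoded. On the published page these would send readers to a private preview host and expose its name. Please switch them to site-relative paths in the form the removed Network Configuration link used, `/enterprise/{{page.kong_version}}/kong-manager/...`, so they resolve on the public site and follow the page version. Two smaller points in the same hunk. First, the bold markers in `By creating separate** [Workspaces](...)**` are misplaced: the opening `**` is attached to "separate" and followed by a space, so it will not render as bold. Moving it to directly before `[Workspaces]` fixes that. Second, the change deletes the "Network Configuration" section and its pointer to Custom Networking Configuration without replacing it. Since the page is listed in the nav as "Securing Kong Manager", consider keeping a one-line reference to the network-level controls. The new file also still ends without a trailing newline.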