Developer's API key not honoring associated policies

In the associated policy of my pre-configured API catalog I set the rate limit to 1000 requests per 60s, and the quota to -1. However, developers got a “rate limit exceeded” msg using the requested key even just for the first time. When looking up the key, every single field is showing the value “0”, which is not according to the policy.

Also, when I tried to “Approve” a key request when it’s already approved by default, querying with the same key again gets the “Key not authorised” error. Please advise. Thanks.

It looks like the policy you have created is either not live on the gateway or it is not carrying an enforceable policy - i.e. it is referencing an open API?

Pretty sure it’s a keyed API. An open API won’t have a developer’s page nor does it allow requesting for keys

Then your policy reference is wrong - or not loaded. What do your logs say when you save an API or policy? The reload will show which policies are live.

This is what I get:

```
[Apr 21 00:26:43] INFO main: → Loading API: Visualization Editor
[Apr 21 00:26:43] INFO main: ----> Custom Domain: api.example.com
[Apr 21 00:26:43] INFO main: ----> Tracking: api.example.com
[Apr 21 00:26:43] INFO main: ----> Checking security policy: Token
```

It didn’t say which policy… Even though my API auth is Token based

There should be a section in the log that says Loading Policies: (or similar) with a list of policies after. If that isn’t there, then your policy is not live :) Have you marked the policy as live in the editor?

I believe so yes. I also tried making it inactive and active again. Still not working. Can’t see the “Loading Policies” entries either. Anything else I can do?
Here is the screenshot of my key:

Hmmm, you might need to set a base rate limit - though I doubt it.

I think we need to look at your log output. Can you show me the policy page?

Here is my policy page:

What happens when you save it? Can you save it and share your Tyk Gateway logs - the endpoint should not reload and you should see the policy loader

When I save it or add another policy, both print the following results in the logs:

```
INFO pub-sub: Reloading endpoints

[Apr 21 13:19:45] INFO main: Detected 3 APIs
[Apr 21 13:19:45] INFO main: → Loading API: Address Normalization API
[Apr 21 13:19:45] INFO main: ----> Custom Domain: api.example.com
[Apr 21 13:19:45] INFO main: ----> Tracking: api.example.com
[Apr 21 13:19:45] INFO main: ----> Checking security policy: Token
[Apr 21 13:19:45] INFO main: → Loading API: CTIS
[Apr 21 13:19:45] INFO main: ----> Custom Domain: api.example.com
[Apr 21 13:19:45] INFO main: ----> Tracking: api.example.com
[Apr 21 13:19:45] INFO main: ----> Checking security policy: Token
[Apr 21 13:19:45] INFO main: → Loading API: Visualization Editor
[Apr 21 13:19:45] INFO main: ----> Custom Domain: api.example.com
[Apr 21 13:19:45] INFO main: ----> Tracking: api.example.com
[Apr 21 13:19:45] INFO main: ----> Checking security policy: Token
[Apr 21 13:19:45] INFO host-check-mgr: Loading uptime tests…
[Apr 21 13:19:45] INFO main: API reload complete
```

There is no sign of policy being loaded in the logs. BTW my running gateway version is 2.0.0.0 and dashboard version is 1.0.0.0

Ok, let’s take a look at your Tyk.conf, what does the policies section look like?

It should have a policy source called “service” and a connection string that is the same URL as the dashboard.

It could be that the gateway isn’t even checking the service.

How did you set this installation up in the first place?

Martin:

I did upgrade from 1.9 and followed all the instructions in the “Upgrade to gateway 2.0” section. My policies section in tyk.conf is as follows:

```
"policies": {
  "policy_source": "service",
  "policy_connection_string": "http://localhost:3000"
}
```

as I run tyk dashboard locally on port 3000. It is the same connection string that I use for db_app_conf_options and that has been working without a problem. Let me know if you need more information.

Any other diagnostic steps I should run to make this work? Thanks!

I really think this is a config issue - if you can’t see a policy load section in your startup something might be up - can you send me your tyk.conf and tyk_analytics.conf (security stuff removed obvs)?

Thanks,
Martin

Tyk dashboard config:

```
{
    "listen_port": 3000,
    "tyk_api_config": {
        "Host": "http://localhost",
        "Port": "9090",
        "Secret": "*****"
    },
    "mongo_url": "mongo_url",
    "page_size": 10,
    "admin_secret": "****",
    "shared_node_secret": "***",
    "redis_port": 6379,
    "redis_host": "redis_host",
    "redis_password": "",
    "force_api_defaults": false,
    "notify_on_change": true,
    "license_owner": "Zhou Tan",
    "license_key": "*****",
    "hash_keys": true,
    "email_backend": {},
    "hide_listen_path": false,
    "use_sentry": false,
    "sentry_code": "",
    "sentry_js_code": "",
    "show_org_id": false,
    "enable_duplicate_slugs": true,
    "host_config" : {
        "override_hostname": "api.example.com",
        "disable_org_slug_prefix": true,
        "enable_host_names": false,
        "hostname": "127.0.0.1",
        "portal_domains": {},
        "portal_root_path": "/portal"
    },
    "http_server_options": {
        "use_ssl": false,
        "certificates": [
            {}
        ]
    },
    "ui": {
        "login_page": {},
        "nav" : {},
        "uptime": {},
        "portal": {},
        "designer": {}
    },
    "home_dir": "/opt/tyk-dashboard"
}
```

Gateway config file:

```
{
  "listen_port": 9090,
  "secret": "***",
  "template_path": "/opt/tyk-gateway/templates",
  "tyk_js_path": "/opt/tyk-gateway/js/tyk.js",
  "node_secret": "****",
  "use_db_app_configs": true,
  "db_app_conf_options": {
    "connection_string": "http://localhost:3000",
    "node_is_segmented": false,
    "tags": []
  },
  "app_path": "/opt/tyk-gateway/apps",
  "middleware_path": "/opt/tyk-gateway/middleware",
  "storage": {
    "type": "redis",
    "host": "redis.host.io",
    "port": 6379,
    "username": "",
    "password": "",
    "database": 0,
    "optimisation_max_idle": 500,
    "optimisation_max_active": 800
  },
  "enable_analytics": false,
  "health_check": {
    "enable_health_checks": true,
    "health_check_value_timeouts": 60
  },
  "optimisations_use_async_session_write": true,
  "allow_master_keys": false,
  "policies": {
    "policy_source": "service",
    "policy_connection_string": "http://localhost:3000"
  },
  "hash_keys": true,
  "suppress_redis_signal_reload": false,
  "close_connections": true,
  "local_session_cache": {
    "disable_cached_session_state": true
  },
  "uptime_tests": {
    "disable": false,
    "config": {
      "enable_uptime_analytics": true,
      "failure_trigger_sample_size": 3,
      "time_wait": 300,
      "checker_pool_size": 50
    }
  },
  "hostname": "",
  "enable_custom_domains": true,
  "enable_jsvm": true
}
```

There might be some legacy config options there as I upgraded from v1.9

That all looks ok to me. So it might be something else.

  • Does the user that is creating the API / Policy belong to an organisation?
  • When you try to access the API with a token that is like this, what is the gateway log output?

I’m also seeing this. I had an existing tyk mongo database, might the issue be something to do with a conflict with objects in the db?

Not really, we haven’t changed the storage from version to version - it should be fine to use an existing DB with a new version of Tyk. Usually this happens with incorrectly assigned Org IDs, and this usually happens when someone is using a super-user of some sort.

Well I was trying it as a super user. I can try and create a new user and see if that helps.
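
An added example (not part of the thread and not Tyk's own code): the two checks suggested earlier in the thread, the `policies` section of tyk.conf and the presence of a policy-load line in the reload log, run against constructed samples trimmed from the posted config and log. The exact wording of the policy-load line is an assumption, since the thread only gives it as "Loading Policies: (or similar)", and the function names are illustrative.

```python
import json
import re

# Constructed samples, trimmed from the config and reload log quoted in the thread.
SAMPLE_CONF = """{
  "db_app_conf_options": {"connection_string": "http://localhost:3000"},
  "policies": {"policy_source": "service",
               "policy_connection_string": "http://localhost:3000"}
}"""
SAMPLE_LOG = """INFO pub-sub: Reloading endpoints
[Apr 21 13:19:45] INFO main: Detected 3 APIs
[Apr 21 13:19:45] INFO main: ----> Checking security policy: Token
[Apr 21 13:19:45] INFO main: API reload complete"""

# Assumption: the thread only says the line reads "Loading Policies: (or similar)",
# so accept any line mentioning policies except the per-API auth-mode check.
POLICY_LINE = re.compile(r"polic(y|ies)", re.IGNORECASE)
AUTH_CHECK = "Checking security policy"

def check_policy_config(conf_text):
    """Return problems found in the gateway's "policies" section."""
    conf = json.loads(conf_text)
    policies = conf.get("policies")
    if not isinstance(policies, dict):
        return ["no 'policies' section in gateway config"]
    problems = []
    source = policies.get("policy_source")
    if source != "service":
        problems.append("policy_source is %r, expected 'service'" % source)
    conn = policies.get("policy_connection_string") or ""
    dash = (conf.get("db_app_conf_options") or {}).get("connection_string") or ""
    if not conn:
        problems.append("policy_connection_string is empty")
    elif conn.rstrip("/") != dash.rstrip("/"):
        problems.append("policy URL %r differs from dashboard URL %r" % (conn, dash))
    return problems

def policy_load_lines(log_text):
    """Return reload-log lines that show policies being loaded."""
    return [line for line in log_text.splitlines()
            if POLICY_LINE.search(line) and AUTH_CHECK not in line]

def diagnose(conf_text, log_text):
    """Combine both checks into one list of findings."""
    problems = check_policy_config(conf_text)
    if not policy_load_lines(log_text):
        problems.append("reload log shows no policy load: policy is not live")
    return problems
```

On the samples, `diagnose(SAMPLE_CONF, SAMPLE_LOG)` reports a clean config but no policy load in the reload log, which is the state the thread is trying to explain.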