Lightweight TechStack for role based authentication


#1

Hi All,

I want to use Tyk-Gateway to realize a role based authentication.
The roles will be defined as policies.

Tyk-gateway is running as Docker and the config, apps and policies are mounted into the docker.
I’ve created a basic auth user with a policy (“admin”) and checked an api for the newly added key. It’s working, but when I try to proxy a request to the api, I’m getting the following error:

time="2016-05-18T14:30:04Z" level=warning msg="Invalid key detected, not found in storage engine"
time="2016-05-18T14:30:04Z" level=info msg="Attempted access with non-existent user." key=SomeTestKey origin="someIP" path="somePath"

I can call /tyk/keys?api_id=myApi and see the correct key. It seems that the key is not persisted correctly.
Is there something more I have to configure to realize this lightweight Authentication?

Another topic:
Do I need tyk-pump, when I’m not using analytics?

Best regards,
Stefan


#2

How did you create the basic auth key? And did you set the key meta data up to be a basic auth key?


#3

Thanks for the quick response.

I’ve used the Add key endpoint to create the key “test” with pw “test123”.
When checking the key for api 1234 I’ve got the “test” key as result. But I cannot send requests to the api itself, because of the error described above.

Endpoint:

myDomain.com/tyk/keys/test

Payload:

{
  "allowance": 1000,
  "rate": 1000,
  "per": 60,
  "expires": -1,
  "quota_max": -1,
  "quota_renews": 1406121006,
  "quota_remaining": 0,
  "quota_renewal_rate": 60,
  "access_rights": {
    "1234": {
      "apiname": "someApi",
      "apiid": "1234",
      "versions": [
        "Default"
      ]
    }
  },
  "basic_auth_data": {
    "password": "test123",
    "hash_type": ""
  },
  "hmac_enabled": false,
  "hmac_string": "",
  "is_inactive": false,
  "apply_policy_id": "admin"
}


#4

Based on your description, I am assuming that:

  1. you have key hashing disabled
  2. you are not using the dashboard
  3. you have enabled master keys

Does the API you are targeting have an org-id set?


#5
  1. Yes, hashing keys is disabled.
  2. That’s correct. I want the tech-stack as small as possible, so the dashboard and mongoDb are not used.
  3. No, master keys are disabled, because I want to control the access with the policies. The “admin” policy has access rights for all apis, so this would be equal to a master key.

Yes, the api definitions were exported from an older installation of tyk which was using the dashboard. According to your question I assume this orgId could be the issue?


#6

If the APIs are loading with an OrgID, then Tyk will be looking for BA users within that Org key-space. If you blank the Org IDs in the API Definitions and policies, then when Tyk does the user lookup the prefix keyspace will be blank and you should be able to log in.
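A small model of the lookup described in this answer, added here as an example and not code from the thread or from Tyk itself: the gateway's storage is replaced by an in-memory dict, the key name is assumed to be built as org_id + username (the "prefix keyspace" above), and the stored session mirrors the payload from post #3 (plaintext password, empty hash_type). It shows why a key created as "test" is found when the API definition has no org_id but reported as not found when the API carries one.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed stand-in for Tyk's key storage (Redis in a real deployment).
# A key created with POST /tyk/keys/test and no org_id lands under the bare name.
KEY_STORE = {
    "test": {
        "basic_auth_data": {"password": "test123", "hash_type": ""},
        "apply_policy_id": "admin",
        "is_inactive": False,
    },
}


def storage_key(org_id: str, username: str) -> str:
    # Assumed lookup rule from the thread: the API definition's org_id
    # prefixes the username, so "someOrg" + "test" never matches "test".
    return org_id + username


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    # Decode "Authorization: Basic <base64(user:password)>"; None if malformed.
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(api_org_id: str, auth_header: str, store=KEY_STORE) -> str:
    # Returns a short outcome string instead of an HTTP response.
    creds = parse_basic_header(auth_header)
    if creds is None:
        return "malformed"
    user, password = creds
    session = store.get(storage_key(api_org_id, user))
    if session is None:
        return "key_not_found"  # the "Invalid key detected" log line in post #1
    if session["is_inactive"]:
        return "inactive"
    stored = session["basic_auth_data"]["password"]  # hash_type "" -> plaintext compare
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return "bad_password"
    return "ok:" + session["apply_policy_id"]


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```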


#7

Thank you so much!

I’ve removed the org_id. Now everything is working as intended.

Best regards,
Stefan