Lightweight TechStack for role based authentication

Stefan_Harenkamp · May 18, 2016, 3:13pm

Hi All,

I want to use Tyk-Gateway to realize a role based authentication.
The roles will be defined as policies.

Tyk-gateway ist running as Docker and the config,apps and policies are mounted into the docker.
I’ve created a basic auth user with a policy(“admin”) and checked an api for the new added key. It’s working, but when I’m try to proxy a request to the api, I’m getting the following error:

time=“2016-05-18T14:30:04Z” level=warning msg=“Invalid key detected, not found in storage engine”
time=“2016-05-18T14:30:04Z” level=info msg=“Attempted access with non-existent user.” key=SomeTestKey origin=“someIP” path=“somePath”

I can call /tyk/keys?api_id=myApi and see the correct key…It seems that the key is not persisted correctly.
Is there something more I have to configure to realize this lightweight Authentication?

Another topic:
Do I need tyk-pump, when I’m not using analytics?

Best regards,
Stefan

Martin · May 18, 2016, 5:17pm

How did you create he basic auth key? And did yu set the key meta data up to be a basic auth key?

Stefan_Harenkamp · May 18, 2016, 5:37pm

Thanks for the quick response.

I’ve used the Add key endpoint to create the key “test” with pw “test123”.
When checking the key for api 1234 I’ve got the “test” key as result. But cannot send requests to the api itself, because of the error described above.

Endpoint:

myDomain.com/tyk/keys/test

Payload:

{
“allowance”: 1000,
“rate”: 1000,
“per”: 60,
“expires”: -1,
“quota_max”: -1,
“quota_renews”: 1406121006,
“quota_remaining”: 0,
“quota_renewal_rate”: 60,
“access_rights”: {
“1234”:{
“apiname”:“someApi”,
“apiid”:“1234”,
“versions”:[
“Default”
]
}
},
“basic_auth_data”: {
“password”: “test123”,
“hash_type”: “”
},
“hmac_enabled”: false,
“hmac_string”: “”,
“is_inactive”: false,
“apply_policy_id”: “admin”
}

Martin · May 18, 2016, 6:28pm

Based on your description, I am assuming that:

you have key hashing disabled
you are not using the dashboard
you have enabled master keys

Does the API you are targeting have an org-id set?

Stefan_Harenkamp · May 19, 2016, 8:11am

Yes hashing keys is disabled
Thats correct. I want the tech-stack as small as possible. So the dashboard and mongoDb are not used.
No Masterkeys are disabled, because I want to control the access with the policies. The “admin” policy have access rights for all apis, so this would be equal to a master key.

Yes, the api definitions were exported from an older installation of tyk which was using the dashboard. According to you question I assume this orgId could be the issue?

Martin · May 19, 2016, 8:48am

If the APIs are loading with an OrgID, then Tyk will be looking for BA users within that Org key-space, If you blank the Org IDs in the API Definitions and policies then when Tyk does the user lookup, the prefix keyspace will be blank and you should be abel to log in.

Stefan_Harenkamp · May 19, 2016, 9:19am

Thank you so much!

I’ve removed the org_id. now everything is working as intended.

Best regards,
Stefan