Policy Path-based permissions for multi-tenant

Hello,
I am using Tyk Gateway 2.6.1 and Tyk Dashboard 1.6.1 and having a problem with policy Path-based Permissions configuration.

  1. I have an API which supports multi tenants. Its url pattern is /base_path/TENANT_STRING/api_path
  2. I created 2 policies for two tenants, tenant_1 and tenant_2, with Path-based permissions /tenant_1/(.*) for policy_1 and /tenant_2/(.*) for policy_2
  3. I requested a key for access to tenant_1 - policy_1

The problem I am seeing is that I can access any tenant with that returned key.
Any suggestions on where to look or how to fix my problem?
Thanks,
Hieenf

Can anyone help on this? FYI: Path-based Permissions work if I specify the exact URL (not using a regex).
Thanks

I think the solution here is to fill in the allowed URLs section on your keys, as in the documentation here:

https://tyk.io/docs/security/security-policies/secure-apis-method-path/#setting-granular-paths-on-a-per-key-basis

Thanks
Josh

Thanks for your reply

We want to use Tyk because we don't have to create an access token and give it to a 3rd party to access our API. We want them to request a key through the dev portal, so that keys issued to different users can access different parts of the API; setting allowed URLs on individual keys won't do.

Regards,
Hien

Can you share your policies and API definition with me please, and I'll do a test of the feature to see if I can understand what you are trying to do here.

Hi Josh,
Here is my API definition and policies. Basically I used default settings except for Path-based Permissions. What I am trying to do is that a client can only request a key with policy_1, so they can access TENANT_1 but not TENANT_2.

Thanks,
Hien

API Definition:

{
“id”: “5ab9c107a15ffb4e090586fd”,
“name”: “api-product”,
“slug”: “api-product”,
“api_id”: “a17fa63d04b14919607255094cf4d077”,
“org_id”: “5a04451ca15ffb61bf6211a2”,
“use_keyless”: false,
“use_oauth2”: false,
“use_openid”: false,
“openid_options”: {
“providers”: ,
“segregate_by_client”: false
},
“oauth_meta”: {
“allowed_access_types”: ,
“allowed_authorize_types”: ,
“auth_login_redirect”: “”
},
“auth”: {
“use_param”: false,
“param_name”: “”,
“use_cookie”: false,
“cookie_name”: “”,
“auth_header_name”: “Authorization”,
“use_certificate”: false
},
“use_basic_auth”: false,
“use_mutual_tls_auth”: false,
“client_certificates”: ,
“upstream_certificates”: {},
“pinned_public_keys”: {},
“enable_jwt”: false,
“use_standard_auth”: true,
“enable_coprocess_auth”: false,
“jwt_signing_method”: “”,
“jwt_source”: “”,
“jwt_identity_base_field”: “”,
“jwt_client_base_field”: “”,
“jwt_policy_field_name”: “”,
“notifications”: {
“shared_secret”: “”,
“oauth_on_keychange_url”: “”
},
“enable_signature_checking”: false,
“hmac_allowed_clock_skew”: -1,
“base_identity_provided_by”: “”,
“definition”: {
“location”: “header”,
“key”: “x-api-version”
},
“version_data”: {
“not_versioned”: true,
“default_version”: “”,
“versions”: {
“Default”: {
“name”: “Default”,
“expires”: “”,
“paths”: {
“ignored”: ,
“white_list”: ,
“black_list”:
},
“use_extended_paths”: true,
“extended_paths”: {},
“global_headers”: {},
“global_headers_remove”: ,
“global_size_limit”: 0,
“override_target”: “”
}
}
},
“uptime_tests”: {
“check_list”: ,
“config”: {
“expire_utime_after”: 0,
“service_discovery”: {
“use_discovery_service”: false,
“query_endpoint”: “”,
“use_nested_query”: false,
“parent_data_path”: “”,
“data_path”: “”,
“port_data_path”: “”,
“target_path”: “”,
“use_target_list”: false,
“cache_timeout”: 60,
“endpoint_returns_list”: false
},
“recheck_wait”: 0
}
},
“proxy”: {
“preserve_host_header”: false,
“listen_path”: “/api-product/”,
“target_url”: “http://192.168.11.48:2000/api/v0/”,
“strip_listen_path”: true,
“enable_load_balancing”: false,
“target_list”: ,
“check_host_against_uptime_tests”: false,
“service_discovery”: {
“use_discovery_service”: false,
“query_endpoint”: “”,
“use_nested_query”: false,
“parent_data_path”: “”,
“data_path”: “”,
“port_data_path”: “”,
“target_path”: “”,
“use_target_list”: false,
“cache_timeout”: 0,
“endpoint_returns_list”: false
},
“transport”: {
“ssl_ciphers”: ,
“ssl_min_version”: 0,
“proxy_url”: “”
}
},
“disable_rate_limit”: false,
“disable_quota”: false,
“custom_middleware”: {
“pre”: ,
“post”: ,
“post_key_auth”: ,
“auth_check”: {
“name”: “”,
“path”: “”,
“require_session”: false
},
“response”: ,
“driver”: “”,
“id_extractor”: {
“extract_from”: “”,
“extract_with”: “”,
“extractor_config”: {}
}
},
“custom_middleware_bundle”: “”,
“cache_options”: {
“cache_timeout”: 60,
“enable_cache”: false,
“cache_all_safe_requests”: false,
“cache_response_codes”: ,
“enable_upstream_cache_control”: false,
“cache_control_ttl_header”: “”
},
“session_lifetime”: 0,
“active”: true,
“auth_provider”: {
“name”: “”,
“storage_engine”: “”,
“meta”: {}
},
“session_provider”: {
“name”: “”,
“storage_engine”: “”,
“meta”: {}
},
“event_handlers”: {
“events”: {}
},
“enable_batch_request_support”: false,
“enable_ip_whitelisting”: false,
“allowed_ips”: ,
“enable_ip_blacklisting”: false,
“blacklisted_ips”: ,
“dont_set_quota_on_create”: false,
“expire_analytics_after”: 0,
“response_processors”: ,
“CORS”: {
“enable”: false,
“allowed_origins”: [
“*”
],
“allowed_methods”: [
“GET”,
“POST”
],
“allowed_headers”: [
“Authorization”,
“Accept”
],
“exposed_headers”: ,
“allow_credentials”: false,
“max_age”: 24,
“options_passthrough”: true,
“debug”: false
},
“domain”: “”,
“do_not_track”: false,
“tags”: ,
“enable_context_vars”: false,
“config_data”: {},
“tag_headers”: ,
“global_rate_limit”: {
“rate”: 0,
“per”: 0
},
“strip_auth_data”: false
}

Policies

{“_id”:“5b14ebcea15ffb1608f6b83f”,“id”:“”,“org_id”:“5a04451ca15ffb61bf6211a2”,“rate”:1000,“per”:60,“quota_max”:-1,“quota_renewal_rate”:3600,“access_rights”:{“a17fa63d04b14919607255094cf4d077”:{“api_name”:“api-product”,“api_id”:“a17fa63d04b14919607255094cf4d077”,“versions”:[“Default”],“allowed_urls”:[{“url”:“/TENANT_1/(.*)”,“methods”:[“GET”,“POST”]}]}},“hmac_enabled”:false,“active”:true,“name”:“policy_1”,“is_inactive”:false,“date_created”:“2018-06-04T15:35:42.425+08:00”,“tags”:,“key_expires_in”:3600,“partitions”:{“quota”:false,“rate_limit”:false,“acl”:false},“last_updated”:“1528252044”}

{“_id”:“5b14ebfba15ffb1608f6b840”,“id”:“”,“org_id”:“5a04451ca15ffb61bf6211a2”,“rate”:1000,“per”:60,“quota_max”:-1,“quota_renewal_rate”:3600,“access_rights”:{“a17fa63d04b14919607255094cf4d077”:{“api_name”:“api-product”,“api_id”:“a17fa63d04b14919607255094cf4d077”,“versions”:[“Default”],“allowed_urls”:[{“url”:“/TENANT_2/icc”,“methods”:[“GET”,“POST”]}]}},“hmac_enabled”:false,“active”:true,“name”:“policy_2”,“is_inactive”:false,“date_created”:“2018-06-04T15:36:27.311+08:00”,“tags”:,“key_expires_in”:3600,“partitions”:{“quota”:false,“rate_limit”:false,“acl”:false},“last_updated”:“1528252046”}

Hi Josh,

Did you get a chance to test the Path-based permissions feature in policies? Did it work for you?

Regards,
Hien