anonymous consumer don't trigger ip restriction plugins with this consumer id set #2414

Closed
pheex opened this issue Apr 19, 2017 · 10 comments · Fixed by #2424

Comments

pheex commented Apr 19, 2017

Summary

I try to use Kong for my internal clients and my external clients; I want no auth for my internal clients and basic auth for externals.

I enable basic auth with anonymous defined to a consumer.
I enable ip restriction with the consumer id set (with the consumer defined in the basic auth anonymous field)

to blacklist WAN IPs only if no auth is provided.

I expected that when no basic auth is supplied, the anonymous consumer would "trigger" the ip restriction plugin, but that's not the case.

If I call my API with a basic auth header (with the consumer defined in ip restriction), then the ip restriction works (LAN authorized, WAN unauthorized), but that's not my need.

Is it an issue? Is there another way to achieve my goal?

  • Kong version 0.10.1
p0pr0ck5 (Contributor) commented

@Tieske might this be resolved by #2222?

Tieske (Member) commented Apr 20, 2017

No, #2222 is related to multiple auth; here there seems to be only 1 auth method.

pheex (Author) commented Apr 20, 2017

Yes only 1 auth method is used.

Tieske (Member) commented Apr 20, 2017

Let me get this correct:

  • you created an api
  • you created 2 consumers
    1. regular consumers
    2. anonymous consumer
  • you added the basic-auth plugin, while setting config.anonymous=<anonymous_consumer_id>
  • you added basic-auth credentials for the regular consumers
  • you added the ip-restriction plugin on the anonymous consumer, blacklisting your wan ip address.

correct?

pheex (Author) commented Apr 20, 2017

Yes, exactly.

Tieske (Member) commented Apr 20, 2017

The auth plugins run at priority 1000, while the ip-restriction has priority 990. So that doesn't seem to be the issue.

Tieske (Member) commented Apr 20, 2017

So I recreated the issue (using key-auth instead). I first tested the ip-ranges by configuring them on the API, and then it got blocked properly.

When I configure the same IPs on the consumer (anonymous), then it does not block them. This confirms the issue @pheex is seeing.

When looking at the logs I only see the key-auth plugin being executed:

2017/04/20 07:53:58 [debug] 15683#0: *217 [lua] cluster.lua:20: log(): [cluster] sending keepalive event to datastore
2017/04/20 07:54:12 [debug] 15682#0: *249 [lua] balancer.lua:33: cb(): fetching all upstreams
2017/04/20 07:54:12 [debug] 15682#0: *249 [lua] base_plugin.lua:17: access():  executing plugin "key-auth": access
2017/04/20 07:54:13 [debug] 15682#0: *249 [lua] base_plugin.lua:21: header_filter():  executing plugin "key-auth": header_filter
2017/04/20 07:54:13 [debug] 15682#0: *249 [lua] base_plugin.lua:25: body_filter():  executing plugin "key-auth": body_filter
2017/04/20 07:54:13 [debug] 15682#0: *249 [lua] base_plugin.lua:25: body_filter():  executing plugin "key-auth": body_filter
2017/04/20 07:54:13 [debug] 15682#0: *249 [lua] base_plugin.lua:29: log():  executing plugin "key-auth": log
2017/04/20 07:54:13 [info] 15682#0: *249 client 10.0.2.2 closed keepalive connection
2017/04/20 07:54:28 [debug] 15683#0: *282 [lua] cluster.lua:20: log(): [cluster] sending keepalive event to datastore
2017/04/20 07:54:58 [debug] 15682#0: *347 [lua] cluster.lua:20: log(): [cluster] sending keepalive event to datastore
2017/04/20 07:55:28 [debug] 15683#0: *409 [lua] cluster.lua:20: log(): [cluster] sending keepalive event to datastore

Cause:

In the access phase the iterator that runs the plugins creates a list to run and then executes them one by one. What this iterator doesn't take into account is that during this loop the conditions change (the consumer is identified), and new plugins should be added to the list it is executing.
And hence it forgoes the ip-restriction plugin, and simply doesn't execute it.

Tieske (Member) commented Apr 20, 2017

Forget about the above, sorry for the noise.

The culprit is in the iterator for plugin execution: it checks on credentials being available, instead of the consumer_id that was set. In the case of anonymous there are no credentials, hence it doesn't run the specified plugins.
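
A constructed simulation of the access-phase gate described above, added here as an example and not taken from Kong or from #2424; the consumer ids, credentials and blacklist range are assumed values. It shows why a consumer-scoped ip-restriction plugin is skipped for the anonymous consumer when the iterator keys on credentials, and runs when it keys on the consumer id instead.

```python
"""Constructed model of the Kong 0.10 access-phase check discussed in this issue.
Not Kong's code: plugin lookup is reduced to the consumer-scoped rule that matters
here, and basic-auth / ip-restriction are stand-ins with the same inputs and outcomes."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANON = "anon-consumer-id"                              # assumed anonymous consumer id
CREDS = {"alice": ("secret", "alice-consumer-id"),     # assumed basic-auth users
         "anon": ("pw", ANON)}                         # anonymous consumer's own creds
WAN_BLACKLIST = ["203.0.113.0/24"]                     # assumed WAN range (TEST-NET-3)

@dataclass
class Ctx:
    client_ip: str
    auth: Optional[tuple] = None       # (user, password) from the request, or None
    credential: Optional[str] = None   # set only when real credentials were validated
    consumer_id: Optional[str] = None  # set for real consumers AND for the anonymous one

def basic_auth(ctx):
    """Stand-in for basic-auth with config.anonymous=ANON."""
    if ctx.auth and CREDS.get(ctx.auth[0], (None,))[0] == ctx.auth[1]:
        ctx.credential = ctx.auth[0]
        ctx.consumer_id = CREDS[ctx.auth[0]][1]
    else:
        ctx.consumer_id = ANON         # no credential object exists in this case

def ip_restriction(ctx):
    """Stand-in for ip-restriction blacklisting WAN_BLACKLIST: 403 or None."""
    ip = ipaddress.ip_address(ctx.client_ip)
    return 403 if any(ip in ipaddress.ip_network(n) for n in WAN_BLACKLIST) else None

def consumer_plugins_enabled(ctx, fixed):
    """The iterator's gate for consumer-scoped plugins.
    0.10.1 asked for a credential; the fix asks for a consumer id."""
    return ctx.consumer_id is not None if fixed else ctx.credential is not None

def access_phase(client_ip, auth=None, fixed=False):
    """Run the two plugins in priority order; ip-restriction is scoped to ANON."""
    ctx = Ctx(client_ip=client_ip, auth=auth)
    basic_auth(ctx)
    if consumer_plugins_enabled(ctx, fixed) and ctx.consumer_id == ANON:
        return ip_restriction(ctx) or 200
    return 200
```

With `fixed=False` an unauthenticated WAN request passes straight through, while the same request carrying the anonymous consumer's own credentials is blocked, which is exactly the pair of observations reported above.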

pheex (Author) commented Apr 20, 2017

Thanks @Tieske for the explanations.

Tieske (Member) commented Apr 20, 2017

Fix is in #2424. Closing this now.

@Tieske Tieske closed this as completed Apr 20, 2017
Tieske added a commit that referenced this issue Apr 20, 2017
Credentials will not always be set, hence the iterator should base
itself on the consumer id set.

fixes #2414
Tieske added a commit that referenced this issue Apr 21, 2017
Credentials will not always be set, hence the iterator should base
itself on the consumer id set.

fixes #2414