bcgov / gwa

Gateway Administration
https://catalogue.data.gov.bc.ca/dataset/api-gateway-administration
Apache License 2.0

Access Expiry #57

Open BK01 opened 6 years ago

BK01 commented 6 years ago

Is your feature request related to a problem? Please describe.

Currently, API owners can add and remove developer access to an API anytime. However, as the number of developers grows, it is hard to keep track of who needs continued access when dealing with 'secure' APIs.

Describe the solution you'd like

Provide API Owners with the ability to grant an account with access to an API (in GWA) for a defined length of time. For example, a secure API for which the API owner wants to grant a temporary employee or contractor’s GitHub account access until a specific date.

pauldaustin commented 6 years ago

Brian,

Kong doesn't offer this level of control. In fact, it's even more limited, to consumers and ACLs (which are group-like but not really, as they're just textual names).

So it doesn't even support granting access to individual users.

So what you would need to do is create an ACL for this specific access duration. Then maintain a separate table that has the expiry on it.

The other alternative is a new plugin that allows for defining a user's access to an API and includes an expiry on that.

All this might be easier if we start the project to separate the GWA admin to use a separate config database and then sync across to Kong.

Sometimes I think we're trying to bend Kong to work in ways it wasn't designed to.
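
The first approach suggested above (an ACL group per grant plus a separate expiry table), as an added example that is not part of this thread or of GWA's code. The table, column and function names are hypothetical, and the path assumes the Kong ACL plugin's Admin API route `DELETE /consumers/{consumer}/acls/{group}`; `send` is whatever HTTP client the caller supplies.

```python
import sqlite3
from datetime import timezone
from urllib.parse import quote

# Hypothetical side table: Kong's ACL plugin stores only (consumer, group),
# so the expiry has to live outside Kong.
SCHEMA = """
CREATE TABLE acl_grant_expiry (
    consumer   TEXT NOT NULL,   -- Kong consumer username
    acl_group  TEXT NOT NULL,   -- ACL group created for this grant
    expires_at TEXT NOT NULL,   -- UTC ISO 8601, so string order == time order
    PRIMARY KEY (consumer, acl_group)
)"""

def new_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def utc_iso(ts):
    if ts.tzinfo is None:  # a naive local time could silently extend access
        raise ValueError("expiry timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def grant(conn, consumer, acl_group, expires_at):
    conn.execute("INSERT OR REPLACE INTO acl_grant_expiry VALUES (?, ?, ?)",
                 (consumer, acl_group, utc_iso(expires_at)))

def expired(conn, now):
    return conn.execute(
        "SELECT consumer, acl_group FROM acl_grant_expiry "
        "WHERE expires_at <= ? ORDER BY consumer, acl_group",
        (utc_iso(now),)).fetchall()

def sweep(conn, now, send):
    """Revoke expired grants; send(method, path) returns the Admin API status."""
    revoked, failed = [], []
    for consumer, group in expired(conn, now):
        path = "/consumers/%s/acls/%s" % (quote(consumer, safe=""), quote(group, safe=""))
        status = send("DELETE", path)
        if status in (204, 404):  # removed now, or already absent in Kong
            conn.execute("DELETE FROM acl_grant_expiry WHERE consumer=? AND acl_group=?",
                         (consumer, group))
            revoked.append((consumer, group))
        else:  # keep the row so the next sweep retries the revocation
            failed.append((consumer, group, status))
    return revoked, failed
```

Because the expiry row is deleted only after Kong confirms the removal, a failed Admin API call leaves the grant listed as expired and it is retried on the next run.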