bonobo
Self serve key management for Kong
Bonobo provides the interface for the general public to request Content API keys and Guardian staff to manage them.
ie.
https://open-platform.theguardian.com/access/
https://bonobo.capi.gutools.co.uk/register/developer
Bonobo manages the keys in Kong via the Kong API.
Prerequisites for development
Bonobo needs an instance of Kong to connect to, so you will need Kong and it's PostgreSQL running somewhere. We recommend running them in Docker containers. See instructions below on how to set this up.
To run locally using Docker - INTEL-BASED MACHINE
- Ensure Docker Desktop is running.
- Ensure you have Content API developer credentials (from Janus)
- Ensure you're compiling and running the application using Java 8. (It is best to run the application in an sbt shell that uses JDK 1.8)
- Run the
configure-docker.sh
script:
cd scripts
./configure-docker.sh
If this fails with the following error message;
ERROR: Network kong-net declared as external, but could not be found. Please create the network manually using `docker network create kong-net` and try again.
Just run the command it suggests (docker network create kong-net
) and start ./configure-docker.sh
again
This will create two containers for Kong and it's PostgreSQL/ It will run Kong's database migration scripts to setup the schema. Then it will add an API in Kong with the key-auth plugin enabled.
- Edit
conf/application.conf
to pointkong.apiAddress
at your Kong cluster (in this example:http://192.168.99.100:8001
). In the same file you should configureaws.dynamo.usersTableName
,aws.dynamo.keysTableName
andaws.dynamo.labelsTableName
to point to the DynamoDB tables you are going to use. You do not need to change the play.http.secret.key to run the app locally.
Note: In CODE and PROD the app does NOT use the configurations in the conf/application.conf
file. Instead, it pulls its configurations from a bonobo.conf
file which you can find on the live instance(s).
- Then start the Play app:
$ sbt run
It should now be running at http://localhost:9000/
You will need a Guardian Google account in order to login.
To run locally using Docker - APPLE SILICON / ARM
The current Kong version we are using is not supported at all on Arm hardware. Version 1.5 can run on Arm via amd64 emulation but that changes a couple of parameter names which makes the code incompatible with the existing CODE and PROD environments (upgrade work is in progress).
For the time being, if you need to develop Bonobo locally on Apple silicon you have two options:
- Do nothing, just run without any Kong. The app will work but you won't be able to test creating users, updating keys etc.
- Point your local instance to the CODE deployment of Kong. This is as simple as editing the
kong.apiAddress
line inapplication.conf
and setting it to the URL of the CODE Kong internal load-balancer. - You can find the URL of the CODE Kong internal load-balancer in the AWS Console.
- Go to "Cloudformation"
- Find the stack
content-api-kong-{x}-CODE
({x}
is either'a'
or'b'
) - Go to the "Resources" tab and search for "Loadbalancer"
- You'll see
InternalLoadBalancer
andInternalLoadBalancer
. You want the first. - Click the link under "Physical ID" to jump to the load balancer configuration page in EC2
- Find the field "DNS Name" listed in the load balancer configuration.
- Copy this value and paste it into you application.conf. Pre-pend
https://
to make it a URI.
- Now you should be able to work as if you are in the CODE environment.
To run the integration tests
The integration tests rely on Docker to run Kong.
Make sure you have completed step 1 and 2 from the previous section and then run:
$ sbt it:test
Developer Tier
Keys issued under the Developer
tier can be periodically deleted by Gibbons.
Therefore, if an API key is intended to be used by a service, it should not be issued under the Developer
tier.
DB Backups
Bonobo table backups are handled using DynamoDB's Point In Time Recovery.
More info on restoring a table to a certain point in time can be found here.
The AWS Data Pipeline 'bonobo-PROD-backup-to-s3', which handled backing up Bonobo tables to an S3 bucket, is deactivated and no longer in use.