AI Gateway: Create how-to for using MCP ACLs for aggregated MCP servers #3913

@tomek-labuk

Description

Jobs to be done

We need to publish a how-to for using ACLs with aggregated MCP Servers via the AI MCP Proxy plugin. The key here is the include_consumer_groups: true setting on the MCP listener level, which ensures that aggregated tools are filtered out correctly by the configured ACLs.

NOTE: This is not available yet, we're waiting for the patch release.

_format_version: "3.0"

services:
  - name: weather-internet-service
    url: https://api.weatherapi.com
    plugins:
    - name: request-transformer-advanced
      config:
        add:
          querystring:
          - key:<redacted_key>
      tags:
      - ai-gateway-mcp
    routes:
    - name: weather-internet-direct
      strip_path: true
      paths:
      - /mcp/weather-internet/direct
      tags:
      - ai-gateway-mcp
    - name: weather-internet-mcp
      strip_path: true
      paths:
      - /mcp/weather-internet
      plugins:
      - name: ai-mcp-proxy
        config:
          mode: conversion-only
          # default_acl:
          # - scope: tools
          #   allow:
          #     - gold-partner
          #   deny:
          #     - silver-partner
          #     - bronze-partner
          logging:
            log_audits: true
            log_payloads: true
            log_statistics: true
          tools:
          - description: Get current weather for a location
            name: weather-internet
            acl:
              allow:
              - gold-partner
              deny:
              - silver-partner
              - bronze-partner
            method: GET
            path: "./v1/current.json"
            parameters:
            - name: q
              in: query
              required: true
              schema:
                type: string
                default: London
              description: Location query. Accepts US Zipcode, UK Postcode, Canada Postalcode, IP address, latitude/longitude, or city name.
        tags:
        - ai-gateway-mcp-aggregation
      tags:
      - ai-gateway-mcp
    tags:
    - ai-gateway-mcp

routes:
  - name: mcp-aggregation
    paths:
    - /mcp/aggregation
    plugins:
    - name: key-auth
      config:
        key_names:
          - apikey
    - name: ai-mcp-proxy
      config:
        mode: listener
        include_consumer_groups: true
        server:
          tag: ai-gateway-mcp-aggregation
          timeout: 45000
        logging:
          log_audits: true
          log_statistics: true
          log_payloads: true
        max_request_body_size: 32768
      tags:
      - ai-gateway-mcp-aggregation
    - name: file-log
      config:
        path: /tmp/ai.log
    tags:
    - ai-gateway-mcp-aggregation

consumer_groups:
  - name: gold-partner
  - name: silver-partner
  - name: bronze-partner

consumers:
  - username: alice
    groups:
      - name: gold-partner
    keyauth_credentials:
      - key: alice-key

  - username: bob
    groups:
      - name: silver-partner
    keyauth_credentials:
      - key: bob-key

  - username: carol
    groups:
      - name: bronze-partner
    keyauth_credentials:
      - key: carol-key

  - username: eason
    keyauth_credentials:
      - key: eason-key

Definition of done

  • How-to published and tested

Info

Person of contact: Eason

Size

M
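
An expected-visibility matrix for testing the configuration above, as an added example that is not part of the issue or the plugin's own code. It assumes deny entries take precedence over allow and that a non-empty allow list excludes everyone else; `dave` is a constructed consumer that does not appear in the issue's config.

```python
# Added example: expected tool visibility per consumer for the issue's config.
# ASSUMPTIONS (not stated in the issue): deny takes precedence over allow, and a
# non-empty allow list excludes every consumer that matches none of its groups.

# Per-tool ACLs copied from the ai-mcp-proxy `tools` entry in the issue.
TOOL_ACLS = {
    "weather-internet": {
        "allow": ["gold-partner"],
        "deny": ["silver-partner", "bronze-partner"],
    },
}

# Consumer -> consumer groups, copied from the issue; "dave" is constructed here
# to exercise the allow/deny overlap and does not exist in the issue's config.
CONSUMER_GROUPS = {
    "alice": ["gold-partner"],
    "bob": ["silver-partner"],
    "carol": ["bronze-partner"],
    "eason": [],
    "dave": ["gold-partner", "silver-partner"],
}


def is_allowed(acl, groups):
    """Evaluate one tool ACL against a consumer's groups (assumed semantics)."""
    groups = set(groups)
    if groups & set(acl.get("deny") or []):
        return False  # any denied group blocks the tool
    allow = set(acl.get("allow") or [])
    if allow:
        return bool(groups & allow)  # allow list present: must match one entry
    return True  # no allow list and no deny match


def visible_tools(consumer):
    """Tools the aggregated listener is expected to list for this consumer."""
    groups = CONSUMER_GROUPS[consumer]
    return sorted(t for t, acl in TOOL_ACLS.items() if is_allowed(acl, groups))


def expected_matrix():
    return {c: visible_tools(c) for c in CONSUMER_GROUPS}


if __name__ == "__main__":
    for consumer, tools in expected_matrix().items():
        print(f"{consumer:6} -> {tools or 'no tools listed'}")
```

The matrix gives the how-to a pass/fail table to compare against what each API key actually sees on /mcp/aggregation once the patch release is available.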
