Refactor the authorization task (#3150)

* Refactor the authorization task

- Move the permissive mode to a standalone task
- Rename the group/list claim support to align with other tasks
- Re-order to put the basic HTTP/TCP task first

Signed-off-by: Yangmin Zhu <ymzhu@google.com>

* Fix links.

* resolve comments.

* Address comments.
Yangmin Zhu 2019-02-05 12:49:22 -08:00 committed by istio-bot
parent 6af1bb77c1
commit 1126638238
4 changed files with 187 additions and 229 deletions


@ -1,7 +1,7 @@
---
title: Authorization for HTTP Services
description: Shows how to set up role-based access control for HTTP services.
weight: 40
weight: 10
keywords: [security,access-control,rbac,authorization]
aliases:
- /docs/tasks/security/role-based-access-control.html
@ -16,22 +16,15 @@ a basic tutorial in Istio Security Basics.
The activities in this task assume that you:
* Understand [authorization](/docs/concepts/security/#authorization) concepts.
* Read the [authorization concept](/docs/concepts/security/#authorization).
* Have set up Istio on Kubernetes **with authentication enabled** by following the instructions in the
[quick start](/docs/setup/kubernetes/quick-start/), this tutorial requires mutual TLS to work. Mutual TLS
authentication should be enabled in the [installation steps](/docs/setup/kubernetes/quick-start/#installation-steps).
* Follow the instructions in the [Kubernetes quick start](/docs/setup/kubernetes/quick-start/) to
install Istio **with mutual TLS enabled**.
* Deploy the [Bookinfo](/docs/examples/bookinfo/) sample application.
* In this task, we will enable access control based on Service Accounts, which are cryptographically authenticated in the mesh.
In order to give different microservices different access privileges, we will create some service accounts and redeploy Bookinfo
microservices running under them.
Run the following command to
* Create service account `bookinfo-productpage`, and redeploy the service `productpage` with the service account.
* Create service account `bookinfo-reviews`, and redeploy the services `reviews` (deployments `reviews-v2` and `reviews-v3`)
with the service account.
* Create service accounts and for the Bookinfo application. Run the following command to create service
account `bookinfo-productpage` for `productpage` and service account `bookinfo-reviews` for `reviews`:
{{< text bash >}}
$ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/bookinfo-add-serviceaccount.yaml@)
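Review bot: the rewritten bullet `* Create service accounts and for the Bookinfo application.` has a stray "and" and should read "Create service accounts for the Bookinfo application." The rewrite also drops the one sentence that motivated this step, that service accounts are cryptographically authenticated identities in the mesh and are therefore what the authorization policies bind to; keep a short clause to that effect, otherwise the reader sees an unexplained redeploy of `productpage` and `reviews`.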
@ -70,220 +63,6 @@ for the list of supported keys in `constraints` and `properties`.
If you refresh the page several times, you should see different versions of reviews shown in the product page,
presented in a round robin style (red stars, black stars, no stars)
## Authorization permissive mode
The authorization permissive mode is an experimental feature in Istio's 1.1 release. Its interface can change in future releases.
You can skip enabling the permissive mode and directly [enable Istio authorization](#enabling-istio-authorization)
if you do not want to try out the permissive mode feature.
This section shows how to use authorization permissive mode in below two scenarios:
* In environment without authorization, test whether it's safe to enable authorization.
* In environment already with authorization enabled, test whether it's safe to add a new authorization policy.
### Testing whether it's safe to turn on authorization globally
This tasks show how to use authorization permissive mode to test whether it's safe to
turn on authorization globally.
Before you start, please make sure that you have finished [preparation task](#before-you-begin).
1. Set the global authorization configuration to permissive mode.
Run the following command:
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: "rbac.istio.io/v1alpha1"
kind: ClusterRbacConfig
metadata:
name: default
spec:
mode: 'ON_WITH_INCLUSION'
inclusion:
namespaces: ["default"]
enforcement_mode: PERMISSIVE
EOF
{{< /text >}}
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`), you should
see everything works fine, same as in [preparation task](#before-you-begin).
1. Apply YAML file for the permissive mode metric collection.
Run the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
logentry.config.istio.io/rbacsamplelog created
stdio.config.istio.io/rbacsamplehandler created
rule.config.istio.io/rabcsamplestdio created
{{< /text >}}
1. Send traffic to the sample application.
For the Bookinfo sample, visit `http://$GATEWAY_URL/productpage` in your web
browser or issue the following command:
{{< text bash >}}
$ curl http://$GATEWAY_URL/productpage
{{< /text >}}
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`), you should
see everything works fine.
1. Verify the logs stream has been created and check `permissiveResponseCode`.
In a Kubernetes environment, search through the `istio-telemetry`
pods' logs as follows:
{{< text bash json >}}
$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"rbacsamplelog.logentry.istio-system\"
{"level":"warn","time":"2018-08-30T21:53:42.059444Z","instance":"rbacsamplelog.logentry.istio-system","destination":"ratings","latency":"9.158879ms","permissiveResponseCode":"denied","permissiveResponsePolicyID":"","responseCode":200,"responseSize":48,"source":"reviews","user":"cluster.local/ns/default/sa/bookinfo-reviews"}
{"level":"warn","time":"2018-08-30T21:53:41.037824Z","instance":"rbacsamplelog.logentry.istio-system","destination":"reviews","latency":"1.091670916s","permissiveResponseCode":"denied","permissiveResponsePolicyID":"","responseCode":200,"responseSize":379,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
{"level":"warn","time":"2018-08-30T21:53:41.019851Z","instance":"rbacsamplelog.logentry.istio-system","destination":"productpage","latency":"1.112521495s","permissiveResponseCode":"denied","permissiveResponsePolicyID":"","responseCode":200,"responseSize":5723,"source":"istio-ingressgateway","user":"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"}
{{< /text >}}
In the above telemetry logs, the `responseCode` is 200 which is what user see now.
The `permissiveResponseCode` is `denied` which is what user will see after switching
global authorization configuration from `PERMISSIVE` mode to `ENFORCED` mode, which
indicates the global authorization configuration will work as expected after rolling
to production.
1. Before rolling out a new authorization policy in production, apply it in permissive mode.
`Note`, when global authorization configuration is in permissive mode, all policies will be in
permissive mode by default.
Run the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
{{< /text >}}
1. Send traffic to the sample application again.
For the Bookinfo sample, visit `http://$GATEWAY_URL/productpage` in your web
browser or issue the following command:
{{< text bash >}}
$ curl http://$GATEWAY_URL/productpage
{{< /text >}}
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`), you should
see everything works fine.
1. Verify the logs and check `permissiveResponseCode` again.
In a Kubernetes environment, search through the `istio-telemetry`
pods's logs as follows:
{{< text bash json >}}
$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"rbacsamplelog.logentry.istio-system\"
{"level":"warn","time":"2018-08-30T21:55:53.590430Z","instance":"rbacsamplelog.logentry.istio-system","destination":"ratings","latency":"4.415633ms","permissiveResponseCode":"denied","permissiveResponsePolicyID":"","responseCode":200,"responseSize":48,"source":"reviews","user":"cluster.local/ns/default/sa/bookinfo-reviews"}
{"level":"warn","time":"2018-08-30T21:55:53.565914Z","instance":"rbacsamplelog.logentry.istio-system","destination":"reviews","latency":"32.97524ms","permissiveResponseCode":"denied","permissiveResponsePolicyID":"","responseCode":200,"responseSize":379,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
{"level":"warn","time":"2018-08-30T21:55:53.544441Z","instance":"rbacsamplelog.logentry.istio-system","destination":"productpage","latency":"57.800056ms","permissiveResponseCode":"allowed","permissiveResponsePolicyID":"productpage-viewer","responseCode":200,"responseSize":5723,"source":"istio-ingressgateway","user":"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"}
{{< /text >}}
In telemetry logs above, the `responseCode` is 200 which is what user see now.
The `permissiveResponseCode` is `allowed` for productpage service, 403 for ratings
and reviews services, which are what user will see after switching
policy mode from `PERMISSIVE` mode to `ENFORCED` mode; the result aligns with
[step 1](#step-1-allowing-access-to-the-productpage-service).
1. Remove permissive mode related yaml files:
{{< text bash >}}
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-on-permissive.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
{{< /text >}}
1. Now we have verified authorization will work as expected when turning it on,
it's safe following below [Enabling Istio authorization](#enabling-istio-authorization) to turn on authorization.
### Testing new authorization policy works as expected before rolling to production
This tasks shows how to use authorization permissive mode to test a new authorization policy works
as expected in environment with authorization already enabled.
Before you start, please make sure that you have finished [step 1](#step-1-allowing-access-to-the-productpage-service).
1. Before applying a new policy, test it by setting its mode to permissive:
Run the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy-permissive.yaml@
{{< /text >}}
The policy is the same as defined in [allowing access to the details and
reviews services](#step-2-allowing-access-to-the-details-and-reviews-services), except `PERMISSIVE` mode is set in ServiceRoleBinding.
{{< text yaml >}}
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-details-reviews
namespace: default
spec:
subjects:
- user: "cluster.local/ns/default/sa/bookinfo-productpage"
roleRef:
kind: ServiceRole
name: "details-reviews-viewer"
mode: PERMISSIVE
{{< /text >}}
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`), you should still
see there are errors `Error fetching product details` and `Error fetching
product reviews` on the page. These errors are expected because the policy is
in `PERMISSIVE` mode.
1. Apply YAML file for the permissive mode metric collection.
Run the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
{{< /text >}}
1. Send traffic to the sample application.
For the Bookinfo sample, visit `http://$GATEWAY_URL/productpage` in your web
browser or issue the following command:
{{< text bash >}}
$ curl http://$GATEWAY_URL/productpage
{{< /text >}}
1. Verify the logs and check `permissiveResponseCode` again.
In a Kubernetes environment, search through the `istio-telemetry`
pods' logs as follows:
{{< text bash json >}}
$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"rbacsamplelog.logentry.istio-system\"
{"level":"warn","time":"2018-08-30T22:59:42.707093Z","instance":"rbacsamplelog.logentry.istio-system","destination":"details","latency":"423.381µs","permissiveResponseCode":"allowed","permissiveResponsePolicyID":"details-reviews-viewer","responseCode":403,"responseSize":19,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
{"level":"warn","time":"2018-08-30T22:59:42.763423Z","instance":"rbacsamplelog.logentry.istio-system","destination":"reviews","latency":"237.333µs","permissiveResponseCode":"allowed","permissiveResponsePolicyID":"details-reviews-viewer","responseCode":403,"responseSize":19,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
{{< /text >}}
In telemetry logs above, the `responseCode` is 403 for ratings
and reviews services, which is what users see now.
The `permissiveResponseCode` is `allowed` for ratings and reviews services,
which is what users will see after switching policy mode from `PERMISSIVE` mode
to `ENFORCED` mode; it indicates the new authorization policy will work as expected
after rolling to production.
1. Remove permissive mode related yaml files:
{{< text bash >}}
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy-permissive.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
{{< /text >}}
1. Now we have verified the new policy will work as expected, it's safe
following [step 2](#step-2-allowing-access-to-the-details-and-reviews-services) to apply the policy.
## Enabling Istio authorization
Run the following command to enable Istio authorization for the `default` namespace:
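Review bot: the block removed here is the only place that shows the permissive `ServiceRoleBinding` (`mode: PERMISSIVE` under `spec` of `bind-details-reviews`) and explains that `details-reviews-policy-permissive.yaml` is the step 2 policy with only the mode changed; since `mode` on the binding is the mechanism the whole permissive-mode task depends on, that YAML and its one-line explanation should move with the section into the new standalone task rather than be dropped. Also, with the section gone the surviving context line `presented in a round robin style (red stars, black stars, no stars)` now runs straight into `## Enabling Istio authorization` and still lacks its closing period.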


@ -0,0 +1,179 @@
---
title: Authorization permissive mode
description: Shows how to use Authorization permissive mode.
weight: 10
keywords: [security,access-control,rbac,authorization]
---
The [authorization permissive mode](/docs/concepts/security/#authorization-permissive-mode) allows
you to verify authorization policies before applying them in a production environment.
The authorization permissive mode is an experimental feature in version 1.1. Its interface can change
in future releases. If you do not want to try out the permissive mode feature, you can directly
[enable Istio authorization](/docs/tasks/security/authz-http#enabling-istio-authorization) to skip
enabling the permissive mode.
This task covers two scenarios regarding the use of the permissive mode for authorization:
* For environments where **authorization is disabled**, this task helps you test whether it's safe to
enable the authorization.
* For environments where **authorization is enabled**, this task helps you test whether it's safe to
add a new authorization policy.
## Before you begin
To complete this task, you should first take the following actions:
* Read the [authorization concept](/docs/concepts/security/#authorization).
* Follow the instructions in the [Kubernetes quick start](/docs/setup/kubernetes/quick-start/) to
install Istio **with mutual TLS enabled**.
* Deploy the [Bookinfo](/docs/examples/bookinfo/) sample application.
* Create service accounts for the Bookinfo application. Run the following command to create service
account `bookinfo-productpage` for `productpage` and service account `bookinfo-reviews` for `reviews`:
{{< text bash >}}
$ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/bookinfo-add-serviceaccount.yaml@)
{{< /text >}}
### Test enabling authorization globally
The following steps show you how to use authorization permissive mode to test whether it's safe to
turn on authorization globally:
1. To enable the permissive mode in the global authorization configuration, run the following command:
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: "rbac.istio.io/v1alpha1"
kind: ClusterRbacConfig
metadata:
name: default
spec:
mode: 'ON_WITH_INCLUSION'
inclusion:
namespaces: ["default"]
enforcement_mode: PERMISSIVE
EOF
{{< /text >}}
1. Go to the `productpage` at `http://$GATEWAY_URL/productpage` and verify that everything works fine.
1. Apply the `rbac-permissive-telemetry.yaml` YAML file to enable the metric collection for the permissive mode:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
logentry.config.istio.io/rbacsamplelog created
stdio.config.istio.io/rbacsamplehandler created
rule.config.istio.io/rabcsamplestdio created
{{< /text >}}
1. Send traffic to the sample application with the following command:
{{< text bash >}}
$ curl http://$GATEWAY_URL/productpage
{{< /text >}}
1. Go to the `productpage` at `http://$GATEWAY_URL/productpage` and verify that everything works fine.
1. Get the log for telemetry and search for the `permissiveResponseCode` with the following command:
{{< text bash json >}}
$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"rbacsamplelog.logentry.istio-system\"
{"level":"warn","time":"2018-08-30T21:53:42.059444Z","instance":"rbacsamplelog.logentry.istio-system","destination":"ratings","latency":"9.158879ms","permissiveResponseCode":"denied","permissiveResponsePolicyID":"","responseCode":200,"responseSize":48,"source":"reviews","user":"cluster.local/ns/default/sa/bookinfo-reviews"}
{"level":"warn","time":"2018-08-30T21:53:41.037824Z","instance":"rbacsamplelog.logentry.istio-system","destination":"reviews","latency":"1.091670916s","permissiveResponseCode":"denied","permissiveResponsePolicyID":"","responseCode":200,"responseSize":379,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
{"level":"warn","time":"2018-08-30T21:53:41.019851Z","instance":"rbacsamplelog.logentry.istio-system","destination":"productpage","latency":"1.112521495s","permissiveResponseCode":"denied","permissiveResponsePolicyID":"","responseCode":200,"responseSize":5723,"source":"istio-ingressgateway","user":"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"}
{{< /text >}}
1. Verify that the the log shows a `responseCode` of `200` and a `permissiveResponseCode` of `denied`.
1. Apply the `productpage-policy.yaml` authorization policy in permissive mode with the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
{{< /text >}}
1. Send traffic to the sample application with the following command:
{{< text bash >}}
$ curl http://$GATEWAY_URL/productpage
{{< /text >}}
1. Get the log for telemetry and search for the `permissiveResponseCode` with the following command:
{{< text bash json >}}
$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"rbacsamplelog.logentry.istio-system\"
{"level":"warn","time":"2018-08-30T21:55:53.590430Z","instance":"rbacsamplelog.logentry.istio-system","destination":"ratings","latency":"4.415633ms","permissiveResponseCode":"denied","permissiveResponsePolicyID":"","responseCode":200,"responseSize":48,"source":"reviews","user":"cluster.local/ns/default/sa/bookinfo-reviews"}
{"level":"warn","time":"2018-08-30T21:55:53.565914Z","instance":"rbacsamplelog.logentry.istio-system","destination":"reviews","latency":"32.97524ms","permissiveResponseCode":"denied","permissiveResponsePolicyID":"","responseCode":200,"responseSize":379,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
{"level":"warn","time":"2018-08-30T21:55:53.544441Z","instance":"rbacsamplelog.logentry.istio-system","destination":"productpage","latency":"57.800056ms","permissiveResponseCode":"allowed","permissiveResponsePolicyID":"productpage-viewer","responseCode":200,"responseSize":5723,"source":"istio-ingressgateway","user":"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"}
{{< /text >}}
1. Verify that the the log shows a `responseCode` of `200` and a `permissiveResponseCode` of `allowed`
for `productpage` service.
1. Remove the YAML files related to enabling the permissive mode:
{{< text bash >}}
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-on-permissive.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
{{< /text >}}
1. Congratulations! You tested an authorization policy with permissive mode and verified it works
as expected. To enable the authorization policy, follow the steps described in the
[Enabling Istio authorization task](/docs/tasks/security/authz-http#enabling-istio-authorization).
### Test adding authorization policy
The following steps show how to test a new authorization policy with permissive mode when authorization
has already been enabled.
1. Allow access to the `producepage` service by following the instructions in
[Enabling authorization for HTTP services step 1](/docs/tasks/security/authz-http#step-1-allowing-access-to-the-productpage-service).
1. Allow access to the details and reviews service in permissive mode with the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy-permissive.yaml@
{{< /text >}}
1. Verify there are errors `Error fetching product details` and `Error fetching product reviews` on
the Bookinfo `productpage` by pointing your browser at the `productpage` (`http://$GATEWAY_URL/productpage`),
These errors are expected because the policy is in `PERMISSIVE` mode.
1. Apply the `rbac-permissive-telemetry.yaml` YAML file to enable the permissive mode metric collection.
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
{{< /text >}}
1. Send traffic to the sample application:
{{< text bash >}}
$ curl http://$GATEWAY_URL/productpage
{{< /text >}}
1. Get the log for telemetry and search for the `permissiveResponseCode` with the following command:
{{< text bash json >}}
$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"rbacsamplelog.logentry.istio-system\"
{"level":"warn","time":"2018-08-30T22:59:42.707093Z","instance":"rbacsamplelog.logentry.istio-system","destination":"details","latency":"423.381µs","permissiveResponseCode":"allowed","permissiveResponsePolicyID":"details-reviews-viewer","responseCode":403,"responseSize":19,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
{"level":"warn","time":"2018-08-30T22:59:42.763423Z","instance":"rbacsamplelog.logentry.istio-system","destination":"reviews","latency":"237.333µs","permissiveResponseCode":"allowed","permissiveResponsePolicyID":"details-reviews-viewer","responseCode":403,"responseSize":19,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
{{< /text >}}
1. Verify that the the log shows a `responseCode` of `403` and a `permissiveResponseCode` of `allowed`
for ratings and reviews services.
1. Remove the YAML files related to enabling the permissive mode:
{{< text bash >}}
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy-permissive.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
{{< /text >}}
1. Congratulations! You tested adding an authorization policy with permissive mode and verified it will
work as expected. To add the authorization policy, follow the steps described in the
[Enabling Istio authorization task](/docs/tasks/security/authz-http#enabling-istio-authorization).
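Review bot: the cleanup step in "Test enabling authorization globally" runs `kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-on-permissive.yaml@`, but step 1 of that section never applies that file; it applies the `ClusterRbacConfig` inline through a heredoc. Apply the sample file in step 1 (or delete the inline resource by kind and name) so that setup and teardown match and a reader who followed the steps is not left with a permissive `ClusterRbacConfig` still in the cluster. Structure: both test sections are `###` headings placed under `## Before you begin`, so they render as sub-sections of the prerequisites; promote them to `##`. Content: the verification after the final log capture says `permissiveResponseCode` of `allowed` "for ratings and reviews services", but the log lines it refers to show `destination` `details` and `reviews` with policy `details-reviews-viewer`, so it should say details and reviews; and the verification after `productpage-policy.yaml` only mentions `productpage`, while the log still shows `ratings` and `reviews` as `denied`, which the removed text called out as the calls that would get 403 once the mode is switched to enforcing. That is the signal the task exists to surface, so say it. Typos: "the the" appears three times in the verification steps, `producepage` should be `productpage`, and the sentence ending `(http://$GATEWAY_URL/productpage),` needs a period rather than a comma.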


@ -1,7 +1,7 @@
---
title: Authorization for TCP Services
description: Shows how to set up role-based access control for TCP services.
weight: 40
weight: 10
keywords: [security,access-control,rbac,tcp,authorization]
---
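Review bot: changing `weight: 40` to `weight: 10` gives the TCP task the same weight as the HTTP task, the new permissive-mode task and the groups/list-claims task touched in this same commit, so the section ordering has nothing to distinguish them and the "basic HTTP/TCP task first" ordering from the commit message is not actually expressed; use distinct weights (for example 10, 20, 30, 40) to pin the order.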


@ -1,5 +1,5 @@
---
title: Groups-Based Authorization and Authorization for List-Typed Claims
title: Authorization for groups and list claims
description: Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio.
weight: 10
keywords: [security,authorization]
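Review bot: the title is renamed to `Authorization for groups and list claims`, but the description on the next line is left untouched and still reads `groups-base authorization` (typo for groups-based) and `list-typed claims`; update the description to match the new title wording. This page also keeps `weight: 10`, the same value the HTTP, TCP and permissive-mode tasks get in this commit, so the intended re-ordering is not expressed here either.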