Update Istio RBAC document to reflect sample changes. (#1062)

Limin Wang 2018-03-07 13:16:58 -08:00 committed by GitHub
parent daa19368f0
commit 273c11cfcb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 67 additions and 57 deletions

View File

@ -52,8 +52,8 @@ Below we show an example "requestcontext".
namespace: istio-system
spec:
subject:
user: request.auth.principal | ""
groups: request.auth.principal | ""
user: source.user | ""
groups: ""
properties:
service: source.service | ""
namespace: source.namespace | ""
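Review bot: the new `groups: ""` hard-codes an empty group for every request, so no ServiceRoleBinding subject that matches on a group can ever succeed under this requestcontext; the document should say that group-based subjects are not populated by this instance (or drop the field) rather than ship a silently inert attribute. The switch from `request.auth.principal` to `source.user` also changes which identity is being authorized, from the end-user principal to the calling workload's service-account identity, and one sentence stating that would save readers who expect JWT subjects to match `user:` subjects from a confusing debugging session.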
@ -98,8 +98,7 @@ Here is an example of a simple role "service-admin", which has full access to al
methods: ["*"]
```
Here is another role "products-viewer", which has read ("GET" and "HEAD") access to service "products.default.svc.cluster.local"
in "default" namespace.
Here is another role "products-viewer", which has read ("GET" and "HEAD") access to "products" service in "default" namespace.
```rule
apiVersion: "config.istio.io/v1alpha2"
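Review bot: the rewritten sentence now refers to the "products" service in the "default" namespace using a short name; since the ServiceRole YAML below carries `namespace: default` in its metadata, the text should state explicitly that a bare service name is resolved relative to the role's own namespace, otherwise a reader may assume `services: ["products"]` matches a service of that name in any namespace.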
@ -109,7 +108,7 @@ in "default" namespace.
namespace: default
spec:
rules:
- services: ["products.default.svc.cluster.local"]
- services: ["products"]
methods: ["GET", "HEAD"]
```
@ -117,7 +116,7 @@ In addition, we support **prefix match** and **suffix match** for all the fields
has the following permissions in "default" namespace:
* Full access to all services with prefix "test-" (e.g, "test-bookstore", "test-performance", "test-api.default.svc.cluster.local").
* Read ("GET") access to all paths with "/reviews" suffix (e.g, "/books/reviews", "/events/booksale/reviews", "/reviews")
in service "bookstore.default.svc.cluster.local".
in "bookstore" service.
```rule
apiVersion: "config.istio.io/v1alpha2"
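Review bot: the unchanged bullet `* Full access to all services with prefix "test-" (e.g, "test-bookstore", "test-performance", "test-api.default.svc.cluster.local").` still lists an FQDN, which contradicts the short-name convention this commit introduces in the bullet right below it; drop `"test-api.default.svc.cluster.local"` or replace it with a short name. Also `e.g,` should be `e.g.,` in both bullets.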
@ -129,7 +128,7 @@ in service "bookstore.default.svc.cluster.local".
rules:
- services: ["test-*"]
methods: ["*"]
- services: ["bookstore.default.svc.cluster.local"]
- services: ["bookstore"]
paths: ["*/reviews"]
methods: ["GET"]
```
@ -150,7 +149,7 @@ being "v1" or "v2". Note that the "version" property is provided by `"action.pro
namespace: default
spec:
rules:
- services: ["products.default.svc.cluster.local"]
- services: ["products"]
methods: ["GET", "HEAD"]
constraints:
- key: "version"
@ -169,7 +168,7 @@ instance.
Here is an example of ServiceRoleBinding object "test-binding-products", which binds two subjects to ServiceRole "product-viewer":
* user "alice@yahoo.com".
* "reviews.abc.svc.cluster.local" service in "abc" namespace.
* "reviews" service in "abc" namespace.
```rule
apiVersion: "config.istio.io/v1alpha2"
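Review bot: the unchanged lead-in of this hunk says the binding targets ServiceRole "product-viewer", but the roleRef in the next hunk is `name: "products-viewer"` and the role defined earlier in the document is also "products-viewer"; fix the prose to "products-viewer" so a reader copying the name gets a binding that resolves.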
@ -181,23 +180,45 @@ Here is an example of ServiceRoleBinding object "test-binding-products", which b
subjects:
- user: "alice@yahoo.com"
- properties:
service: "reviews.abc.svc.cluster.local"
service: "reviews"
namespace: "abc"
roleRef:
kind: ServiceRole
name: "products-viewer"
```
In the case that you want to make a service(s) publically accessible, you can use set the subject to `user: "*"`. This will assign a ServiceRole
to all users/services.
```rule
apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
name: binding-products-allusers
namespace: default
spec:
subjects:
- user: "*"
roleRef:
kind: ServiceRole
name: "products-viewer"
```
## Enabling Istio RBAC
Istio RBAC can be enabled by adding the following Mixer adapter rule. The rule has two parts. The first part defines a RBAC handler.
The `"config_store_url"` parameter specifies where RBAC engine fetches RBAC policies. The default value for "config_store_url" is `"k8s://"`,
which means Kubernetes API server. Alternatively, if you are testing RBAC policy locally, you may set it to a local directory such as
`"fs:///tmp/testdata/configroot"`.
It has two parameters, `"config_store_url"` and `"cache_duration"`.
* The `"config_store_url"` parameter specifies where RBAC engine fetches RBAC policies. The default value for `"config_store_url"` is
`"k8s://"`, which means Kubernetes API server. Alternatively, if you are testing RBAC policy locally, you may set it to a local directory
such as `"fs:///tmp/testdata/configroot"`.
* The `"cache_duration"` parameter specifies the duration for which the authorization results may be cached on Mixer client (i.e., Istio proxy).
The default value for `"cache_duration"` is 1 minute.
The second part defines a rule, which specifies that the RBAC handler should be invoked with the "requestcontext" instance [defined
earlier in the document](#request-context).
In the following example, Istio RBAC is enabled for "default" namespace. And the cache duration is set to 30 seconds.
```rule
apiVersion: "config.istio.io/v1alpha2"
kind: rbac
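Review bot: the new public-access paragraph needs copy-editing ("publically" should be "publicly", "you can use set the subject" should be "you can set the subject", "make a service(s)" should be "make a service"), but the substantive gap is that, with the requestcontext now defaulting to `user: source.user | ""`, the text does not say whether `user: "*"` also matches a request whose user resolves to the empty string. Readers will use the binding-products-allusers pattern for "public" services and need to know whether that admits callers with no authenticated identity or only authenticated ones. In the cache_duration bullet, spell out the consequence for enforcement: a policy change, including a removed binding, is not applied by a proxy until its cached result expires, so with the default of 1 minute a revoked permission can stay usable for up to a minute. Minor wording: "defines a RBAC handler" should be "defines an RBAC handler", and "Istio RBAC is enabled for "default" namespace. And the cache duration is set to 30 seconds." reads better as one sentence.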
@ -206,6 +227,7 @@ earlier in the document](#request-context).
namespace: istio-system
spec:
config_store_url: "k8s://"
cache_duration: "30s"
---
apiVersion: "config.istio.io/v1alpha2"
@ -214,6 +236,7 @@ earlier in the document](#request-context).
name: rbaccheck
namespace: istio-system
spec:
match: destination.namespace == "default"
actions:
# handler and instance names default to the rule's namespace.
- handler: handler.rbac
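Review bot: the added `match: destination.namespace == "default"` means the RBAC check runs only for requests whose destination is in "default"; services in every other namespace receive no authorization check at all under this rule. The document should say so explicitly, since "Istio RBAC is enabled" reads as mesh-wide enforcement, and should note that each additional namespace needs its own match clause or a broader expression.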
@ -221,3 +244,7 @@ earlier in the document](#request-context).
- requestcontext.authorization
---
```
## What's next
Try out [Istio RBAC with BookInfo Sample]({{home}}/docs/tasks/security/role-based-access-control.html).

View File

@ -21,10 +21,10 @@ RBAC from [Istio RBAC concept page]({{home}}/docs/concepts/security/rbac.html).
* Deploy the [Bookinfo]({{home}}/docs/guides/bookinfo.html) sample application.
*> Note: Some sample configurations we use below are not in the current Istio release yet. So before you continue, you
*> Note: The current Istio release may not have the up-to-date Istio RBAC samples. So before you continue, you
need to copy the following configuration files from https://github.com/istio/istio/tree/master/samples/bookinfo/kube to
"samples/bookinfo/kube" directory under where you installed Istio. The files include `bookinfo-add-serviceaccount.yaml`
(replace the original one), `istio-rbac-enable.yaml`, `istio-rbac-namespace.yaml`, `istio-rbac-productpage.yaml`,
"samples/bookinfo/kube" directory under where you installed Istio, and replace the original ones. The files include
`bookinfo-add-serviceaccount.yaml`, `istio-rbac-enable.yaml`, `istio-rbac-namespace.yaml`, `istio-rbac-productpage.yaml`,
`istio-rbac-details-reviews.yaml`, `istio-rbac-ratings.yaml`.*
* In this task, we will enable access control based on Service Accounts, which are cryptographically authenticated in the Istio mesh.
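Review bot: the `*> Note: ...` line puts the emphasis marker before the blockquote marker, so Markdown renders a literal `*>` instead of a quoted note; use `> *Note: ...*` or match the plain `> Note:` form used later in this file. Because the note sits inside a bullet list, its continuation lines should also be indented under the bullet so the list does not break.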
@ -59,7 +59,12 @@ Point your browser at the Bookinfo `productpage` (http://$GATEWAY_URL/productpag
## Enabling Istio RBAC
Run the following command to enable Istio RBAC.
Run the following command to enable Istio RBAC for "default" namespace.
> Note: if you are using a namespace other than `default`, edit the file `samples/bookinfo/kube/istio-rbac-enable.yaml`,
and specify the namespace, say `"your-namespace"`, in the `match` statement in `rule` spec
`"match: destination.namespace == "your-namespace"`.
```bash
kubectl apply -f samples/bookinfo/kube/istio-rbac-enable.yaml
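Review bot: the quoted expression on the line `"match: destination.namespace == "your-namespace"` has a stray leading double quote inside the backticks, so the snippet is not what a reader should paste; it should read `match: destination.namespace == "your-namespace"`. Also "Note: if" should be "Note: If" to match the other notes in the file.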
@ -81,9 +86,9 @@ Using Istio RBAC, you can easily setup namespace-level access control by specify
in a namespace are accessible by services from another namespace.
In our Bookinfo sample, the "productpage", "reviews", "details", "ratings" services are deployed in "default" namespace.
The Istio components like "ingress" service are deployed in "istio-system" namespace. We can define a policy that all
services in "default" namespace are accessible by services in the same namespace (i.e., "default" namespace) and
services in "istio-system" namespace.
The Istio components like "ingress" service are deployed in "istio-system" namespace. We can define a policy that
any service in "default" namespace that has "app" label set to one of the values in ["productpage", "details", "reviews", "ratings"]
is accessible by services in the same namespace (i.e., "default" namespace) and services in "istio-system" namespace.
Run the following command to create a namespace-level access control policy.
```bash
@ -91,7 +96,9 @@ kubectl apply -f samples/bookinfo/kube/istio-rbac-namespace.yaml
```
The policy does the following:
* Creates a ServiceRole "service-viewer" which allows read access to any services in "default" namespace.
* Creates a ServiceRole "service-viewer" which allows read access to any service in "default" namespace that has "app" label
set to one of the values in ["productpage", "details", "reviews", "ratings"]. Note that there is a "constraint" specifying that
the services must have one of the listed "app" labels.
```bash
apiVersion: "config.istio.io/v1alpha2"
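Review bot: the fence opened by ```bash at the end of this hunk (and the other ServiceRole and ServiceRoleBinding fences in this file) contains YAML, not shell; tag it ```yaml so it highlights correctly and cannot be mistaken for a command to run. The rewritten bullet also states the same condition twice, once as "that has "app" label set to one of the values in [...]" and again as "Note that there is a "constraint" specifying that the services must have one of the listed "app" labels."; keep one form.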
@ -103,6 +110,9 @@ The policy does the following:
rules:
- services: ["*"]
methods: ["GET"]
constraints:
- key: "app"
values: ["productpage", "details", "reviews", "ratings"]
```
* Creates a ServiceRoleBinding that assign the "service-viewer" role to all services in "istio-system" and "default" namespaces.
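Review bot: the constraint `key: "app"` can only match if the requestcontext's action properties carry an "app" property (the concept page makes the same point for "version"), and the requestcontext hunk in the first file shows only `service` and `namespace` on the subject side; the task should tell readers where "app" is populated from, otherwise a role constrained on "app" appears to match nothing. Grammar in the next bullet: "a ServiceRoleBinding that assign" should be "that assigns".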
@ -174,11 +184,11 @@ The policy does the following:
namespace: default
spec:
rules:
- services: ["productpage.default.svc.cluster.local"]
- services: ["productpage"]
methods: ["GET"]
```
* Creates a ServiceRoleBinding "bind-productpager-viewer" which assigns "productpage-viewer" role to services from "istio-system" namespace.
* Creates a ServiceRoleBinding "bind-productpager-viewer" which assigns "productpage-viewer" role to all users/services.
```bash
apiVersion: "config.istio.io/v1alpha2"
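Review bot: changing the subject from services in the "istio-system" namespace to `user: "*"` widens the grant from the ingress namespace to every caller, which cuts against the namespace-level restriction the previous step just set up; the bullet should say why "productpage" needs the broader grant (it is the entry point reached through ingress) and name the trade-off. "bind-productpager-viewer" also looks like a typo for "bind-productpage-viewer"; if the sample file really uses that name, keep it, otherwise fix both the bullet and the YAML.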
@ -188,8 +198,7 @@ The policy does the following:
namespace: default
spec:
subjects:
- properties:
namespace: "istio-system"
- user: "*"
roleRef:
kind: ServiceRole
name: "productpage-viewer"
@ -214,10 +223,7 @@ kubectl apply -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml
```
The policy does the following:
* Creates a ServiceRole "details-reviews-viewer" which allows
* Read access to "details" service, and
* Read access to "reviews" services at versions "v2" and "v3". Note that there is a "constraint" specifying that "version" must be
"v2" or "v3".
* Creates a ServiceRole "details-reviews-viewer" which allows read access to "details" and "reviews" services.
```bash
apiVersion: "config.istio.io/v1alpha2"
@ -227,13 +233,8 @@ The policy does the following:
namespace: default
spec:
rules:
- services: ["details.default.svc.cluster.local"]
- services: ["details", "reviews"]
methods: ["GET"]
- services: ["reviews.default.svc.cluster.local"]
methods: ["GET"]
constraints:
- key: "version"
values: ["v2", "v3"]
```
* Creates a ServiceRoleBinding "bind-details-reviews" which assigns "details-reviews-viewer" role to service
@ -255,30 +256,12 @@ account "cluster.local/ns/default/sa/bookinfo-productpage" (representing the "pr
Point your browser at the Bookinfo `productpage` (http://$GATEWAY_URL/productpage). Now you should see "Bookinfo Sample"
page with "Book Details" on the lower left part, and "Book Reviews" on the lower right part. However, in "Book Reviews" section,
you see one of the following two errors:
1. `"Error featching product reviews"`. This is because "productpage" service is only allowed to access "reviews" service with versions
"v2" or "v3". The error occurs when "productpage" service is routed to "reviews" service at version "v1".
2. "Book Reviews" section is shown on the lower right part of the page. But there is an error `"Ratings service currently unavailable"`. This
is because "reviews" service does not have permission to access "ratings" service.
there is an error `"Ratings service currently unavailable"`. This is because "reviews" service does not have permission to access
"ratings" service. To fix this issue, you need to grant "reviews" service read access to "ratings" service.
We will show how to do that in the next step.
> Note: There may be delay due to caching on browser and Istio proxy.
To fix the first error, you need to remove the "version" constraint, so that the "details-reviews-viewer" role look like the following:
```bash
apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRole
metadata:
name: details-reviews-viewer
namespace: default
spec:
rules:
- services: ["details.default.svc.cluster.local"]
methods: ["GET"]
- services: ["reviews.default.svc.cluster.local"]
methods: ["GET"]
```
To fix the second issue, you need to grant "reviews" service read access to "ratings" service. We will show how to do that in the next step.
### Step 3. allowing "reviews" service to access "ratings" service
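Review bot: the retained note "There may be delay due to caching on browser and Istio proxy." should cite the figure the reader configured a few steps earlier, since istio-rbac-enable.yaml now sets `cache_duration: "30s"` and a proxy may keep serving a stale allow or deny for up to 30 seconds; saying so turns a vague warning into a concrete expectation. Grammar: "There may be delay" should be "There may be a delay", and the new paragraph starting "there is an error" continues the unchanged sentence "However, in "Book Reviews" section," so check that the joined sentence still reads cleanly.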
@ -303,7 +286,7 @@ The policy does the following:
namespace: default
spec:
rules:
- services: ["ratings.default.svc.cluster.local"]
- services: ["ratings"]
methods: ["GET"]
```