diff --git a/content/en/about/faq/metrics-and-logs/mixer-migration.md b/content/en/about/faq/metrics-and-logs/mixer-migration.md index 97c05c651b..6b3a3cfdab 100644 --- a/content/en/about/faq/metrics-and-logs/mixer-migration.md +++ b/content/en/about/faq/metrics-and-logs/mixer-migration.md @@ -11,6 +11,6 @@ For built-in adapters, several alternatives are provided: * `Prometheus` and `Stackdriver` integrations are implemented as [proxy extensions](/docs/reference/config/proxy_extensions/). Customization of telemetry generated by these two extensions can be achieved via [request classification](/docs/tasks/observability/metrics/classify-metrics/) and [Prometheus metrics customization](/docs/tasks/observability/metrics/customize-metrics/).. * Global and Local Rate-Limiting (`memquota` and `redisquota` adapters) functionality is provided through the [Envoy-based rate-limiting solution](/docs/tasks/policy-enforcement/rate-limit/). -* `OPA` adapter is replaced by the [Envoy ext-authz based solution](/docs/tasks/security/authorization/authz-custom/), which supports [integration with OPA policy agent](https://www.openpolicyagent.org/docs/latest/envoy-authorization/). +* `OPA` adapter is replaced by the [Envoy ext-authz based solution](/docs/tasks/security/authorization/authz-custom/), which supports [integration with OPA policy agent](https://www.openpolicyagent.org/docs/latest/envoy-introduction/). For custom out-of-process adapters, migration to Wasm-based extensions is strongly encouraged. Please refer to the guides on [Wasm module development](https://github.com/istio-ecosystem/wasm-extensions/blob/master/doc/write-a-wasm-extension-with-cpp.md) and [extension distribution](/docs/ops/configuration/extensibility/wasm-module-distribution/). As a temporary solution, you can [enable Envoy ext-authz and gRPC access log API support in Mixer](https://github.com/istio/istio/wiki/Enabling-Envoy-Authorization-Service-and-gRPC-Access-Log-Service-With-Mixer), which allows you to upgrade Istio to post 1.7 versions while still using 1.7 Mixer with out-of-process adapters. This will give you more time to migrate to Wasm-based extensions. Note this temporary solution is not battle-tested and will unlikely get patch fixes, since it is only available on the Istio 1.7 branch which is out of support window after Feb 2021. diff --git a/content/en/blog/2021/better-external-authz/index.md b/content/en/blog/2021/better-external-authz/index.md index 9448c606b1..8289a4a412 100644 --- a/content/en/blog/2021/better-external-authz/index.md +++ b/content/en/blog/2021/better-external-authz/index.md @@ -19,7 +19,7 @@ cannot be supported with this model, for example: - You have your own in-house authorization system that cannot be easily migrated to, or cannot be easily replaced by, the authorization policy. -- You want to integrate with a 3rd-party solution (e.g. [Open Policy Agent](https://www.openpolicyagent.org/docs/latest/envoy-authorization/) +- You want to integrate with a 3rd-party solution (e.g. [Open Policy Agent](https://www.openpolicyagent.org/docs/latest/envoy-introduction/) or [`oauth2` proxy](https://github.com/oauth2-proxy/oauth2-proxy)) which may require use of the [low-level Envoy configuration APIs](/docs/reference/config/networking/envoy-filter/) in Istio, or may not be possible at all. diff --git a/content/en/docs/tasks/security/authorization/authz-custom/index.md b/content/en/docs/tasks/security/authorization/authz-custom/index.md index 6a4d8c3dc2..6b57043b8a 100644 --- a/content/en/docs/tasks/security/authorization/authz-custom/index.md +++ b/content/en/docs/tasks/security/authorization/authz-custom/index.md @@ -8,7 +8,7 @@ test: yes --- This task shows you how to set up an Istio authorization policy using a new experimental value for the [action field](/docs/reference/config/security/authorization-policy/#AuthorizationPolicy-Action), `CUSTOM`, -to delegate the access control to an external authorization system. This can be used to integrate with [OPA authorization](https://www.openpolicyagent.org/docs/latest/envoy-authorization/), +to delegate the access control to an external authorization system. This can be used to integrate with [OPA authorization](https://www.openpolicyagent.org/docs/latest/envoy-introduction/), [`oauth2-proxy`](https://github.com/oauth2-proxy/oauth2-proxy), your own custom external authorization server and more. {{< boilerplate experimental-feature-warning >}}