Delete "basic access control" and "secure access control" pages. (#1780)

* Delete "basic access control" and "secure access control" pages. These pages were there before Istio RBAC was introduced. We should remove them now to avoid confusion. * Added aliases for deleted pages.
2018-07-12 15:58:43 -07:00 · 2018-07-12 15:58:43 -07:00 · 81cd374bc7
parent 16aa14e376
commit 81cd374bc7
3 changed files with 2 additions and 312 deletions
--- a/content/docs/tasks/security/_index.md
+++ b/content/docs/tasks/security/_index.md
@ -5,4 +5,6 @@ weight: 19
 type: section-index
 aliases:
    - /docs/tasks/istio-auth.html
+    - /docs/tasks/security/basic-access-control/index.html
+    - /docs/tasks/security/secure-access-control/index.html
 ---
--- a/content/docs/tasks/security/basic-access-control/index.md
+++ b/content/docs/tasks/security/basic-access-control/index.md
@ -1,216 +0,0 @@
---
-title: Basic Access Control
-description: Shows how to control access to a service using the Kubernetes labels.
-weight: 20
-keywords: [security,access-control]
-aliases:
-    - /docs/tasks/basic-access-control.html
---
-
-This task shows how to control access to a service using the Kubernetes labels.
-
-## Before you begin
-
-* Set up Istio on Kubernetes by following the instructions in the
-  [Installation guide](/docs/setup/kubernetes/).
-
-* Deploy the [Bookinfo](/docs/examples/bookinfo/) sample application.
-
-* The Bookinfo sample deploys multiple versions of each microservice, so you will start by creating destination rules
-that define the service subsets corresponding to each version.
-
-    {{< text bash >}}
-    $ istioctl create -f @samples/bookinfo/networking/destination-rule-all.yaml@
-    {{< /text >}}
-
-    If you enabled mutual TLS, please run the following instead
-
-    {{< text bash >}}
-    $ istioctl create -f @samples/bookinfo/networking/destination-rule-all-mtls.yaml@
-    {{< /text >}}
-
-    You can display the destination rules with the following command:
-
-    {{< text bash >}}
-    $ istioctl get destinationrules -o yaml
-    {{< /text >}}
-
-    Since the subset references in virtual services rely on the destination rules,
-    wait a few seconds for destination rules to propagate before adding virtual services that refer to these subsets.
-
-* Initialize the application version routing to direct `reviews` service requests from
-  test user "jason" to version v2 and requests from any other user to v3.
-
-    {{< text bash >}}
-    $ istioctl create -f @samples/bookinfo/networking/virtual-service-all-v1.yaml@
-    {{< /text >}}
-
-    and then run the following command:
-
-    {{< text bash >}}
-    $ istioctl replace -f @samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml@
-    {{< /text >}}
-
-    > If you have conflicting rules that you set in previous tasks,
-    > use `istioctl replace` instead of `istioctl create`.
-    >
-    > If you are using a namespace other than `default`,
-    > use `istioctl -n namespace ...` to specify the namespace.
-
-## Access control using _denials_
-
-Using Istio you can control access to a service based on any attributes that are available within Mixer.
-This simple form of access control is based on conditionally denying requests using Mixer selectors.
-
-Consider the [Bookinfo](/docs/examples/bookinfo/) sample application where the `ratings` service is accessed by multiple versions
-of the `reviews` service. We would like to cut off access to version `v3` of the `reviews` service.
-
-1.  Point your browser at the Bookinfo `productpage` (http://$GATEWAY_URL/productpage).
-
-    If you log in as user "jason", you should see black rating stars with each review,
-    indicating that the `ratings` service is being called by the "v2" version of the `reviews` service.
-
-    If you log in as any other user (or logout) you should see red rating stars with each review,
-    indicating that the `ratings` service is being called by the "v3" version of the `reviews` service.
-
-1.  Explicitly deny access to version `v3` of the `reviews` service.
-
-    Run the following command to set up the deny rule along with a handler and an instance.
-
-    {{< text bash >}}
-    $ istioctl create -f @samples/bookinfo/policy/mixer-rule-deny-label.yaml@
-    Created config denier/default/denyreviewsv3handler at revision 2882105
-    Created config checknothing/default/denyreviewsv3request at revision 2882106
-    Created config rule/default/denyreviewsv3 at revision 2882107
-    {{< /text >}}
-
-    Notice the following in the `denyreviewsv3` rule:
-
-    {{< text plain >}}
-    match: destination.labels["app"] == "ratings" && source.labels["app"]=="reviews" && source.labels["version"] == "v3"
-    {{< /text >}}
-
-    It matches requests coming from the service `reviews` with label `v3` to the service `ratings`.
-
-    This rule uses the `denier` adapter to deny requests coming from version `v3` of the reviews service.
-    The adapter always denies requests with a preconfigured status code and message.
-    The status code and the message is specified in the [denier](/docs/reference/config/policy-and-telemetry/adapters/denier/)
-    adapter configuration.
-
-1.  Refresh the `productpage` in your browser.
-
-    If you are logged out or logged in as any user other than "jason" you will no longer see red ratings stars because
-    the `reviews:v3` service has been denied access to the `ratings` service.
-    In contrast, if you log in as user "jason" (the `reviews:v2` user) you continue to see
-    the black ratings stars.
-
-## Access control using _whitelists_
-
-Istio also supports attribute-based whitelists and blacklists. The following whitelist configuration is equivalent to the
-`denier` configuration in the previous section. The rule effectively rejects requests from version `v3` of the `reviews` service.
-
-1.  Remove the denier configuration that you added in the previous section.
-
-    {{< text bash >}}
-    $ istioctl delete -f @samples/bookinfo/policy/mixer-rule-deny-label.yaml@
-    {{< /text >}}
-
-1. Verify that when you access the Bookinfo `productpage` (http://$GATEWAY_URL/productpage) without logging in, you see red stars.
-   After performing the following steps you will no longer be able to see stars unless you are logged in as "jason".
-
-1.  Create configuration for the [`list`](/docs/reference/config/policy-and-telemetry/adapters/list/)
-    adapter that lists versions `v1, v2`.
-    Save the following YAML snippet as `whitelist-handler.yaml`:
-
-    {{< text yaml >}}
-    apiVersion: config.istio.io/v1alpha2
-    kind: listchecker
-    metadata:
-      name: whitelist
-    spec:
-      # providerUrl: ordinarily black and white lists are maintained
-      # externally and fetched asynchronously using the providerUrl.
-      overrides: ["v1", "v2"]  # overrides provide a static list
-      blacklist: false
-    {{< /text >}}
-
-    and then run the following command:
-
-    {{< text bash >}}
-    $ istioctl create -f whitelist-handler.yaml
-    {{< /text >}}
-
-1.  Extract the version label by creating an instance of the [`listentry`](/docs/reference/config/policy-and-telemetry/templates/listentry/) template.
-Save the following YAML snippet as `appversion-instance.yaml`:
-
-    {{< text yaml >}}
-    apiVersion: config.istio.io/v1alpha2
-    kind: listentry
-    metadata:
-      name: appversion
-    spec:
-      value: source.labels["version"]
-    {{< /text >}}
-
-    and then run the following command:
-
-    {{< text bash >}}
-    $ istioctl create -f appversion-instance.yaml
-    {{< /text >}}
-
-1.  Enable `whitelist` checking for the ratings service.
-Save the following YAML snippet as `checkversion-rule.yaml`:
-
-    {{< text yaml >}}
-    apiVersion: config.istio.io/v1alpha2
-    kind: rule
-    metadata:
-      name: checkversion
-    spec:
-      match: destination.labels["app"] == "ratings"
-      actions:
-      - handler: whitelist.listchecker
-        instances:
-        - appversion.listentry
-    {{< /text >}}
-
-    and then run the following command:
-
-    {{< text bash >}}
-    $ istioctl create -f checkversion-rule.yaml
-    {{< /text >}}
-
-1. Verify that when you access the Bookinfo `productpage` (http://$GATEWAY_URL/productpage) without logging in, you see **no** stars.
-Verify that after logging in as "jason" you see black stars.
-
-## Cleanup
-
-*   Remove the mixer configuration:
-
-    {{< text bash >}}
-    $ istioctl delete -f checkversion-rule.yaml
-    $ istioctl delete -f appversion-instance.yaml
-    $ istioctl delete -f whitelist-handler.yaml
-    {{< /text >}}
-
-*   Remove the application routing rules:
-
-    {{< text bash >}}
-    $ istioctl delete -f @samples/bookinfo/networking/virtual-service-all-v1.yaml@
-    {{< /text >}}
-
-*   Remove the application destination rules:
-
-    {{< text bash >}}
-    $ istioctl delete -f @samples/bookinfo/networking/destination-rule-all.yaml@
-    {{< /text >}}
-
-    If you enabled mutual TLS, please run the following instead
-
-    {{< text bash >}}
-    $ istioctl delete -f @samples/bookinfo/networking/destination-rule-all-mtls.yaml@
-    {{< /text >}}
-
-* If you are not planning to explore any follow-on tasks, refer to the
-  [Bookinfo cleanup](/docs/examples/bookinfo/#cleanup) instructions
-  to shutdown the application.
--- a/content/docs/tasks/security/secure-access-control/index.md
+++ b/content/docs/tasks/security/secure-access-control/index.md
@ -1,96 +0,0 @@
---
-title: Secure Access Control
-description: Shows how to securely control access to a service using service accounts.
-weight: 30
-keywords: [security,access-control]
---
-
-This task shows how to securely control access to a service,
-using the service accounts provided by Istio authentication.
-
-When Istio mutual TLS authentication is enabled, the server authenticates the client according to its certificate, and obtains the client's
-service account from the certificate. The service account is in the `source.user` attribute.
-For the format of the service account in Istio, please refer to the
-[Istio auth identity](/docs/concepts/security/#identity).
-
-## Before you begin
-
-* Set up Istio on auth-enabled Kubernetes by following the instructions in the
-  [quick start](/docs/setup/kubernetes/quick-start/).
-  Note that authentication should be enabled at step 5 in the
-  [installation steps](/docs/setup/kubernetes/quick-start/#installation-steps).
-
-* Deploy the [Bookinfo](/docs/examples/bookinfo/) sample application.
-
-*   Run the following command to create service account `bookinfo-productpage`,
-    and redeploy the service `productpage` with the service account.
-
-    {{< text bash >}}
-    $ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/bookinfo-add-serviceaccount.yaml@)
-    serviceaccount "bookinfo-productpage" created
-    deployment.extensions "productpage-v1" configured
-    serviceaccount "bookinfo-reviews" created
-    deployment.extensions "reviews-v2" configured
-    deployment.extensions "reviews-v3" configured
-    {{< /text >}}
-
-> If you are using a namespace other than `default`,
-use `$ istioctl -n namespace ...` to specify the namespace.
-
-## Access control using _denials_
-
-In the [Bookinfo](/docs/examples/bookinfo/) sample application, the `productpage` service is accessing
-both the `reviews` service and the `details` service. We would like the `details` service to deny the requests from
-the `productpage` service.
-
-1.  Point your browser at the Bookinfo `productpage` (http://$GATEWAY_URL/productpage).
-
-    You should see the "Book Details" section in the lower left part of the page, including type, pages, publisher, etc.
-    The `productpage` service obtains the "Book Details" information from the `details` service.
-
-1.  Explicitly deny the requests from `productpage` to `details`.
-
-    Run the following command to set up the deny rule along with a handler and an instance.
-
-    {{< text bash >}}
-    $ istioctl create -f @samples/bookinfo/policy/mixer-rule-deny-serviceaccount.yaml@
-    Created config denier/default/denyproductpagehandler at revision 2877836
-    Created config checknothing/default/denyproductpagerequest at revision 2877837
-    Created config rule/default/denyproductpage at revision 2877838
-    {{< /text >}}
-
-    Notice the following in the `denyproductpage` rule:
-
-    {{< text plain >}}
-    match: destination.labels["app"] == "details" && source.user == "cluster.local/ns/default/sa/bookinfo-productpage"
-    {{< /text >}}
-
-    It matches requests coming from the service account
-    "_cluster.local/ns/default/sa/bookinfo-productpage_" on the `details` service.
-
-    > If you are using a namespace other than `default`, replace the `default` with your namespace in the value of `source.user`.
-
-    This rule uses the `denier` adapter to deny these requests.
-    The adapter always denies requests with a preconfigured status code and message.
-    The status code and message are specified in the [denier](/docs/reference/config/policy-and-telemetry/adapters/denier/)
-    adapter configuration.
-
-1.  Refresh the `productpage` in your browser.
-
-    You will see the message
-
-    "_Error fetching product details! Sorry, product details are currently unavailable for this book._"
-
-    in the lower left section of the page. This validates that the access from `productpage` to `details` is denied.
-
-## Cleanup
-
-*   Remove the mixer configuration:
-
-    {{< text bash >}}
-    $ istioctl delete -f @samples/bookinfo/policy/mixer-rule-deny-serviceaccount.yaml@
-    {{< /text >}}
-
-* If you are not planning to explore any follow-on tasks, refer to the
-  [Bookinfo cleanup](/docs/examples/bookinfo/#cleanup) instructions
-  to shutdown the application.