mirror of https://github.com/istio/istio.io.git
parent
a58be77595
commit
afea7b3c06
@ -444,18 +444,23 @@ mutual TLS implementations.
The `origins:` section defines authentication methods and associated parameters
supported for origin authentication. Istio only supports JWT origin
authentication. However, a policy can list multiple JWTs by different issuers.
authentication. You can specify allowed JWT issuers, and enable or disable JWT authentication for a
specific path. If all JWTs are disabled for a request path, authentication also passes as if there is
none defined.
Similar to peer authentication, only one of the listed methods must be
satisfied for the authentication to pass.

The following example policy specifies an `origins:` section for origin
authentication that accepts JWTs issued by Google:
The following example policy specifies an `origins:` section for origin authentication that accepts
JWTs issued by Google. JWT authentication for path `/health` is disabled.

{{< text yaml >}}
origins:
- jwt:
issuer: "https://accounts.google.com"
jwksUri: "https://www.googleapis.com/oauth2/v3/certs"
trigger_rules:
- excluded_paths:
- exact: /health
{{< /text >}}

#### Principal binding

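Review bot: the new sentence "If all JWTs are disabled for a request path, authentication also passes as if there is none defined" describes fail-open behaviour and should be spelled out for the reader: a request to an excluded path is admitted with no authenticated origin principal, so any authorization rule that depends on the JWT identity or claims will not see one on that path. Suggest adding a sentence to that effect after "none defined." and, in the `/health` example, noting that `exact: /health` exempts only that exact path. Also, the removed sentence "a policy can list multiple JWTs by different issuers" carried information the new text only implies ("You can specify allowed JWT issuers"); consider keeping it explicitly.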
@ -570,6 +570,96 @@ $ for i in `seq 1 10`; do curl --header "Authorization: Bearer $TOKEN" $INGRESS_
401
{{< /text >}}

### End-user authentication with per-path requirements

End-user authentication can be enabled or disabled based on request path. This is useful if you want to
disable authentication for some paths, for example, the path used for health check or status report.
You can also specify different JWT requirements on different paths.

#### Disable End-user authentication for specific paths

Modify the `jwt-example` policy to disable End-user authentication for path `/user-agent`:

{{< text bash >}}
$ cat <<EOF | kubectl apply -n foo -f -
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: "jwt-example"
spec:
targets:
- name: httpbin
origins:
- jwt:
issuer: "testing@secure.istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json"
trigger_rules:
- excluded_paths:
- exact: /user-agent
principalBinding: USE_ORIGIN
EOF
{{< /text >}}

Confirm it's allowed to access the path `/user-agent` without JWT tokens:

{{< text bash >}}
$ curl $INGRESS_HOST/user-agent -s -o /dev/null -w "%{http_code}\n"
200
{{< /text >}}

Confirm it's denied to access paths other than `/user-agent` without JWT tokens:

{{< text bash >}}
$ curl $INGRESS_HOST/headers -s -o /dev/null -w "%{http_code}\n"
401
{{< /text >}}

#### Enable End-user authentication for specific paths

Modify the `jwt-example` policy to enable End-user authentication only for path `/ip`:

{{< text bash >}}
$ cat <<EOF | kubectl apply -n foo -f -
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: "jwt-example"
spec:
targets:
- name: httpbin
origins:
- jwt:
issuer: "testing@secure.istio.io"
jwksUri: "{{< github_file >}}/security/tools/jwt/samples/jwks.json"
trigger_rules:
- included_paths:
- exact: /ip
principalBinding: USE_ORIGIN
EOF
{{< /text >}}

Confirm it's allowed to access paths other than `/ip` without JWT tokens:

{{< text bash >}}
$ curl $INGRESS_HOST/user-agent -s -o /dev/null -w "%{http_code}\n"
200
{{< /text >}}

Confirm it's denied to access the path `/ip` without JWT tokens:

{{< text bash >}}
$ curl $INGRESS_HOST/ip -s -o /dev/null -w "%{http_code}\n"
401
{{< /text >}}

Confirm it's allowed to access the path `/ip` with a valid JWT token:

{{< text bash >}}
$ TOKEN=$(curl {{< github_file >}}/security/tools/jwt/samples/demo.jwt -s)
$ curl --header "Authorization: Bearer $TOKEN" $INGRESS_HOST/ip -s -o /dev/null -w "%{http_code}\n"
200
{{< /text >}}

### End-user authentication with mutual TLS

End-user authentication and mutual TLS can be used together. Modify the policy above to define both mutual TLS and end-user JWT authentication:
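Review bot: the two `jwt-example` policies fetch the JWKS from different places: the first hard-codes `https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json` while the second uses `{{< github_file >}}/security/tools/jwt/samples/jwks.json`; use the shortcode in both so the key set is pinned to the documented release rather than to `master`. Second, the `included_paths` example turns off JWT validation for every path except `/ip`; the `curl $INGRESS_HOST/user-agent` returning `200` shows this, but the prose under "Enable End-user authentication for specific paths" does not say it, so add a sentence stating that once `included_paths` is set, all unlisted paths are accepted without a token. Minor wording: "Confirm it's allowed to access ..." / "Confirm it's denied to access ..." read better as "Confirm that `/user-agent` can be accessed without a JWT" and "Confirm that other paths are denied without a JWT".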