zh-translation:zh\docs\tasks\security\authentication (#10542)

* zh-translationzh\docs\tasks\security\authentication * Update index.md * fix: correct symbols to fix lint errors * new change * Update content/zh/docs/tasks/security/authentication/jwt-route/index.md Co-authored-by: Kebe <mail@kebe7jun.com> * Update content/zh/docs/tasks/security/authentication/jwt-route/index.md Co-authored-by: Kebe <mail@kebe7jun.com> * Update content/zh/docs/tasks/security/authentication/jwt-route/index.md Co-authored-by: Kebe <mail@kebe7jun.com> Co-authored-by: Xunzhuo <mixdeers@gmail.com> Co-authored-by: Kebe <mail@kebe7jun.com>
2021-11-30 16:48:02 +08:00 · 2021-11-30 16:48:02 +08:00 · f5859fe55d
parent bf8f94dc29
commit f5859fe55d
3 changed files with 369 additions and 0 deletions
--- a/content/zh/docs/tasks/security/authentication/jwt-route/index.md
+++ b/content/zh/docs/tasks/security/authentication/jwt-route/index.md
@ -0,0 +1,172 @@
+---
+title: 基于 JWT 声明的路由
+description: 演示如何使用基于 JWT 声明路由请求的 Istio 身份验证策略。
+weight: 10
+keywords: [security,authentication,jwt,route]
+owner: istio/wg-security-maintainers
+test: yes
+status: Experimental
+---
+
+本任务向您展示如何实现基于 Istio 入口网关上的 JWT 声明路由请求，来使用请求身份认证
+和虚拟服务。
+
+注意：该特性只支持 Istio 入口网关，并且需要使用请求身份验证和虚拟
+服务来根据 JWT 声明进行正确的验证和路由。
+
+{{< boilerplate experimental-feature-warning >}}
+
+## 开始之前{#before-you-begin}
+
+* 理解 Istio [身份认证策略](/zh/docs/concepts/security/#authentication-policies)和[虚拟服务](/zh/docs/concepts/traffic-management/#virtual-services)相关概念。
+
+* 使用 [Istio 安装指南](/zh/docs/setup/install/istioctl/)安装 Istio 。
+
+* 在 `foo` 命名空间中，部署一个 `httpbin` 工作负载 ，
+并通过 Istio 入口网关使用以下命令暴露它：
+
+    {{< text bash >}}
+    $ kubectl create ns foo
+    $ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n foo
+    $ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin-gateway.yaml@) -n foo
+    {{< /text >}}
+
+*  按照
+   [确定入口的 IP 和端口](/zh/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports)
+   使用说明来定义 `INGRESS_HOST` 和 `INGRESS_PORT` 环境变量。
+
+* 使用下面的命令验证 `httpbin` 工作负载和入口网关是否按照预期正常工作：
+
+    {{< text bash >}}
+    $ curl "$INGRESS_HOST:$INGRESS_PORT"/headers -s -o /dev/null -w "%{http_code}\n"
+    200
+    {{< /text >}}
+
+{{< warning >}}
+如果您没有看到预期的输出，请在几秒钟后重试。因为缓存和传输的开销会导致延迟。
+{{< /warning >}}
+
+## 基于 JWT 声明配置入站路由{#configuring-ingress-routing-based-on-JWT-claims}
+
+Istio 入口网关支持基于经过身份验证的 JWT 的路由，这对于基于最终用户身份的路由非常有用，并且比使用未经身份验证的 HTTP 属性（例如：路径或消息头）更安全。
+
+1. 为了基于 JWT 声明进行路由，首先创建请求身份验证以启用 JWT 验证：
+
+    {{< text bash >}}
+    $ kubectl apply -f - <<EOF
+    apiVersion: security.istio.io/v1beta1
+    kind: RequestAuthentication
+    metadata:
+      name: ingress-jwt
+      namespace: istio-system
+    spec:
+      selector:
+        matchLabels:
+          istio: ingressgateway
+      jwtRules:
+      - issuer: "testing@secure.istio.io"
+        jwksUri: "{{< github_file >}}/security/tools/jwt/samples/jwks.json"
+    EOF
+    {{< /text >}}
+
+    这个请求身份验证将在 Istio 网关上启用 JWT 校验，以便验证过的 JWT 声明稍后可以在虚拟服务中用于路由功能。
+
+    这个请求身份验证只应用于入口网关，因为基于路由的 JWT 声明仅在入口网关上得到支持。
+
+    注意：请求身份验证将只检查请求中是否存在 JWT。要使 JWT 成为必要条件，如果请求中不包含 JWT 的时候就拒绝请求，请应用[任务](/zh/docs/tasks/security/authentication/authn-policy#require-a-valid-token)中指定的授权策略。
+
+1. 根据经过验证的 JWT 声明将虚拟服务更新到路由：
+
+    {{< text bash >}}
+    $ kubectl apply -f - <<EOF
+    apiVersion: networking.istio.io/v1alpha3
+    kind: VirtualService
+    metadata:
+      name: httpbin
+      namespace: foo
+    spec:
+      hosts:
+      - "*"
+      gateways:
+      - httpbin-gateway
+      http:
+      - match:
+        - uri:
+            prefix: /headers
+          headers:
+            "@request.auth.claims.groups":
+              exact: group1
+        route:
+        - destination:
+            port:
+              number: 8000
+            host: httpbin
+    EOF
+    {{< /text >}}
+
+    虚拟服务使用保留的消息头 `"@request.auth.claims.groups"` 来匹配 JWT 声明中的 `groups` 。
+    前缀的 `@` 表示它与来自 JWT 验证的元数据匹配，而不是与 HTTP 消息头匹配。
+    JWT 支持字符串类型的声明、字符串列表和嵌套声明。使用 `.` 作为嵌套声明名称的分隔符。
+    例如， `"@request.auth.claims.name.givenName"` 匹配嵌套声明 `name` 和 `givenName` 。 当前不支持使用 `.` 字符作为声明名称。
+
+## 基于 JWT 声明验证入口路由{#validating-ingress-routing-based-on-JWT-claims}
+
+1. 验证入口网关返回没有 JWT 的 HTTP 404 代码：
+
+    {{< text bash >}}
+    $ curl -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers"
+    HTTP/1.1 404 Not Found
+    ...
+    {{< /text >}}
+
+    您还可以创建授权策略，以便在缺少 JWT 时使用 HTTP 403 代码显式拒绝请求。
+
+1. 验证入口网关返回带有无效 JWT 的 HTTP 401 代码：
+
+    {{< text bash >}}
+    $ curl -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers" -H "Authorization: Bearer some.invalid.token"
+    HTTP/1.1 401 Unauthorized
+    ...
+    {{< /text >}}
+
+    401 是由请求身份验证返回的，因为 JWT 声明验证失败。
+
+1. 使用包含 `groups: group1` 声明的有效 JWT 令牌验证入口网关路由请求：
+
+    {{< text syntax="bash" expandlinks="false" >}}
+    $ TOKEN_GROUP=$(curl {{< github_file >}}/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode -
+    {"exp":3537391104,"groups":["group1","group2"],"iat":1537391104,"iss":"testing@secure.istio.io","scope":["scope1","scope2"],"sub":"testing@secure.istio.io"}
+    {{< /text >}}
+
+    {{< text bash >}}
+    $ curl -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers" -H "Authorization: Bearer $TOKEN_GROUP"
+    HTTP/1.1 200 OK
+    ...
+    {{< /text >}}
+
+1. 验证入口网关，返回了带有有效 JWT 的 HTTP 404 代码，但不包含 `groups: group1` 声明：
+
+    {{< text syntax="bash" expandlinks="false" >}}
+    $ TOKEN_NO_GROUP=$(curl {{< github_file >}}/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN_NO_GROUP" | cut -d '.' -f2 - | base64 --decode -
+    {"exp":4685989700,"foo":"bar","iat":1532389700,"iss":"testing@secure.istio.io","sub":"testing@secure.istio.io"}
+    {{< /text >}}
+
+    {{< text bash >}}
+    $ curl -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers" -H "Authorization: Bearer $TOKEN_NO_GROUP"
+    HTTP/1.1 404 Not Found
+    ...
+    {{< /text >}}
+
+## 清除{#cleanup}
+
+* 移除名称为 foo 的命名空间：
+
+    {{< text bash >}}
+    $ kubectl delete namespace foo
+    {{< /text >}}
+
+* 移除身份认证：
+
+    {{< text bash >}}
+    $ kubectl delete requestauthentication ingress-jwt -n istio-system
+    {{< /text >}}
--- a/content/zh/docs/tasks/security/authentication/jwt-route/snips.sh
+++ b/content/zh/docs/tasks/security/authentication/jwt-route/snips.sh
@ -0,0 +1,139 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155,SC2164
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+#          docs/tasks/security/authentication/jwt-route/index.md
+####################################################################################################
+
+snip_before_you_begin_1() {
+kubectl create ns foo
+kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin.yaml) -n foo
+kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin-gateway.yaml) -n foo
+}
+
+snip_before_you_begin_2() {
+curl "$INGRESS_HOST:$INGRESS_PORT"/headers -s -o /dev/null -w "%{http_code}\n"
+}
+
+! read -r -d '' snip_before_you_begin_2_out <<\ENDSNIP
+200
+ENDSNIP
+
+snip_configuring_ingress_routing_based_on_jwt_claims_1() {
+kubectl apply -f - <<EOF
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+  name: ingress-jwt
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      istio: ingressgateway
+  jwtRules:
+  - issuer: "testing@secure.istio.io"
+    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json"
+EOF
+}
+
+snip_configuring_ingress_routing_based_on_jwt_claims_2() {
+kubectl apply -f - <<EOF
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  hosts:
+  - "*"
+  gateways:
+  - httpbin-gateway
+  http:
+  - match:
+    - uri:
+        prefix: /headers
+      headers:
+        "@request.auth.claims.groups":
+          exact: group1
+    route:
+    - destination:
+        port:
+          number: 8000
+        host: httpbin
+EOF
+}
+
+snip_validating_ingress_routing_based_on_jwt_claims_1() {
+curl -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers"
+}
+
+! read -r -d '' snip_validating_ingress_routing_based_on_jwt_claims_1_out <<\ENDSNIP
+HTTP/1.1 404 Not Found
+...
+ENDSNIP
+
+snip_validating_ingress_routing_based_on_jwt_claims_2() {
+curl -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers" -H "Authorization: Bearer some.invalid.token"
+}
+
+! read -r -d '' snip_validating_ingress_routing_based_on_jwt_claims_2_out <<\ENDSNIP
+HTTP/1.1 401 Unauthorized
+...
+ENDSNIP
+
+snip_validating_ingress_routing_based_on_jwt_claims_3() {
+TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode -
+}
+
+! read -r -d '' snip_validating_ingress_routing_based_on_jwt_claims_3_out <<\ENDSNIP
+{"exp":3537391104,"groups":["group1","group2"],"iat":1537391104,"iss":"testing@secure.istio.io","scope":["scope1","scope2"],"sub":"testing@secure.istio.io"}
+ENDSNIP
+
+snip_validating_ingress_routing_based_on_jwt_claims_4() {
+curl -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers" -H "Authorization: Bearer $TOKEN_GROUP"
+}
+
+! read -r -d '' snip_validating_ingress_routing_based_on_jwt_claims_4_out <<\ENDSNIP
+HTTP/1.1 200 OK
+...
+ENDSNIP
+
+snip_validating_ingress_routing_based_on_jwt_claims_5() {
+TOKEN_NO_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN_NO_GROUP" | cut -d '.' -f2 - | base64 --decode -
+}
+
+! read -r -d '' snip_validating_ingress_routing_based_on_jwt_claims_5_out <<\ENDSNIP
+{"exp":4685989700,"foo":"bar","iat":1532389700,"iss":"testing@secure.istio.io","sub":"testing@secure.istio.io"}
+ENDSNIP
+
+snip_validating_ingress_routing_based_on_jwt_claims_6() {
+curl -s -I "http://$INGRESS_HOST:$INGRESS_PORT/headers" -H "Authorization: Bearer $TOKEN_NO_GROUP"
+}
+
+! read -r -d '' snip_validating_ingress_routing_based_on_jwt_claims_6_out <<\ENDSNIP
+HTTP/1.1 404 Not Found
+...
+ENDSNIP
+
+snip_cleanup_1() {
+kubectl delete namespace foo
+}
+
+snip_cleanup_2() {
+kubectl delete requestauthentication ingress-jwt -n istio-system
+}
--- a/content/zh/docs/tasks/security/authentication/jwt-route/test.sh
+++ b/content/zh/docs/tasks/security/authentication/jwt-route/test.sh
@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -u
+set -o pipefail
+
+# @setup profile=default
+
+# Set retries to a higher value because config update is slow.
+export VERIFY_TIMEOUT=300
+
+snip_before_you_begin_1
+
+_wait_for_deployment foo httpbin
+
+# Export the INGRESS_ environment variables
+_set_ingress_environment_variables
+
+_verify_same snip_before_you_begin_2 "$snip_before_you_begin_2_out"
+
+# Apply the request authentication and virtual service.
+snip_configuring_ingress_routing_based_on_jwt_claims_1
+snip_configuring_ingress_routing_based_on_jwt_claims_2
+
+_verify_elided snip_validating_ingress_routing_based_on_jwt_claims_1 "$snip_validating_ingress_routing_based_on_jwt_claims_1_out"
+_verify_elided snip_validating_ingress_routing_based_on_jwt_claims_2 "$snip_validating_ingress_routing_based_on_jwt_claims_2_out"
+
+# Pull the Istio branch from the docs configuration file.
+ISTIO_BRANCH=$(yq r "${REPO_ROOT}"/data/args.yml 'source_branch_name')
+
+TOKEN_GROUP_URL="https://raw.githubusercontent.com/istio/istio/${ISTIO_BRANCH}/security/tools/jwt/samples/groups-scope.jwt"
+export TOKEN_GROUP
+TOKEN_GROUP=$(curl "${TOKEN_GROUP_URL}" -s)
+_verify_elided snip_validating_ingress_routing_based_on_jwt_claims_4 "$snip_validating_ingress_routing_based_on_jwt_claims_4_out"
+
+TOKEN_NO_GROUP_URL="https://raw.githubusercontent.com/istio/istio/${ISTIO_BRANCH}/security/tools/jwt/samples/demo.jwt"
+export TOKEN_NO_GROUP
+TOKEN_NO_GROUP=$(curl "${TOKEN_NO_GROUP_URL}" -s)
+_verify_elided snip_validating_ingress_routing_based_on_jwt_claims_6 "$snip_validating_ingress_routing_based_on_jwt_claims_6_out"
+
+# @cleanup
+snip_cleanup_1
+snip_cleanup_2