istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.0/help/ops/security/debugging-authorization/index.html

139 lines
36 KiB
HTML
Raw Permalink Blame History

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Debugging Authorization"><meta name=description content="Demonstrates how to debug authorization."><meta name=keywords content="microservices,services,mesh,debug,security,authorization,RBAC"><meta property="og:title" content="Debugging Authorization"><meta property="og:type" content="website"><meta property="og:description" content="Demonstrates how to debug authorization."><meta property="og:url" content="/v1.0/help/ops/security/debugging-authorization/"><meta property="og:image" content="/v1.0/img/istio-logo-blue-background.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.0 / Debugging Authorization</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><script>var branchName="release-1.0";var docTitle="Debugging Authorization";</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.0/feed.xml><link rel="shortcut icon" href=/v1.0/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.0/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.0/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.0/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.0/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.0/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.0/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.0/favicons/android-96x196.png sizes=96x196><link rel=icon type=image/png href=/v1.0/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.0/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.0/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Chivo:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work Sans:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel=stylesheet href=https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css integrity=sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm crossorigin=anonymous><link rel=stylesheet href=https://use.fontawesome.com/releases/v5.0.6/css/all.css><link rel=stylesheet href=/v1.0/css/light_theme_archive.css title=light><link rel="alternate stylesheet" href=/v1.0/css/dark_theme_archive.css title=dark><script src=/v1.0/js/styleSwitcher.min.js></script></head><body class=language-unknown><header><nav class="navbar navbar-expand-md navbar-dark fixed-top bg-dark justify-content-between"><a class=navbar-brand href=/v1.0/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="150" stroke-width="2" /><polygon points="65,240 225,240 125,270"/><polygon points="65,230 125,220 125,110"/><polygon points="135,220 225,230 135,30"/></svg></span><span class=brand-name>Istioldie 1.0</span></a>
<button class=navbar-toggler type=button data-toggle=collapse data-target=#navbarCollapse aria-controls=navbarCollapse aria-expanded=false aria-label="Toggle navigation">
<span class=navbar-toggler-icon></span></button><div class="collapse navbar-collapse justify-content-end" id=navbarCollapse><ul id=navbar-links class="navbar-nav active"><li class=nav-item><a class=nav-link title="Learn how to deploy, use, and operate Istio." href=/v1.0/docs/>Docs</a></li><li class=nav-item><a class=nav-link title="Posts about using Istio." href=/v1.0/blog/2019/announcing-1.0.6/>Blog</a></li><li class=nav-item><a class="nav-link active" title="A bunch of resources to help you deploy, configure and use Istio." href=/v1.0/help/>Help</a></li><li class=nav-item><a class=nav-link title="Get a bit more in-depth info about the Istio project." href=/v1.0/about/>About</a></li><li class="nav-item dropdown" id=gearDropdown style=white-space:nowrap><a title="Options and Settings" href class=nav-link data-toggle=dropdown aria-label=Tools aria-haspopup=true aria-expanded=false><i style=width:1em class="fa fa-lg fa-cog"></i></a><div class="dropdown-menu dropdown-menu-right" aria-labelledby=gearDropdown><a class=dropdown-item id=light-theme-item href onclick="setActiveStyleSheet('light');return false;">Light Theme</a>
<a class=dropdown-item id=dark-theme-item href onclick="setActiveStyleSheet('dark');return false;">Dark Theme</a><div class=dropdown-divider></div><h6 class=dropdown-header>Other versions of this site</h6><a href=https://istio.io class=dropdown-item>Current Release</a>
<a href=https://preliminary.istio.io class=dropdown-item>Next Release</a>
<a href=https://archive.istio.io class=dropdown-item>Older Releases</a></div></li><li class=nav-item><a id=search_show class=nav-link href title="Search istio.io" aria-label=Search><i style=width:1em class="fa fa-lg fa-search"></i></a></li></ul><form name=cse id=search_form class="form-inline mr-sm-2" role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search_page_url value=/v1.0/search.html>
<input id=search_textbox class=form-control name=q type=text aria-label="Search this site">
<button id=search_close type=reset aria-label="Cancel Search"><i class="far fa-lg fa-times-circle"></i></button></form></div></nav></header><div class=container-fluid><div class="row row-offcanvas"><div class="col-0 col-md-3 col-xl-2 sidebar-offcanvas"><nav class="sidebar d-print-none"><div class=spacer></div><div class=directory role=tablist><div class=card><div class=card-header role=tab><div title="A bunch of resources to help you deploy, configure and use Istio."><img src=/v1.0/img/help.svg alt=Icon class=page_icon>
Need Help?</div></div><div role=tabpanel aria-labelledby=header0><div class=card-body><ul class=tree><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-down"></i><a title="Hints, tips, tricks about running an Istio mesh." href=/v1.0/help/ops/>Operations Guide</a></label><ul class=tree><li><a title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.0/help/ops/component-logging/>Component Logging</a></li><li><a title="Describes how to use ControlZ to get insight into individual running components." href=/v1.0/help/ops/controlz/>Component Introspection</a></li><li><a title="How to do low-level debugging of Istio components." href=/v1.0/help/ops/component-debugging/>Component Debugging</a></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Helps you manage the networking aspects of a running mesh." href=/v1.0/help/ops/traffic-management/>Traffic Management</a></label><ul class="tree collapse"><li><a title="Demonstrates how to debug Pilot and Envoy." href=/v1.0/help/ops/traffic-management/proxy-cmd/>Debugging Envoy and Pilot</a></li><li><a title="Provides specific deployment and configuration guidelines." href=/v1.0/help/ops/traffic-management/deploy-guidelines/>Deployment and Configuration Guidelines</a></li><li><a title="An introduction to Istio networking operational aspects." href=/v1.0/help/ops/traffic-management/introduction/>Introduction to Network Operations</a></li><li><a title="Describes tools and techniques to observe traffic management or issues related to traffic management." href=/v1.0/help/ops/traffic-management/observing/>Observing Traffic Management</a></li><li><a title="Describes tools and techniques that can be used to root cause networking issues." href=/v1.0/help/ops/traffic-management/troubleshooting/>Troubleshooting Networking Issues</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-down"></i><a title="Helps you manage the security aspects of a running mesh." href=/v1.0/help/ops/security/>Security</a></label><ul class=tree><li><span class=current title="Demonstrates how to debug authorization.">Debugging Authorization</span></li><li><a title="What to do if Citadel is not behaving properly." href=/v1.0/help/ops/security/repairing-citadel/>Repairing Citadel</a></li><li><a title="What to do if you suspect problems with Istio keys and certificates." href=/v1.0/help/ops/security/keys-and-certs/>Keys and Certificates</a></li><li><a title="What to do if mutual TLS authentication isn't working." href=/v1.0/help/ops/security/mutual-tls/>Mutual TLS</a></li><li><a title="How to get health checks working when mutual TLS is enabled." href=/v1.0/help/ops/security/health-checks-and-mtls/>Health Checks and Mutual TLS</a></li><li><a title="Authorization is enabled, but requests make it through anyway." href=/v1.0/help/ops/security/authorization-permissive/>Authorization Too Permissive</a></li><li><a title="Authorization is enabled and no requests make it through to the service." href=/v1.0/help/ops/security/authorization-restrictive/>Authorization Too Restrictive</a></li><li><a title="What to do if end-user authentication doesn't work." href=/v1.0/help/ops/security/end-user-auth/>End User Authentication</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.0/help/ops/telemetry/>Telemetry</a></label><ul class="tree collapse"><li><a href=/v1.0/help/ops/telemetry/missing-metrics/>Missing Metrics</a></li><li><a title="Dealing with Grafana issues." href=/v1.0/help/ops/telemetry/grafana/>Grafana</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Helps you diagnose and repair Istio installations." href=/v1.0/help/ops/setup/>Installation and Setup</a></label><ul class="tree collapse"><li><a title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.0/help/ops/setup/webhook/>Dynamic Admission Webhooks Overview</a></li><li><a title="Describes Istio's use of Kubernetes webhooks for server-side configuration validation." href=/v1.0/help/ops/setup/validation/>Configuration Validation Webhook</a></li><li><a title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.0/help/ops/setup/injection/>Sidecar Injection Webhook</a></li></ul></li><li><a title="Advice on tackling common problems with Istio." href=/v1.0/help/ops/misc/>Miscellaneous</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Frequently Asked Questions about Istio." href=/v1.0/help/faq/>FAQ</a></label><ul class="tree collapse"><li><a title="General Q & A." href=/v1.0/help/faq/general/>General</a></li><li><a title="Setup Q & A." href=/v1.0/help/faq/setup/>Setup</a></li><li><a title="Security Q & A." href=/v1.0/help/faq/security/>Security</a></li><li><a title="Mixer Q & A." href=/v1.0/help/faq/mixer/>Mixer</a></li><li><a title="Telemetry Q & A." href=/v1.0/help/faq/telemetry/>Telemetry</a></li><li><a title="Traffic Management Q & A." href=/v1.0/help/faq/traffic-management/>Traffic Management</a></li></ul></li><li><a title="A glossary of common Istio terms." href=/v1.0/help/glossary/>Glossary</a></li></ul></div></div></div></div></nav></div><div class="col-12 col-md-9 col-xl-8"><p class=d-md-none><label class=sidebar-toggler data-toggle=offcanvas><i class="fa fa-sign-out-alt"></i></label></p><main aria-labelledby=title><div class=pagenav><p><a href=/v1.0/help/ops/security/ title="Helps you manage the security aspects of a running mesh."><i style=transform:scaleX(-1) class="fa fa-level-up-alt"></i>&nbsp;Security</a></p></div><h1 id=title>Debugging Authorization</h1><nav class="toc-inlined d-xl-none d-print-none"><hr><div class=directory role=directory><nav id=InlinedTableOfContents><ul><li><a href=#ensure-authorization-is-enabled-correctly>Ensure Authorization is Enabled Correctly</a></li><li><a href=#ensure-pilot-accepts-the-policies>Ensure Pilot Accepts the Policies</a></li><li><a href=#ensure-pilot-distributes-policies-to-proxies-correctly>Ensure Pilot Distributes Policies to Proxies Correctly</a></li><li><a href=#ensure-proxies-enforce-policies-correctly>Ensure Proxies Enforce Policies Correctly</a></li><li><a href=#see-also>See also</a></li></ul></nav></div><hr></nav><p>This page demonstrates how to debug Istio authorization.</p><blockquote><p><img src=/v1.0/img/bulb.svg alt=Bulb title=Idea style=width:1.5rem;height:2.14rem;display:inline>
It would be very helpful to also include a cluster state archive in your email by following instructions in
<a href=/v1.0/about/bugs>reporting bugs</a>.</p></blockquote><h2 id=ensure-authorization-is-enabled-correctly>Ensure Authorization is Enabled Correctly</h2><p>The <code>rbacConfig</code> default cluster level singleton custom resource controls the authorization functionality globally.</p><ol><li><p>Run the following command to list existing <code>RbacConfig</code>:</p><pre><code class=language-command>$ kubectl get rbacconfigs.rbac.istio.io --all-namespaces</code></pre></li><li><p>Verify there is only <strong>one</strong> instance of <code>RbacConfig</code> with name <code>default</code>. Otherwise, Istio disables the
authorization functionality and ignores all policies.</p><pre><code class=language-plain>NAMESPACE NAME AGE
default default 1d</code></pre></li><li><p>If there is more than one <code>RbacConfig</code> instance, remove any additional <code>RbacConfig</code> instances and
ensure <strong>only one</strong> instance is named <code>default</code>.</p></li></ol><h2 id=ensure-pilot-accepts-the-policies>Ensure Pilot Accepts the Policies</h2><p>Pilot converts and distributes your authorization policies to the proxies. The following steps help
you ensure Pilot is working as expected:</p><ol><li><p>Run the following command to export the Pilot <code>ControlZ</code>:</p><pre><code class=language-command>$ kubectl port-forward $(kubectl -n istio-system get pods -l istio=pilot -o jsonpath=&#39;{.items[0].metadata.name}&#39;) -n istio-system 9876:9876</code></pre></li><li><p>Verify you see the following output:</p><pre><code class=language-plain>Forwarding from 127.0.0.1:9876 -&gt; 9876</code></pre></li><li><p>Start your browser and open the <code>ControlZ</code> page at <code>http://127.0.0.1:9876/scopez/</code>.</p></li><li><p>Change the <code>rbac</code> Output Level to <code>debug</code>.</p></li><li><p>Use <code>Ctrl+C</code> in the terminal you started in step 1 to stop the port-forward command.</p></li><li><p>Print the log of Pilot and search for <code>rbac</code> with the following command:</p><blockquote><p>Note: You probably need to first delete and then re-apply your authorization policies so that
the debug output is generated for these policies.</p></blockquote><pre><code class=language-command>$ kubectl logs $(kubectl -n istio-system get pods -l istio=pilot -o jsonpath=&#39;{.items[0].metadata.name}&#39;) -c discovery -n istio-system | grep rbac</code></pre></li><li><p>Check the output and verify:</p><ul><li>There are no errors.</li><li>There is a <code>"built filter config for ..."</code> message which means the filter is generated
for the target service.</li></ul></li><li><p>For example, you might see something similar to the following:</p><pre><code class=language-plain>2018-07-26T22:25:41.009838Z debug rbac building filter config for {sleep.foo.svc.cluster.local map[app:sleep pod-template-hash:3326367878] map[destination.name:sleep destination.namespace:foo destination.user:default]}
2018-07-26T22:25:41.009915Z info rbac no service role in namespace foo
2018-07-26T22:25:41.009957Z info rbac no service role binding in namespace foo
2018-07-26T22:25:41.010000Z debug rbac generated filter config: { }
2018-07-26T22:25:41.010114Z info rbac built filter config for sleep.foo.svc.cluster.local
2018-07-26T22:25:41.182400Z debug rbac building filter config for {productpage.default.svc.cluster.local map[pod-template-hash:2600844901 version:v1 app:productpage] map[destination.name:productpage destination.namespace:default destination.user:bookinfo-productpage]}
2018-07-26T22:25:41.183131Z debug rbac checking role app2-grpc-viewer
2018-07-26T22:25:41.183214Z debug rbac role skipped for no AccessRule matched
2018-07-26T22:25:41.183255Z debug rbac checking role productpage-viewer
2018-07-26T22:25:41.183281Z debug rbac matched AccessRule[0]
2018-07-26T22:25:41.183390Z debug rbac generated filter config: {policies:&lt;key:&#34;productpage-viewer&#34; value:&lt;permissions:&lt;and_rules:&lt;rules:&lt;or_rules:&lt;rules:&lt;header:&lt;name:&#34;:method&#34; exact_match:&#34;GET&#34; &gt; &gt; &gt; &gt; &gt; &gt; principals:&lt;and_ids:&lt;ids:&lt;any:true &gt; &gt; &gt; &gt; &gt; }
2018-07-26T22:25:41.184407Z info rbac built filter config for productpage.default.svc.cluster.local</code></pre><p>It means Pilot generated:</p><ul><li><p>An empty config for <code>sleep.foo.svc.cluster.local</code> as there is no authorization policies matched
and Istio denies all requests sent to this service by default.</p></li><li><p>An config for <code>productpage.default.svc.cluster.local</code> and Istio will allow anyone to access it
with GET method.</p></li></ul></li></ol><h2 id=ensure-pilot-distributes-policies-to-proxies-correctly>Ensure Pilot Distributes Policies to Proxies Correctly</h2><p>Pilot distributes the authorization policies to proxies. The following steps help you ensure Pilot
is working as expected:</p><blockquote><p>Note: The command used in this section assumes you have deployed <a href=/v1.0/docs/examples/bookinfo/>Bookinfo application</a>,
otherwise you should replace <code>"-l app=productpage"</code> with your actual pod.</p></blockquote><ol><li><p>Run the following command to get the proxy configuration dump for the <code>productpage</code> service:</p><pre><code class=language-command>$ kubectl exec $(kubectl get pods -l app=productpage -o jsonpath=&#39;{.items[0].metadata.name}&#39;) -c istio-proxy -- curl localhost:15000/config_dump -s</code></pre></li><li><p>Check the log and verify:</p><ul><li>The log includes an <code>envoy.filters.http.rbac</code> filter to enforce the authorization policy
on each incoming request.</li><li>Istio updates the filter accordingly after you update your authorization policy.</li></ul></li><li><p>The following output means the proxy of <code>productpage</code> has enabled the <code>envoy.filters.http.rbac</code> filter
with rules that allows anyone to access it via <code>GET</code> method. The <code>shadow_rules</code> are not used and you can ignored them safely.</p><pre><code class=language-plain>{
&#34;name&#34;: &#34;envoy.filters.http.rbac&#34;,
&#34;config&#34;: {
&#34;rules&#34;: {
&#34;policies&#34;: {
&#34;productpage-viewer&#34;: {
&#34;permissions&#34;: [
{
&#34;and_rules&#34;: {
&#34;rules&#34;: [
{
&#34;or_rules&#34;: {
&#34;rules&#34;: [
{
&#34;header&#34;: {
&#34;exact_match&#34;: &#34;GET&#34;,
&#34;name&#34;: &#34;:method&#34;
}
}
]
}
}
]
}
}
],
&#34;principals&#34;: [
{
&#34;and_ids&#34;: {
&#34;ids&#34;: [
{
&#34;any&#34;: true
}
]
}
}
]
}
}
},
&#34;shadow_rules&#34;: {
&#34;policies&#34;: {}
}
}
},</code></pre></li></ol><h2 id=ensure-proxies-enforce-policies-correctly>Ensure Proxies Enforce Policies Correctly</h2><p>Proxies eventually enforce the authorization policies. The following steps help you ensure the proxy
is working as expected:</p><blockquote><p>Note: The command used in this section assumes you have deployed <a href=/v1.0/docs/examples/bookinfo/>Bookinfo application</a>.
otherwise you should replace <code>"-l app=productpage"</code> with your actual pod.</p></blockquote><ol><li><p>Turn on the authorization debug logging in proxy with the following command:</p><pre><code class=language-command>$ kubectl exec $(kubectl get pods -l app=productpage -o jsonpath=&#39;{.items[0].metadata.name}&#39;) -c istio-proxy -- curl localhost:15000/logging?rbac=debug -s</code></pre></li><li><p>Verify you see the following output:</p><pre><code class=language-plain>active loggers:
... ...
rbac: debug
... ...</code></pre></li><li><p>Visit the <code>productpage</code> in your browser to generate some logs.</p></li><li><p>Print the proxy logs with the following command:</p><pre><code class=language-command>$ kubectl logs $(kubectl get pods -l app=productpage -o jsonpath=&#39;{.items[0].metadata.name}&#39;) -c istio-proxy</code></pre></li><li><p>Check the output and verify:</p><ul><li><p>The output log shows either <code>enforced allowed</code> or <code>enforced denied</code> depending on whether the request
was allowed or denied respectively.</p></li><li><p>Your authorization policy expects the data extracted from the request.</p></li></ul></li><li><p>The following output means there is a <code>GET</code> request at path <code>/productpage</code> and the policy allows the request.
The <code>shadow denied</code> has no effect and you can ignore it safely.</p><pre><code class=language-plain>...
[2018-07-26 20:39:18.060][152][debug][rbac] external/envoy/source/extensions/filters/http/rbac/rbac_filter.cc:79] checking request: remoteAddress: 10.60.0.139:51158, localAddress: 10.60.0.93:9080, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account, subjectPeerCertificate: O=, headers: &#39;:authority&#39;, &#39;35.238.0.62&#39;
&#39;:path&#39;, &#39;/productpage&#39;
&#39;:method&#39;, &#39;GET&#39;
&#39;upgrade-insecure-requests&#39;, &#39;1&#39;
&#39;user-agent&#39;, &#39;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36&#39;
&#39;dnt&#39;, &#39;1&#39;
&#39;accept&#39;, &#39;text/html,application/xhtml&#43;xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8&#39;
&#39;accept-encoding&#39;, &#39;gzip, deflate&#39;
&#39;accept-language&#39;, &#39;en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7&#39;
&#39;x-forwarded-for&#39;, &#39;10.60.0.1&#39;
&#39;x-forwarded-proto&#39;, &#39;http&#39;
&#39;x-request-id&#39;, &#39;e23ea62d-b25d-91be-857c-80a058d746d4&#39;
&#39;x-b3-traceid&#39;, &#39;5983108bf6d05603&#39;
&#39;x-b3-spanid&#39;, &#39;5983108bf6d05603&#39;
&#39;x-b3-sampled&#39;, &#39;1&#39;
&#39;x-istio-attributes&#39;, &#39;CikKGGRlc3RpbmF0aW9uLnNlcnZpY2UubmFtZRINEgtwcm9kdWN0cGFnZQoqCh1kZXN0aW5hdGlvbi5zZXJ2aWNlLm5hbWVzcGFjZRIJEgdkZWZhdWx0Ck8KCnNvdXJjZS51aWQSQRI/a3ViZXJuZXRlczovL2lzdGlvLWluZ3Jlc3NnYXRld2F5LTc2NjY0Y2NmY2Ytd3hjcjQuaXN0aW8tc3lzdGVtCj4KE2Rlc3RpbmF0aW9uLnNlcnZpY2USJxIlcHJvZHVjdHBhZ2UuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbApDChhkZXN0aW5hdGlvbi5zZXJ2aWNlLmhvc3QSJxIlcHJvZHVjdHBhZ2UuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbApBChdkZXN0aW5hdGlvbi5zZXJ2aWNlLnVpZBImEiRpc3RpbzovL2RlZmF1bHQvc2VydmljZXMvcHJvZHVjdHBhZ2U=&#39;
&#39;content-length&#39;, &#39;0&#39;
&#39;x-envoy-internal&#39;, &#39;true&#39;
&#39;sec-istio-authn-payload&#39;, &#39;CkVjbHVzdGVyLmxvY2FsL25zL2lzdGlvLXN5c3RlbS9zYS9pc3Rpby1pbmdyZXNzZ2F0ZXdheS1zZXJ2aWNlLWFjY291bnQSRWNsdXN0ZXIubG9jYWwvbnMvaXN0aW8tc3lzdGVtL3NhL2lzdGlvLWluZ3Jlc3NnYXRld2F5LXNlcnZpY2UtYWNjb3VudA==&#39;
, dynamicMetadata: filter_metadata {
key: &#34;istio_authn&#34;
value {
fields {
key: &#34;request.auth.principal&#34;
value {
string_value: &#34;cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account&#34;
}
}
fields {
key: &#34;source.principal&#34;
value {
string_value: &#34;cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account&#34;
}
}
}
}
[2018-07-26 20:39:18.060][152][debug][rbac] external/envoy/source/extensions/filters/http/rbac/rbac_filter.cc:88] shadow denied
[2018-07-26 20:39:18.060][152][debug][rbac] external/envoy/source/extensions/filters/http/rbac/rbac_filter.cc:98] enforced allowed
...</code></pre></li></ol><h2 id=see-also>See also</h2><div class=see-also><div class=container-fluid><div class=row><div class="col-xs-12 col-sm-6 col-xl-4"><p class=link><a href=/v1.0/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></p><p class=desc>Describe Istio's authorization feature and how to use it in various use cases.</p></div><div class="col-xs-12 col-sm-6 col-xl-4"><p class=link><a href=/v1.0/docs/tasks/security/role-based-access-control/>Authorization</a></p><p class=desc>Shows how to set up role-based access control for services in the mesh.</p></div><div class="col-xs-12 col-sm-6 col-xl-4"><p class=link><a href=/v1.0/docs/concepts/security/>Security</a></p><p class=desc>Describes Istio's authorization and authentication functionality.</p></div><div class="col-xs-12 col-sm-6 col-xl-4"><p class=link><a href=/v1.0/docs/tasks/security/authn-policy/>Authentication Policy</a></p><p class=desc>Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication.</p></div><div class="col-xs-12 col-sm-6 col-xl-4"><p class=link><a href=/v1.0/docs/tasks/security/health-check/>Citadel health checking</a></p><p class=desc>Shows how to enable Citadel health checking with Kubernetes.</p></div><div class="col-xs-12 col-sm-6 col-xl-4"><p class=link><a href=/v1.0/help/ops/traffic-management/proxy-cmd/>Debugging Envoy and Pilot</a></p><p class=desc>Demonstrates how to debug Pilot and Envoy.</p></div></div></div></div></main><div class="container-fluid d-print-none"><br><div class=row><div class="col-6 pagenav"></div><div class="col-6 pagenav" style=text-align:right><p><a title="What to do if Citadel is not behaving properly." href=/v1.0/help/ops/security/repairing-citadel/>Repairing Citadel
<i class="fa fa-long-arrow-alt-right"></i></a></p></div></div></div><div class="d-none d-print-block" aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class="col-12 col-md-2 d-none d-xl-block d-print-none"><nav class=toc><div class=spacer></div><div id=toc class=directory role=directory><nav id=TableOfContents><ul><li><a href=#ensure-authorization-is-enabled-correctly>Ensure Authorization is Enabled Correctly</a></li><li><a href=#ensure-pilot-accepts-the-policies>Ensure Pilot Accepts the Policies</a></li><li><a href=#ensure-pilot-distributes-policies-to-proxies-correctly>Ensure Pilot Distributes Policies to Proxies Correctly</a></li><li><a href=#ensure-proxies-enforce-policies-correctly>Ensure Proxies Enforce Policies Correctly</a></li><li><a href=#see-also>See also</a></li></ul></nav></div></nav></div></div></div><footer class="d-print-none container-fluid"><div class=row><div class="col-5 col-lg-4" role=navigation><div class=container-fluid><div class=row><div class=icon><span>discuss</span>
<a title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M225.9 32C103.3 32 0 130.5.0 252.1.0 256 .1 480 .1 480l225.8-.2c122.7.0 222.1-102.3 222.1-223.9S348.6 32 225.9 32zM224 384c-19.4.0-37.9-4.3-54.4-12.1L88.5 392l22.9-75c-9.8-18.1-15.4-38.9-15.4-61 0-70.7 57.3-128 128-128s128 57.3 128 128-57.3 128-128 128z" /></svg></a></div><div class=icon><span>slack</span>
<a title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><svg viewBox="0 0 31.444 31.443"><path d="M31.202 16.369c-.62-1.388-2.249-2.011-3.637-1.391l-1.325.594-3.396-7.591 1.325-.592c1.388-.622 2.01-2.25 1.389-3.637-.62-1.389-2.248-2.012-3.637-1.39l-1.324.593-.593-1.326c-.621-1.388-2.249-2.009-3.637-1.388-1.388.62-2.009 2.247-1.389 3.637l.593 1.325L7.98 8.598 7.388 7.273c-.621-1.39-2.249-2.009-3.637-1.39C2.363 6.504 1.742 8.132 2.362 9.52l.592 1.324L1.63 11.438c-1.388.621-2.01 2.247-1.389 3.636.62 1.388 2.249 2.01 3.637 1.39l1.325-.594 3.394 7.592-1.325.592c-1.388.621-2.009 2.25-1.389 3.637.621 1.389 2.249 2.011 3.637 1.391l1.324-.593.593 1.325c.621 1.389 2.249 2.01 3.637 1.389 1.387-.62 2.009-2.248 1.388-3.636l-.591-1.326 7.591-3.394.592 1.321c.621 1.391 2.248 2.013 3.637 1.392 1.388-.619 2.01-2.248 1.389-3.637l-.592-1.324 1.323-.594C31.201 19.384 31.823 17.757 31.202 16.369zM13.623 21.215l-3.395-7.593 7.591-3.394 3.395 7.591L13.623 21.215z"/></svg></a></div><div class=icon><span>twitter</span>
<a title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><svg viewBox="0 0 310 310"><path d="M302.973 57.388c-4.87 2.16-9.877 3.983-14.993 5.463 6.057-6.85 10.675-14.91 13.494-23.73.632-1.977-.023-4.141-1.648-5.434-1.623-1.294-3.878-1.449-5.665-.39-10.865 6.444-22.587 11.075-34.878 13.783-12.381-12.098-29.197-18.983-46.581-18.983-36.695.0-66.549 29.853-66.549 66.547.0 2.89.183 5.764.545 8.598C101.163 99.244 58.83 76.863 29.76 41.204c-1.036-1.271-2.632-1.956-4.266-1.825-1.635.128-3.104 1.05-3.93 2.467-5.896 10.117-9.013 21.688-9.013 33.461.0 16.035 5.725 31.249 15.838 43.137-3.075-1.065-6.059-2.396-8.907-3.977-1.529-.851-3.395-.838-4.914.033-1.52.871-2.473 2.473-2.513 4.224-.007.295-.007.59-.007.889.0 23.935 12.882 45.484 32.577 57.229-1.692-.169-3.383-.414-5.063-.735-1.732-.331-3.513.276-4.681 1.597-1.17 1.32-1.557 3.16-1.018 4.84 7.29 22.76 26.059 39.501 48.749 44.605-18.819 11.787-40.34 17.961-62.932 17.961-4.714.0-9.455-.277-14.095-.826-2.305-.274-4.509 1.087-5.294 3.279-.785 2.193.047 4.638 2.008 5.895 29.023 18.609 62.582 28.445 97.047 28.445 67.754.0 110.139-31.95 133.764-58.753 29.46-33.421 46.356-77.658 46.356-121.367.0-1.826-.028-3.67-.084-5.508 11.623-8.757 21.63-19.355 29.773-31.536 1.237-1.85 1.103-4.295-.33-5.998C307.394 57.037 305.009 56.486 302.973 57.388z"/></svg></a></div><div class=icon><span>stack overflow</span>
<a title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg viewBox="0 0 120 120"><polygon points="84.4,93.8 84.4,70.6 92.1,70.6 92.1,101.5 22.6,101.5 22.6,70.6 30.3,70.6 30.3,93.8"/><path d="M38.8 68.4l37.8 7.9 1.6-7.6-37.8-7.9L38.8 68.4zM43.8 50.4l35 16.3 3.2-7-35-16.4L43.8 50.4zM53.5 33.2l29.7 24.7 4.9-5.9L58.4 27.3 53.5 33.2zM72.7 14.9l-6.2 4.6 23 31 6.2-4.6-23-31zM38 86h38.6v-7.7H38V86z"/></svg></a></div></div><div class="tag row d-none d-lg-flex">for everyone</div></div></div><div class="col-7 col-lg-4"><p class="text-center copyright" role=contentinfo>Istio
Archive
1.0<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on March 19, 2019</p></div><div class="col-6 col-lg-4 d-none d-lg-flex" role=navigation><div class=container-fluid><div class="row justify-content-end"><div class=icon><span>github</span>
<a title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><svg viewBox="0 0 478.165 478.165"><path d="M349.22 55.768c6.136 14.046 10.241 37.556 4.224 54.69 24.426 20.999 33.073 71.904 21.079 113.704 35.006 2.73 76.666-1.235 103.642 9.484-25.183-3.248-59.651-9.563-91.987-7.431-6.136.458-15.361-.239-14.903 8.408 37.735 3.008 75.092 6.117 105.894 15.779-30.702-4.981-67.74-12.552-105.894-13.668-15.54 30.921-47.239 46.262-90.991 49.49 4.682 10.261 13.847 14.066 15.879 30.702 3.267 24.406-4.881 60.328 3.208 76.686 4.064 7.89 10.579 8.009 14.863 14.604-10.699 12.871-37.257-1.395-40.186-14.604-5.14-22.852 7.89-58.256-6.415-73.737.996 24.865-5.718 59.85.996 82.145 2.789 8.806 10.659 12.113 8.647 20.063-49.809 5.08-28.989-64.373-37.177-105.356-7.471.697-4.204 11.197-4.224 15.76-.199 40.106 8.189 94.836-34.846 89.556-1.315-8.348 5.838-11.217 8.467-19.007 7.91-22.434-1.454-56.045 2.112-83.161-16.417 12.512 1.793 55.666-8.428 77.961-5.838 12.671-24.785 18.27-39.19 12.651 1.873-9.464 11.695-7.989 15.879-16.875 5.818-12.452.02-30.244 2.092-48.494-30.423 6.097-53.993-.877-65.608-20.023-5.12-8.507-6.356-18.708-12.632-26.219-6.117-7.551-16.098-8.507-19.087-18.808 37.755-9.185 39.17 38.771 73.06 39.807 10.44.418 15.799-2.909 25.402-5.16 2.749-12.113 8.428-21.039 16.875-27.494-42.078-5.658-76.865-18.788-93.023-50.466-38.293 1.893-73.339 7.013-105.894 14.843 29.547-10.679 65.807-14.604 104.778-15.819-2.351-13.807-22.434-10.022-34.866-9.543C47.677 227.17 18.449 230.138.0 233.645c26.817-9.543 64.233-8.348 100.454-8.428-11.038-34.767-7.232-90.014 17.015-110.615-6.854-17.254-4.722-45.346 4.184-58.834 27.036 1.175 43.374 12.891 60.388 24.247 21.019-6.017 43.035-9.045 71.904-7.451 12.133.677 24.705 6.097 33.731 5.32 8.906-.877 18.728-10.898 27.534-14.843C326.507 58.099 336.17 56.206 349.22 55.768z"/></svg></a></div><div class=icon><span>drive</span>
<a title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg viewBox="0 0 207.027 207.027"><path d="M69.866 15.557.0 138.919l28.732 52.552 143.288-.029 35.008-59.588L136.39 15.735 69.866 15.557zM17.166 139.046 74.268 38.205 91.21 67.783 33.24 168.447 17.166 139.046zM99.841 82.851l23.805 41.558-47.732-.006L99.841 82.851zM163.434 176.443l-117.332.024 21.53-37.065 64.606.008.067.119 52.865-.085L163.434 176.443zM140.932 124.411 90.157 35.767l-2.966-5.178 40.751.121 57.003 93.706L140.932 124.411z"/></svg></a></div><div class=icon><span>working groups</span>
<a title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><svg viewBox="0 -45 439.833 439.833"><polygon points="246.048,195.833 299.966,235.085 319.497,227.296 276.278,195.833"/><polygon points="193.786,195.833 163.556,195.833 120.33,227.3 139.862,235.089"/><path d="M219.927 11.558c-23.854.0-37.057 12.362-36.814 36.182.348 32.623 14.211 52.414 36.814 52.068.0.0 36.802 1.492 36.802-52.068C256.729 23.918 244.294 11.558 219.927 11.558z"/><path d="M285.017 124.567l-36.77-14.659-8.608-7.256c-2.274-1.922-5.636-1.78-7.741.317l-11.973 11.904-12.008-11.907c-2.109-2.094-5.465-2.229-7.736-.313l-8.611 7.256-36.77 14.661c-11.842 4.715-11.83 46.647-12.848 50.497h155.93C296.866 171.228 296.862 129.28 285.017 124.567z"/><path d="M77.976 228.568s36.801 1.492 36.801-52.068c0-23.82-12.434-36.182-36.801-36.182-23.854.0-37.057 12.362-36.814 36.182C41.509 209.124 55.372 228.915 77.976 228.568z"/><path d="M143.065 253.329l-36.77-14.658-8.609-7.256c-2.275-1.923-5.635-1.781-7.742.315l-11.971 11.904-12.008-11.908c-2.109-2.094-5.465-2.229-7.736-.312l-8.611 7.256-36.77 14.66C1.006 258.045 1.018 299.977.0 303.827h155.93C154.915 299.988 154.911 258.042 143.065 253.329z"/><path d="M361.878 228.568s36.801 1.492 36.801-52.068c0-23.82-12.434-36.182-36.801-36.182-23.854.0-37.057 12.362-36.812 36.182C325.411 209.124 339.274 228.915 361.878 228.568z"/><path d="M426.968 253.329l-36.77-14.658-8.609-7.256c-2.273-1.923-5.635-1.781-7.742.315l-11.971 11.904-12.008-11.908c-2.109-2.094-5.465-2.229-7.736-.312l-8.61 7.256-36.771 14.66c-11.842 4.715-11.83 46.646-12.848 50.497h155.93C438.817 299.988 438.812 258.042 426.968 253.329z"/></svg></a></div></div><div class="tag row justify-content-end text-right">for developers</div></div></div></div></footer><div class="d-xl-none d-print-none"><button id=scroll-to-top aria-hidden=true onclick=scrollToTop() title="Back to top"><i class="fa fa-lg fa-arrow-up"></i></button></div><script src=https://code.jquery.com/jquery-3.2.1.slim.min.js integrity=sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN crossorigin=anonymous></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js integrity=sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl crossorigin=anonymous></script><script src=https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js></script><script src="https://www.google.com/cse/brand?form=search_form"></script><script src=/v1.0/js/all.min.js data-manual></script></body></html>
Reference in New Issue View Git Blame Copy Permalink