istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.12/zh/blog/2018/istio-authorization/index.html

100 lines
28 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=zh itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="基于 Istio 授权的 Micro-Segmentation"><meta name=description content="描述 Istio 的授权功能以及如何在各种用例中使用它。"><meta name=author content="Limin Wang"><meta name=keywords content="microservices,services,mesh,authorization,rbac,security"><meta property="og:title" content="基于 Istio 授权的 Micro-Segmentation"><meta property="og:type" content="website"><meta property="og:description" content="描述 Istio 的授权功能以及如何在各种用例中使用它。"><meta property="og:url" content="/v1.12/zh/blog/2018/istio-authorization/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1024"><meta property="og:image:height" content="1024"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.12 / 基于 Istio 授权的 Micro-Segmentation</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.12/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.12/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.12/feed.xml><link rel="shortcut icon" href=/v1.12/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.12/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.12/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.12/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.12/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.12/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.12/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.12/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.12/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.12/favicons/android-192x192.png sizes=192x192><link rel=mask-icon href=/v1.12/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.12/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.12/css/all.css><link rel=preconnect href=https://fonts.gstatic.com><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.12/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.12";const docTitle="基于 Istio 授权的 Micro-Segmentation";const iconFile="\/v1.12/img/icons.svg";const buttonCopy='复制到剪切板';const buttonPrint='打印';const buttonDownload='下载';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.12/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.12/zh/><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371 7.869 7.869.0 013.066-4.178 9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.12/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.12/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>关于</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.12/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.12/zh/about/service-mesh class=main-navigation-links-link>服务网格</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/zh/about/solutions class=main-navigation-links-link>解决方案</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/zh/about/case-studies class=main-navigation-links-link>案例学习</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/zh/about/ecosystem class=main-navigation-links-link>生态系统</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/zh/about/deployment class=main-navigation-links-link>部署</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.12/zh/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.12/zh/blog/ class=main-navigation-links-link><span>博客</span></a></li><li class=main-navigation-links-item><a href=/v1.12/zh/news/ class=main-navigation-links-link><span>新闻</span></a></li><li class=main-navigation-links-item><a href=/v1.12/zh/get-involved/ class=main-navigation-links-link><span>加入我们</span></a></li><li class=main-navigation-links-item><a href=/v1.12/zh/docs/ class=main-navigation-links-link><span>文档</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title="搜索 istio.io" aria-label=搜索><svg class="icon magnifier"><use xlink:href="/v1.12/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.12/zh/docs/setup/getting-started class="btn btn--primary" id=try-istio>试用 Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=zh>
<input type=hidden id=search-page-url value=/zh/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label="搜索 istio.io" placeholder=搜索>
<button id=search-close title=取消搜索 type=reset aria-label=取消搜索><svg class="icon menu-close"><use xlink:href="/v1.12/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>基于 Istio 授权的 Micro-Segmentation</h1><p>描述 Istio 的授权功能以及如何在各种用例中使用它。</p></div><p class=post-author>Jul 20, 2018 <span>|</span> By Limin Wang</p><div><p>Micro-Segmentation 是一种安全技术,可在云部署中创建安全区域,并允许各组织将工作负载彼此隔离以单独保护它们。
<a href=/v1.12/zh/docs/concepts/security/#authorization>Istio 的授权功能</a>也称为 Istio 基于角色的访问控制,为 Istio 网格中的服务提供
Micro-Segmentation。它的特点是</p><ul><li>不同粒度级别的授权,包括命名空间级别、服务级别和方法级别。</li><li>服务间和最终用户到服务授权。</li><li>高性能,因为它在 Envoy 上本地执行。</li><li>基于角色的语义,使其易于使用。</li><li>灵活性高,因为它允许用户使用<a href=/v1.12/zh/docs/reference/config/security/constraints-and-properties>组合属性</a>定义条件。</li></ul><p>在这篇博客文章中,您将了解主要授权功能以及如何在不同情况下使用它们。</p><h2 id=characteristics>特点</h2><h3 id=RPC-level-authorization>RPC 级别授权</h3><p>授权在各个 RPC 级别执行。具体来说,它控制“谁可以访问我的 <code>bookstore</code> 服务”,或者“谁可以在我的 <code>bookstore</code> 服务中访问
<code>getBook</code> 方法 ”。它不是为了控制对于应用程序具体资源实例的访问而设计的,例如访问“存储桶 X ”或访问“第二层架上的第 3 本书”。目前这种应用特定的访问控制逻辑需要由应用程序本身处理。</p><h3 id=role-based-access-control-with-conditions>具有条件的基于角色的访问控制</h3><p>授权是<a href=https://en.wikipedia.org/wiki/Role-based_access_control>基于角色的访问控制RBAC</a> 系统,
将此与<a href=https://en.wikipedia.org/wiki/Attribute-based_access_control>基于属性的访问控制ABAC</a> 系统对比。
与 ABAC 相比RBAC 具有以下优势:</p><ul><li><p><strong>角色允许对属性进行分组。</strong> 角色是权限组,用于指定允许的操作在系统上执行。用户根据组织内的角色进行分组。
您可以针对不同的情况定义角色并重用他们。</p></li><li><p><strong>关于谁有权访问,更容易理解和推理。</strong> RBAC 概念自然地映射到业务概念。例如,数据库管理员可能拥有对数据库后端服务的所有访问权限,
而 Web 客户端可能只能查看数据库后端服务前端服务。</p></li><li><p><strong>它减少了无意的错误。</strong> RBAC 策略使得复杂的安全更改变得更加容易。你不会有在多个位置重复配置,以后在需要进行更改时忘记更新其中一些配置。</p></li></ul><p>另一方面Istio 的授权系统不是传统的 RBAC 系统。它还允许用户使用定义<strong>条件</strong><a href=/v1.12/zh/docs/reference/config/security/constraints-and-properties>属性组合</a>。这给了 Istio 表达复杂的访问控制策略的灵活性。实际上,<strong>Istio 授权采用“RBAC + 条件”模型,具有 RBAC 系统的所有优点,并支持通常是 ABAC 系统提供的灵活性。</strong>你会在下面看到一些<a href=#examples>示例</a></p><h3 id=high-performance>高性能</h3><p>由于其简单的语义Istio 授权直接在 Envoy 本地执行。在运行时,授权决策完全在 Envoy 过滤器内部完成,不依赖于任何外部模块。
这允许 Istio 授权实现高性能和可用性。</p><h3 id=work-with-without-primary-identities>使用/不使用主要标识</h3><p>与任何其他 RBAC 系统一样Istio 授权具有身份识别功能。在 Istio 授权政策中,有一个主要的
身份称为 <code>user</code>,代表客户的主体。</p><p>除主要标识外,您还可以自己定义标识。例如,您可以将客户端标识指定为“用户 <code>Alice</code><code>Bookstore</code> 前端服务调用”,在这种情况下,
你有一个调用服务(<code>Bookstore frontend</code>)和最终用户(<code>Alice</code>)的组合身份。</p><p>要提高安全性,您应该启用<a href=/v1.12/zh/docs/concepts/security/#authentication>认证功能</a>, 并在授权策略中使用经过验证的身份。但是,
使用授权不强迫一定要有身份验证。Istio 授权可以使用或不使用身份。如果您正在使用遗留系统,您可能没有网格的双向 TLS 或 JWT 身份验证
设置。在这种情况下,识别客户端的唯一方法是,例如,通过 IP。您仍然可以使用 Istio 授权来控制允许哪些 IP 地址或 IP 范围访问您的服务。</p><h2 id=examples>示例</h2><p><a href=/v1.12/zh/docs/tasks/security/authorization/authz-http>授权任务</a>通过 <a href=/v1.12/zh/docs/examples/bookinfo>Bookinfo 应用</a>向您展示如何使用 Istio 的授权功能来控制命名空间级别
和服务级别的访问。在本节中,您将看到更多使用 Istio 授权进行权限细分的示例。</p><h3 id=namespace-level-segmentation-via-rbac-conditions>通过 RBAC + 条件进行命名空间级别细分</h3><p>假设你在 <code>frontend</code><code>backend</code> 命名空间中有服务。您想要允许所有在 <code>frontend</code> 命名空间中的服务访问 <code>backend</code> 命名空间中标记
<code>external</code> 的所有服务。</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRole
metadata:
name: external-api-caller
namespace: backend
spec:
rules:
- services: [&#34;*&#34;]
methods: [&#34;*”]
constraints:
- key: &#34;destination.labels[visibility]”
values: [&#34;external&#34;]
---
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
name: external-api-caller
namespace: backend
spec:
subjects:
- properties:
source.namespace: &#34;frontend”
roleRef:
kind: ServiceRole
name: &#34;external-api-caller&#34;
</code></pre><p>上面的 <code>ServiceRole</code><code>ServiceRoleBinding</code> 表示“允许<em></em><em>什么条件</em> RBAC + 条件)下执行<em>什么</em> ”。其中:</p><ul><li><strong>“谁”</strong><code>frontend</code> 命名空间中的服务。</li><li><strong>“什么”</strong> 是在 <code>backend</code> 命名空间中调用服务。</li><li><strong>“条件”</strong> 是具有值 <code>external</code> 的目标服务的 <code>visibility</code> 标签。</li></ul><h3 id=service-method-level-isolation-with-without-primary-identities>具有/不具有主要身份的服务/方法级别隔离</h3><p>这是演示另一个服务/方法级别的细粒度访问控制的示例。第一步是定义一个 <code>book-reader</code> <code>ServiceRole</code>,它允许对 <code>bookstore</code> 服务中的 <code>/books/*</code> 资源进行 READ 访问。</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRole
metadata:
name: book-reader
namespace: default
spec:
rules:
- services: [&#34;bookstore.default.svc.cluster.local&#34;]
paths: [&#34;/books/*”]
methods: [&#34;GET”]
</code></pre><h4 id=using-authenticated-client-identities>使用经过身份验证的客户端身份</h4><p>假设你想把这个 <code>book-reader</code> 角色授予你的 <code>bookstore-frontend</code> 服务。如果您已启用
您的网格的<a href=/v1.12/zh/docs/concepts/security/#mutual-TLS-authentication>双向 TLS 身份验证</a>, 您可以使用服务帐户,以识别您的 <code>bookstore-frontend</code> 服务。授予 <code>book-reader</code> 角色到 <code>bookstore-frontend</code> 服务可以通过创建一个 <code>ServiceRoleBinding</code> 来完成,如下所示:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
name: book-reader
namespace: default
spec:
subjects:
- user: &#34;cluster.local/ns/default/sa/bookstore-frontend”
roleRef:
kind: ServiceRole
name: &#34;book-reader&#34;
</code></pre><p>您可能希望通过添加“仅属于 <code>qualified-reviewer</code> 组的用户的条件来进一步限制此操作允许阅读书籍“。<code>qualified-reviewer</code> 组是经过身份验证的最终用户身份 <a href=/v1.12/zh/docs/concepts/security/#authorization>JWT 身份验证</a>。在这种情况下,客户端服务标识(<code>bookstore-frontend</code>)和最终用户身份(<code>qualified-reviewer</code>)的组合将用于授权策略。</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
name: book-reader
namespace: default
spec:
subjects:
- user: &#34;cluster.local/ns/default/sa/bookstore-frontend”
properties:
request.auth.claims[group]: &#34;qualified-reviewer”
roleRef:
kind: ServiceRole
name: &#34;book-reader&#34;
</code></pre><h4 id=client-does-not-have-identity>无身份客户</h4><p>强烈建议在授权策略中使用经过身份验证的身份以确保安全性。但是,如果你有一个如果遗留系统不支持身份验证,您可能没有经过身份验证的身份验证。即使没有经过身份验证的身份,您仍然可以使用 Istio 授权来保护您的服务。以下示例表明您可以在授权策略中指定允许的源 IP 范围。</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
name: book-reader
namespace: default
spec:
subjects:
- properties:
source.ip: 10.20.0.0/9
roleRef:
kind: ServiceRole
name: &#34;book-reader&#34;
</code></pre><h2 id=summary>概要</h2><p>Istio 在命名空间级别,服务级别和方法级别粒度上提供授权功能。它采用“ RBAC + 条件”模型,使其成为易于使用和理解的 RBAC 系统,同时提供 ABAC 系统级别的灵活性。由于 Istio 授权在 Envoy 上本地运行它有很高的性能。Istio 授权既可以与 <a href=/v1.12/zh/docs/concepts/security/#authentication>Istio 认证功能</a>一起提供最佳的安全性,也可以用于为没有身份验证的旧系统提供访问控制。</p></div><nav class=pagenav><div class=left><a title="使用 AppSwitch 自动接入应用并降低延迟。" href=/v1.12/zh/blog/2018/delayering-istio/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.12/img/icons.svg#left-arrow"/></svg>使用 AppSwitch 精简 Istio 层次</a></div><div class=right><a title="如何通过 Stackdriver 将 Istio 访问日志导出到 BigQuery、GCS、Pub/Sub 等不同的接收器。" href=/v1.12/zh/blog/2018/export-logs-through-stackdriver/ class=next-link>通过 Stackdriver 将日志导出到 BigQuery、GCS、Pub/Sub<svg class="icon right-arrow"><use xlink:href="/v1.12/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title="Istio 的代码在 GitHub 上开发" href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.12/img/icons.svg#github"/></svg></a><a class=channel title="如果您想深入了解 Istio 的技术细节,请查看我们日益完善的设计文档" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.12/img/icons.svg#drive"/></svg></a><a class=channel title="在 Slack 上与 Istio 社区交互讨论开发问题(仅限邀请)" href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.12/img/icons.svg#slack"/></svg></a><a class=channel title="Stack Overflow 中列举了针对实际问题以及部署、配置和使用 Istio 的各项回答" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.12/img/icons.svg#stackoverflow"/></svg></a><a class=channel title="关注我们的 Twitter 来获取最新信息" href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.12/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.12/zh/><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371 7.869 7.869.0 013.066-4.178 9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=footer-languages-item>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.12/img/icons.svg#tick"/></svg>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://policies.google.com/privacy>隐私政策</a> |
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.12/content/zh/blog/2018/istio-authorization/index.md>在 GitHub 上编辑此页</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2021 Istio Authors.</span>
<span class=footer-base-version>部分内容可能滞后于英文版本,同步工作正在进行中<br>Version
Istio 归档
1.12.3</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2018\/istio-authorization\/');return false;">当前版本</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2018\/istio-authorization\/');return false;">下个版本</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem href=https://istio.io/archive>旧版本</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title=回到顶部><svg class="icon top"><use xlink:href="/v1.12/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink