mirror of https://github.com/istio/istio.io.git
351 lines
39 KiB
HTML
351 lines
39 KiB
HTML
<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Better External Authorization"><meta name=description content="AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system."><meta name=author content="Yangmin Zhu (Google)"><meta name=keywords content="microservices,services,mesh,authorization,access control,opa,oauth2"><meta property="og:title" content="Better External Authorization"><meta property="og:type" content="website"><meta property="og:description" content="AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system."><meta property="og:url" content="/v1.14/blog/2021/better-external-authz/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1024"><meta property="og:image:height" content="1024"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.14 / Better External Authorization</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
|
|
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.14/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.14/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.14/feed.xml><link rel="shortcut icon" href=/v1.14/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.14/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.14/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.14/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.14/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.14/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.14/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.14/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.14/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.14/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.14/favicons/favicon.svg><link rel=icon type=image/png href=/v1.14/favicons/favicon.png><link rel=mask-icon href=/v1.14/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.14/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.14/css/all.css><link rel=preconnect href=https://fonts.gstatic.com><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.14/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.14",docTitle="Better External Authorization",iconFile="/v1.14/img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script>
|
|
<script src=/v1.14/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.14/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.14/img/icons.svg#menu-hamburger"/></svg></button>
|
|
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.14/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.14/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.14/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.14/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.14/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.14/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.14/img/icons.svg#magnifier"/></svg></button>
|
|
<a href=/v1.14/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
|
|
<input type=hidden name=ie value=utf-8>
|
|
<input type=hidden name=hl value=en>
|
|
<input type=hidden id=search-page-url value=/search>
|
|
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label="Search this site" placeholder=Search>
|
|
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon menu-close"><use xlink:href="/v1.14/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Better External Authorization</h1><p>AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system.</p></div><p class=post-author>Feb 9, 2021 <span>|</span> By Yangmin Zhu - Google</p><div><h2 id=background>Background</h2><p>Istio’s authorization policy provides access control for services in the mesh. It is fast, powerful and a widely used
|
|
feature. We have made continuous improvements to make policy more flexible since its first release in Istio 1.4, including
|
|
the <a href=/v1.14/docs/tasks/security/authorization/authz-deny/><code>DENY</code> action</a>, <a href=/v1.14/docs/tasks/security/authorization/authz-deny/>exclusion semantics</a>,
|
|
<a href=/v1.14/docs/tasks/security/authorization/authz-ingress/><code>X-Forwarded-For</code> header support</a>, <a href=/v1.14/docs/tasks/security/authorization/authz-jwt/>nested JWT claim support</a>
|
|
and more. These features improve the flexibility of the authorization policy, but there are still many use cases that
|
|
cannot be supported with this model, for example:</p><ul><li><p>You have your own in-house authorization system that cannot be easily migrated to, or cannot be easily replaced by, the
|
|
authorization policy.</p></li><li><p>You want to integrate with a 3rd-party solution (e.g. <a href=https://www.openpolicyagent.org/docs/latest/envoy-introduction/>Open Policy Agent</a>
|
|
or <a href=https://github.com/oauth2-proxy/oauth2-proxy><code>oauth2</code> proxy</a>) which may require use of the
|
|
<a href=/v1.14/docs/reference/config/networking/envoy-filter/>low-level Envoy configuration APIs</a> in Istio, or may not be possible
|
|
at all.</p></li><li><p>Authorization policy lacks necessary semantics for your use case.</p></li></ul><h2 id=solution>Solution</h2><p>In Istio 1.9, we have implemented extensibility into authorization policy by introducing a <a href=/v1.14/docs/reference/config/security/authorization-policy/#AuthorizationPolicy-Action><code>CUSTOM</code> action</a>,
|
|
which allows you to delegate the access control decision to an external authorization service.</p><p>The <code>CUSTOM</code> action allows you to integrate Istio with an external authorization system that implements its own custom
|
|
authorization logic. The following diagram shows the high level architecture of this integration:</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:48.573838213459645%><a data-skipendnotes=true href=/v1.14/blog/2021/better-external-authz/external_authz.svg title="External Authorization Architecture"><img class=element-to-stretch src=/v1.14/blog/2021/better-external-authz/external_authz.svg alt="External Authorization Architecture"></a></div><figcaption>External Authorization Architecture</figcaption></figure><p>At configuration time, the mesh admin configures an authorization policy with a <code>CUSTOM</code> action to enable the
|
|
external authorization on a proxy (either gateway or sidecar). The admin should verify the external auth service is up
|
|
and running.</p><p>At runtime,</p><ol><li><p>A request is intercepted by the proxy, and the proxy will send check requests to the external auth service, as
|
|
configured by the user in the authorization policy.</p></li><li><p>The external auth service will make the decision whether to allow it or not.</p></li><li><p>If allowed, the request will continue and will be enforced by any local authorization defined by <code>ALLOW</code>/<code>DENY</code> action.</p></li><li><p>If denied, the request will be rejected immediately.</p></li></ol><p>Let’s look at an example authorization policy with the <code>CUSTOM</code> action:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: ext-authz
|
|
namespace: istio-system
|
|
spec:
|
|
# The selector applies to the ingress gateway in the istio-system namespace.
|
|
selector:
|
|
matchLabels:
|
|
app: istio-ingressgateway
|
|
# The action "CUSTOM" delegates the access control to an external authorizer, this is different from
|
|
# the ALLOW/DENY action that enforces the access control right inside the proxy.
|
|
action: CUSTOM
|
|
# The provider specifies the name of the external authorizer defined in the meshconfig, which tells where and how to
|
|
# talk to the external auth service. We will cover this more later.
|
|
provider:
|
|
name: "my-ext-authz-service"
|
|
# The rule specifies that the access control is triggered only if the request path has the prefix "/admin/".
|
|
# This allows you to easily enable or disable the external authorization based on the requests, avoiding the external
|
|
# check request if it is not needed.
|
|
rules:
|
|
- to:
|
|
- operation:
|
|
paths: ["/admin/*"]
|
|
</code></pre><p>It refers to a provider called <code>my-ext-authz-service</code> which is defined in the mesh config:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>extensionProviders:
|
|
# The name "my-ext-authz-service" is referred to by the authorization policy in its provider field.
|
|
- name: "my-ext-authz-service"
|
|
# The "envoyExtAuthzGrpc" field specifies the type of the external authorization service is implemented by the Envoy
|
|
# ext-authz filter gRPC API. The other supported type is the Envoy ext-authz filter HTTP API.
|
|
# See more in https://www.envoyproxy.io/docs/envoy/v1.16.2/intro/arch_overview/security/ext_authz_filter.
|
|
envoyExtAuthzGrpc:
|
|
# The service and port specifies the address of the external auth service, "ext-authz.istio-system.svc.cluster.local"
|
|
# means the service is deployed in the mesh. It can also be defined out of the mesh or even inside the pod as a separate
|
|
# container.
|
|
service: "ext-authz.istio-system.svc.cluster.local"
|
|
port: 9000
|
|
</code></pre><p>The authorization policy of <a href=/v1.14/docs/reference/config/security/authorization-policy/#AuthorizationPolicy-Action><code>CUSTOM</code> action</a>
|
|
enables the external authorization in runtime, it could be configured to trigger the external authorization conditionally
|
|
based on the request using the same rule that you have already been using with other actions.</p><p>The external authorization service is currently defined in the <a href=/v1.14/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ExtensionProvider><code>meshconfig</code> API</a>
|
|
and referred to by its name. It could be deployed in the mesh with or without proxy. If with the proxy, you could
|
|
further use <code>PeerAuthentication</code> to enable mTLS between the proxy and your external authorization service.</p><p>The <code>CUSTOM</code> action is currently in the <strong>experimental stage</strong>; the API might change in a non-backward compatible way based on user feedback.
|
|
The authorization policy rules currently don’t support authentication fields (e.g. source principal or JWT claim) when used with the
|
|
<code>CUSTOM</code> action. Only one provider is allowed for a given workload, but you can still use different providers on different workloads.</p><p>For more information, please see the <a href=https://docs.google.com/document/d/1V4mCQCw7mlGp0zSQQXYoBdbKMDnkPOjeyUb85U07iSI/edit#>Better External Authorization design doc</a>.</p><h2 id=example-with-opa>Example with OPA</h2><p>In this section, we will demonstrate using the <code>CUSTOM</code> action with the Open Policy Agent as the external authorizer on
|
|
the ingress gateway. We will conditionally enable the external authorization on all paths except <code>/ip</code>.</p><p>You can also refer to the <a href=/v1.14/docs/tasks/security/authorization/authz-custom/>external authorization task</a> for a more
|
|
basic introduction that uses a sample <code>ext-authz</code> server.</p><h3 id=create-the-example-opa-policy>Create the example OPA policy</h3><p>Run the following command create an OPA policy that allows the request if the prefix of the path is matched with the
|
|
claim “path” (base64 encoded) in the JWT token:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat > policy.rego <<EOF
|
|
package envoy.authz
|
|
|
|
import input.attributes.request.http as http_request
|
|
|
|
default allow = false
|
|
|
|
token = {"valid": valid, "payload": payload} {
|
|
[_, encoded] := split(http_request.headers.authorization, " ")
|
|
[valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"})
|
|
}
|
|
|
|
allow {
|
|
is_token_valid
|
|
action_allowed
|
|
}
|
|
|
|
is_token_valid {
|
|
token.valid
|
|
now := time.now_ns() / 1000000000
|
|
token.payload.nbf <= now
|
|
now < token.payload.exp
|
|
}
|
|
|
|
action_allowed {
|
|
startswith(http_request.path, base64url.decode(token.payload.path))
|
|
}
|
|
EOF
|
|
$ kubectl create secret generic opa-policy --from-file policy.rego
|
|
</code></pre><h3 id=deploy-httpbin-and-opa>Deploy httpbin and OPA</h3><p>Enable the sidecar injection:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl label ns default istio-injection=enabled
|
|
</code></pre><p>Run the following command to deploy the example application httpbin and OPA. The OPA could be deployed either as a
|
|
separate container in the httpbin pod or completely in a separate pod:</p><div id=tabset-blog-2021-better-external-authz-1 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-blog-2021-better-external-authz-1-0-panel id=tabset-blog-2021-better-external-authz-1-0-tab role=tab><span>Deploy OPA in the same pod</span>
|
|
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-blog-2021-better-external-authz-1-1-panel id=tabset-blog-2021-better-external-authz-1-1-tab role=tab><span>Deploy OPA in a separate pod</span></button></div><div class=tab-content><div id=tabset-blog-2021-better-external-authz-1-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-1-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - <<EOF
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: httpbin-with-opa
|
|
labels:
|
|
app: httpbin-with-opa
|
|
service: httpbin-with-opa
|
|
spec:
|
|
ports:
|
|
- name: http
|
|
port: 8000
|
|
targetPort: 80
|
|
selector:
|
|
app: httpbin-with-opa
|
|
---
|
|
# Define the service entry for the local OPA service on port 9191.
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: ServiceEntry
|
|
metadata:
|
|
name: local-opa-grpc
|
|
spec:
|
|
hosts:
|
|
- "local-opa-grpc.local"
|
|
endpoints:
|
|
- address: "127.0.0.1"
|
|
ports:
|
|
- name: grpc
|
|
number: 9191
|
|
protocol: GRPC
|
|
resolution: STATIC
|
|
---
|
|
kind: Deployment
|
|
apiVersion: apps/v1
|
|
metadata:
|
|
name: httpbin-with-opa
|
|
labels:
|
|
app: httpbin-with-opa
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: httpbin-with-opa
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: httpbin-with-opa
|
|
spec:
|
|
containers:
|
|
- image: docker.io/kennethreitz/httpbin
|
|
imagePullPolicy: IfNotPresent
|
|
name: httpbin
|
|
ports:
|
|
- containerPort: 80
|
|
- name: opa
|
|
image: openpolicyagent/opa:latest-envoy
|
|
securityContext:
|
|
runAsUser: 1111
|
|
volumeMounts:
|
|
- readOnly: true
|
|
mountPath: /policy
|
|
name: opa-policy
|
|
args:
|
|
- "run"
|
|
- "--server"
|
|
- "--addr=localhost:8181"
|
|
- "--diagnostic-addr=0.0.0.0:8282"
|
|
- "--set=plugins.envoy_ext_authz_grpc.addr=:9191"
|
|
- "--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow"
|
|
- "--set=decision_logs.console=true"
|
|
- "--ignore=.*"
|
|
- "/policy/policy.rego"
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health?plugins
|
|
scheme: HTTP
|
|
port: 8282
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health?plugins
|
|
scheme: HTTP
|
|
port: 8282
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
volumes:
|
|
- name: proxy-config
|
|
configMap:
|
|
name: proxy-config
|
|
- name: opa-policy
|
|
secret:
|
|
secretName: opa-policy
|
|
EOF
|
|
</code></pre></div><div hidden id=tabset-blog-2021-better-external-authz-1-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-1-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - <<EOF
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: opa
|
|
labels:
|
|
app: opa
|
|
spec:
|
|
ports:
|
|
- name: grpc
|
|
port: 9191
|
|
targetPort: 9191
|
|
selector:
|
|
app: opa
|
|
---
|
|
kind: Deployment
|
|
apiVersion: apps/v1
|
|
metadata:
|
|
name: opa
|
|
labels:
|
|
app: opa
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: opa
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: opa
|
|
spec:
|
|
containers:
|
|
- name: opa
|
|
image: openpolicyagent/opa:latest-envoy
|
|
securityContext:
|
|
runAsUser: 1111
|
|
volumeMounts:
|
|
- readOnly: true
|
|
mountPath: /policy
|
|
name: opa-policy
|
|
args:
|
|
- "run"
|
|
- "--server"
|
|
- "--addr=localhost:8181"
|
|
- "--diagnostic-addr=0.0.0.0:8282"
|
|
- "--set=plugins.envoy_ext_authz_grpc.addr=:9191"
|
|
- "--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow"
|
|
- "--set=decision_logs.console=true"
|
|
- "--ignore=.*"
|
|
- "/policy/policy.rego"
|
|
ports:
|
|
- containerPort: 9191
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health?plugins
|
|
scheme: HTTP
|
|
port: 8282
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health?plugins
|
|
scheme: HTTP
|
|
port: 8282
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
volumes:
|
|
- name: proxy-config
|
|
configMap:
|
|
name: proxy-config
|
|
- name: opa-policy
|
|
secret:
|
|
secretName: opa-policy
|
|
EOF
|
|
</code></pre><p>Deploy the httpbin as well:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.14/samples/httpbin/httpbin.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f @samples/httpbin/httpbin.yaml@
|
|
</code></pre></div></div></div></div><h3 id=define-external-authorizer>Define external authorizer</h3><p>Run the following command to edit the <code>meshconfig</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl edit configmap istio -n istio-system
|
|
</code></pre><p>Add the following <code>extensionProviders</code> to the <code>meshconfig</code>:</p><div id=tabset-blog-2021-better-external-authz-2 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-blog-2021-better-external-authz-2-0-panel id=tabset-blog-2021-better-external-authz-2-0-tab role=tab><span>Deploy OPA in the same pod</span>
|
|
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-blog-2021-better-external-authz-2-1-panel id=tabset-blog-2021-better-external-authz-2-1-tab role=tab><span>Deploy OPA in a separate pod</span></button></div><div class=tab-content><div id=tabset-blog-2021-better-external-authz-2-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-2-0-tab><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
|
|
data:
|
|
mesh: |-
|
|
# Add the following contents:
|
|
extensionProviders:
|
|
- name: "opa.local"
|
|
envoyExtAuthzGrpc:
|
|
service: "local-opa-grpc.local"
|
|
port: "9191"
|
|
</code></pre></div><div hidden id=tabset-blog-2021-better-external-authz-2-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-2-1-tab><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
|
|
data:
|
|
mesh: |-
|
|
# Add the following contents:
|
|
extensionProviders:
|
|
- name: "opa.default"
|
|
envoyExtAuthzGrpc:
|
|
service: "opa.default.svc.cluster.local"
|
|
port: "9191"
|
|
</code></pre></div></div></div><h3 id=create-an-authorizationpolicy-with-a-custom-action>Create an AuthorizationPolicy with a CUSTOM action</h3><p>Run the following command to create the authorization policy that enables the external authorization on all paths
|
|
except <code>/ip</code>:</p><div id=tabset-blog-2021-better-external-authz-3 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-blog-2021-better-external-authz-3-0-panel id=tabset-blog-2021-better-external-authz-3-0-tab role=tab><span>Deploy OPA in the same pod</span>
|
|
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-blog-2021-better-external-authz-3-1-panel id=tabset-blog-2021-better-external-authz-3-1-tab role=tab><span>Deploy OPA in a separate pod</span></button></div><div class=tab-content><div id=tabset-blog-2021-better-external-authz-3-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-3-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - <<EOF
|
|
apiVersion: security.istio.io/v1beta1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: httpbin-opa
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: httpbin-with-opa
|
|
action: CUSTOM
|
|
provider:
|
|
name: "opa.local"
|
|
rules:
|
|
- to:
|
|
- operation:
|
|
notPaths: ["/ip"]
|
|
EOF
|
|
</code></pre></div><div hidden id=tabset-blog-2021-better-external-authz-3-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-3-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - <<EOF
|
|
apiVersion: security.istio.io/v1beta1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: httpbin-opa
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: httpbin
|
|
action: CUSTOM
|
|
provider:
|
|
name: "opa.default"
|
|
rules:
|
|
- to:
|
|
- operation:
|
|
notPaths: ["/ip"]
|
|
EOF
|
|
</code></pre></div></div></div><h3 id=test-the-opa-policy>Test the OPA policy</h3><ol><li><p>Create a client pod to send the request:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.14/samples/sleep/sleep.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f @samples/sleep/sleep.yaml@
|
|
$ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
|
|
</code></pre></div></li><li><p>Use a test JWT token signed by the OPA:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export TOKEN_PATH_HEADERS="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXRoIjoiTDJobFlXUmxjbk09IiwibmJmIjoxNTAwMDAwMDAwLCJleHAiOjE5MDAwMDAwMDB9.9yl8LcZdq-5UpNLm0Hn0nnoBHXXAnK4e8RSl9vn6l98"
|
|
</code></pre><p>The test JWT token has the following claims:</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
|
|
"path": "L2hlYWRlcnM=",
|
|
"nbf": 1500000000,
|
|
"exp": 1900000000
|
|
}
|
|
</code></pre><p>The <code>path</code> claim has value <code>L2hlYWRlcnM=</code> which is the base64 encode of <code>/headers</code>.</p></li><li><p>Send a request to path <code>/headers</code> without a token. This should be rejected with 403 because there is no JWT token:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -s -o /dev/null -w "%{http_code}\n"
|
|
403
|
|
</code></pre></li><li><p>Send a request to path <code>/get</code> with a valid token. This should be rejected with 403 because the path <code>/get</code> is not matched with the token <code>/headers</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/get -H "Authorization: Bearer $TOKEN_PATH_HEADERS" -s -o /dev/null -w "%{http_code}\n"
|
|
403
|
|
</code></pre></li><li><p>Send a request to path <code>/headers</code> with valid token. This should be allowed with 200 because the path is matched with the token:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -H "Authorization: Bearer $TOKEN_PATH_HEADERS" -s -o /dev/null -w "%{http_code}\n"
|
|
200
|
|
</code></pre></li><li><p>Send request to path <code>/ip</code> without token. This should be allowed with 200 because the path <code>/ip</code> is excluded from
|
|
authorization:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/ip -s -o /dev/null -w "%{http_code}\n"
|
|
200
|
|
</code></pre></li><li><p>Check the proxy and OPA logs to confirm the result.</p></li></ol><h2 id=summary>Summary</h2><p>In Istio 1.9, the <code>CUSTOM</code> action in the authorization policy allows you to easily integrate Istio with any external
|
|
authorization system with the following benefits:</p><ul><li><p>First-class support in the authorization policy API</p></li><li><p>Ease of usage: define the external authorizer simply with a URL and enable with the authorization policy, no more
|
|
hassle with the <code>EnvoyFilter</code> API</p></li><li><p>Conditional triggering, allowing improved performance</p></li><li><p>Support for various deployment type of the external authorizer:</p><ul><li><p>A normal service and pod with or without proxy</p></li><li><p>Inside the workload pod as a separate container</p></li><li><p>Outside the mesh</p></li></ul></li></ul><p>We’re working to promote this feature to a more stable stage in following versions and welcome your feedback at
|
|
<a href=https://discuss.istio.io/c/security/>discuss.istio.io</a>.</p><h2 id=acknowledgements>Acknowledgements</h2><p>Thanks to <code>Craig Box</code>, <code>Christian Posta</code> and <code>Limin Wang</code> for reviewing drafts of this blog.</p></div><nav class=pagenav><div class=left><a title="Learn about sessions, panels, workshops and more on the IstioCon website." href=/v1.14/blog/2021/istiocon-2021-program/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.14/img/icons.svg#left-arrow"/></svg>IstioCon 2021: Schedule Is Live!</a></div><div class=right></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.14/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.14/img/icons.svg#drive"/></svg></a><a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.14/img/icons.svg#slack"/></svg></a><a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.14/img/icons.svg#stackoverflow"/></svg></a><a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.14/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.14/ aria-label=logotype><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.14/img/icons.svg#tick"/></svg>English</a>
|
|
<a tabindex=-1 lang=zh id=switch-lang-zh class=footer-languages-item>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://policies.google.com/privacy>Privacy policy</a> |
|
|
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.14/content/en/blog/2021/better-external-authz/index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>© 2022 Istio Authors.</span>
|
|
<span class=footer-base-version>Version
|
|
Archive
|
|
1.14.3</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/blog/2021/better-external-authz/"),!1'>current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/blog/2021/better-external-authz/"),!1'>next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top" tabindex=-1><svg class="icon top"><use xlink:href="/v1.14/img/icons.svg#top"/></svg></button></div></body></html> |