istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.2/blog/2018/istio-authorization/index.html

140 lines
39 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Micro-Segmentation with Istio Authorization"><meta name=description content="Describe Istio's authorization feature and how to use it in various use cases."><meta name=author content="Limin Wang"><meta name=keywords content=microservices,services,mesh,authorization,rbac,security><meta property=og:title content="Micro-Segmentation with Istio Authorization"><meta property=og:type content=website><meta property=og:description content="Describe Istio's authorization feature and how to use it in various use cases."><meta property=og:url content=/v1.2/blog/2018/istio-authorization/><meta property=og:image content=/v1.2/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.2 / Micro-Segmentation with Istio Authorization</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.2/feed.xml><link rel="shortcut icon" href=/v1.2/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.2/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.2/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.2/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.2/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.2/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.2/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.2/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.2/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.2/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.2/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.2/css/all.css><script src=/v1.2/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.2";const docTitle="Micro-Segmentation with Istio Authorization";const iconFile="\/v1.2/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.2/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.2/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.2</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.2/docs/>Docs</a>
<span title="Posts about using Istio.">Blog</span>
<a title="Frequently Asked Questions about Istio." href=/v1.2/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.2/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2018\/istio-authorization\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2018\/istio-authorization\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.2/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card0 title="Blog posts for 2019." aria-controls=card0-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#blog"/></svg>2019 Posts</button><div class=body aria-labelledby=card0 role=region id=card0-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card0><li role=none><a role=treeitem title="Istio 1.1.14 patch release." href=/v1.2/blog/2019/announcing-1.1.14/>Announcing Istio 1.1.14</a></li><li role=none><a role=treeitem title="Istio 1.2.5 patch release." href=/v1.2/blog/2019/announcing-1.2.5/>Announcing Istio 1.2.5</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.1 end of life announcement." href=/v1.2/blog/2019/announcing-1.1-eol/>Support for Istio 1.1 ends on September 19th, 2019</a></li><li role=none><a role=treeitem title="Istio 1.1.13 patch release." href=/v1.2/blog/2019/announcing-1.1.13/>Announcing Istio 1.1.13</a></li><li role=none><a role=treeitem title="Istio 1.2.4 patch release." href=/v1.2/blog/2019/announcing-1.2.4/>Announcing Istio 1.2.4</a></li><li role=none><a role=treeitem title="Security vulnerability disclosure for multiple CVEs." href=/v1.2/blog/2019/istio-security-003-004/>Security Update - ISTIO-SECURITY-003 and ISTIO-SECURITY-004</a></li><li role=none><a role=treeitem title="The design principles behind Istio's APIs and how those APIs are evolving." href=/v1.2/blog/2019/evolving-istios-apis/>The Evolution of Istio&#39;s APIs</a></li><li role=none><a role=treeitem title="Istio 1.1.12 patch release." href=/v1.2/blog/2019/announcing-1.1.12/>Announcing Istio 1.1.12</a></li><li role=none><a role=treeitem title="Istio 1.2.3 patch release." href=/v1.2/blog/2019/announcing-1.2.3/>Announcing Istio 1.2.3</a></li><li role=none><a role=treeitem title="Comparison of alternative solutions to control egress traffic including performance considerations." href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></li><li role=none><a role=treeitem title="Use Istio Egress Traffic Control to prevent attacks involving egress traffic." href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></li><li role=none><a role=treeitem title="Tools and guidance for evaluating Istio's data plane performance." href=/v1.2/blog/2019/performance-best-practices/>Best Practices: Benchmarking Service Mesh Performance</a></li><li role=none><a role=treeitem title="Istio 1.1.11 patch release." href=/v1.2/blog/2019/announcing-1.1.11/>Announcing Istio 1.1.11</a></li><li role=none><a role=treeitem title="Istio 1.0.9 patch release." href=/v1.2/blog/2019/announcing-1.0.9/>Announcing Istio 1.0.9</a></li><li role=none><a role=treeitem title="Istio 1.1.10 patch release." href=/v1.2/blog/2019/announcing-1.1.10/>Announcing Istio 1.1.10</a></li><li role=none><a role=treeitem title="Istio 1.2.2 patch release." href=/v1.2/blog/2019/announcing-1.2.2/>Announcing Istio 1.2.2</a></li><li role=none><a role=treeitem title="Security vulnerability disclosure for CVE-2019-12995." href=/v1.2/blog/2019/cve-2019-12995/>Security Update - CVE-2019-12995</a></li><li role=none><a role=treeitem title="Istio 1.2.1 patch release." href=/v1.2/blog/2019/announcing-1.2.1/>Announcing Istio 1.2.1</a></li><li role=none><a role=treeitem title="Istio 1.0 end of life announcement." href=/v1.2/blog/2019/announcing-1.0-eol-final/>Support for Istio 1.0 has ended</a></li><li role=none><a role=treeitem title="Istio 1.2 release announcement." href=/v1.2/blog/2019/announcing-1.2/>Announcing Istio 1.2</a></li><li role=none><a role=treeitem title="Istio 1.1.9 patch release." href=/v1.2/blog/2019/announcing-1.1.9/>Announcing Istio 1.1.9</a></li><li role=none><a role=treeitem title="Istio 1.0.8 patch release." href=/v1.2/blog/2019/announcing-1.0.8/>Announcing Istio 1.0.8</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of Istio self-signed root certificate." href=/v1.2/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></li><li role=none><a role=treeitem title="Istio 1.1.8 patch release." href=/v1.2/blog/2019/announcing-1.1.8/>Announcing Istio 1.1.8</a></li><li role=none><a role=treeitem title="Security vulnerability disclosure for CVE-2019-12243." href=/v1.2/blog/2019/cve-2019-12243/>Security Update - CVE-2019-12243</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.0 end of life announcement." href=/v1.2/blog/2019/announcing-1.0-eol/>Support for Istio 1.0 ends on June 19th, 2019</a></li><li role=none><a role=treeitem title="Attacks involving egress traffic and requirements for egress traffic control." href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></li><li role=none><a role=treeitem title="Istio 1.1.7 patch release." href=/v1.2/blog/2019/announcing-1.1.7/>Announcing Istio 1.1.7</a></li><li role=none><a role=treeitem title="Istio 1.1.6 patch release." href=/v1.2/blog/2019/announcing-1.1.6/>Announcing Istio 1.1.6</a></li><li role=none><a role=treeitem title="Istio 1.1.5 patch release." href=/v1.2/blog/2019/announcing-1.1.5/>Announcing Istio 1.1.5</a></li><li role=none><a role=treeitem title="Istio 1.1.4 patch release." href=/v1.2/blog/2019/announcing-1.1.4/>Announcing Istio 1.1.4</a></li><li role=none><a role=treeitem title="Istio 1.1.3 patch release." href=/v1.2/blog/2019/announcing-1.1.3/>Announcing Istio 1.1.3</a></li><li role=none><a role=treeitem title="Istio 1.0.7 patch releases." href=/v1.2/blog/2019/announcing-1.0.7/>Announcing Istio 1.0.7 with Important Security Update</a></li><li role=none><a role=treeitem title="Istio 1.1.2 patch release." href=/v1.2/blog/2019/announcing-1.1.2/>Announcing Istio 1.1.2 with Important Security Update</a></li><li role=none><a role=treeitem title="Istio 1.1.1 patch release." href=/v1.2/blog/2019/announcing-1.1.1/>Announcing Istio 1.1.1</a></li><li role=none><a role=treeitem title="Istio 1.1 release announcement." href=/v1.2/blog/2019/announcing-1.1/>Announcing Istio 1.1</a></li><li role=none><a role=treeitem title="An overview of Istio 1.1 performance." href=/v1.2/blog/2019/istio1.1_perf/>Architecting Istio 1.1 for Performance</a></li><li role=none><a role=treeitem title="Istio 1.0.6 patch release." href=/v1.2/blog/2019/announcing-1.0.6/>Announcing Istio 1.0.6</a></li><li role=none><a role=treeitem title="Configuring Istio route rules in a multicluster service mesh." href=/v1.2/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></li><li role=none><a role=treeitem title="Announces the new Istio blog policy." href=/v1.2/blog/2019/sail-the-blog/>Sail the Blog!</a></li><li role=none><a role=treeitem title="De-mystify how Istio manages to plugin its data-plane components into an existing deployment." href=/v1.2/blog/2019/data-plane-setup/>Demystifying Istio&#39;s Sidecar Injection Model</a></li><li role=none><a role=treeitem title="Verifies the performance impact of adding an egress gateway." href=/v1.2/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></li><li role=none><a role=treeitem title="Addressing application startup ordering and startup latency using AppSwitch." href=/v1.2/blog/2019/appswitch/>Sidestepping Dependency Ordering with AppSwitch</a></li><li role=none><a role=treeitem title="Istio has a new discussion board." href=/v1.2/blog/2019/announcing-discuss.istio.io/>Announcing discuss.istio.io</a></li><li role=none><a role=treeitem title="Describes how to deploy a custom ingress gateway using cert-manager manually." href=/v1.2/blog/2019/custom-ingress-gateway/>Deploy a Custom Ingress Gateway Using Cert-Manager</a></li></ul></div></div><div class=card><button class="header dynamic" id=card1 title="Blog posts for 2018." aria-controls=card1-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#blog"/></svg>2018 Posts</button><div class="body default" aria-labelledby=card1 role=region id=card1-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card1><li role=none><a role=treeitem title="Istio 1.0.5 patch release." href=/v1.2/blog/2018/announcing-1.0.5/>Announcing Istio 1.0.5</a></li><li role=none><a role=treeitem title="Istio 1.0.4 patch release." href=/v1.2/blog/2018/announcing-1.0.4/>Announcing Istio 1.0.4</a></li><li role=none><a role=treeitem title="How to use Istio for traffic management without deploying sidecar proxies." href=/v1.2/blog/2018/incremental-traffic-management/>Incremental Istio Part 1, Traffic Management</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.2/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></li><li role=none><a role=treeitem title="Istio 1.0.3 patch release." href=/v1.2/blog/2018/announcing-1.0.3/>Announcing Istio 1.0.3</a></li><li role=none><a role=treeitem title="Istio 1.0.2 patch release." href=/v1.2/blog/2018/announcing-1.0.2/>Announcing Istio 1.0.2</a></li><li role=none><a role=treeitem title="Istio 1.0.1 patch release." href=/v1.2/blog/2018/announcing-1.0.1/>Announcing Istio 1.0.1</a></li><li role=none><a role=treeitem title="Istio hosting an all day Twitch stream to celebrate the 1.0 release." href=/v1.2/blog/2018/istio-twitch-stream/>All Day Istio Twitch Stream</a></li><li role=none><a role=treeitem title="Istio is ready for production use with its 1.0 release." href=/v1.2/blog/2018/announcing-1.0/>Announcing Istio 1.0</a></li><li role=none><a role=treeitem title="How HP is building its next-generation footwear personalization platform on Istio." href=/v1.2/blog/2018/hp/>Istio a Game Changer for HP&#39;s FitStation Platform</a></li><li role=none><a role=treeitem title="Automatic application onboarding and latency optimizations using AppSwitch." href=/v1.2/blog/2018/delayering-istio/>Delayering Istio with AppSwitch</a></li><li role=none><span role=treeitem class=current title="Describe Istio's authorization feature and how to use it in various use cases.">Micro-Segmentation with Istio Authorization</span></li><li role=none><a role=treeitem title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver." href=/v1.2/blog/2018/export-logs-through-stackdriver/>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</a></li><li role=none><a role=treeitem title="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic." href=/v1.2/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1alpha3 routing API." href=/v1.2/blog/2018/v1alpha3-routing/>Introducing the Istio v1alpha3 routing API</a></li><li role=none><a role=treeitem title="Describes how to configure Istio ingress with a network load balancer on AWS." href=/v1.2/blog/2018/aws-nlb/>Configuring Istio Ingress with AWS NLB</a></li><li role=none><a role=treeitem title="Using Kubernetes namespaces and RBAC to create an Istio soft multi-tenancy environment." href=/v1.2/blog/2018/soft-multitenancy/>Istio Soft Multi-Tenancy Support</a></li><li role=none><a role=treeitem title="An introduction to safer, lower-risk deployments and release to production." href=/v1.2/blog/2018/traffic-mirroring/>Traffic Mirroring with Istio for Testing in Production</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.2/blog/2018/egress-tcp/>Consuming External TCP Services</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.2/blog/2018/egress-https/>Consuming External Web Services</a></li></ul></div></div><div class=card><button class="header dynamic" id=card2 title="Blog posts for 2017." aria-controls=card2-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#blog"/></svg>2017 Posts</button><div class=body aria-labelledby=card2 role=region id=card2-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card2><li role=none><a role=treeitem title="Improving availability and reducing latency." href=/v1.2/blog/2017/mixer-spof-myth/>Mixer and the SPOF Myth</a></li><li role=none><a role=treeitem title="Provides an overview of Mixer's plug-in architecture." href=/v1.2/blog/2017/adapter-model/>Mixer Adapter Model</a></li><li role=none><a role=treeitem title="Istio 0.2 announcement." href=/v1.2/blog/2017/0.2-announcement/>Announcing Istio 0.2</a></li><li role=none><a role=treeitem title="How Kubernetes Network Policy relates to Istio policy." href=/v1.2/blog/2017/0.1-using-network-policy/>Using Network Policy with Istio</a></li><li role=none><a role=treeitem title="Using Istio to create autoscaled canary deployments." href=/v1.2/blog/2017/0.1-canary/>Canary Deployments using Istio</a></li><li role=none><a role=treeitem title="Istio Auth 0.1 announcement." href=/v1.2/blog/2017/0.1-auth/>Using Istio to Improve End-to-End Security</a></li><li role=none><a role=treeitem title="Istio 0.1 announcement." href=/v1.2/blog/2017/0.1-announcement/>Introducing Istio</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.2/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.2/blog/ title="Posts about using Istio.">Blog</a></li><li><a href=/v1.2/blog/2018/ title="Blog posts for 2018.">2018 Posts</a></li><li>Micro-Segmentation with Istio Authorization</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Micro-Segmentation with Istio Authorization</h1><p class=byline><span>By</span>
<span class=attribution>Limin Wang</span><span> | </span><span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#calendar"/></svg><span>&nbsp;</span>July 20, 2018</span><span> | </span><span title="1184 words"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#clock"/></svg><span>&nbsp;</span>6 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=Characteristics><a href=#characteristics>Characteristics</a><ol><li role=none aria-label="RPC level authorization"><a href=#rpc-level-authorization>RPC level authorization</a><li role=none aria-label="Role-based access control with conditions"><a href=#role-based-access-control-with-conditions>Role-based access control with conditions</a><li role=none aria-label="High performance"><a href=#high-performance>High performance</a><li role=none aria-label="Work with/without primary identities"><a href=#work-with-without-primary-identities>Work with/without primary identities</a></ol></li><li role=none aria-label=Examples><a href=#examples>Examples</a><ol><li role=none aria-label="Namespace level segmentation via RBAC &#43; conditions"><a href=#namespace-level-segmentation-via-rbac-conditions>Namespace level segmentation via RBAC + conditions</a><li role=none aria-label="Service/method level isolation with/without primary identities"><a href=#service-method-level-isolation-with-without-primary-identities>Service/method level isolation with/without primary identities</a><ol><li role=none aria-label="Using authenticated client identities"><a href=#using-authenticated-client-identities>Using authenticated client identities</a><li role=none aria-label="Client does not have identity"><a href=#client-does-not-have-identity>Client does not have identity</a></ol></li></ol></li><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>Micro-segmentation is a security technique that creates secure zones in cloud deployments and allows organizations to
isolate workloads from one another and secure them individually.
<a href=/v1.2/docs/concepts/security/#authorization>Istio&rsquo;s authorization feature</a>, also known as Istio Role Based Access Control,
provides micro-segmentation for services in an Istio mesh. It features:</p><ul><li>Authorization at different levels of granularity, including namespace level, service level, and method level.</li><li>Service-to-service and end-user-to-service authorization.</li><li>High performance, as it is enforced natively on Envoy.</li><li>Role-based semantics, which makes it easy to use.</li><li>High flexibility as it allows users to define conditions using
<a href=/v1.2/docs/reference/config/authorization/constraints-and-properties/>combinations of attributes</a>.</li></ul><p>In this blog post, you&rsquo;ll learn about the main authorization features and how to use them in different situations.</p><h2 id=characteristics>Characteristics</h2><h3 id=rpc-level-authorization>RPC level authorization</h3><p>Authorization is performed at the level of individual RPCs. Specifically, it controls &ldquo;who can access my <code>bookstore</code> service”,
or &ldquo;who can access method <code>getBook</code> in my <code>bookstore</code> service”. It is not designed to control access to application-specific
resource instances, like access to &ldquo;storage bucket X” or access to &ldquo;3rd book on 2nd shelf”. Today this kind of application
specific access control logic needs to be handled by the application itself.</p><h3 id=role-based-access-control-with-conditions>Role-based access control with conditions</h3><p>Authorization is a <a href=https://en.wikipedia.org/wiki/Role-based_access_control>role-based access control (RBAC)</a> system,
contrast this to an <a href=https://en.wikipedia.org/wiki/Attribute-based_access_control>attribute-based access control (ABAC)</a>
system. Compared to ABAC, RBAC has the following advantages:</p><ul><li><p><strong>Roles allow grouping of attributes.</strong> Roles are groups of permissions, which specifies the actions you are allowed
to perform on a system. Users are grouped based on the roles within an organization. You can define the roles and reuse
them for different cases.</p></li><li><p><strong>It is easier to understand and reason about who has access.</strong> The RBAC concepts map naturally to business concepts.
For example, a DB admin may have all access to DB backend services, while a web client may only be able to view the
frontend service.</p></li><li><p><strong>It reduces unintentional errors.</strong> RBAC policies make otherwise complex security changes easier. You won&rsquo;t have
duplicate configurations in multiple places and later forget to update some of them when you need to make changes.</p></li></ul><p>On the other hand, Istio&rsquo;s authorization system is not a traditional RBAC system. It also allows users to define <strong>conditions</strong> using
<a href=/v1.2/docs/reference/config/authorization/constraints-and-properties/>combinations of attributes</a>. This gives Istio
flexibility to express complex access control policies. In fact, <strong>the &ldquo;RBAC + conditions” model
that Istio authorization adopts, has all the benefits an RBAC system has, and supports the level of flexibility that
normally an ABAC system provides.</strong> You&rsquo;ll see some <a href=#examples>examples</a> below.</p><h3 id=high-performance>High performance</h3><p>Because of its simple semantics, Istio authorization is enforced on Envoy as a native authorization support. At runtime, the
authorization decision is completely done locally inside an Envoy filter, without dependency to any external module.
This allows Istio authorization to achieve high performance and availability.</p><h3 id=work-with-without-primary-identities>Work with/without primary identities</h3><p>Like any other RBAC system, Istio authorization is identity aware. In Istio authorization policy, there is a primary
identity called <code>user</code>, which represents the principal of the client.</p><p>In addition to the primary identity, you can also specify any conditions that define the identities. For example,
you can specify the client identity as &ldquo;user Alice calling from Bookstore frontend service”, in which case,
you have a combined identity of the calling service (<code>Bookstore frontend</code>) and the end user (<code>Alice</code>).</p><p>To improve security, you should enable <a href=/v1.2/docs/concepts/security/#authentication>authentication features</a>,
and use authenticated identities in authorization policies. However, strongly authenticated identity is not required
for using authorization. Istio authorization works with or without identities. If you are working with a legacy system,
you may not have mutual TLS or JWT authentication setup for your mesh. In this case, the only way to identify the client is, for example,
through IP. You can still use Istio authorization to control which IP addresses or IP ranges are allowed to access your service.</p><h2 id=examples>Examples</h2><p>The <a href=/v1.2/docs/tasks/security/authz-http/>authorization task</a> shows you how to
use Istio&rsquo;s authorization feature to control namespace level and service level access using the
<a href=/v1.2/docs/examples/bookinfo/>Bookinfo application</a>. In this section, you&rsquo;ll see more examples on how to achieve
micro-segmentation with Istio authorization.</p><h3 id=namespace-level-segmentation-via-rbac-conditions>Namespace level segmentation via RBAC + conditions</h3><p>Suppose you have services in the <code>frontend</code> and <code>backend</code> namespaces. You would like to allow all your services
in the <code>frontend</code> namespace to access all services that are marked <code>external</code> in the <code>backend</code> namespace.</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRole
metadata:
name: external-api-caller
namespace: backend
spec:
rules:
- services: [&#34;*&#34;]
methods: [&#34;*”]
constraints:
- key: &#34;destination.labels[visibility]”
values: [&#34;external&#34;]
---
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
name: external-api-caller
namespace: backend
spec:
subjects:
- properties:
source.namespace: &#34;frontend”
roleRef:
kind: ServiceRole
name: &#34;external-api-caller&#34;
</code></pre><p>The <code>ServiceRole</code> and <code>ServiceRoleBinding</code> above expressed &ldquo;<em>who</em> is allowed to do <em>what</em> under *which conditions*”
(RBAC + conditions). Specifically:</p><ul><li><strong>&ldquo;who”</strong> are the services in the <code>frontend</code> namespace.</li><li><strong>&ldquo;what”</strong> is to call services in <code>backend</code> namespace.</li><li><strong>&ldquo;conditions”</strong> is the <code>visibility</code> label of the destination service having the value <code>external</code>.</li></ul><h3 id=service-method-level-isolation-with-without-primary-identities>Service/method level isolation with/without primary identities</h3><p>Here is another example that demonstrates finer grained access control at service/method level. The first step
is to define a <code>book-reader</code> <code>ServiceRole</code> that allows READ access to <code>/books/*</code> resource in <code>bookstore</code> service.</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRole
metadata:
name: book-reader
namespace: default
spec:
rules:
- services: [&#34;bookstore.default.svc.cluster.local&#34;]
paths: [&#34;/books/*”]
methods: [&#34;GET”]
</code></pre><h4 id=using-authenticated-client-identities>Using authenticated client identities</h4><p>Suppose you want to grant this <code>book-reader</code> role to your <code>bookstore-frontend</code> service. If you have enabled
<a href=/v1.2/docs/concepts/security/#mutual-tls-authentication>mutual TLS authentication</a> for your mesh, you can use a
service account to identify your <code>bookstore-frontend</code> service. Granting the <code>book-reader</code> role to the <code>bookstore-frontend</code>
service can be done by creating a <code>ServiceRoleBinding</code> as shown below:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
name: book-reader
namespace: default
spec:
subjects:
- user: &#34;cluster.local/ns/default/sa/bookstore-frontend”
roleRef:
kind: ServiceRole
name: &#34;book-reader&#34;
</code></pre><p>You may want to restrict this further by adding a condition that &ldquo;only users who belong to the <code>qualified-reviewer</code> group are
allowed to read books”. The <code>qualified-reviewer</code> group is the end user identity that is authenticated by
<a href=/v1.2/docs/concepts/security/#authentication>JWT authentication</a>. In this case, the combination of the client service identity
(<code>bookstore-frontend</code>) and the end user identity (<code>qualified-reviewer</code>) is used in the authorization policy.</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
name: book-reader
namespace: default
spec:
subjects:
- user: &#34;cluster.local/ns/default/sa/bookstore-frontend”
properties:
request.auth.claims[group]: &#34;qualified-reviewer”
roleRef:
kind: ServiceRole
name: &#34;book-reader&#34;
</code></pre><h4 id=client-does-not-have-identity>Client does not have identity</h4><p>Using authenticated identities in authorization policies is strongly recommended for security. However, if you have a
legacy system that does not support authentication, you may not have authenticated identities for your services.
You can still use Istio authorization to protect your services even without authenticated identities. The example below
shows that you can specify allowed source IP range in your authorization policy.</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
name: book-reader
namespace: default
spec:
subjects:
- properties:
source.ip: 10.20.0.0/9
roleRef:
kind: ServiceRole
name: &#34;book-reader&#34;
</code></pre><h2 id=summary>Summary</h2><p>Istios authorization feature provides authorization at namespace-level, service-level, and method-level granularity.
It adopts &ldquo;RBAC + conditions” model, which makes it easy to use and understand as an RBAC system, while providing the level of
flexibility that an ABAC system normally provides. Istio authorization achieves high performance as it is enforced
natively on Envoy. While it provides the best security by working together with
<a href=/v1.2/docs/concepts/security/#authentication>Istio authentication features</a>, Istio authorization can also be used to
provide access control for legacy systems that do not have authentication.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></p><p class=desc>Shows how to set up role-based access control for HTTP services.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></p><p class=desc>Shows how to set up role-based access control for TCP services.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/docs/tasks/security/authz-permissive/>Authorization permissive mode</a></p><p class=desc>Shows how to use Authorization permissive mode.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/docs/ops/security/debugging-authorization/>Debugging Authorization</a></p><p class=desc>Demonstrates how to debug authorization.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/docs/concepts/security/>Policies and Security</a></p><p class=desc>Describes Istio&#39;s authorization and authentication functionality.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/docs/tasks/security/rbac-groups/>Authorization for groups and list claims</a></p><p class=desc>Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Automatic application onboarding and latency optimizations using AppSwitch." href=/v1.2/blog/2018/delayering-istio/><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#left-arrow"/></svg>Delayering Istio with AppSwitch</a></div><div class=right><a title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver." href=/v1.2/blog/2018/export-logs-through-stackdriver/>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver<svg class="icon"><use xlink:href="/v1.2/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label=Characteristics><a href=#characteristics>Characteristics</a><ol><li role=none aria-label="RPC level authorization"><a href=#rpc-level-authorization>RPC level authorization</a><li role=none aria-label="Role-based access control with conditions"><a href=#role-based-access-control-with-conditions>Role-based access control with conditions</a><li role=none aria-label="High performance"><a href=#high-performance>High performance</a><li role=none aria-label="Work with/without primary identities"><a href=#work-with-without-primary-identities>Work with/without primary identities</a></ol></li><li role=none aria-label=Examples><a href=#examples>Examples</a><ol><li role=none aria-label="Namespace level segmentation via RBAC &#43; conditions"><a href=#namespace-level-segmentation-via-rbac-conditions>Namespace level segmentation via RBAC + conditions</a><li role=none aria-label="Service/method level isolation with/without primary identities"><a href=#service-method-level-isolation-with-without-primary-identities>Service/method level isolation with/without primary identities</a><ol><li role=none aria-label="Using authenticated client identities"><a href=#using-authenticated-client-identities>Using authenticated client identities</a><li role=none aria-label="Client does not have identity"><a href=#client-does-not-have-identity>Client does not have identity</a></ol></li></ol></li><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.2.5 now" href=https://github.com/istio/istio/releases/tag/1.2.5 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.2.5<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on September 12, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink