istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/zh/docs/reference/config/security/request_authentication/index.html

574 lines
18 KiB
HTML
Raw Blame History

---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
source_repo: https://github.com/istio/api
title: RequestAuthentication
description: Request authentication configuration for workloads.
location: https://istio.io/docs/reference/config/security/request_authentication.html
layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.security.v1beta1.RequestAuthentication
aliases: [/zh/docs/reference/config/security/v1beta1/request_authentication, /docs/reference/config/security/v1beta1/jwt, /docs/reference/config/security/v1beta1/jwt.html]
number_of_entries: 4
---
<h2 id="RequestAuthentication">RequestAuthentication</h2>
<section>
<p>RequestAuthentication defines what request authentication methods are supported by a workload.
It will reject a request if the request contains invalid authentication information, based on the
configured authentication rules. A request that does not contain any authentication credentials
will be accepted but will not have any authenticated identity. To restrict access to authenticated
requests only, this should be accompanied by an authorization rule.
Examples:</p>
<ul>
<li>Require JWT for all request for workloads that have label <code>app:httpbin</code></li>
</ul>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:
- issuer: &quot;issuer-foo&quot;
jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
</code></pre>
<ul>
<li>A policy in the root namespace (&ldquo;istio-system&rdquo; by default) applies to workloads in all namespaces
in a mesh. The following policy makes all workloads only accept requests that contain a
valid JWT token.</li>
</ul>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
name: req-authn-for-all
namespace: istio-system
spec:
jwtRules:
- issuer: &quot;issuer-foo&quot;
jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: require-jwt-for-all
namespace: istio-system
spec:
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
</code></pre>
<ul>
<li>The next example shows how to set a different JWT requirement for a different <code>host</code>. The <code>RequestAuthentication</code>
declares it can accept JWTs issued by either <code>issuer-foo</code> or <code>issuer-bar</code> (the public key set is implicitly
set from the OpenID Connect spec).</li>
</ul>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:
- issuer: &quot;issuer-foo&quot;
- issuer: &quot;issuer-bar&quot;
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;issuer-foo/*&quot;]
to:
- operation:
hosts: [&quot;example.com&quot;]
- from:
- source:
requestPrincipals: [&quot;issuer-bar/*&quot;]
to:
- operation:
hosts: [&quot;another-host.com&quot;]
</code></pre>
<ul>
<li>You can fine tune the authorization policy to set different requirement per path. For example,
to require JWT on all paths, except /healthz, the same <code>RequestAuthentication</code> can be used, but the
authorization policy could be:</li>
</ul>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
- to:
- operation:
paths: [&quot;/healthz&quot;]
</code></pre>
<p>[Experimental] Routing based on derived <a href="/latest/docs/reference/config/security/conditions/">metadata</a>
is now supported. A prefix &lsquo;@&rsquo; is used to denote a match against internal metadata instead of the headers in the request.
Currently this feature is only supported for the following metadata:</p>
<ul>
<li><code>request.auth.claims.{claim-name}[.{nested-claim}]*</code> which are extracted from validated JWT tokens.
Use the <code>.</code> or <code>[]</code> as a separator for nested claim names.
Examples: <code>request.auth.claims.sub</code>, <code>request.auth.claims.name.givenName</code> and <code>request.auth.claims[foo.com/name]</code>.
For more information, see <a href="/latest/docs/tasks/security/authentication/jwt-route/">JWT claim based routing</a>.</li>
</ul>
<p>The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:</p>
<ul>
<li>RequestAuthentication to decode and validate a JWT. This also makes the <code>@request.auth.claims</code> available for use in the VirtualService.</li>
<li>AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.</li>
<li>VirtualService to route the request based on the &ldquo;sub&rdquo; claim.</li>
</ul>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
name: jwt-on-ingress
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
jwtRules:
- issuer: &quot;example.com&quot;
jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: require-jwt
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
name: route-jwt
spec:
hosts:
- foo.prod.svc.cluster.local
gateways:
- istio-ingressgateway
http:
- name: &quot;v2&quot;
match:
- headers:
&quot;@request.auth.claims.sub&quot;:
exact: &quot;dev&quot;
route:
- destination:
host: foo.prod.svc.cluster.local
subset: v2
- name: &quot;default&quot;
route:
- destination:
host: foo.prod.svc.cluster.local
subset: v1
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="RequestAuthentication-selector">
<td><code>selector</code></td>
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td>
<p>Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads
in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace,
the selector will additionally match with workloads in all namespaces.</p>
<p>If not set, the selector will match all workloads.</p>
<p>At most one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RequestAuthentication-targetRefs">
<td><code>targetRefs</code></td>
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
<td>
<p>Optional. The targetRefs specifies a list of resources the policy should be
applied to. The targeted resources specified will determine which workloads
the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>
<p>NOTE: If you are using the <code>targetRefs</code> field in a multi-revision environment with Istio versions prior to 1.22,
it is highly recommended that you pin the policy to a revision running 1.22+ via the <code>istio.io/rev</code> label.
This is to prevent proxies connected to older control planes (that don&rsquo;t know about the <code>targetRefs</code> field)
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RequestAuthentication-jwt_rules">
<td><code>jwtRules</code></td>
<td><code><a href="#JWTRule">JWTRule[]</a></code></td>
<td>
<p>Define the list of JWTs that can be validated at the selected workloads&rsquo; proxy. A valid token
will be used to extract the authenticated identity.
Each rule will be activated only when a token is presented at the location recognized by the
rule. The token will be validated based on the JWT rule config. If validation fails, the request will
be rejected.
Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="JWTRule">JWTRule</h2>
<section>
<p>JSON Web Token (JWT) token format for authentication as defined by
<a href="https://tools.ietf.org/html/rfc7519">RFC 7519</a>. See <a href="https://tools.ietf.org/html/rfc6749">OAuth 2.0</a> and
<a href="http://openid.net/connect">OIDC 1.0</a> for how this is used in the whole
authentication flow.</p>
<p>Examples:</p>
<p>Spec for a JWT that is issued by <code>https://example.com</code>, with the audience claims must be either
<code>bookstore_android.apps.example.com</code> or <code>bookstore_web.apps.example.com</code>.
The token should be presented at the <code>Authorization</code> header (default). The JSON Web Key Set (JWKS)
will be discovered following OpenID Connect protocol.</p>
<pre><code class="language-yaml">issuer: https://example.com
audiences:
- bookstore_android.apps.example.com
bookstore_web.apps.example.com
</code></pre>
<p>This example specifies a token in a non-default location (<code>x-goog-iap-jwt-assertion</code> header). It also
defines the URI to fetch JWKS explicitly.</p>
<pre><code class="language-yaml">issuer: https://example.com
jwksUri: https://example.com/.secret/jwks.json
fromHeaders:
- &quot;x-goog-iap-jwt-assertion&quot;
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="JWTRule-issuer">
<td><code>issuer</code></td>
<td><code>string</code></td>
<td>
<p>Identifies the issuer that issued the JWT. See
<a href="https://tools.ietf.org/html/rfc7519#section-4.1.1">issuer</a>
A JWT with different <code>iss</code> claim will be rejected.</p>
<p>Example: <code>https://foobar.auth0.com</code>
Example: <code>1234567-compute@developer.gserviceaccount.com</code></p>
</td>
<td>
Yes
</td>
</tr>
<tr id="JWTRule-audiences">
<td><code>audiences</code></td>
<td><code>string[]</code></td>
<td>
<p>The list of JWT
<a href="https://tools.ietf.org/html/rfc7519#section-4.1.3">audiences</a>
that are allowed to access. A JWT containing any of these
audiences will be accepted.</p>
<p>The service name will be accepted if audiences is empty.</p>
<p>Example:</p>
<pre><code class="language-yaml">audiences:
- bookstore_android.apps.example.com
bookstore_web.apps.example.com
</code></pre>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-jwks_uri">
<td><code>jwksUri</code></td>
<td><code>string</code></td>
<td>
<p>URL of the provider&rsquo;s public key set to validate signature of the
JWT. See <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID Discovery</a>.</p>
<p>Optional if the key set document can either (a) be retrieved from
<a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID
Discovery</a> of
the issuer or (b) inferred from the email domain of the issuer (e.g. a
Google service account).</p>
<p>Example: <code>https://www.googleapis.com/oauth2/v1/certs</code></p>
<p>Note: Only one of <code>jwksUri</code> and <code>jwks</code> should be used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-jwks">
<td><code>jwks</code></td>
<td><code>string</code></td>
<td>
<p>JSON Web Key Set of public keys to validate signature of the JWT.
See <a href="https://auth0.com/docs/jwks">https://auth0.com/docs/jwks</a>.</p>
<p>Note: Only one of <code>jwksUri</code> and <code>jwks</code> should be used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-from_headers">
<td><code>fromHeaders</code></td>
<td><code><a href="#JWTHeader">JWTHeader[]</a></code></td>
<td>
<p>List of header locations from which JWT is expected. For example, below is the location spec
if JWT is expected to be found in <code>x-jwt-assertion</code> header, and have <code>Bearer</code> prefix:</p>
<pre><code class="language-yaml"> fromHeaders:
- name: x-jwt-assertion
prefix: &quot;Bearer &quot;
</code></pre>
<p>Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-from_params">
<td><code>fromParams</code></td>
<td><code>string[]</code></td>
<td>
<p>List of query parameters from which JWT is expected. For example, if JWT is provided via query
parameter <code>my_token</code> (e.g <code>/path?my_token=&lt;JWT&gt;</code>), the config is:</p>
<pre><code class="language-yaml"> fromParams:
- &quot;my_token&quot;
</code></pre>
<p>Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-output_payload_to_header">
<td><code>outputPayloadToHeader</code></td>
<td><code>string</code></td>
<td>
<p>This field specifies the header name to output a successfully verified JWT payload to the
backend. The forwarded data is <code>base64_encoded(jwt_payload_in_JSON)</code>. If it is not specified,
the payload will not be emitted.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-from_cookies">
<td><code>fromCookies</code></td>
<td><code>string[]</code></td>
<td>
<p>List of cookie names from which JWT is expected. //
For example, if config is:</p>
<pre><code class="language-yaml"> from_cookies:
- auth-token
</code></pre>
<p>Then JWT will be extracted from <code>auth-token</code> cookie in the request.</p>
<p>Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-forward_original_token">
<td><code>forwardOriginalToken</code></td>
<td><code>bool</code></td>
<td>
<p>If set to true, the original token will be kept for the upstream request. Default is false.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-output_claim_to_headers">
<td><code>outputClaimToHeaders</code></td>
<td><code><a href="#ClaimToHeader">ClaimToHeader[]</a></code></td>
<td>
<p>This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.
This differs from the <code>output_payload_to_header</code> by allowing outputting individual claims instead of the whole payload.
The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well.</p>
<pre><code> outputClaimToHeaders:
- header: x-my-company-jwt-group
claim: my-group
- header: x-test-environment-flag
claim: test-flag
- header: x-jwt-claim-group
claim: nested.key.group
</code></pre>
<p>[Experimental] This feature is a experimental feature.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-timeout">
<td><code>timeout</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
will spend waiting for the JWKS to be fetched. Default is 5s.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="JWTHeader">JWTHeader</h2>
<section>
<p>This message specifies a header location to extract JWT token.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="JWTHeader-name">
<td><code>name</code></td>
<td><code>string</code></td>
<td>
<p>The HTTP header name.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="JWTHeader-prefix">
<td><code>prefix</code></td>
<td><code>string</code></td>
<td>
<p>The prefix that should be stripped before decoding the token.
For example, for <code>Authorization: Bearer &lt;token&gt;</code>, prefix=<code>Bearer</code> with a space at the end.
If the header doesn&rsquo;t have this exact prefix, it is considered invalid.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ClaimToHeader">ClaimToHeader</h2>
<section>
<p>This message specifies the detail for copying claim to header.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ClaimToHeader-header">
<td><code>header</code></td>
<td><code>string</code></td>
<td>
<p>The name of the header to be created. The header will be overridden if it already exists in the request.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="ClaimToHeader-claim">
<td><code>claim</code></td>
<td><code>string</code></td>
<td>
<p>The name of the claim to be copied from. Only claim of type string/int/bool is supported.
The header will not be there if the claim does not exist or the type of the claim is not supported.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
Reference in New Issue View Git Blame Copy Permalink