---
title: Authorization
description: A template used to represent an access control query.
location: https://istio.io/docs/reference/config/policy-and-telemetry/templates/authorization.html
layout: protoc-gen-docs
generator: protoc-gen-docs
aliases:
- /docs/reference/config/template/authorization.html
number_of_entries: 3
---

<p>The <code>authorization</code> template defines parameters for performing policy
enforcement within Istio. It is primarily concerned with enabling Mixer
adapters to make decisions about who is allowed to do what.
In this template, the “who” is defined in a Subject message. The “what” is
defined in an Action message. During a Mixer Check call, these values
will be populated based on configuration from request attributes and
passed to individual authorization adapters to adjudicate.</p>

<p>Example config:</p>

<pre><code class="language-yaml">apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
  name: authinfo
  namespace: istio-system
spec:
  subject:
    user: source.user | request.auth.token[user] | ""
    groups: request.auth.token[groups]
    properties:
      iss: request.auth.token["iss"]
  action:
    namespace: destination.namespace | "default"
    service: destination.service | ""
    path: request.path | "/"
    method: request.method | "post"
    properties:
      version: destination.labels[version] | ""
</code></pre>

<h2 id="Action">Action</h2>
|
|
<section>
|
|
<p>An action defines “how a resource is accessed”.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Action-namespace">
|
|
<td><code>namespace</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Namespace the target action is taking place in.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="Action-service">
|
|
<td><code>service</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>The Service the action is being taken on.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="Action-method">
|
|
<td><code>method</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>What action is being taken.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="Action-path">
|
|
<td><code>path</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>HTTP REST path within the service</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="Action-properties">
|
|
<td><code>properties</code></td>
|
|
<td><code>map<string, <a href="/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html#Value">istio.policy.v1beta1.Value</a>></code></td>
|
|
<td>
|
|
<p>Additional data about the action for use in policy.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="Subject">Subject</h2>
|
|
<section>
|
|
<p>A subject contains a list of attributes that identify
|
|
the caller identity.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Subject-user">
|
|
<td><code>user</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>The user name/ID that the subject represents.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="Subject-groups">
|
|
<td><code>groups</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Groups the subject belongs to depending on the authentication mechanism,
|
|
“groups” are normally populated from JWT claim or client certificate.
|
|
The operator can define how it is populated when creating an instance of
|
|
the template.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="Subject-properties">
|
|
<td><code>properties</code></td>
|
|
<td><code>map<string, <a href="/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html#Value">istio.policy.v1beta1.Value</a>></code></td>
|
|
<td>
|
|
<p>Additional attributes about the subject.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="Template">Template</h2>
|
|
<section>
|
|
<p>The <code>authorization</code> template defines parameters for performing policy
|
|
enforcement within Istio. It is primarily concerned with enabling Mixer
|
|
adapters to make decisions about who is allowed to do what.
|
|
In this template, the “who” is defined in a Subject message. The “what” is
|
|
defined in an Action message. During a Mixer Check call, these values
|
|
will be populated based on configuration from request attributes and
|
|
passed to individual authorization adapters to adjudicate.</p>
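<p>As an added example that is not part of the Istio documentation or code base, the Python below sketches how the attribute expressions in the example config above are resolved against a request's attribute bag to produce the <code>subject</code> and <code>action</code> that an adapter receives: a dotted attribute name, a map index (<code>attr[key]</code> or <code>attr["key"]</code>), a quoted string literal, and the <code>|</code> operator that yields the first operand with a value. The attribute bag and this evaluator are constructed for illustration and are assumptions, not Mixer's own expression-language implementation.</p>

```python
import re
# Constructed attribute bag standing in for what Mixer collects from one request.
ATTRS = {
    "request.auth.token": {"user": "alice", "groups": "dev", "iss": "https://issuer.example"},
    "destination.namespace": "bookinfo", "destination.labels": {"version": "v2"},
    "destination.service": "reviews.bookinfo.svc.cluster.local",
    "request.path": "/reviews/1", "request.method": "GET",
}
# The instance spec from the page's example config, exactly as the operator writes it.
SPEC = {
    "subject": {
        "user": 'source.user | request.auth.token[user] | ""',
        "groups": "request.auth.token[groups]",
        "properties": {"iss": 'request.auth.token["iss"]'},
    },
    "action": {
        "namespace": 'destination.namespace | "default"',
        "service": 'destination.service | ""',
        "path": 'request.path | "/"',
        "method": 'request.method | "post"',
        "properties": {"version": 'destination.labels[version] | ""'},
    },
}
TERM = re.compile(r'^([A-Za-z_][\w.]*)(?:\[("?)([^\]"]+)\2\])?$')  # attr, attr[key], attr["key"]

def eval_term(term, attrs):
    # One operand: a quoted string literal, or an attribute with an optional map index.
    term = term.strip()
    if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
        return term[1:-1]
    if not (m := TERM.match(term)):
        raise ValueError(f"unsupported expression term: {term!r}")
    name, _, key = m.groups()
    value = attrs.get(name)
    if key is not None:  # an absent map or an absent key both mean "no value"
        value = value.get(key) if isinstance(value, dict) else None
    return value

def eval_expr(expr, attrs):
    # `a | b | "x"` yields the first operand with a value; None if nothing resolved.
    for term in expr.split("|"):  # assumption: literals never contain '|'
        value = eval_term(term, attrs)
        if value is not None:
            return value

def build_instance(spec, attrs):
    # Fill every subject/action field of the template from the attribute bag.
    if isinstance(spec, dict):
        return {k: build_instance(v, attrs) for k, v in spec.items()}
    return eval_expr(spec, attrs)
```

Running <code>build_instance(SPEC, {})</code> shows which fields fall back to their literal defaults and which (such as <code>groups</code>) stay unset when the request carries no matching attribute.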

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Template-subject">
<td><code>subject</code></td>
<td><code><a href="#Subject">Subject</a></code></td>
<td>
<p>A subject contains a list of attributes that identify
the caller identity.</p>

</td>
</tr>
<tr id="Template-action">
<td><code>action</code></td>
<td><code><a href="#Action">Action</a></code></td>
<td>
<p>An action defines “how a resource is accessed”.</p>

</td>
</tr>
</tbody>
</table>
</section>