istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/_docs/tasks/basic-access-control.md

3.7 KiB
Raw Blame History

title overview order layout type
Enabling Simple Access Control This task shows how to use Istio to control access to a service. 90 docs markdown

{% include home.html %}

This task shows how to use Istio to control access to a service.

Before you begin

  • Setup Istio by following the instructions in the Installation guide.

  • Deploy the BookInfo sample application.

  • Initialize the application version routing by either first performing the request routing task or by running the following commands:

    istioctl create -f samples/apps/bookinfo/route-rule-all-v1.yaml
istioctl replace -f samples/apps/bookinfo/route-rule-reviews-v2-v3.yaml

  • Ensure that you can use istioctl mixer by setting up port forwarding if needed.

Access control using denials

Using Istio you can control access to a service based on any attributes that are available within Mixer. This simple form of access control is based on conditionally denying requests using Mixer selectors.

Consider the BookInfo sample application where the ratings service is accessed by multiple versions of the reviews service. We would like to cut off access to version v3 of this service.

  1. Check that versions v2,v3 of the reviews service can access the ratings service. You should see red and black stars alternate when repeatedly visiting http://$GATEWAY_URL/productpage in a browser.

  2. Explicitly deny access to version v3 of the reviews service.

    istioctl mixer rule create global ratings.default.svc.cluster.local -f deny-reviews.yml

where deny-reviews.yml is

rules:
- selector: source.labels["app"]=="reviews" && source.labels["version"] == "v3"  
  aspects:
  - kind: denials

This rule uses the denials aspect to deny requests coming from version v3 of the reviews service. The denials aspect always denies requests with a pre-configured status code and message. The status code and the message is specified in the DenyChecker adapter configuration.

Access control using whitelists

Istio also supports attribute-based white and blacklists. Using a whitelist is a two step process.

  1. Add an adapter definition for the genericListChecker adapter that lists versions v1, v2:

    - name: versionList
  impl: genericListChecker
  params:
    listEntries: ["v1", "v2"]

  2. Enable whitelist checking by using the lists aspect:

    rules:
  aspects:
  - kind: lists
    adapter: versionList
    params:
      blacklist: false
      checkExpression: source.labels["version"]

    checkExpression is evaluated and checked against the list [v1, v2]. The check behavior can be changed to a blacklist by specifying blacklist: true. The expression evaluator returns the value of the version label as specified by the checkExpression key.

What's next