istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.1/help/ops/security/debugging-authorization/index.html

148 lines
32 KiB
HTML
Raw Blame History

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Debugging Authorization"><meta name=description content="Demonstrates how to debug authorization."><meta name=keywords content=microservices,services,mesh,debug,security,authorization,rbac><meta property=og:title content="Debugging Authorization"><meta property=og:type content=website><meta property=og:description content="Demonstrates how to debug authorization."><meta property=og:url content=/v1.1/help/ops/security/debugging-authorization/><meta property=og:image content=/v1.1/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.1 / Debugging Authorization</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.1/feed.xml><link rel="shortcut icon" href=/v1.1/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.1/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.1/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.1/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.1/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.1/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.1/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.1/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.1/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.1/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.1/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.1/css/all.css></head><body class="language-unknown archive-site"><script src=/v1.1/js/themes_init.min.js></script><script>const branchName="release-1.1";const docTitle="Debugging Authorization";const iconFile="\/v1.1/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.1/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.1/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.1</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.1/docs/>Docs</a>
<a title="Posts about using Istio." href=/v1.1/blog/2019/announcing-1.1.9/>Blog</a>
<span title="A bunch of resources to help you deploy, configure and use Istio.">Help</span>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.1/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/help\/ops\/security\/debugging-authorization\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/help\/ops\/security\/debugging-authorization\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.1/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><div id=header0 class=header title="A bunch of resources to help you deploy, configure and use Istio."><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#help"/></svg>Need Help?</div><div class="body default" aria-labelledby=header0><ul role=tree aria-expanded=true aria-labelledby=header0><li role=treeitem aria-label="Operations Guide"><button class=show aria-hidden=true></button><a title="Hints, tips, tricks about running an Istio mesh." href=/v1.1/help/ops/>Operations Guide</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.1/help/ops/component-logging/>Component Logging</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into individual running components." href=/v1.1/help/ops/controlz/>Component Introspection</a></li><li role=none><a role=treeitem title="How to do low-level debugging of Istio components." href=/v1.1/help/ops/component-debugging/>Component Debugging</a></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.1/help/ops/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="An introduction to Istio networking operational aspects." href=/v1.1/help/ops/traffic-management/introduction/>Introduction to Network Operations</a></li><li role=none><a role=treeitem title="Provides specific deployment and configuration guidelines." href=/v1.1/help/ops/traffic-management/deploy-guidelines/>Deployment and Configuration Guidelines</a></li><li role=none><a role=treeitem title="Describes common networking issues and how to recognize and avoid them." href=/v1.1/help/ops/traffic-management/troubleshooting/>Troubleshooting Networking Issues</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management." href=/v1.1/help/ops/traffic-management/proxy-cmd/>Debugging Envoy and Pilot</a></li><li role=none><a role=treeitem title="Information on how to enable and understand Locality Load Balancing." href=/v1.1/help/ops/traffic-management/locality-load-balancing/>Locality Load Balancing</a></li></ul></li><li role=treeitem aria-label=Security><button class=show aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.1/help/ops/security/>Security</a><ul role=group aria-expanded=true class=leaf-section><li role=none><span role=treeitem class=current title="Demonstrates how to debug authorization.">Debugging Authorization</span></li><li role=none><a role=treeitem title="What to do if Citadel is not behaving properly." href=/v1.1/help/ops/security/repairing-citadel/>Repairing Citadel</a></li><li role=none><a role=treeitem title="What to do if you suspect problems with Istio keys and certificates." href=/v1.1/help/ops/security/keys-and-certs/>Keys and Certificates</a></li><li role=none><a role=treeitem title="What to do if mutual TLS authentication isn't working." href=/v1.1/help/ops/security/mutual-tls/>Mutual TLS</a></li><li role=none><a role=treeitem title="Authorization is enabled, but requests make it through anyway." href=/v1.1/help/ops/security/authorization-permissive/>Authorization Too Permissive</a></li><li role=none><a role=treeitem title="Authorization is enabled and no requests make it through to the service." href=/v1.1/help/ops/security/authorization-restrictive/>Authorization Too Restrictive</a></li><li role=none><a role=treeitem title="What to do if end-user authentication doesn't work." href=/v1.1/help/ops/security/end-user-auth/>End User Authentication</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of the Istio self-signed root certificate." href=/v1.1/help/ops/security/root-transition/>Extending Self-Signed Certificate Lifetime</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.1/help/ops/telemetry/>Telemetry</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Diagnose problems where metrics are not being collected." href=/v1.1/help/ops/telemetry/missing-metrics/>Missing Metrics</a></li><li role=none><a role=treeitem title="Dealing with Grafana issues." href=/v1.1/help/ops/telemetry/grafana/>Grafana</a></li><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.1/help/ops/telemetry/envoy-stats/>Envoy Statistics</a></li></ul></li><li role=treeitem aria-label="Installation and Setup"><button aria-hidden=true></button><a title="Helps you diagnose and repair Istio installations." href=/v1.1/help/ops/setup/>Installation and Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.1/help/ops/setup/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for server-side configuration validation." href=/v1.1/help/ops/setup/validation/>Configuration Validation Webhook</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.1/help/ops/setup/injection/>Sidecar Injection Webhook</a></li><li role=none><a role=treeitem title="Describes how to check which capabilities are allowed for your pods." href=/v1.1/help/ops/setup/required-pod-capabilities/>Required Pod Capabilities</a></li><li role=none><a role=treeitem title="Shows how to do health checking for Istio services." href=/v1.1/help/ops/setup/app-health-check/>Health Checking of Istio Services</a></li></ul></li><li role=none><a role=treeitem title="Advice on tackling common problems with Istio." href=/v1.1/help/ops/misc/>Miscellaneous</a></li></ul></li><li role=treeitem aria-label=FAQ><button aria-hidden=true></button><a title="Frequently Asked Questions about Istio." href=/v1.1/help/faq/>FAQ</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="General Q &amp; A." href=/v1.1/help/faq/general/>General</a></li><li role=none><a role=treeitem title="Setup Q &amp; A." href=/v1.1/help/faq/setup/>Setup</a></li><li role=none><a role=treeitem title="Security Q &amp; A." href=/v1.1/help/faq/security/>Security</a></li><li role=none><a role=treeitem title="Mixer Q &amp; A." href=/v1.1/help/faq/mixer/>Mixer</a></li><li role=none><a role=treeitem title="Metrics and Logs Q &amp; A." href=/v1.1/help/faq/metrics-and-logs/>Metrics and Logs</a></li><li role=none><a role=treeitem title="Distributed Tracing Q &amp; A." href=/v1.1/help/faq/distributed-tracing/>Distributed Tracing</a></li><li role=none><a role=treeitem title="Traffic Management Q &amp; A." href=/v1.1/help/faq/traffic-management/>Traffic Management</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.1/help/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.1/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.1/help/ title="A bunch of resources to help you deploy, configure and use Istio.">Help</a></li><li><a href=/v1.1/help/ops/ title="Hints, tips, tricks about running an Istio mesh.">Operations Guide</a></li><li><a href=/v1.1/help/ops/security/ title="Helps you manage the security aspects of a running mesh.">Security</a></li><li>Debugging Authorization</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Debugging Authorization</h1><p class=byline><span title="949 words"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#clock"/></svg><span>&nbsp;</span>5 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Ensure Authorization is Enabled Correctly"><a href=#ensure-authorization-is-enabled-correctly>Ensure Authorization is Enabled Correctly</a><li role=none aria-label="Ensure Pilot Accepts the Policies"><a href=#ensure-pilot-accepts-the-policies>Ensure Pilot Accepts the Policies</a><li role=none aria-label="Ensure Pilot Distributes Policies to Proxies Correctly"><a href=#ensure-pilot-distributes-policies-to-proxies-correctly>Ensure Pilot Distributes Policies to Proxies Correctly</a><li role=none aria-label="Ensure Proxies Enforce Policies Correctly"><a href=#ensure-proxies-enforce-policies-correctly>Ensure Proxies Enforce Policies Correctly</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>This page demonstrates how to debug Istio authorization.</p><div><aside class="callout idea"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-idea"/></svg></div><div class=content>It would be very helpful to also include a cluster state archive in your email by following instructions in
<a href=/v1.1/about/bugs>reporting bugs</a>.</div></aside></div><h2 id=ensure-authorization-is-enabled-correctly>Ensure Authorization is Enabled Correctly</h2><p>The <code>ClusterRbacConfig</code> default cluster level singleton custom resource controls the authorization functionality globally.</p><ol><li><p>Run the following command to list existing <code>ClusterRbacConfig</code>:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl get clusterrbacconfigs.rbac.istio.io --all-namespaces
</code></pre></li><li><p>Verify there is only <strong>one</strong> instance of <code>ClusterRbacConfig</code> with name <code>default</code>. Otherwise, Istio disables the
authorization functionality and ignores all policies.</p><pre><code class=language-plain data-expandlinks=true>NAMESPACE NAME AGE
default default 1d
</code></pre></li><li><p>If there is more than one <code>ClusterRbacConfig</code> instance, remove any additional <code>ClusterRbacConfig</code> instances and
ensure <strong>only one</strong> instance is named <code>default</code>.</p></li></ol><h2 id=ensure-pilot-accepts-the-policies>Ensure Pilot Accepts the Policies</h2><p>Pilot converts and distributes your authorization policies to the proxies. The following steps help
you ensure Pilot is working as expected:</p><ol><li><p>Run the following command to export the Pilot <code>ControlZ</code>:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl port-forward $(kubectl -n istio-system get pods -l istio=pilot -o jsonpath=&#39;{.items[0].metadata.name}&#39;) -n istio-system 9876:9876
</code></pre></li><li><p>Verify you see the following output:</p><pre><code class=language-plain data-expandlinks=true>Forwarding from 127.0.0.1:9876 -&gt; 9876
</code></pre></li><li><p>Start your browser and open the <code>ControlZ</code> page at <code>http://127.0.0.1:9876/scopez/</code>.</p></li><li><p>Change the <code>rbac</code> Output Level to <code>debug</code>.</p></li><li><p>Use <code>Ctrl+C</code> in the terminal you started in step 1 to stop the port-forward command.</p></li><li><p>Print the log of Pilot and search for <code>rbac</code> with the following command:</p><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>You probably need to first delete and then re-apply your authorization policies so that
the debug output is generated for these policies.</div></aside></div><pre><code class=language-bash data-expandlinks=true>$ kubectl logs $(kubectl -n istio-system get pods -l istio=pilot -o jsonpath=&#39;{.items[0].metadata.name}&#39;) -c discovery -n istio-system | grep rbac
</code></pre></li><li><p>Check the output and verify:</p><ul><li>There are no errors.</li><li>There is a <code>&quot;built filter config for ...&quot;</code> message which means the filter is generated
for the target service.</li></ul></li><li><p>For example, you might see something similar to the following:</p><pre><code class=language-plain data-expandlinks=true>2018-07-26T22:25:41.009838Z debug rbac building filter config for {sleep.foo.svc.cluster.local map[app:sleep pod-template-hash:3326367878] map[destination.name:sleep destination.namespace:foo destination.user:default]}
2018-07-26T22:25:41.009915Z info rbac no service role in namespace foo
2018-07-26T22:25:41.009957Z info rbac no service role binding in namespace foo
2018-07-26T22:25:41.010000Z debug rbac generated filter config: { }
2018-07-26T22:25:41.010114Z info rbac built filter config for sleep.foo.svc.cluster.local
2018-07-26T22:25:41.182400Z debug rbac building filter config for {productpage.default.svc.cluster.local map[pod-template-hash:2600844901 version:v1 app:productpage] map[destination.name:productpage destination.namespace:default destination.user:bookinfo-productpage]}
2018-07-26T22:25:41.183131Z debug rbac checking role app2-grpc-viewer
2018-07-26T22:25:41.183214Z debug rbac role skipped for no AccessRule matched
2018-07-26T22:25:41.183255Z debug rbac checking role productpage-viewer
2018-07-26T22:25:41.183281Z debug rbac matched AccessRule[0]
2018-07-26T22:25:41.183390Z debug rbac generated filter config: {policies:&lt;key:&#34;productpage-viewer&#34; value:&lt;permissions:&lt;and_rules:&lt;rules:&lt;or_rules:&lt;rules:&lt;header:&lt;name:&#34;:method&#34; exact_match:&#34;GET&#34; &gt; &gt; &gt; &gt; &gt; &gt; principals:&lt;and_ids:&lt;ids:&lt;any:true &gt; &gt; &gt; &gt; &gt; }
2018-07-26T22:25:41.184407Z info rbac built filter config for productpage.default.svc.cluster.local
</code></pre><p>It means Pilot generated:</p><ul><li><p>An empty config for <code>sleep.foo.svc.cluster.local</code> as there is no authorization policies matched
and Istio denies all requests sent to this service by default.</p></li><li><p>An config for <code>productpage.default.svc.cluster.local</code> and Istio will allow anyone to access it
with GET method.</p></li></ul></li></ol><h2 id=ensure-pilot-distributes-policies-to-proxies-correctly>Ensure Pilot Distributes Policies to Proxies Correctly</h2><p>Pilot distributes the authorization policies to proxies. The following steps help you ensure Pilot
is working as expected:</p><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>The command used in this section assumes you have deployed <a href=/v1.1/docs/examples/bookinfo/>Bookinfo application</a>,
otherwise you should replace <code>&quot;-l app=productpage&quot;</code> with your actual pod.</div></aside></div><ol><li><p>Run the following command to get the proxy configuration dump for the <code>productpage</code> service:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec $(kubectl get pods -l app=productpage -o jsonpath=&#39;{.items[0].metadata.name}&#39;) -c istio-proxy -- curl localhost:15000/config_dump -s
</code></pre></li><li><p>Check the log and verify:</p><ul><li>The log includes an <code>envoy.filters.http.rbac</code> filter to enforce the authorization policy
on each incoming request.</li><li>Istio updates the filter accordingly after you update your authorization policy.</li></ul></li><li><p>The following output means the proxy of <code>productpage</code> has enabled the <code>envoy.filters.http.rbac</code> filter
with rules that allows anyone to access it via <code>GET</code> method. The <code>shadow_rules</code> are not used and you can ignored them safely.</p><pre><code class=language-plain data-expandlinks=true>{
&#34;name&#34;: &#34;envoy.filters.http.rbac&#34;,
&#34;config&#34;: {
&#34;rules&#34;: {
&#34;policies&#34;: {
&#34;productpage-viewer&#34;: {
&#34;permissions&#34;: [
{
&#34;and_rules&#34;: {
&#34;rules&#34;: [
{
&#34;or_rules&#34;: {
&#34;rules&#34;: [
{
&#34;header&#34;: {
&#34;exact_match&#34;: &#34;GET&#34;,
&#34;name&#34;: &#34;:method&#34;
}
}
]
}
}
]
}
}
],
&#34;principals&#34;: [
{
&#34;and_ids&#34;: {
&#34;ids&#34;: [
{
&#34;any&#34;: true
}
]
}
}
]
}
}
},
&#34;shadow_rules&#34;: {
&#34;policies&#34;: {}
}
}
},
</code></pre></li></ol><h2 id=ensure-proxies-enforce-policies-correctly>Ensure Proxies Enforce Policies Correctly</h2><p>Proxies eventually enforce the authorization policies. The following steps help you ensure the proxy
is working as expected:</p><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-tip"/></svg></div><div class=content>The command used in this section assumes you have deployed <a href=/v1.1/docs/examples/bookinfo/>Bookinfo application</a>.
otherwise you should replace <code>&quot;-l app=productpage&quot;</code> with your actual pod.</div></aside></div><ol><li><p>Turn on the authorization debug logging in proxy with the following command:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec $(kubectl get pods -l app=productpage -o jsonpath=&#39;{.items[0].metadata.name}&#39;) -c istio-proxy -- curl -X POST localhost:15000/logging?rbac=debug -s
</code></pre></li><li><p>Verify you see the following output:</p><pre><code class=language-plain data-expandlinks=true>active loggers:
... ...
rbac: debug
... ...
</code></pre></li><li><p>Visit the <code>productpage</code> in your browser to generate some logs.</p></li><li><p>Print the proxy logs with the following command:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl logs $(kubectl get pods -l app=productpage -o jsonpath=&#39;{.items[0].metadata.name}&#39;) -c istio-proxy
</code></pre></li><li><p>Check the output and verify:</p><ul><li><p>The output log shows either <code>enforced allowed</code> or <code>enforced denied</code> depending on whether the request
was allowed or denied respectively.</p></li><li><p>Your authorization policy expects the data extracted from the request.</p></li></ul></li><li><p>The following output means there is a <code>GET</code> request at path <code>/productpage</code> and the policy allows the request.
The <code>shadow denied</code> has no effect and you can ignore it safely.</p><pre><code class=language-plain data-expandlinks=true>...
[2018-07-26 20:39:18.060][152][debug][rbac] external/envoy/source/extensions/filters/http/rbac/rbac_filter.cc:79] checking request: remoteAddress: 10.60.0.139:51158, localAddress: 10.60.0.93:9080, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account, subjectPeerCertificate: O=, headers: &#39;:authority&#39;, &#39;35.238.0.62&#39;
&#39;:path&#39;, &#39;/productpage&#39;
&#39;:method&#39;, &#39;GET&#39;
&#39;upgrade-insecure-requests&#39;, &#39;1&#39;
&#39;user-agent&#39;, &#39;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36&#39;
&#39;dnt&#39;, &#39;1&#39;
&#39;accept&#39;, &#39;text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8&#39;
&#39;accept-encoding&#39;, &#39;gzip, deflate&#39;
&#39;accept-language&#39;, &#39;en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7&#39;
&#39;x-forwarded-for&#39;, &#39;10.60.0.1&#39;
&#39;x-forwarded-proto&#39;, &#39;http&#39;
&#39;x-request-id&#39;, &#39;e23ea62d-b25d-91be-857c-80a058d746d4&#39;
&#39;x-b3-traceid&#39;, &#39;5983108bf6d05603&#39;
&#39;x-b3-spanid&#39;, &#39;5983108bf6d05603&#39;
&#39;x-b3-sampled&#39;, &#39;1&#39;
&#39;x-istio-attributes&#39;, &#39;CikKGGRlc3RpbmF0aW9uLnNlcnZpY2UubmFtZRINEgtwcm9kdWN0cGFnZQoqCh1kZXN0aW5hdGlvbi5zZXJ2aWNlLm5hbWVzcGFjZRIJEgdkZWZhdWx0Ck8KCnNvdXJjZS51aWQSQRI/a3ViZXJuZXRlczovL2lzdGlvLWluZ3Jlc3NnYXRld2F5LTc2NjY0Y2NmY2Ytd3hjcjQuaXN0aW8tc3lzdGVtCj4KE2Rlc3RpbmF0aW9uLnNlcnZpY2USJxIlcHJvZHVjdHBhZ2UuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbApDChhkZXN0aW5hdGlvbi5zZXJ2aWNlLmhvc3QSJxIlcHJvZHVjdHBhZ2UuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbApBChdkZXN0aW5hdGlvbi5zZXJ2aWNlLnVpZBImEiRpc3RpbzovL2RlZmF1bHQvc2VydmljZXMvcHJvZHVjdHBhZ2U=&#39;
&#39;content-length&#39;, &#39;0&#39;
&#39;x-envoy-internal&#39;, &#39;true&#39;
&#39;sec-istio-authn-payload&#39;, &#39;CkVjbHVzdGVyLmxvY2FsL25zL2lzdGlvLXN5c3RlbS9zYS9pc3Rpby1pbmdyZXNzZ2F0ZXdheS1zZXJ2aWNlLWFjY291bnQSRWNsdXN0ZXIubG9jYWwvbnMvaXN0aW8tc3lzdGVtL3NhL2lzdGlvLWluZ3Jlc3NnYXRld2F5LXNlcnZpY2UtYWNjb3VudA==&#39;
, dynamicMetadata: filter_metadata {
key: &#34;istio_authn&#34;
value {
fields {
key: &#34;request.auth.principal&#34;
value {
string_value: &#34;cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account&#34;
}
}
fields {
key: &#34;source.principal&#34;
value {
string_value: &#34;cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account&#34;
}
}
}
}
[2018-07-26 20:39:18.060][152][debug][rbac] external/envoy/source/extensions/filters/http/rbac/rbac_filter.cc:88] shadow denied
[2018-07-26 20:39:18.060][152][debug][rbac] external/envoy/source/extensions/filters/http/rbac/rbac_filter.cc:98] enforced allowed
...
</code></pre></li></ol><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></p><p class=desc>Describe Istio&#39;s authorization feature and how to use it in various use cases.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></p><p class=desc>Shows how to set up role-based access control for HTTP services.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></p><p class=desc>Shows how to set up role-based access control for TCP services.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/authz-permissive/>Authorization permissive mode</a></p><p class=desc>Shows how to use Authorization permissive mode.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/concepts/security/>Security</a></p><p class=desc>Describes Istio&#39;s authorization and authentication functionality.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/rbac-groups/>Authorization for groups and list claims</a></p><p class=desc>Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio.</p></div></div></nav></article><nav class=pagenav><div class=left></div><div class=right><a title="What to do if Citadel is not behaving properly." href=/v1.1/help/ops/security/repairing-citadel/>Repairing Citadel<svg class="icon"><use xlink:href="/v1.1/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Ensure Authorization is Enabled Correctly"><a href=#ensure-authorization-is-enabled-correctly>Ensure Authorization is Enabled Correctly</a><li role=none aria-label="Ensure Pilot Accepts the Policies"><a href=#ensure-pilot-accepts-the-policies>Ensure Pilot Accepts the Policies</a><li role=none aria-label="Ensure Pilot Distributes Policies to Proxies Correctly"><a href=#ensure-pilot-distributes-policies-to-proxies-correctly>Ensure Pilot Distributes Policies to Proxies Correctly</a><li role=none aria-label="Ensure Proxies Enforce Policies Correctly"><a href=#ensure-proxies-enforce-policies-correctly>Ensure Proxies Enforce Policies Correctly</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.1.9 now" href=https://github.com/istio/istio/releases/tag/1.1.9 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.1.9<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on June 18, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#github"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#slack"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink