Istio request.auth.claims[cognito:groups] is not working


apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
    - issuer: "https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-xxxxx"
      jwksUri: "https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-xxxxx/.well-known/jwks.json"

spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
    - from:
        - source:
            notRequestPrincipals: ["*"]
      to:
        - operation:
            paths: ["/api/v1/*"]
      when:
        - key: request.auth.claims[cognito:groups]
          values: ["testing"]

If the JWT token belongs to the AWS Cognito testing group, I am trying to use the snippet above to allow access to /api/v1/*. Unfortunately, it currently returns RBAC: access denied. Please let me know how to fix it?

Problem

With your current AuthorizationPolicy, you are blocking every request that carries the correct token with 403 RBAC: access denied.

I recently did a few tests with AuthorizationPolicy, and it is worth taking a moment to understand how it works.

Solution

As we discussed in the comments, there are 2 ways to actually make this work.

action: ALLOW with requestPrincipals

spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["*"]

action: DENY with notRequestPrincipals

spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
    - from:
        - source:
            notRequestPrincipals: ["*"]

Example

There is an example in the Istio in Action book.

Denying requests without JWT Tokens

Let’s create an authorization policy that denies requests targeting the API Gateway without a JWT Token:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: app-gw-requires-jwt
 namespace: istio-system
spec:
 selector:
   matchLabels:
     app: istio-ingressgateway
 action: DENY
 rules:
 - from:
   - source:
       notRequestPrincipals: ["*"]
   to:
   - operation:
       hosts: ["apiserver.istioinaction.io"]

This policy makes use of the property notRequestPrincipals and the "*" value, which means that the source matches for all requests that lack the request principal property. The Request Principal property gets its value from two claims that are extracted by the Request Authentication filter from the token and stored in filter metadata. The two claims being issuer and subject in the format iss/sub.
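As an added illustration (not part of the question or the answer above), here is a small Python model of how Istio evaluates AuthorizationPolicy rules. It shows why the asker's ALLOW policy rejects both tokenless requests and requests from the testing group, and how keeping the when clause together with requestPrincipals gives the intended behaviour. The evaluation order, the request values and the shape of the claims are assumptions of this model; it is not Istio's code.

```python
import fnmatch

def _any_match(patterns, value):
    """True when value is present and matches any glob in patterns ("*" = anything)."""
    return value is not None and any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _source_matches(src, principal):
    # requestPrincipals needs a matching principal; notRequestPrincipals needs none to match.
    if "requestPrincipals" in src and not _any_match(src["requestPrincipals"], principal):
        return False
    if "notRequestPrincipals" in src and _any_match(src["notRequestPrincipals"], principal):
        return False
    return True

def _when_matches(cond, claims):
    name = cond["key"][len("request.auth.claims["):-1]  # e.g. "cognito:groups"
    got = claims.get(name, [])
    got = got if isinstance(got, list) else [got]  # Cognito groups arrive as a list claim
    return any(_any_match(cond["values"], g) for g in got)

def rule_matches(rule, principal, path, claims):
    froms, tos = rule.get("from", []), rule.get("to", [])
    ok_from = not froms or any(_source_matches(f["source"], principal) for f in froms)
    ok_to = not tos or any(_any_match(t["operation"].get("paths", ["*"]), path) for t in tos)
    ok_when = all(_when_matches(c, claims) for c in rule.get("when", []))
    return ok_from and ok_to and ok_when

def evaluate(policies, principal, path, claims):
    """Modelled Istio order: a matching DENY wins; otherwise allow only if no ALLOW policy exists or one matches."""
    def hits(action):
        return any(p["action"] == action and any(rule_matches(r, principal, path, claims) for r in p["rules"])
                   for p in policies)
    if hits("DENY"):
        return "denied"
    has_allow = any(p["action"] == "ALLOW" for p in policies)
    return "allowed" if not has_allow or hits("ALLOW") else "denied"

# Constructed requests: one with a Cognito token in the "testing" group, one with no token at all.
TOKEN_REQ = dict(principal="https://cognito-idp.example/issuer/sub-123", path="/api/v1/users",
                 claims={"cognito:groups": ["testing"]})
ANON_REQ = dict(principal=None, path="/api/v1/users", claims={})

# The asker's policy: "no principal" (from) and "has a group claim" (when) can never both hold.
ASKER = {"action": "ALLOW", "rules": [{"from": [{"source": {"notRequestPrincipals": ["*"]}}],
         "to": [{"operation": {"paths": ["/api/v1/*"]}}],
         "when": [{"key": "request.auth.claims[cognito:groups]", "values": ["testing"]}]}]}
# Corrected: ALLOW with requestPrincipals, so the when clause actually gates on the group.
FIXED = {"action": "ALLOW", "rules": [{"from": [{"source": {"requestPrincipals": ["*"]}}],
         "to": [{"operation": {"paths": ["/api/v1/*"]}}],
         "when": [{"key": "request.auth.claims[cognito:groups]", "values": ["testing"]}]}]}
```

Run `evaluate([ASKER], **TOKEN_REQ)` and `evaluate([FIXED], **TOKEN_REQ)` to compare the two policies on the same request.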