Istio authorization - Pattern matching in Istio 'paths' field

I want to create a rule in Istio authorization:

            - to:
                - operation:
                    methods: [ "POST" ]
                    paths: [ "/data/api/v1/departments/*/users/*/position" ]
              when:
                - key: request.auth.claims[resource_access][roles]
                  values: [ "edit" ]

So I want to use path variables here (in place of the '*'). What should I put instead of '*' to make it work? It does not work with the current setup.

I get 'RBAC denied'. I have a role 'edit', and the path to that role is fine. It works for endpoints without the '*' symbol.

Posting this answer as a community wiki, since a similar question has already been answered here:

Part of the question:

       - operation:
           methods: ["PUT"]
           paths: ["/my-service/docs/*/activate/*"]  

Answer:

According to the Istio documentation:

Rule

Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, operation and condition matches the request. An empty rule is always matched.

Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

  • Exact match: “abc” will match on value “abc”.
  • Prefix match: “abc*” will match on value “abc” and “abcd”.
  • Suffix match: “*abc” will match on value “abc” and “xabc”.
  • Presence match: “*” will match when value is not empty.

So the authorization policy does support wildcards, but I think the problem is with the */activate/* path, because a path can only use a wildcard at the beginning, at the end, or as the whole string; a double wildcard does not work.

There is a related open GitHub issue:
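As an added illustration (not part of the question or the answer above, and not Istio's own code), the following Python models the four match kinds the quoted documentation lists and evaluates the questioner's rule against a sample request. Everything in it is an assumption for the example: the sample path, the decoded JWT claims and the rewritten prefix rule are constructed, and only `request.auth.claims[...]` conditions are modelled, not Istio's other condition keys.

```python
"""Model of Istio AuthorizationPolicy string matching, written for this answer.

Only the four match kinds from the Istio docs (Exact, Prefix, Suffix,
Presence) and request.auth.claims[...] conditions are modelled; this is
an illustration, not Istio's implementation.
"""
import re
from typing import Any


def istio_string_match(pattern: str, value: str) -> bool:
    """Apply one Istio string pattern to a value.

    '*' is not a glob: a bare '*' is a presence test, a leading '*' makes a
    suffix match, a trailing '*' a prefix match. A '*' anywhere else is
    compared literally, which is why '/a/*/b' never matches '/a/42/b'.
    """
    if pattern == "*":
        return value != ""                      # Presence match
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])      # Suffix match
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])   # Prefix match
    return value == pattern                     # Exact match


def operation_matches(op: dict, method: str, path: str) -> bool:
    """An operation matches when every listed field has at least one hit;
    an absent field matches anything."""
    methods = op.get("methods", [])
    paths = op.get("paths", [])
    method_ok = not methods or any(istio_string_match(m, method) for m in methods)
    path_ok = not paths or any(istio_string_match(p, path) for p in paths)
    return method_ok and path_ok


def claim_values(claims: dict, key: str) -> list:
    """Resolve a key like request.auth.claims[resource_access][roles]
    against a decoded JWT payload; missing claims resolve to no values."""
    node: Any = claims
    for part in re.findall(r"\[([^\]]+)\]", key):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return node if isinstance(node, list) else [node]


def condition_matches(cond: dict, claims: dict) -> bool:
    """A `when` condition holds if any wanted value matches any actual value."""
    actual = [str(v) for v in claim_values(claims, cond["key"])]
    return any(istio_string_match(want, got)
               for want in cond.get("values", []) for got in actual)


def rule_allows(rule: dict, method: str, path: str, claims: dict) -> bool:
    """A rule matches when some `to` operation matches and every `when`
    condition holds (an empty `to` matches any operation)."""
    to_ok = not rule.get("to") or any(
        operation_matches(t["operation"], method, path) for t in rule["to"])
    when_ok = all(condition_matches(c, claims) for c in rule.get("when", []))
    return to_ok and when_ok


# The questioner's rule as written, with '*' in the middle of the path.
QUESTION_RULE = {
    "to": [{"operation": {
        "methods": ["POST"],
        "paths": ["/data/api/v1/departments/*/users/*/position"]}}],
    "when": [{"key": "request.auth.claims[resource_access][roles]",
              "values": ["edit"]}],
}

# Assumed rewrite: a prefix match, which Istio does support. It is broader
# than the original intent (any POST under /departments/ passes the mesh
# check), so the application behind it must still enforce the finer path rule.
PREFIX_RULE = {
    "to": [{"operation": {
        "methods": ["POST"],
        "paths": ["/data/api/v1/departments/*"]}}],
    "when": QUESTION_RULE["when"],
}

# Constructed sample request and JWT claims (not real values).
SAMPLE_PATH = "/data/api/v1/departments/42/users/7/position"
SAMPLE_CLAIMS = {"resource_access": {"roles": ["edit"]}}


def demo() -> dict:
    """Evaluate both rules against the sample request."""
    return {
        "question_rule": rule_allows(QUESTION_RULE, "POST", SAMPLE_PATH, SAMPLE_CLAIMS),
        "prefix_rule": rule_allows(PREFIX_RULE, "POST", SAMPLE_PATH, SAMPLE_CLAIMS),
        "prefix_rule_wrong_role": rule_allows(
            PREFIX_RULE, "POST", SAMPLE_PATH, {"resource_access": {"roles": ["view"]}}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'RBAC denied'}")
```

Running it shows the original rule denying the request even though the role claim matches, because the mid-path `*` is compared literally, while the prefix form allows it and still denies a token without the `edit` role. Before relying on a prefix rule, check the AuthorizationPolicy reference for your Istio release: newer versions document a separate path-template syntax for matching individual segments, which is a different mechanism from the four match kinds modelled here.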