How to set up Istio RBAC based on groups from JWT claims?
I have a service with an AuthenticationPolicy and Istio RBAC enabled (the authorization context is set up to use groups from the JWT claims). However, when making calls, Istio does not seem to take the groups attribute from the JWT claims into account.
As the IDP I use dex, with the corresponding AuthnPolicy set up for it.
I have set up the authorization context as follows:
apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
  name: requestcontext
  namespace: istio-system
spec:
  subject:
    user: source.user | request.auth.claims["email"] | ""
    groups: request.auth.claims["groups"] | ""
    properties:
      namespace: source.namespace | ""
      service: source.service | ""
      iss: request.auth.claims["iss"] | ""
      sub: request.auth.claims["sub"] | ""
  action:
    namespace: destination.namespace | ""
    service: destination.service | ""
    method: request.method | ""
    path: request.path | ""
    properties:
      version: request.headers["version"] | ""
I enabled RBAC and created a ServiceRole. I added a ServiceRoleBinding with the subject set to a specific group named "admins":
apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: service-admin-binding
spec:
  subjects:
  - group: "admins"
  roleRef:
    kind: ServiceRole
    name: "service-admin"
When calling without a token, the AuthnPolicy works and returns a 401 with the correct message. Calling with a valid JWT results in a 403 permission denied because the groups do not match. When I change the subject to "all" users instead of a group (- user: "*"), it works fine.
The groups claim in the decoded JWT is simply an array of strings:
"groups": [
  "admins"
]
If I add a hard-coded value "admins" as the first non-empty operand in the authorization context (groups: request.auth.claims["groups"] | "admins"), it works fine, but would that mean the groups are empty at the Mixer adapter resolution stage?
If I set the groups in the authorization context to be taken from request.auth.token["groups"], as mentioned in the docs, Mixer fails with an error:
(...)'requestcontext.authorization.istio-system': failed to evaluate expression for field 'Subject'; failed to evaluate expression for field 'Subject.Groups': unknown attribute request.auth.token'.
When I look at the attribute vocabulary docs, they do not mention a token attribute on request.auth, and I could not find it in the code either. That is why I am trying to use request.auth.claims instead.
How do I set up an authentication policy together with RBAC so that it works with groups from the JWT? Also, is it possible to log/debug Mixer while it resolves the authorization stage, to see exactly what is being evaluated?
Piotr Mścichowski answered in the comments:
I got a reply on google groups mentioning that groups as an array of strings are not supported, nor are groups in the role binding subject (which can be worked around via properties):
Yangmin Zhu:
We're currently working on adding more documents in Istio 1.0, if you're using the most recent daily release, you could try it with the following steps:
1) We introduced a new global custom resource to control the RBAC behavior in the mesh: RbacConfig. You could apply one like this to enable RBAC for the "default" namespace,
2) We made some changes to the ServiceRole.Constraints and ServiceRoleBinding.Properties about what keys are supported. See this PR for an overview of the supported keys. Regarding your ServiceRoleBinding, you could use the following config to check against the claim from the JWT (Note: the group field is not used and not supported, instead you could specify it in properties):
apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: service-admin-binding
spec:
  subjects:
  - properties:
      request.auth.claims[groups]: "admins"
  roleRef:
    kind: ServiceRole
    name: "service-admin"
I think you don't need a special setting to make the authentication policy work with RBAC, if you could successfully finish this task, it should work with RBAC automatically.
You could turn on the debug logging of the envoy proxy of your service. For rbac, there is a specific logging group named "rbac" in envoy, you could access the envoy admin page locally (by default it's http://127.0.0.1:15000/logging).
Limin Wang:
We currently haven't supported JWT claims that are non-strings. If your JWT group claim is set to a single string (instead of an array), it will just work.
"group": "admin"
Also "group" under "subject" is not supported at the moment. But as Yangmin suggested, you can use custom "properties" instead.
subjects:
- properties:
    request.auth.claims[groups]: "admins"
Thanks for bringing this issue to our attention, we plan to make improvements to support such use cases in future releases.
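The two answers above boil down to one check an operator can run before touching any Istio config: is the claim you want to match a plain string, or an array? The script below is an added example, not code from the question, from Istio, or from the people quoted above. It decodes the payload of a compact JWT without verifying it (so it is only for inspecting a token you already hold) and then emulates the string-only claim comparison that the answers describe, reporting why an array-valued "groups" claim can never satisfy a `request.auth.claims[groups]: "admins"` property. The tokens it inspects are constructed in the script with `alg: none` and an empty signature purely so the example runs offline; the helper names (`decode_jwt_payload`, `claim_matches`, `diagnose`) are this example's own.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by compact JWT serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg: none) token for offline testing only.
    A real IDP such as dex signs its tokens; this helper exists so the example runs
    without network or keys."""
    header = {"alg": "none", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(claims))}."


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT *without* verifying its signature.
    Use it to inspect claim shapes on the operator side; it proves nothing about
    who issued the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def claim_matches(claims: dict, name: str, expected: str):
    """Emulate the string-only comparison the Istio answers describe:
    a ServiceRoleBinding property request.auth.claims[<name>]: "<expected>"
    matches only when the claim is a single string equal to <expected>.
    Returns (matched, reason)."""
    value = claims.get(name)
    if value is None:
        return False, f"claim {name!r} is absent from the token"
    if isinstance(value, str):
        if value == expected:
            return True, f"string claim {name!r} equals {expected!r}"
        return False, f"string claim {name!r} is {value!r}, not {expected!r}"
    if isinstance(value, list):
        return False, (f"claim {name!r} is an array {value!r}; the Istio version in the "
                       "answers compares only string claims, so this can never match")
    return False, f"claim {name!r} has unsupported type {type(value).__name__}"


def diagnose(token: str, name: str = "groups", expected: str = "admins") -> dict:
    """One-shot report for a token: the raw claim, whether the binding would match,
    and the reason. This is what the 403 in the question looks like when explained."""
    claims = decode_jwt_payload(token)
    matched, reason = claim_matches(claims, name, expected)
    return {"claim": claims.get(name), "matches": matched, "reason": reason}


if __name__ == "__main__":
    # Constructed sample tokens: the array shape from the question, and the
    # single-string shape that Limin Wang says "will just work".
    array_token = make_unsigned_token({"sub": "alice@example.test", "groups": ["admins"]})
    string_token = make_unsigned_token({"sub": "alice@example.test", "groups": "admins"})
    for label, tok in (("array-valued groups", array_token), ("string groups", string_token)):
        print(label, "->", diagnose(tok))
```

Run it as a script to see both reports; the array-valued token is the one that produced the 403 in the question, while the string-valued one is the shape the `request.auth.claims[groups]: "admins"` property can match. Because `decode_jwt_payload` skips signature verification, keep it as a diagnostic on tokens you already trust and let the Istio authentication policy remain the component that actually validates the JWT.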