What does `peer` and `origin` means in term of Istio Policy?
I am new to security. I just learned about Istio and its security aspects. The authentication defined in Istio (https://istio.io/docs/reference/config/istio.authentication.v1alpha1/) has some basic terms whose meaning I don't know: peer and origin.

Can anyone explain what they are and what the difference is?

My guess:
- peer = for service-to-service communication, hence the peer identity is a machine-based identity (the service account attached to that machine)
- origin = for end-user-to-service communication. Usually it is a human-based identity, but it can also be a service account identity (like a bot user).

Is my understanding right? Maybe someone can explain and elaborate on them?

Thanks,
Agung
Yes, you read it right. Peer is used for service --> service, and origin is mainly used for end-user-to-service communication, but it can also be used for service account identities.

Peers:

    List of authentication methods that can be used for peer authentication. They will be evaluated in order; the first validated one will be used to set peer identity (source.user) and other peer attributes. If none of these methods pass, and the peer_is_optional flag is false (see below), the request will be rejected with an authentication failed error (401). Leave the list empty if peer authentication is not required.

Origins:

    List of authentication methods that can be used for origin authentication. Similar to peers, these will be evaluated in order; the first validated one will be used to set origin identity and attributes (i.e. request.auth.user, request.auth.issuer etc.). If none of these methods pass, and origin_is_optional is false (see below), the request will be rejected with an authentication failed error (401). Leave the list empty if origin authentication is not required.

The Increasing Security with a Service Mesh article is also well worth reading.
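To make the two sections concrete, here is an added example of an Istio v1alpha1 authentication Policy that uses both of them. It is not from the question or the answer above; the workload name (httpbin), the issuer and the JWKS URL are placeholders. The peer identity comes from the client workload's mutual-TLS certificate (its service account), while the origin identity comes from a JWT carried in the request:

```yaml
# Added example, not from the original post. Names and URLs are placeholders.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: httpbin-peer-and-origin
  namespace: default
spec:
  targets:
  - name: httpbin                 # workload (service) this policy applies to

  # peers: service-to-service identity, proven by mutual TLS.
  # The first method that validates sets source.user to the caller's
  # identity (derived from the client workload's service account).
  peers:
  - mtls:
      mode: STRICT                # plaintext callers are rejected
  # With peerIsOptional false (the default), a caller that cannot present a
  # valid mTLS certificate gets a 401 instead of being let through.
  peerIsOptional: false

  # origins: end-user (or bot) identity carried in the request as a JWT.
  # Methods are tried in order; the first one that validates sets
  # request.auth.user, request.auth.issuer and the other origin attributes.
  origins:
  - jwt:
      issuer: "https://issuer.example.com"                          # placeholder
      jwksUri: "https://issuer.example.com/.well-known/jwks.json"   # placeholder
      audiences:
      - "httpbin"
      # Paths that do not need an end-user token. The peer (mTLS) check
      # above still applies to them.
      triggerRules:
      - excludedPaths:
        - exact: /healthz
  # With originIsOptional false, a request to a non-excluded path without a
  # valid JWT is rejected with 401.
  originIsOptional: false

  # Which of the two identities becomes the request principal used by
  # authorization: USE_PEER (the default) binds source.user, USE_ORIGIN
  # binds request.auth.user.
  principalBinding: USE_ORIGIN
```

Apply it with `kubectl apply -f policy.yaml` in the namespace of the target workload. The practical point is that the two identities are independent and can both be required on the same request: the mTLS certificate answers "which workload is calling me", the JWT answers "on whose behalf", and `principalBinding` picks which one authorization rules see as the principal. Note that later Istio releases replaced this v1alpha1 `Policy` resource with separate `PeerAuthentication` and `RequestAuthentication` resources, which split the same peer and origin concepts into two objects.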