Istio 策略不对 JWT 进行身份验证
Istio policy not authenticating JWT
我已经实施了一个 istio 政策,这样用户将需要一个 JWT 令牌来访问我的后端和 admin-backend 服务。但是,它并没有让我通过有效的令牌。我在 minikube 上 运行 istio-demo,除了为 auth0 配置出口外,我没有对我的部署做任何事情。然后,当我去应用我的政策时,我无法再根据我的请求访问这些服务。
rbac-policy.yaml
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: rbac
namespace: default
spec:
targets:
- name: backend
- name: admin-backend
peers:
- mtls: {}
origins:
- jwt:
issuer: "https://jor2.eu.auth0.com/"
jwksUri: "https://jor2.eu.auth0.com/.well-known/jwks.json"
principalBinding: USE_ORIGIN
这是在我的 get 和 post 请求中传递的内容 headers(HEADERS 的值):
{
"Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5VVkdPREl4UVRoQlFrWTJOakV4UWpnek1FSkVNalZCUVRjM1FUaEJOVFk0UVRZM016aEVNQSJ9.eyJpc3MiOiJodHRwczovL2pvcjIuZXUuYXV0aDAuY29tLyIsInN1YiI6IlRsdmg5OFl4Wkc2anFpNmRVclhlN2RIejVwZzFiaHR1QGNsaWVudHMiLCJhdWQiOiJodHRwczovL3JiYS5jb20vYWRtaW4iLCJpYXQiOjE1NTI1NTU0NjUsImV4cCI6MTU1MjY0MTg2NSwiYXpwIjoiVGx2aDk4WXhaRzZqcWk2ZFVyWGU3ZEh6NXBnMWJodHUiLCJzY29wZSI6IkFkbWluIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.grrHHrS_Ey63Tmo1KL9gUmelouYaSj0rPlv04tpJxBeVct-KRA30I1ieVgncmojRBXcdgvfpWKjeGLbb2Q7X6QwkdT0LyO3jmOBgabcTIsnnbCEg4gywc7WrN5_H_bWNiToIsouagJqiAOQ35wrVa9SVK_InR0QVEnV3yvuug042yMiMmFriG6qN2J8HPgXCE440hpSXBIIKuoBqmNZGSjZV3YvQXaLmigCNl2_PUXb52urrQqHEh06dMIT2FFfD5Cdc1RGrRT2o4krMWF2mJMOWXK1sgEOv4FfsOrdkPka24MuGViED514EoJ9a2n2QEK10zxDtv42opYT9Wjmubg"
}
功能正确 header(应该工作)但不显示任何响应。
@app.route("/view_patients/", methods=['GET', 'POST'])
def view_patients():
global HEADERS
patients = invoke_backend(page_name="view_patients", headers=HEADERS)
return render_template(
'view_patients.html',
patients=patients
)
测试以确保令牌在无效的 jwt 上失败:
@app.route("/test/view_patients/", methods=['GET', 'POST'])
def test_view_patients_invalid_jwt():
jwt = "1nv4l1DJwT"
header = {
'Authorization': "Bearer " + jwt
}
patients = invoke_backend(page_name="view_patients", headers=header)
return render_template(
'view_patients.html',
patients=patients
)
几天前我想通了,但忘了 post 答案。我需要从配置中删除 mtls。
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: auth-policy
spec:
targets:
- name: backend
- name: admin-backend
origins:
- jwt:
issuer: "https://jor2.eu.auth0.com/"
jwksUri: "https://jor2.eu.auth0.com/.well-known/jwks.json"
principalBinding: USE_ORIGIN
我已经实施了一个 istio 政策,这样用户将需要一个 JWT 令牌来访问我的后端和 admin-backend 服务。但是,它并没有让我通过有效的令牌。我在 minikube 上 运行 istio-demo,除了为 auth0 配置出口外,我没有对我的部署做任何事情。然后,当我去应用我的政策时,我无法再根据我的请求访问这些服务。
rbac-policy.yaml
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: rbac
namespace: default
spec:
targets:
- name: backend
- name: admin-backend
peers:
- mtls: {}
origins:
- jwt:
issuer: "https://jor2.eu.auth0.com/"
jwksUri: "https://jor2.eu.auth0.com/.well-known/jwks.json"
principalBinding: USE_ORIGIN
这是在我的 get 和 post 请求中传递的内容 headers(HEADERS 的值):
{
"Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5VVkdPREl4UVRoQlFrWTJOakV4UWpnek1FSkVNalZCUVRjM1FUaEJOVFk0UVRZM016aEVNQSJ9.eyJpc3MiOiJodHRwczovL2pvcjIuZXUuYXV0aDAuY29tLyIsInN1YiI6IlRsdmg5OFl4Wkc2anFpNmRVclhlN2RIejVwZzFiaHR1QGNsaWVudHMiLCJhdWQiOiJodHRwczovL3JiYS5jb20vYWRtaW4iLCJpYXQiOjE1NTI1NTU0NjUsImV4cCI6MTU1MjY0MTg2NSwiYXpwIjoiVGx2aDk4WXhaRzZqcWk2ZFVyWGU3ZEh6NXBnMWJodHUiLCJzY29wZSI6IkFkbWluIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.grrHHrS_Ey63Tmo1KL9gUmelouYaSj0rPlv04tpJxBeVct-KRA30I1ieVgncmojRBXcdgvfpWKjeGLbb2Q7X6QwkdT0LyO3jmOBgabcTIsnnbCEg4gywc7WrN5_H_bWNiToIsouagJqiAOQ35wrVa9SVK_InR0QVEnV3yvuug042yMiMmFriG6qN2J8HPgXCE440hpSXBIIKuoBqmNZGSjZV3YvQXaLmigCNl2_PUXb52urrQqHEh06dMIT2FFfD5Cdc1RGrRT2o4krMWF2mJMOWXK1sgEOv4FfsOrdkPka24MuGViED514EoJ9a2n2QEK10zxDtv42opYT9Wjmubg"
}
功能正确 header(应该工作)但不显示任何响应。
@app.route("/view_patients/", methods=['GET', 'POST'])
def view_patients():
global HEADERS
patients = invoke_backend(page_name="view_patients", headers=HEADERS)
return render_template(
'view_patients.html',
patients=patients
)
测试以确保令牌在无效的 jwt 上失败:
@app.route("/test/view_patients/", methods=['GET', 'POST'])
def test_view_patients_invalid_jwt():
jwt = "1nv4l1DJwT"
header = {
'Authorization': "Bearer " + jwt
}
patients = invoke_backend(page_name="view_patients", headers=header)
return render_template(
'view_patients.html',
patients=patients
)
几天前我想通了,但忘了 post 答案。我需要从配置中删除 mtls。
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: auth-policy
spec:
targets:
- name: backend
- name: admin-backend
origins:
- jwt:
issuer: "https://jor2.eu.auth0.com/"
jwksUri: "https://jor2.eu.auth0.com/.well-known/jwks.json"
principalBinding: USE_ORIGIN