Hide error message on Policy failure in Istio
If an AuthorizationPolicy I have defined in Istio is violated, the error message is returned to me, for example:
INTERNAL:performing check operation failed: 1 error occurred:%0A%09* rpc error: code = PermissionDenied desc = RBAC: access denied%0A%0A
Is there any way to hide the message?
Istio version: 1.4.5
Based on the following Istio GitHub code:
// CheckRBACRequest checks if a request is successful under RBAC policies.
// Under RBAC policies, a request is consider successful if:
// * If the policy is allow:
// *** Response code is 200
// * If the policy is deny:
// *** For HTTP: response code is 403.
// *** For TCP: EOF error
func (tc TestCase) CheckRBACRequest() error {
	req := tc.Request
	headers := make(http.Header)
	if len(tc.Jwt) > 0 {
		headers.Add("Authorization", "Bearer "+tc.Jwt)
	}
	for k, v := range tc.Headers {
		headers.Add(k, v)
	}
	tc.Request.Options.Headers = headers
	resp, err := req.From.Call(tc.Request.Options)
	if tc.ExpectAllowed {
		if err == nil {
			err = resp.CheckOK()
		}
		if err != nil {
			return getError(req, "allow with code 200", fmt.Sprintf("error: %v", err))
		}
	} else {
		if req.Options.PortName == "tcp" || req.Options.PortName == "grpc" {
			expectedErrMsg := "EOF" // TCP deny message.
			if req.Options.PortName == "grpc" {
				expectedErrMsg = "rpc error: code = PermissionDenied desc = RBAC: access denied"
			}
			if err == nil || !strings.Contains(err.Error(), expectedErrMsg) {
				expect := fmt.Sprintf("deny with %s error", expectedErrMsg)
				actual := fmt.Sprintf("error: %v", err)
				return getError(req, expect, actual)
			}
		} else {
			if err != nil {
				return getError(req, "deny with code 403", fmt.Sprintf("error: %v", err))
			}
			var result string
			if len(resp) == 0 {
				result = "no response"
			} else if resp[0].Code != response.StatusCodeForbidden {
				result = resp[0].Code
			}
			if result != "" {
				return getError(req, "deny with code 403", result)
			}
		}
	}
	return nil
}
As far as I can tell, based on the code above, you would have to actually change the Istio code to achieve what you need.
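An added example, not part of the original answer and not Istio code: if the deny text cannot be changed inside Istio, a component you control in front of the client can replace it with a generic message and keep the detail for server-side logs. It assumes the text reaches the client percent-encoded in the gRPC `grpc-message` header or trailer; `Scrub`, `ScrubHeaders`, `policyMarkers` and `genericDeny` are hypothetical names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Markers of internal policy detail, taken from the error quoted in the question.
var policyMarkers = []string{"RBAC: access denied", "performing check operation failed", "rpc error:"}

// genericDeny is an assumed replacement text; use whatever your API contract defines.
const genericDeny = "permission denied"

// Scrub percent-decodes a status message and, if it carries policy detail,
// returns a generic text for the client plus the decoded original for server logs.
func Scrub(raw string) (client, logged string) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		decoded = raw // malformed escape: match against the raw text instead
	}
	for _, m := range policyMarkers {
		if strings.Contains(decoded, m) {
			return genericDeny, strings.TrimSpace(decoded)
		}
	}
	return raw, "" // unrelated message: pass through unchanged
}

// ScrubHeaders rewrites Grpc-Message in place (headers or trailers) and
// returns the detail that was removed, or "" if nothing was changed.
func ScrubHeaders(h http.Header) string {
	client, logged := Scrub(h.Get("Grpc-Message"))
	if logged != "" {
		h.Set("Grpc-Message", client)
	}
	return logged
}

func main() {
	// Constructed sample: the message from the question placed in a trailer.
	t := http.Header{}
	t.Set("Grpc-Message", "INTERNAL:performing check operation failed: 1 error occurred:%0A%09* rpc error: code = PermissionDenied desc = RBAC: access denied%0A%0A")
	logged := ScrubHeaders(t)
	fmt.Printf("client sees: %q\nserver logs: %q\n", t.Get("Grpc-Message"), logged)
}
```

The status code is left untouched, so clients still see that the call was denied; only the descriptive text is replaced.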