```yaml
apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
  name: authinfo
  namespace: istio-system
spec:
  subject:
    user: source.user | request.auth.token[user] | ""
    groups: request.auth.token[groups]
    properties:
      iss: request.auth.token["iss"]
  action:
    namespace: destination.namespace | "default"
    service: destination.service | ""
    path: request.path | "/"
    method: request.method | "post"
    properties:
      version: destination.labels[version] | ""
```
Action: An action defines “how a resource is accessed”.
Subject: A subject contains a list of attributes that identify the caller.
authorization template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what. In this template, the “who” is defined in a Subject message. The “what” is defined in an Action message. During a Mixer Check call, these values will be populated based on configuration from request attributes and passed to individual authorization adapters to adjudicate.
An instance field of type Value denotes that the expression for the field is of dynamic type and can evaluate to any ValueType enum value. For example, when authoring an instance configuration for a template that has a field `data` of type `istio.policy.v1beta1.Value`, both of the following expressions are valid:

    data: source.ip | ip("0.0.0.0")
    data: request.id | ""

The resulting type is ValueType.IP_ADDRESS for the first case and ValueType.STRING for the second.

Objects of type Value are also passed to the adapters at request time. There is a 1:1 mapping between oneof fields in Value and enum values inside ValueType. Depending on the expression’s evaluated ValueType, the equivalent oneof field in Value is populated by Mixer and passed to the adapters.
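As an added illustration (not code from the Istio page or code base), the following simplified Python evaluator resolves the `subject` and `action` expressions of the `authinfo` instance above against a constructed attribute bag, showing how the `|` fallback picks the first defined term and how the resulting ValueType (IP_ADDRESS or STRING) is only known once a term is chosen. It supports only the constructs that appear on this page (attributes, `attr[key]` map lookups, string literals and `ip(...)`), not Mixer's full expression language, and it treats an expression with no defined term and no literal fallback as an error; the attribute values and the `ValueType` class are assumptions made for the example.

```python
import ipaddress
import re
from enum import Enum

class ValueType(Enum):
    STRING = "STRING"
    IP_ADDRESS = "IP_ADDRESS"

# Constructed attribute bag standing in for the one Mixer derives from a request;
# source.user is deliberately absent so subject.user must fall through to the JWT claim.
ATTRIBUTES = {
    "source.ip": ipaddress.ip_address("10.1.2.3"),
    "request.auth.token": {"user": "alice", "groups": "dev", "iss": "https://issuer.example"},
    "request.method": "GET",
}
# Field expressions taken from the authinfo instance above (properties flattened to plain keys).
SUBJECT_SPEC = {"user": 'source.user | request.auth.token[user] | ""',
                "groups": "request.auth.token[groups]", "iss": 'request.auth.token["iss"]'}
ACTION_SPEC = {"namespace": 'destination.namespace | "default"', "method": 'request.method | "post"'}
_ATTR = re.compile(r'^(?P<attr>[\w.]+)(?:\[(?P<key>"?[\w.]+"?)\])?$')

def _term(term, attrs):
    """Evaluate one term; return (value, ValueType) or None if the attribute is undefined."""
    term = term.strip()
    if term.startswith('"') and term.endswith('"'):        # string literal
        return term[1:-1], ValueType.STRING
    if term.startswith('ip("') and term.endswith('")'):    # ip() literal
        return ipaddress.ip_address(term[4:-2]), ValueType.IP_ADDRESS
    m = _ATTR.match(term)
    if m is None or m.group("attr") not in attrs:
        return None
    value = attrs[m.group("attr")]
    if m.group("key") is not None:                           # map lookup, e.g. token[user]
        value = value.get(m.group("key").strip('"'))
        if value is None:
            return None
    is_ip = isinstance(value, (ipaddress.IPv4Address, ipaddress.IPv6Address))
    return value, (ValueType.IP_ADDRESS if is_ip else ValueType.STRING)

def evaluate(expr, attrs):
    """'a | b | c' yields the first defined term; its ValueType is only known at that point."""
    for term in expr.split("|"):     # no literal on this page contains '|'
        result = _term(term, attrs)
        if result is not None:
            return result
    raise KeyError(f"no term of {expr!r} is defined and there is no literal fallback")

def build_instance(spec, attrs):
    """Populate each field of a Subject or Action spec, tagging it with its ValueType."""
    return {field: evaluate(expr, attrs) for field, expr in spec.items()}
```

Running `build_instance(SUBJECT_SPEC, ATTRIBUTES)` yields `user` from the JWT claim because `source.user` is undefined, while `groups` has no literal fallback and would fail the instance if the claim were missing.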