Authorization

The authorization template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer

Action

An action defines “how a resource is accessed”.

Field	Type	Description
`namespace`	`string`	Namespace the target action is taking place in.
`service`	`string`	The Service the action is being taken on.
`method`	`string`	What action is being taken.
`path`	`string`	HTTP REST path within the service
`properties`	`map<string, istio.mixer.adapter.model.v1beta1.Value>`	Additional data about the action for use in policy.

Subject

A subject contains a list of attributes that identify the caller identity.

Field	Type	Description
`user`	`string`	The user name/ID that the subject represents.
`groups`	`string`	Groups the subject belongs to depending on the authentication mechanism, “groups” are normally populated from JWT claim or client certificate. The operator can define how it is populated when creating an instance of the template.
`properties`	`map<string, istio.mixer.adapter.model.v1beta1.Value>`	Additional attributes about the subject.

Template

The authorization template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what. In this template, the “who” is defined in a Subject message. The “what” is defined in an Action message. During a Mixer Check call, these values will be populated based on configuration from request attributes and passed to individual authorization adapters to adjudicate.

Example config:

apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
  name: authinfo
  namespace: istio-system
spec:
 subject:
   user: source.user | request.auth.token[user] | ""
   groups: request.auth.token[groups]
   properties:
    iss: request.auth.token["iss"]
 action:
   namespace: destination.namespace | "default"
   service: destination.service | ""
   path: request.path | "/"
   method: request.method | "post"
   properties:
     version: destination.labels[version] | ""

Field	Type	Description
`subject`	`Subject`	A subject contains a list of attributes that identify the caller identity.
`action`	`Action`	An action defines “how a resource is accessed”.

istio.mixer.adapter.model.v1beta1.Value

Value is used inside templates for fields that have dynamic types. The actual datatype of the field depends on the datatype of the expression used in the operator configuration.