Authorization

The authorization template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer

Example config:

apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
  name: authinfo
  namespace: istio-system
spec:
 subject:
   user: source.user | request.auth.token[user] | ""
   groups: request.auth.token[groups]
   properties:
    iss: request.auth.token["iss"]
 action:
   namespace: destination.namespace | "default"
   service: destination.service | ""
   path: request.path | "/"
   method: request.method | "post"
   properties:
     version: destination.labels[version] | ""

Action

An action defines “how a resource is accessed”.

FieldTypeDescription
namespacestring

Namespace the target action is taking place in.

servicestring

The Service the action is being taken on.

methodstring

What action is being taken.

pathstring

HTTP REST path within the service

propertiesmap<string, istio.policy.v1beta1.Value>

Additional data about the action for use in policy.

Subject

A subject contains a list of attributes that identify the caller identity.

FieldTypeDescription
userstring

The user name/ID that the subject represents.

groupsstring

Groups the subject belongs to depending on the authentication mechanism, “groups” are normally populated from JWT claim or client certificate. The operator can define how it is populated when creating an instance of the template.

propertiesmap<string, istio.policy.v1beta1.Value>

Additional attributes about the subject.

Template

The authorization template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what. In this template, the “who” is defined in a Subject message. The “what” is defined in an Action message. During a Mixer Check call, these values will be populated based on configuration from request attributes and passed to individual authorization adapters to adjudicate.

FieldTypeDescription
subjectSubject

A subject contains a list of attributes that identify the caller identity.

actionAction

An action defines “how a resource is accessed”.

istio.policy.v1beta1.Value

An instance field of type Value denotes that the expression for the field is of dynamic type and can evalaute to any ValueType enum values. For example, when authoring an instance configuration for a template that has a field data of type istio.policy.v1beta1.Value, both of the following expressions are valid data: source.ip | ip("0.0.0.0"), data: request.id | ""; the resulting type is either ValueType.IP_ADDRESS or ValueType.STRING for the two cases respectively.

Objects of type Value are also passed to the adapters during request-time. There is a 1:1 mapping between oneof fields in Value and enum values inside ValueType. Depending on the expression’s evaluated ValueType, the equivalent oneof field in Value is populated by Mixer and passed to the adapters.

FieldTypeDescription
stringValuestring (oneof)

Used for values of type STRING

int64Valueint64 (oneof)

Used for values of type INT64

doubleValuedouble (oneof)

Used for values of type DOUBLE

boolValuebool (oneof)

Used for values of type BOOL

ipAddressValueistio.policy.v1beta1.IPAddress (oneof)

Used for values of type IPAddress

timestampValueistio.policy.v1beta1.TimeStamp (oneof)

Used for values of type TIMESTAMP

durationValueistio.policy.v1beta1.Duration (oneof)

Used for values of type DURATION

emailAddressValueistio.policy.v1beta1.EmailAddress (oneof)

Used for values of type EmailAddress

dnsNameValueistio.policy.v1beta1.DNSName (oneof)

Used for values of type DNSName

uriValueistio.policy.v1beta1.Uri (oneof)

Used for values of type Uri