Authorization
The authorization
template defines parameters for performing policy
enforcement within Istio. It is primarily concerned with enabling Mixer
Example config:
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
name: authinfo
namespace: istio-system
spec:
compiledTemplate: authorization
params:
subject:
user: source.principal | request.auth.principal | ""
groups: request.auth.claims["groups"] | ""
properties:
iss: request.auth.claims["iss"]
action:
namespace: destination.namespace | "default"
service: destination.service.host | ""
path: request.path | "/"
method: request.method | "post"
properties:
version: destination.labels[version] | ""
Action
An action defines “how a resource is accessed”.
Subject
A subject contains a list of attributes that identify the caller identity.
Template
The authorization
template defines parameters for performing policy
enforcement within Istio. It is primarily concerned with enabling Mixer
adapters to make decisions about who is allowed to do what.
In this template, the “who” is defined in a Subject message. The “what” is
defined in an Action message. During a Mixer Check call, these values
will be populated based on configuration from request attributes and
passed to individual authorization adapters to adjudicate.