KAI CHU CHUNG
Cloud GDE
GDG Cloud Taipei co-organizers
@CageChung
https://kaichu.io
Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52
KAI CHU CHUNG
Cloud GDE
GDG Cloud Taipei co-organizers
QNAP
@CageChung
https://kaichu.io
Agenda
● Microservice API authentication and authorization
● Istio security - API Authorization
● External Authorization
● OPA (open policy agent)
● Demo
Microservice API authentication and authorization
GopherCon 2020 TW: Hands-on: building microservice applications quickly with Go-kit
https://kaichu.io/posts/gokit-engineering-operation/
- Go-kit
- Layout
- Test
- Toolchain
Go-kit microservice
Golang UK Conference 2015 - Peter Bourgon - Go Kit A Toolkit for Microservices - https://youtu.be/aL6sd4d4hxk?t=1022
auth
// imports used by both snippets (go-kit's auth/jwt package wraps dgrijalva/jwt-go)
import (
	"github.com/go-kit/kit/auth/jwt"
	"github.com/go-kit/kit/endpoint"
	httptransport "github.com/go-kit/kit/transport/http"
	stdjwt "github.com/dgrijalva/jwt-go"
)

// Basic: HTTP basic auth wraps the endpoint, so a failed check never reaches the service.
httptransport.NewServer(
	AuthMiddleware(cfg.auth.user, cfg.auth.password, "Example Realm")(makeUppercaseEndpoint()),
	decodeMappingsRequest,
	httptransport.EncodeJSONResponse,
	httptransport.ServerBefore(httptransport.PopulateRequestContext),
)

// JWT: go-kit's auth/jwt middleware parses and verifies the token found in the request
// context (placed there by jwt.HTTPToContext() as a ServerBefore option) before the endpoint runs.
var ep endpoint.Endpoint
{
	// keyFunc returns the HS256 key; the literal is demo-only, a real deployment loads it from config.
	kf := func(token *stdjwt.Token) (interface{}, error) { return []byte("SigningString"), nil }
	ep = MakeExampleEndpoint(service)
	// the middleware must wrap ep itself (the slide wrapped an undefined exampleEndpoint)
	ep = jwt.NewParser(kf, stdjwt.SigningMethodHS256, jwt.StandardClaimsFactory)(ep)
}
Auth middleware
- Basic Auth
- JWT
- Casbin/OPA
Microservices solve organizational problems
~ Microservices cause technical problems
Go-kit microservice + Istio
Golang UK Conference 2015 - Peter Bourgon - Go Kit A Toolkit for Microservices - https://youtu.be/aL6sd4d4hxk?t=1022
auth
+
Automatically secure your services through managed authentication, authorization, and encryption of communication between services.
Istio security - API Authorization
Istio
● 1.8.0 (released 11/19)
● 1.7 (released 8/21)
● 1.6 (released 5/21)
● 1.5 (released 3/5)
● RequestAuthentication: 1.5 and above
● Mixer: default since Istio 1.3 and istio-telemetry is disabled by default in Istio 1.5.
● holdApplicationUntilProxyStarts: 1.7 and above
Istio - https://istio.io/latest/
Istio / Istio in 2020 - Following the Trade Winds - https://istio.io/latest/blog/2020/tradewinds-2020/
Istio Architecture
Istio Security Architecture
Istio / Security - https://istio.io/latest/docs/concepts/security/
Authentication Authorization
Istio / Security - https://istio.io/latest/docs/concepts/security/
Istio Security
● Without Authorization header
● Authorization header with a valid token
● Authorization header with an invalid token
Istio - JWT
{Header}.{Payload}.{Signature}
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
  - issuer: testing@secure.istio.io
    jwks: |
      {"keys":[{"kty":"RSA","kid":"GkNj4pf4WEojKjS1B8nvVceMoqlC8RqOwF5EhbHQ0Rk"...
    outputPayloadToHeader: X-Jwt-Playload
● Without Authorization header: 200
● Authorization header with a valid token: 200
● Authorization header with an invalid token: 401
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    when:
    - key: request.auth.claims[iss]
Istio - AuthorizationPolicy
Policy field   Key / value                 JWT claim
from.source    requestPrincipals           iss/sub
from.source    notRequestPrincipals        iss/sub
when.key       request.auth.principal      iss/sub
when.key       request.auth.audiences      aud
when.key       request.auth.presenter      azp
when.key       request.auth.claims[key]    any JWT claim
{
  "exp": 1904300334,
  "iat": 1604300334,
  "iss": "testing@secure.istio.io",
  "jti": "KaZRJOc68hCalhMMjr5ieA",
  "nbf": 1604300334,
  "roles": [
    "owner"
  ],
  "sub": "owner@example.com",
  "userId": "eBenfKuCzAiAC_bfqETwY"
}
Request process (diagram): Request -> RequestAuthentication (istio-system) -> AuthorizationPolicy (istio-system); a request that fails RequestAuthentication is rejected with 401, one that fails AuthorizationPolicy with 403.
The external authorization filter calls an authorization service to check whether the incoming request is authorized or not.
External Authorization
Envoy External Authorization
cage1016/gokit-istio-security: demo how to implement Authentication by custom Authorization mixer adapter or envoy external authorization and Open Policy Agent
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: extauth-tictac
spec:
  workloadSelector:
    labels:
      app: tictac
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.http_connection_manager
            subFilter:
              name: envoy.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typed_config:
          '@type': type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
          grpc_service:
            envoy_grpc:
              cluster_name: grpc-ext-auth-cluster
  - applyTo: CLUSTER
    match:
      context: SIDECAR_INBOUND
    patch:
      operation: ADD
      value:
        name: grpc-ext-auth-cluster
        type: STRICT_DNS
        connect_timeout: 0.25s
        http2_protocol_options: {}
        load_assignment:
          cluster_name: grpc-als-cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: extauthz.default.svc.cluster.local
                    port_value: 50051
Envoy filter
- type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
- extauthz.default.svc.cluster.local:50051
// Server API generated from envoy.config.filter.http.ext_authz.v2.ExtAuthz (go-control-plane).
type AuthorizationServer interface {
	// Performs authorization check based on the attributes associated with the
	// incoming request, and returns status `OK` or not `OK`.
	Check(context.Context, *CheckRequest) (*CheckResponse, error)
}

// authzServer (receiver type name assumed here; the slide reused the interface name,
// which cannot be a pointer receiver) implements AuthorizationServer for the tictac sidecar.
func (as *authzServer) Check(ctx context.Context, req *auth.CheckRequest) (*auth.CheckResponse, error) {
	// nil-safe getters: a CheckRequest without HTTP attributes yields an empty h, not a panic
	h := req.GetAttributes().GetRequest().GetHttp()
	// ... (elided on the slide)
	// Decide on the original path, the HTTP method and the JWT payload that
	// RequestAuthentication forwarded in the X-Jwt-Playload header.
	s := as.Verify(ctx, h.GetHeaders()["x-envoy-original-path"], h.GetMethod(), h.GetHeaders()["x-jwt-playload"])
	return &auth.CheckResponse{
		Status: s,
	}, nil
}
envoy.config.filter.http.ext_authz.v2.ExtAuthz
AuthorizationServer is the server API for the Authorization service.
If the request is deemed unauthorized at the HTTP filter, the request is denied with a 403 (Forbidden) response.
- env:
  - name: QS_AUTHZ_URL
    value: "authz:8000"
Request process (diagram): Request -> RequestAuthentication (istio-system, 401 on failure) -> AuthorizationPolicy (istio-system, 403 on failure) -> application Pod (Envoy sidecar in front of the Service) -> ext-Authz Pod on port 50051 (with its own Envoy sidecar); a denied check is returned to the client as 403.
extauthz
https://github.com/cage1016/gokit-istio-security/blob/master/extauthz/README.md
Envoy External Authorization
The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
Open Policy Agent
OPA (open policy agent)
Declarative Policy, Context-aware, Expressive, Fast, Portable
● Cloud Native Computing Foundation incubating project
● Support
○ Kubernetes
■ Gatekeeper
○ Envoy
■ OPA Envoy plugin
○ Terraform
○ Kafka
○ SQL
○ Linux
Open Policy Agent - https://www.openpolicyagent.org/
OPA cont.
Gatekeeper OPA Envoy plugin
open-policy-agent/gatekeeper: Gatekeeper - Policy Controller for Kubernetes - https://github.com/open-policy-agent/gatekeeper
open-policy-agent/opa-envoy-plugin: A plugin to enforce OPA policies with Envoy - https://github.com/open-policy-agent/opa-envoy-plugin
Rego
The Rego Playground - https://play.openpolicyagent.org/p/BYmNuNRZTs
gokit microservice demo - authz
https://github.com/cage1016/ms-demo-authz
Authorization (RBAC) implementation by OPA (open policy agent)
{
  "rolePermissions": {
    "editor": ...
    "owner": [
      {
        "method": "POST",
        "path": "/api/([^/]+)/add/sum"
      },
      {
        "method": "POST",
        "path": "/api/([^/]+)/tictac/tic"
      },
      {
        "method": "GET",
        "path": "/api/([^/]+)/tictac/tac"
      },
      {
        "method": "GET",
        "path": "/api/([^/]+)/authz/roles"
      },
      {
        "method": "GET",
        "path": "/api/([^/]+)/authz/roles/[a-zA-Z0-9_-~]{21}"
      }
    ]
  }
}
OPA JSON Data
- Generated from 6 RBAC DB tables
- DB policy change notifier updates it
Request process (diagram): Request -> RequestAuthentication (istio-system, 401 on failure) -> AuthorizationPolicy (istio-system, 403 on failure) -> application Pod (Envoy sidecar in front of the Service) -> ext-Authz Pod on port 50051 (with its own Envoy sidecar), which returns 403 when the check is denied; the ext-Authz service consults the Authz Pod (Envoy sidecar, Service, DB) that holds the RBAC data.
https://github.com/cage1016/gokit-istio-security
Demo
Go-kit Istio Security
https://github.com/cage1016/gokit-istio-security
demo how to implement Authentication and custom Authorization with
- Mixer
- Envoy external authorization and Open Policy Agent
KAI CHU CHUNG
GDE Cloud
GDG Cloud Taipei co-organizers
@CageChung
https://kaichu.io
Q & A

  • 25. type AuthorizationServer interface { // Performs authorization check based on the attributes associated with the // incoming request, and returns status `OK` or not `OK`. Check(context.Context, *CheckRequest) (*CheckResponse, error) } func (as *AuthorizationServer) Check(ctx context.Context, req *auth.CheckRequest) (*auth.CheckResponse, error) { h := req.GetAttributes().GetRequest().GetHttp() ... s := as.Verify(ctx, h.GetHeaders()["x-envoy-original-path"], h.Method, h.GetHeaders()["x-jwt-playload"]) return &auth.CheckResponse{ Status: s, }, nil } envoy.config.filter.http.ext_authz.v2.ExtAuthz AuthorizationServer is the server API for Authorization service. - env: - name: QS_AUTHZ_URL value: "authz:8000"
  • 26. Request RequestAuthentication Request process AuthorizationPolicy istio-system istio-system401 403 Pod Envoy Service Pod ext-Authz 50051 Envoy 403
  • 28. The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. Open Policy Agent
  • 29. OPA (open policy agent) Declarative Policy, Context-aware, Expressive, Fast, Portable ● Cloud Native Computing Foundation incubating project ● Support ○ Kubernetes ■ Gatekeeper ○ Envoy ■ OPA Envoy plugin ○ Terraform ○ Kafka ○ SQL ○ Linux Open Policy Agent - https://www.openpolicyagent.org/
  • 30. OPA cont. Gatekeeper OPA Envoy plugin open-policy-agent/gatekeeper: Gatekeeper - Policy Controller for Kubernetes - https://github.com/open-policy-agent/gatekeeper open-policy-agent/opa-envoy-plugin: A plugin to enforce OPA policies with Envoy - https://github.com/open-policy-agent/opa-envoy-plugin
  • 31. Rego The Rego Playground - https://play.openpolicyagent.org/p/BYmNuNRZTs
  • 32. gokit microservice demo - authz https://github.com/cage1016/ms-demo- authz authorization RBAC implementation by OPA (open policy agent)
  • 33. { "rolePermissions": { "editor": ... "owner": [ { "method": "POST", "path": "/api/([^/]+)/add/sum" }, { "method": "POST", "path": "/api/([^/]+)/tictac/tic" }, { "method": "GET", "path": "/api/([^/]+)/tictac/tac" }, { "method": "GET", "path": "/api/([^/]+)/authz/roles" }, { "method": "GET", "path": "/api/([^/]+)/authz/roles/[a-zA-Z0-9_-~]{21}" } ] OPA JSON Data - Generate from 6 RBAC DB tables - DB policy change notifier update
  • 34. Request RequestAuthentication Request process AuthorizationPolicy istio-system istio-system401 403 Pod Envoy Service Pod ext-Authz 50051 Envoy 403 Authz Envoy Service DB
  • 36. Go-kit Istio Security https://github.com/cage1016/gokit-istio- security demo how to implement Authentication and custom Authorization with - Mixer - Envoy external and Open Policy Agent
  • 37. KAI CHU CHUNG GDE Cloud GDG Cloud Taipei co-organizers @CageChung https://kaichu.io Q & A