• Authorization
    • Action
    • Subject
    • Template

    Authorization

    The authorization template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what.

    Example config:

    apiVersion: "config.istio.io/v1alpha2"
    kind: instance
    metadata:
      name: authinfo
      namespace: istio-system
    spec:
      compiledTemplate: authorization
      params:
        # Each value is an attribute expression; "|" yields the first operand
        # that is present, falling through to the quoted literal default.
        subject:
          user: source.principal | request.auth.principal | ""
          groups: request.auth.claims["groups"] | ""
          properties:
            iss: request.auth.claims["iss"]
        action:
          namespace: destination.namespace | "default"
          service: destination.service.host | ""
          path: request.path | "/"
          method: request.method | "post"
          properties:
            version: destination.labels[version] | ""

    Action

    An action defines “how a resource is accessed”.

    Field        Type                 Required   Description
    namespace    string               No         Namespace the target action is taking place in.
    service      string               No         The Service the action is being taken on.
    method       string               No         What action is being taken (in the example above, the HTTP method).
    path         string               No         HTTP REST path within the service.
    properties   map<string, Value>   No         Additional data about the action for use in policy.

    Subject

    A subject contains a list of attributes that identify the caller identity.

    Field        Type                 Required   Description
    user         string               No         The user name/ID that the subject represents.
    groups       string               No         Groups the subject belongs to. Depending on the authentication
                                                 mechanism, "groups" are normally populated from a JWT claim or a
                                                 client certificate. The operator defines how the field is
                                                 populated when creating an instance of the template.
    properties   map<string, Value>   No         Additional attributes about the subject.

    Template

    The authorization template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what. In this template, the "who" is defined in a Subject message. The "what" is defined in an Action message. During a Mixer Check call, these values will be populated based on configuration from request attributes and passed to individual authorization adapters to adjudicate.

    Field        Type      Required   Description
    subject      Subject   No         A subject contains a list of attributes that identify the caller identity.
    action       Action    No         An action defines "how a resource is accessed".
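    The Check-time population described above, as an added worked example in Go that is not part of the Istio project or of this page: a toy evaluator for the `a | b | "literal"` expressions used in the instance config (a small subset of Istio's expression language, written only for this example), a Populate function that fills Subject and Action from a constructed attribute bag, and an Adjudicate function standing in for an authorization adapter's decision. The issuer URL, the policy rules and every attribute value are assumptions; a field whose expression has no fallback and cannot be resolved (iss, if the JWT claim is absent) is modelled here as an error so the instance fails closed.

```go
package main

import (
	"fmt"
	"strings"
)

// Attributes stands in for the Mixer attribute bag: scalar attributes are
// strings, map-valued ones (request.auth.claims, destination.labels) are
// map[string]string.
type Attributes map[string]interface{}

// Subject and Action mirror the template's two messages.
type Subject struct {
	User, Groups string
	Properties   map[string]string
}

type Action struct {
	Namespace, Service, Method, Path string
	Properties                        map[string]string
}

// Eval resolves `alt1 | alt2 | "literal"`: the first alternative that
// resolves wins. An alternative is a quoted literal, an index such as
// request.auth.claims["iss"] (key may be unquoted, as in
// destination.labels[version]), or a plain attribute name. This is a toy
// subset of Istio's expression language, not its evaluator.
func Eval(expr string, attrs Attributes) (string, bool) {
	for _, alt := range strings.Split(expr, "|") {
		alt = strings.TrimSpace(alt)
		if len(alt) >= 2 && alt[0] == '"' && alt[len(alt)-1] == '"' {
			return alt[1 : len(alt)-1], true
		}
		if open := strings.Index(alt, "["); open > 0 && strings.HasSuffix(alt, "]") {
			key := strings.Trim(alt[open+1:len(alt)-1], `"`)
			if m, ok := attrs[alt[:open]].(map[string]string); ok {
				if v, ok := m[key]; ok {
					return v, true
				}
			}
		} else if v, ok := attrs[alt].(string); ok {
			return v, true
		}
	}
	return "", false
}

// Populate fills Subject and Action using the expressions from the instance
// config shown earlier on this page. A field whose expression has no
// resolvable alternative (here `iss`, which has no `| ""` fallback) is an
// error, so the instance fails closed instead of passing an empty value.
func Populate(attrs Attributes) (Subject, Action, error) {
	exprs := map[string]string{
		"user":      `source.principal | request.auth.principal | ""`,
		"groups":    `request.auth.claims["groups"] | ""`,
		"iss":       `request.auth.claims["iss"]`,
		"namespace": `destination.namespace | "default"`,
		"service":   `destination.service.host | ""`,
		"path":      `request.path | "/"`,
		"method":    `request.method | "post"`,
		"version":   `destination.labels[version] | ""`,
	}
	v := make(map[string]string, len(exprs))
	for field, expr := range exprs {
		val, ok := Eval(expr, attrs)
		if !ok {
			return Subject{}, Action{}, fmt.Errorf("%s: no alternative of %q resolved", field, expr)
		}
		v[field] = val
	}
	return Subject{User: v["user"], Groups: v["groups"], Properties: map[string]string{"iss": v["iss"]}},
		Action{Namespace: v["namespace"], Service: v["service"], Method: v["method"], Path: v["path"],
			Properties: map[string]string{"version": v["version"]}}, nil
}

// Adjudicate stands in for an authorization adapter: a toy policy that
// denies anonymous callers and unknown issuers, and allows methods other
// than GET only when the comma-separated groups claim contains "admin".
func Adjudicate(s Subject, a Action) bool {
	if s.User == "" || s.Properties["iss"] != "https://issuer.example" {
		return false
	}
	return a.Method == "GET" || strings.Contains(","+s.Groups+",", ",admin,")
}

// SampleAttributes is a constructed attribute bag for one authenticated GET;
// destination.namespace is deliberately absent so the "default" fallback fires.
func SampleAttributes() Attributes {
	return Attributes{
		"source.principal":         "cluster.local/ns/default/sa/frontend",
		"request.auth.claims":      map[string]string{"groups": "admin", "iss": "https://issuer.example"},
		"destination.service.host": "reviews.default.svc.cluster.local",
		"destination.labels":       map[string]string{"version": "v2"},
		"request.path":             "/reviews/1",
		"request.method":           "GET",
	}
}
```

    Calling Populate(SampleAttributes()) yields a Subject whose user comes from source.principal and whose groups and iss come from the JWT claims, and an Action whose namespace falls back to "default" because the attribute is absent. Removing request.auth.claims from the bag makes Populate return an error, which is the point of leaving iss without a `| ""` default: a missing claim should not silently become an empty property that a lenient adapter rule might accept.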