requestAuthentication详解

时间:2022-12-16 18:57:19


 欢迎关注我的公众号:

requestAuthentication详解

 目前刚开始写一个月,一共写了18篇原创文章,文章目录如下:

​istio多集群探秘,部署了50次多集群后我得出的结论​

​istio多集群链路追踪,附实操视频​

​istio防故障利器,你知道几个,istio新手不要读,太难!​

​istio业务权限控制,原来可以这么玩​

​istio实现非侵入压缩,微服务之间如何实现压缩​

​不懂envoyfilter也敢说精通istio系列-http-rbac-不要只会用AuthorizationPolicy配置权限​

​不懂envoyfilter也敢说精通istio系列-02-http-corsFilter-不要只会vs​

​不懂envoyfilter也敢说精通istio系列-03-http-csrf filter-再也不用再代码里写csrf逻辑了​

​不懂envoyfilter也敢说精通istio系列http-jwt_authn-不要只会RequestAuthorization​

​不懂envoyfilter也敢说精通istio系列-05-fault-filter-故障注入不止是vs​

​不懂envoyfilter也敢说精通istio系列-06-http-match-配置路由不只是vs​

​不懂envoyfilter也敢说精通istio系列-07-负载均衡配置不止是dr​

​不懂envoyfilter也敢说精通istio系列-08-连接池和断路器​

​不懂envoyfilter也敢说精通istio系列-09-http-route filter​

​不懂envoyfilter也敢说精通istio系列-network filter-redis proxy​

​不懂envoyfilter也敢说精通istio系列-network filter-HttpConnectionManager​

​不懂envoyfilter也敢说精通istio系列-ratelimit-istio ratelimit完全手册​

学习目标

requestAuthentication详解

什么是RequestAuthentication

RequestAuthentication defines what request authentication methods are supported by a workload. It will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity.

就是用来配置jwt的

资源详解

Field

Type

Description

Required

​selector​

​WorkloadSelector​

The selector determines the workloads to apply the RequestAuthentication on. If not set, the policy will be applied to all workloads in the same namespace as the policy.

No

​jwtRules​

​JWTRule[]​

Define the list of JWTs that can be validated at the selected workloads’ proxy. A valid token will be used to extract the authenticated identity. Each rule will be activated only when a token is presented at the location recorgnized by the rule. The token will be validated based on the JWT rule config. If validation fails, the request will be rejected. Note: if more than one token is presented (at different locations), the output principal is nondeterministic.

No

selector

ra-example-productpage.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "productpage"
spec:
selector:
matchLabels:
app: productpage
jwtRules:
- issuer: "testing@secure.istio.io"
jwks: |
{ "keys":
[
{
"e":"AQAB",
"kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
"kty":"RSA",
"n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
}
]
}

TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

jwtRules

Field

Type

Description

Required

​issuer​

​string​

Identifies the issuer that issued the JWT. See ​​issuer​​​ A JWT with different ​​iss​​​ claim will be rejected.Example: ​​Auth0: Secure access for everyone. But not just anyone.​​ Example: ​​1234567-compute@developer.gserviceaccount.com​​

Yes

​audiences​

​string[]​

The list of JWT ​​audiences​​​. that are allowed to access. A JWT containing any of these audiences will be accepted.The service name will be accepted if audiences is empty.Example:​​audiences: - bookstore_android.apps.example.com bookstore_web.apps.example.com​

No

​jwksUri​

​string​

URL of the provider’s public key set to validate signature of the JWT. See ​​OpenID Discovery​​​.Optional if the key set document can either (a) be retrieved from ​​OpenID Discovery​​​ of the issuer or (b) inferred from the email domain of the issuer (e.g. a Google service account).Example: ​​https://www.googleapis.com/oauth2/v1/certs​​Note: Only one of jwksuri and jwks should be used. jwksuri will be ignored if it does.

No

​jwks​

​string​

JSON Web Key Set of public keys to validate signature of the JWT. See ​​https://auth0.com/docs/jwks.Note​​: Only one of jwksuri and jwks should be used. jwksuri will be ignored if it does.

No

​fromHeaders​

​JWTHeader[]​

List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in ​​x-jwt-assertion​​​ header, and have “Bearer ” prefix:​​fromHeaders: - name: x-jwt-assertion prefix: "Bearer "​

No

​fromParams​

​string[]​

List of query parameters from which JWT is expected. For example, if JWT is provided via query parameter ​​my_token​​​ (e.g /path?my_token=), the config is:​​fromParams: - "my_token"​

No

​outputPayloadToHeader​

​string​

This field specifies the header name to output a successfully verified JWT payload to the backend. The forwarded data is ​​base64_encoded(jwt_payload_in_JSON)​​. If it is not specified, the payload will not be emitted.

No

​forwardOriginalToken​

​bool​

If set to true, the orginal token will be kept for the ustream request. Default is false.

No

issuer

ra-example-productpage.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "productpage"
spec:
selector:
matchLabels:
app: productpage
jwtRules:
- issuer: "testing@secure.istio.io"
jwks: |
{ "keys":
[
{
"e":"AQAB",
"kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
"kty":"RSA",
"n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
}
]
}

audiences

ra-productpage-jwtrules-audiences.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "productpage"
spec:
selector:
matchLabels:
app: productpage
jwtRules:
- issuer: "testing@secure.istio.io"
audiences:
- "app"
jwks: |
{ "keys":
[
{
"e":"AQAB",
"kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
"kty":"RSA",
"n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
}
]
}

Audiences in Jwt are not allowed

jwt里没有audience

jwksUri

ra-productpage-jwtrules-jwksUri.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "productpage"
spec:
selector:
matchLabels:
app: productpage
jwtRules:
- issuer: "testing@secure.istio.io"
jwksUri: http://jwt-server.istio.svc.cluster.local:8000

jwt-server.yaml

apiVersion: v1
kind: Service
metadata:
name: jwt-server
labels:
app: jwt-server
spec:
ports:
- name: http
port: 8000
targetPort: 8000
selector:
app: jwt-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jwt-server
spec:
replicas: 1
selector:
matchLabels:
app: jwt-server
template:
metadata:
labels:
app: jwt-server
spec:
containers:
- image: docker.io/istio/jwt-server:0.5
imagePullPolicy: IfNotPresent
name: jwt-server
ports:
- containerPort: 8000
---

jwks

ra-example-productpage.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "productpage"
spec:
selector:
matchLabels:
app: productpage
jwtRules:
- issuer: "testing@secure.istio.io"
jwks: |
{ "keys":
[
{
"e":"AQAB",
"kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
"kty":"RSA",
"n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
}
]
}

fromHeaders

ield

Type

Description

Required

​name​

​string​

The HTTP header name.

Yes

​prefix​

​string​

The prefix that should be stripped before decoding the token. For example, for “Authorization: Bearer ”, prefix=“Bearer ” with a space at the end. If the header doesn’t have this exact prefix, it is considerred invalid.

No

ra-productpage-jwtrules-fromHeaders.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "productpage"
spec:
selector:
matchLabels:
app: productpage
jwtRules:
- issuer: "testing@secure.istio.io"
fromHeaders:
- name: my-token
prefix: test
jwks: |
{ "keys":
[
{
"e":"AQAB",
"kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
"kty":"RSA",
"n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
}
]
}

curl 192.168.198.154:30986/productpage -H "my-token: test ${TOKEN}"

fromParams

ra-productpage-jwtrules-fromParams.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "productpage"
spec:
selector:
matchLabels:
app: productpage
jwtRules:
- issuer: "testing@secure.istio.io"
fromParams:
- my-token
jwks: |
{ "keys":
[
{
"e":"AQAB",
"kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
"kty":"RSA",
"n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
}
]
}

curl 192.168.198.154:30986/productpage?my-token=${TOKEN}

outputPayloadToHeader

ra-productpage-jwtrules-outputPayloadToHeader.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "productpage"
spec:
selector:
matchLabels:
app: productpage
jwtRules:
- issuer: "testing@secure.istio.io"
fromParams:
- my-token
outputPayloadToHeader: auth
jwks: |
{ "keys":
[
{
"e":"AQAB",
"kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
"kty":"RSA",
"n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
}
]
}

curl 192.168.198.154:30986/productpage?my-token=${TOKEN}

forwardOriginalToken

1启用网关jwt

网关不启用token转发

kubectl apply -f ra-example.yaml -n istio-system

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "jwt-example"
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:
- issuer: "testing@secure.istio.io"
jwks: |
{ "keys":
[
{
"e":"AQAB",
"kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
"kty":"RSA",
"n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
}
]
}
# forwardOriginalToken: true # 转发 Authorization 请求头

2启用productpage jwt

ra-productpage-jwtrules-forwardOriginalToken.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "productpage"
spec:
selector:
matchLabels:
app: productpage
jwtRules:
- issuer: "testing@secure.istio.io"
jwks: |
{ "keys":
[
{
"e":"AQAB",
"kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
"kty":"RSA",
"n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
}
]
}

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

访问失败

3修改网关jwt

网关启用转发token

kubectl apply -f ra-example.yaml -n istio-system

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "jwt-example"
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:
- issuer: "testing@secure.istio.io"
jwks: |
{ "keys":
[
{
"e":"AQAB",
"kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
"kty":"RSA",
"n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
}
]
}
forwardOriginalToken: true # 转发 Authorization 请求头

4访问

curl 192.168.198.154:30986/productpage -H "Authorization: Bearer ${TOKEN}"

成功