Custom auth adapter configuration help needed

Hi All, need your help deploying a custom auth mixer adapter.

I was pretty much following this article https://medium.com/google-cloud/simple-istio-mixer-out-of-process-authorization-adapter-5f9363cd9bbc in order to try a custom auth mixer adapter. The only difference is that I’m not using Istio’s demo app but just a simple dummy REST service.

All goes well and I can confirm my adapter works when I test it via local mixer server and client cli.
But when I deploy it to my Kubernetes cluster I can’t make it work, and it seems like my adapter is not being triggered by mixer at all.

  1. I’ve deployed my grpc adapter

  2. I’ve kubectl applied my attributes and template YAMLs

  3. I’ve applied my adapter config based on ‘authorisation’ template

  4. Below is my operator config

    # handler for adapter
    apiVersion: "config.istio…/v1alpha2"
    kind: handler
    metadata:
      name: h1
      namespace: istio-system
    spec:
      adapter: my-auth-adapter
      connection:
        address: "my-auth-adapter-service:44225"
      params:
        auth_key: "secret"
    ---
    apiVersion: "config.istio…/v1alpha2"
    kind: instance
    metadata:
      name: icheck
      namespace: istio-system
    spec:
      template: authorization
      params:
        subject:
          properties:
            custom_token_header: request.headers["x-custom-token"]
    ---
    apiVersion: "config.istio…/v1alpha2"
    kind: rule
    metadata:
      name: r1
      namespace: istio-system
    spec:
      actions:
      - handler: h1
        instances:
        - icheck

Now, in the mixer logs I see it’s connected to the adapter:

    2019-05-28T08:47:53.336108Z info scheme "" not registered, fallback to default scheme
    2019-05-28T08:47:53.336128Z info grpcAdapter Connected to: my-auth-adapter-service:44225
    2019-05-28T08:47:53.336217Z info ccResolverWrapper: sending new addresses to cc: [{my-auth-adapter-service:44225 0 <nil>}]
    2019-05-28T08:47:53.336255Z info base.baseBalancer: got new resolved addresses: [{my-auth-adapter-service:44225 0 <nil>}]
    2019-05-28T08:47:53.336274Z info base.baseBalancer: handle SubConn state change: 0xc420ffe0f0, CONNECTING
    2019-05-28T08:47:53.337911Z info base.baseBalancer: handle SubConn state change: 0xc420ffe0f0, READY
    2019-05-28T08:47:53.338180Z info roundrobinPicker: newPicker called with readySCs: map[{my-auth-adapter-service:44225 0 <nil>}:0xc420ffe0f0]
    2019-05-28T08:47:53.339303Z info Cleaning up handler table, with config ID:27
    2019-05-28T08:47:53.339351Z info adapters deleted remote controller {"adapter": "kubernetesenv.istio-system"}
    2019-05-28T08:47:53.339369Z info adapters adapter closed all scheduled daemons and workers {"adapter": "stdio.istio-system"}
    2019-05-28T08:47:53.339400Z info adapters adapter closed all scheduled daemons and workers {"adapter": "prometheus.istio-system"}
    2019-05-28T08:47:53.339530Z info adapters shutting down daemon... {"adapter": "kubernetesenv.istio-system"}
    2019-05-28T08:47:53.339730Z info adapters shutting down daemon... {"adapter": "kubernetesenv.istio-system"}
    2019-05-28T08:47:53.339768Z info adapters shutting down daemon... {"adapter": "kubernetesenv.istio-system"}
    2019-05-28T08:47:53.340096Z info adapters shutting down daemon... {"adapter": "kubernetesenv.istio-system"}
    2019-05-28T08:47:54.339681Z info adapters adapter closed all scheduled daemons and workers {"adapter": "kubernetesenv.istio-system"}

At the end of the day, all my requests, regardless of the ‘x-custom-token’ header, are successful and my auth adapter is not triggered at all.

Can anyone point me in the right direction here please?
Much appreciated!

Which version of Istio are you running? Is policy checking enabled for your install?

Istio 1.1.4. Thank you, my policy checking was indeed disabled. When I tried JWT based authentication it worked for me, so that’s why I guess it is a bit confusing. With enabled policy check my adapter works now. Thank you very much!
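
The cause in this thread was the mesh-wide `disablePolicyChecks` setting, not the handler, instance or rule: with it set to `true`, Mixer still connects to the adapter (as in the logs above) but check adapters are never consulted, so every request is allowed. The following is an added example, not code from the posters or the Istio project: a shell function that classifies that key in an Istio 1.1 mesh config. The function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example. On a live Istio 1.1 cluster, feed it the mesh config with:
#   kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | policy_check_state

policy_check_state() {
    # Reads mesh config YAML on stdin; prints: enabled | disabled | unset.
    # Comments are stripped first so a commented-out key is not counted;
    # if the key appears more than once, the last occurrence wins.
    val=$(sed -e 's/#.*$//' \
        | sed -n 's/^[[:space:]]*disablePolicyChecks:[[:space:]]*\(.*\)$/\1/p' \
        | tr -d "\"' \t\r" | tr 'A-Z' 'a-z' | tail -n 1)
    case "$val" in
        true)  echo disabled ;;
        false) echo enabled ;;
        *)     echo unset ;;
    esac
}

report() {
    # $1 = label, $2 = mesh config text
    state=$(printf '%s\n' "$2" | policy_check_state)
    case "$state" in
        disabled) msg="fail-open: Mixer check adapters are not consulted" ;;
        enabled)  msg="check adapters are consulted on each request" ;;
        *)        msg="key absent: the install default applies, verify it" ;;
    esac
    printf '%-10s %-9s %s\n' "$1" "$state" "$msg"
}

# Constructed sample mesh configs (not taken from the poster's cluster).
MESH_OFF='# policy enforcement
disablePolicyChecks: true
enableTracing: true'
MESH_ON='disablePolicyChecks: "false"
enableTracing: true'
MESH_COMMENTED='# disablePolicyChecks: false
enableTracing: true'

report off       "$MESH_OFF"
report on        "$MESH_ON"
report commented "$MESH_COMMENTED"
```

A `disabled` result explains the symptom in the question: a READY gRPC connection to the adapter in the Mixer log shows only that the handler was configured, not that authorization is being enforced.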