"Dynamic" access rule constraints in a ServiceRole


Is there any way to have dynamic constraints defined within a ServiceRole?

The scenario that I have is actually simple: I want to restrict users so that they can only view their own data in some endpoints (for instance, userA should be able to access /orders/userA but NOT /orders/userB, and vice versa).

Setting aside the whole debate of whether or not this concern should be handled by Istio (as opposed to the actual service logic), is there any way to implement something like this with the latest Istio version, and if not, are there any plans to support “dynamic” constraints perhaps?

This could be achievable by allowing the constraint to check a path parameter against a JWT claim, for instance, which is currently not a possibility.



Adding our experts on authz.
@liminwang @YangminZhu



If you can put the path inside the JWT claim, can you try to use request.auth.claims[path] to match against it? See https://istio.io/docs/reference/config/authorization/constraints-and-properties/#supported-properties



Currently you can set specific rules like “userA can access /orders/userA” using Istio authorization. But if you are talking about a parameterized rule that matches a JWT claim against a path parameter, this is not available currently.
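As an added illustration of the static, per-user rule described in the reply above (this is example config written for this thread, not taken from the original posts or from Istio's own documentation), the following ServiceRole/ServiceRoleBinding pair grants GET on /orders/userA only to requests carrying a JWT whose `sub` claim is `userA`. It assumes a service named `orders` in the `default` namespace and that request authentication (a JWT policy) is already applied to that service so the claims are available; the service name, namespace, and claim name are assumptions.

```yaml
# rbac.istio.io/v1alpha1 ServiceRole: which operations are allowed.
# The path is a literal, so one role (and one binding) is needed per user;
# there is no way to reference a claim value from inside `paths`.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: orders-usera-viewer
  namespace: default          # assumed namespace
spec:
  rules:
  - services: ["orders.default.svc.cluster.local"]   # assumed service
    paths: ["/orders/userA"]
    methods: ["GET"]
---
# ServiceRoleBinding: who gets the role. The subject is matched on a
# JWT claim via a supported property key; only an exact, static value
# can be given here, which is why the rule cannot be parameterised.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-orders-usera
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[sub]: "userA"   # assumed claim name (`sub`)
  roleRef:
    kind: ServiceRole
    name: "orders-usera-viewer"
```

The pairing is what the reply calls "specific rules": every other user needs their own ServiceRole with their own literal path and their own binding, and the deny-by-default behaviour of Istio RBAC (once enabled for the namespace or service) is what keeps userA out of /orders/userB. Note that the rbac.istio.io/v1alpha1 ServiceRole/ServiceRoleBinding API was later deprecated in favour of the security.istio.io AuthorizationPolicy resource, so on newer Istio releases the same static rule is expressed there instead.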