"Dynamic" access rule constraints in a ServiceRole

carlosaml · March 20, 2019, 6:14pm

Is there any way to have dynamic constraints defined within a ServiceRole?

The scenario that I have is actually simple: I want to restrict users so that they can only view their own data in some endpoints (for instance, userA should be able to access /orders/userA but NOT /orders/userB and vice versa)

Setting aside the whole debate of whether or not this concern should be handled by Istio (as opposed to the actual service logic), is there any way to implement something like this with the latest Istio version and if not, are there any plans to support “dynamic” constraints perhaps?

This could be achievable by allowing the constraint to check a path parameter against a JWT claim, for instance, which is currently not a possibility.

Oliver · March 28, 2019, 4:48am

Adding our experts on authz.
@liminwang @YangminZhu

YangminZhu · March 29, 2019, 7:16pm

If you can put the path inside the JWT claim, can you try to use request.auth.claims[path] to match against it? See https://istio.io/docs/reference/config/authorization/constraints-and-properties/#supported-properties

liminwang · March 29, 2019, 8:53pm

Currently you can set specific rules like “userA can access /orders/userA” using Istio authorization. But if you are talking about a parameterized rule that matches a JWT claim against a path parameter, this is not available currently.

Topic		Replies	Views
Authorization policy challenge Security	6	1209	April 4, 2020
Matching permissions in Istio AuthorizationPolicy Security security	1	493	July 10, 2020
Role or group based authorization for backend services Security	3	501	June 27, 2019
JWT claims validation Security	5	749	May 24, 2019
JWT and Authorization Security	7	1014	July 2, 2019

"Dynamic" access rule constraints in a ServiceRole

Related topics