Exclude path with notPaths in AuthorizationPolicy

Hi,

I need to implement Istio JWT validation for a SINGLE microservice that exposes different paths, and I would like to have one generic AuthorizationPolicy to enable JWT for all endpoints, i.e.:

/ciao
/hi
/hello
/bonjour

and I have the need to exclude a single path from JWT and check the Authorization Basic header with another AuthorizationPolicy:

i.e.
/ciao/italia/

So I tested different ways to have the AuthorizationPolicy where in one I enable JWT validation for all paths (paths: ["*"]) and then exclude /ciao/italia from JWT with notPaths: ["/ciao/italia"], but it's not working. One of the ways is:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/*"]
    - operation:
        notPaths: ["/ciao/italia*"]
    when:
    - key: request.auth.claims[realm_access][group]
      values:
      - Claim
```

I gave a look at all these resources but nothing helped me:

What I found suspicious is that if there is a wildcard entry in paths ["*"], Istio is not able to exclude the path that is contained in notPaths.

In this example, Istio can exclude the path, but only if we specify the paths and not the wildcard in any path statement - Disable RequestAuthentication JWT rules for specific paths · Issue #27432 · istio/istio · GitHub.

so I tested different ways to have the AuthorizationPolicy where in one I enable JWT validation for all paths ["*"] and then exclude with notPaths ["/ciao/italia"] from JWT but it's not working

You can create an authz policy with 2 rules: the first rule uses notPaths: ["/ciao/italia"] to whitelist the path (do not require JWT), and the 2nd rule uses paths: ["*"] to require JWT on all paths.

If you could format your example policy using ``` it would be easier to see, but I suspect the issue is that you are using only 1 rule instead of 2, which means all the paths require JWT.

Thanks, it worked!

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: jwt-test
spec:
  selector:
    matchLabels:
      app: test
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - POST
        paths:
        - /ciao/italia/*
  - to:
    - operation:
        methods:
        - POST
        paths:
        - /hello/uk*
  - to:
    - operation:
        paths: ["*"]
    when:
    - key: request.auth.claims[realm_access][group]
      values: ["Test"]
```

This is a rough copy of what worked with your precious inputs.
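The reason the single-rule policy from the question fails and the three-rule policy above works comes down to how Istio combines the pieces of an ALLOW policy: rules are OR'ed, but inside one rule the `to` list and the `when` list are AND'ed, so a `when` clause that requires a JWT claim applies to every path the rule's `to` entries match, and `paths: ["/*"]` matches everything regardless of the sibling `notPaths` entry. The following is an added example, not code from the thread or from Istio: a small Python model of that evaluation order (path matching as exact, prefix `x*`, suffix `*x` or presence `*`; list entries OR'ed, fields of one operation AND'ed; nested claims addressed as `request.auth.claims[a][b]`). It is a simplification for reasoning about a policy offline, not a substitute for testing against a real mesh; the `Request` type and the dict transcription of both policies are constructed here, with metadata and selector dropped because only the rules are evaluated.

```python
"""Added example: simplified model of Istio AuthorizationPolicy (action ALLOW) evaluation."""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    method: str
    # Claims from a validated JWT; an empty dict models a request without a JWT.
    claims: dict = field(default_factory=dict)


def path_matches(pattern: str, path: str) -> bool:
    """Istio path patterns: exact, prefix ("/foo/*"), suffix ("*.html") or presence ("*")."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return path == pattern


def operation_matches(op: dict, req: Request) -> bool:
    """Every field set on one operation must hold (AND); entries inside a list are OR'ed."""
    if "methods" in op and req.method not in op["methods"]:
        return False
    if "paths" in op and not any(path_matches(p, req.path) for p in op["paths"]):
        return False
    if "notPaths" in op and any(path_matches(p, req.path) for p in op["notPaths"]):
        return False
    return True


def claim_lookup(claims: dict, key: str):
    """Resolve request.auth.claims[a][b] against nested JWT claims; None when absent."""
    current = claims
    for name in re.findall(r"\[([^\]]+)\]", key):
        if not isinstance(current, dict) or name not in current:
            return None
        current = current[name]
    return current


def condition_matches(cond: dict, req: Request) -> bool:
    if not cond["key"].startswith("request.auth.claims"):
        raise NotImplementedError("only request.auth.claims keys are modelled here")
    actual = claim_lookup(req.claims, cond["key"])
    if actual is None:
        return False  # no JWT or claim missing: the condition cannot be satisfied
    actual_values = actual if isinstance(actual, list) else [actual]
    return any(str(v) in cond["values"] for v in actual_values)


def rule_matches(rule: dict, req: Request) -> bool:
    """Inside a rule, `to` and `when` are AND'ed; entries of each list are OR'ed."""
    to = rule.get("to", [])
    if to and not any(operation_matches(t["operation"], req) for t in to):
        return False
    return all(condition_matches(c, req) for c in rule.get("when", []))


def allowed(policy: dict, req: Request) -> bool:
    """ALLOW policy: the request passes if at least one rule matches, otherwise it is denied."""
    return any(rule_matches(r, req) for r in policy["spec"]["rules"])


CLAIM_KEY = "request.auth.claims[realm_access][group]"

# Single-rule policy from the question (constructed transcription; metadata/selector omitted).
SINGLE_RULE_POLICY = {"spec": {"action": "ALLOW", "rules": [
    {"to": [{"operation": {"paths": ["/*"]}},
            {"operation": {"notPaths": ["/ciao/italia*"]}}],
     "when": [{"key": CLAIM_KEY, "values": ["Claim"]}]},
]}}

# The jwt-test policy that worked (constructed transcription of the three rules).
FINAL_POLICY = {"spec": {"action": "ALLOW", "rules": [
    {"to": [{"operation": {"methods": ["POST"], "paths": ["/ciao/italia/*"]}}]},
    {"to": [{"operation": {"methods": ["POST"], "paths": ["/hello/uk*"]}}]},
    {"to": [{"operation": {"paths": ["*"]}}],
     "when": [{"key": CLAIM_KEY, "values": ["Test"]}]},
]}}

if __name__ == "__main__":
    anon_post = Request("/ciao/italia/ping", "POST")
    print("single rule, anonymous POST /ciao/italia/ping:", allowed(SINGLE_RULE_POLICY, anon_post))
    print("final policy, anonymous POST /ciao/italia/ping:", allowed(FINAL_POLICY, anon_post))
    print("final policy, anonymous GET  /ciao/italia/ping:", allowed(FINAL_POLICY, Request("/ciao/italia/ping", "GET")))
    print("final policy, anonymous POST /ciao/italia     :", allowed(FINAL_POLICY, Request("/ciao/italia", "POST")))
```

Two details the model makes visible: the exemption in the working policy is only as wide as its operation, so a GET to `/ciao/italia/ping` or a POST to `/ciao/italia` without the trailing slash still falls through to the JWT rule and is denied without a token, which is the safe direction; and the single-rule variant denies the anonymous request not because `notPaths` is ignored but because the `when` clause is AND'ed with the whole `to` list.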