How to apply this policy

Lokesh_Aggarwal · December 5, 2019, 7:49am

open-policy-agent/opa-istio-plugin/blob/398637bc9d7f937145fbd23ed4b758497087d70c/quick_start.yaml#L241


        query: data.istio.authz.allow
---
############################################################
# Example policy to enforce into OPA-Istio sidecars.
############################################################
apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-policy
data:
  policy.rego: |
    package istio.authz


    import input.attributes.request.http as http_request


    default allow = false


    allow {
        roles_for_user[r]
        required_roles[r]
    }

This policy works fine in opa-istio-plugin(GRPC) but when I run this policy in OPA adapter its shows
PERMISSION_DENIED:opa-handler.istio-system:opa: request was rejected

According to policy alice can access /productpage BUT NOT /api/v1/products .

curl --user alice:password -i http://$GATEWAY_URL/productpage
curl --user alice:password -i http://$GATEWAY_URL/api/v1/products

2 bob can access /productpage AND /api/v1/products .

curl --user bob:password -i http://$GATEWAY_URL/productpage
curl --user bob:password -i http://$GATEWAY_URL/api/v1/products
But it shows permission denied on all curl commands.

Topic		Replies	Views
Authorization Policy error with CUSTOM action and OPA used as external authorizer Config security	0	475	September 19, 2022
External Authorization with OPA is not working Security	0	463	September 7, 2022
Istio 1.5 AuthorizationPolicy using JWT Security	4	975	July 28, 2020
Authorization polices issue Security	1	168	November 15, 2023
Question - Mixer Attribute Generation Policies and Telemetry	4	631	April 16, 2019

How to apply this policy

Related Topics