Istio 1.5.4 Having a general AuthorizationPolicy and one specific by service

Hello,

I am using RequestAuthentication with my internal JWT to authenticate the requests. I also have some endpoints in my microservice system which need to be exposed without authentication; for this reason, I included an AuthorizationPolicy to allow access without a valid token.

Having this working just fine, I now need to include specific AuthorizationPolicies for each microservice, so I can properly include SCOPES in my JWT and only allow access for specific users.

This is my current configuration:

RequestAuthentication

---
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: default
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
    - issuer: "my_company"
      jwksUri: "jwks_uri"
      fromHeaders:
        - name: Authorization
          prefix: "Bearer "
      forwardOriginalToken: true

AuthorizationPolicy

---
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: default
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
    - when:
        - key: "request.auth.claims[iss]"
          values: ["my_company"]
    - from:
        - source:
            notRequestPrincipals: ["*"]
      to:
        - operation:
            methods: ["OPTIONS"]

And what I was doing to include this new extra AuthorizationPolicy is:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-microservice-authorization
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-microservice-service
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["my_company"]
    when:
    - key: "request.auth.claims[scopes]"
      values: ["CAN_DELETE"]
    to:
    - operation:
        methods: ["DELETE"]

The main problem is that I am able to access the specific endpoint when only using the to with a specific method, but I always get RBAC: access denied when including the from and/or when.

Is there something that I am missing?

Thank you.

A quick sanity check: did you specify the correct format for the requestPrincipals field? The format combines the iss and sub with a / separator, e.g. some-issuer/some-subject

Hello YangminZhu, I even tried without the requestPrincipals field, removing the whole from block and only applying the when to ensure that it was correct.

I did, though, test with the separator, having my_company/my_company as the documentation shows.

Okay, then it's better to get some more logging to help with the troubleshooting.

Could you get the following:

  1. the Envoy config dump of the my-microservice-service workload (you can use istioctl d envoy <pod.namespace> to open the debug page and copy the envoy_config there) and;
  2. the Envoy debug logging of the my-microservice-service workload when you're seeing the RBAC: access denied (you can turn on the debug logging with istioctl pc log <pod.namespace> --level "rbac:debug,jwt:debug")

Hey YangminZhu,

  1. The dump from Envoy in my case has more than 42k lines; is there any specific part that is more important to reply with?

2020-10-12T09:50:39.563388Z	debug	envoy rbac	[external/envoy/source/extensions/filters/http/rbac/rbac_filter.cc:74] checking request: requestedServerName: outbound_.80_._.my_company_service.default.svc.cluster.local, sourceIP: 10.0.1.230:56268, directRemoteIP: 10.0.1.230:56268, remoteIP: 10.0.3.153:0, localAddress: 10.0.3.135:8080, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'api.my_company.io'
  ':path', '/_search?pretty'
  ':method', 'GET'
  'accept', '*/*'
  'authorization', 'Bearer <TOKEN>'
  'user-agent', 'insomnia/2020.4.1'
  'x-forwarded-for', '95.91.245.146,10.0.3.153'
  'x-forwarded-port', '443'
  'x-forwarded-proto', 'http'
  'x-envoy-external-address', '10.0.3.153'
  'x-request-id', 'edae6106-b2ab-4892-b9c0-11ff2c458be3'
  'x-istio-attributes', '<INTERNAL>'
  'x-b3-traceid', '7d3a309b528d954f89b41afa5acacc19'
  'x-b3-spanid', '89b41afa5acacc19'
  'x-b3-sampled', '0'
  'x-envoy-original-path', '/_search?pretty'
  'content-length', '0'
  'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/default/sa/my_company_service;Hash=1a83ab9113b9780ee4776d0617f2816ba2832bf3fe4b72d1618c486dfa39dab9;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account'
  , dynamicMetadata: filter_metadata {
    key: "istio_authn"
    value {
      fields {
        key: "request.auth.principal"
        value {
          string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
        }
      }
      fields {
        key: "source.namespace"
        value {
          string_value: "istio-system"
        }
      }
      fields {
        key: "source.principal"
        value {
          string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
        }
      }
      fields {
        key: "source.user"
        value {
          string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
        }
      }
    }
  }

I was also checking the policies in my pod using this tutorial https://istio.io/latest/docs/ops/common-problems/security-issues/#ensure-istiod-accepts-the-policies and this is the output:

2020-10-12T10:06:52.156340Z	debug	authorization	rule ns[default]-policy[my_company-authorization]-rule[0] generated policy: permissions:<and_rules:<rules:<any:true > > > principals:<and_ids:<ids:<or_ids:<ids:<metadata:<filter:"istio_authn" path:<key:"request.auth.principal" > value:<string_match:<exact:"my_company/my_company" > > > > > > > >
2020-10-12T10:06:52.156445Z	debug	authorization	rule ns[default]-policy[my_company-authorization]-rule[1] generated policy: permissions:<and_rules:<rules:<or_rules:<rules:<header:<name:":method" exact_match:"GET" > > > > > > principals:<and_ids:<ids:<or_ids:<ids:<metadata:<filter:"istio_authn" path:<key:"source.principal" > value:<string_match:<safe_regex:<google_re2:<> regex:".*/ns/istio-system/.*" > > > > > > > > >
2020-10-12T10:06:52.162103Z	error	authorization	skipped rule ns[default]-policy[my_company-authorization]-rule[0]: request.auth.principal must not be used in TCP
2020-10-12T10:06:52.162154Z	error	authorization	skipped rule ns[default]-policy[my_company-authorization]-rule[1]: :method must not be used in TCP

Thank you!
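An added configuration example, not posted by either participant, for the layout this thread is working towards. RequestAuthentication is enforced by the proxy of the workloads its selector matches, and request.auth.claims and requestPrincipals are only populated on that proxy. The RequestAuthentication posted above selects the ingress gateway in istio-system; a sidecar in the default namespace with no RequestAuthentication of its own carries only the peer (mTLS) identity in its istio_authn metadata, which is what the debug output above shows: request.auth.principal is the gateway's service account, and no request.auth.claims entry is present. A from.source.requestPrincipals or when.request.auth.claims condition evaluated on that sidecar therefore cannot match. The example below adds a RequestAuthentication for the workload itself (the gateway already forwards the token with forwardOriginalToken: true) and pairs it with the per-service ALLOW policy, using the issuer/subject form for requestPrincipals. The issuer my_company, the jwksUri value, the CAN_DELETE scope and the app label are the thread's own placeholders; the my_company/* suffix wildcard and the read-only second rule are assumptions for illustration.

```yaml
# Added example, not from the thread. Validates the JWT on the sidecar of the
# workload itself, so request.auth.claims and requestPrincipals are populated
# on the proxy where the per-service AuthorizationPolicy is evaluated.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: my-microservice-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-microservice-service      # same label as the per-service policy above
  jwtRules:
    - issuer: "my_company"               # placeholder from the thread; must equal the token's iss exactly
      jwksUri: "jwks_uri"                # placeholder; must be reachable from this sidecar, not only from the gateway
      fromHeaders:
        - name: Authorization
          prefix: "Bearer "
      # The gateway already forwards the original token; set this to true here
      # only if the application behind the sidecar needs to read the token too.
      forwardOriginalToken: false
---
# ALLOW policy on the same workload. Any request not matched by a rule is
# denied, so a request with no token is rejected here; RequestAuthentication
# alone only rejects invalid tokens, not missing ones.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-microservice-authorization
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-microservice-service
  action: ALLOW
  rules:
    # Rule 1: DELETE requires a valid my_company token carrying the CAN_DELETE scope.
    - from:
        - source:
            # requestPrincipals is "<iss>/<sub>"; the trailing * is a suffix
            # wildcard (assumption for illustration: any subject issued by my_company).
            requestPrincipals: ["my_company/*"]
      to:
        - operation:
            methods: ["DELETE"]
      when:
        - key: request.auth.claims[scopes]
          values: ["CAN_DELETE"]
    # Rule 2 (assumed for illustration): read-only methods need a valid token but no scope.
    - from:
        - source:
            requestPrincipals: ["my_company/*"]
      to:
        - operation:
            methods: ["GET", "HEAD"]
```

With both resources applied, re-running the same rbac:debug,jwt:debug logging on the workload should show the istio_authn dynamicMetadata carrying request.auth.principal in the my_company/<sub> form and a request.auth.claims entry, instead of only the gateway's mTLS identity. The jwksUri must resolve and be reachable from the sidecar; a token that the gateway accepts but the sidecar cannot validate is rejected at the sidecar.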