I haven’t been able to figure out if the istio service authentication identity is passed to the receiving service, this could be useful for in application that needs to make authorization decisions about service peers.
For instance Service A is calling Service B they authenticate to each over mTLS that termites at the sidecar, is there some metadata being passed to Service B saying that its communicating to Service A and vice versa?
@leitang Metadata is being passed to the service/application, as it seems the link is more a reference to logging? Is there any information on how to access it depending on the protocol, and furthermore in this case where it’s an identity is suggested to use and trust these attributes to make authorization decisions in application?
AFAIK, metadata is passed between the Envoy filters, e.g., an identity can be generated by the Istio authentication Envoy filter and used in the Istio authorization Envoy filter to make authorization decisions.
When service A wants to talk to service B, A will verify B’s cert and its secure naming to make sure the one who’s presenting B’s cert is actually B. Secure naming information is stored in the Envoy config. https://istio.io/docs/concepts/security/#istio-identity. I think B is also making sure if A’s cert is presented by A, since it’s mTLS, but the doc on Istio website did not mention this part, maybe I’m wrong. @Tao_Li to confirm.
I have a use case where I want service to service authorization to partially live inside the application. For instance, if Service A is calling Service B, Service B needs to know that its talking to Service A so it can decide whether Service A is authorized to do what it is requesting.
Given the above scenario, would a service know what other service is talking to it so it can make authorization decisions?
P.S. Generally authentication can easily be delegated to service mesh, but authorization, especially end-user authorization but even service to service authorization is much harder to delegate to the service mesh if one doesn’t have an endpoint model and fine grained controls
B can have an authZ policy to allow services with service account foo with namespace bar access it. Service account and namespace information is part of the SAN field in a workload cert. When A presents its cert, B will be able to see if it should allow A with the given cert or not. However, as discussed above, it seems like anyone can just steal the cert and pretend to have the service account foo. Luckily with SDS, this will not happen, since the cert is not written to any file, but in memory instead.
For JWT, currently we don’t pass the validated token in the header, we could add this feature, please feel free to open an issue if you have any use cases for this.