Authorization

The authorization template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer

Example config:

apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: authinfo
  namespace: istio-system
spec:
  compiledTemplate: authorization
  params:
    subject:
      user: source.principal | request.auth.principal | ""
      groups: request.auth.claims["groups"] | ""
      properties:
        iss: request.auth.claims["iss"]
    action:
      namespace: destination.namespace | "default"
      service: destination.service.host | ""
      path: request.path | "/"
      method: request.method | "post"
      properties:
        version: destination.labels[version] | ""

Subject

A subject contains a list of attributes that identify the caller identity.

Field Type Description Required
user string

The user name/ID that the subject represents.

No
groups string

Groups the subject belongs to depending on the authentication mechanism, “groups” are normally populated from JWT claim or client certificate. The operator can define how it is populated when creating an instance of the template.

No
properties map<string, Value>

Additional attributes about the subject.

No

Action

An action defines “how a resource is accessed”.

Field Type Description Required
namespace string

Namespace the target action is taking place in.

No
service string

The Service the action is being taken on.

No
method string

What action is being taken.

No
path string

HTTP REST path within the service

No
properties map<string, Value>

Additional data about the action for use in policy.

No

Template

The authorization template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what. In this template, the “who” is defined in a Subject message. The “what” is defined in an Action message. During a Mixer Check call, these values will be populated based on configuration from request attributes and passed to individual authorization adapters to adjudicate.

Field Type Description Required
subject Subject

A subject contains a list of attributes that identify the caller identity.

No
action Action

An action defines “how a resource is accessed”.

No
Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!