GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization

KAI CHU CHUNG
Cloud GDE
GDG Cloud Taipei co-organizers
@CageChung
https://kaichu.io
Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52

KAI CHU CHUNG
Cloud GDE
QNAP
@CageChung
https://kaichu.io

Agenda
● Microservice API authentication and authorization
● Istio security - API Authorization
● External Authorization
● OPA (open policy agent)
● Demo

Microservice API
authentication and
authorization

GoPherCon 2020 TW:
如何透過 Go-kit 快速
搭建微服務架構應用程
式實戰
https://kaichu.io/posts/gokit-engineering-
operation/
- Go-kit
- Layout
- Test
- Toolchain

Go-kit microservice
Golang UK Conference 2015 - Peter Bourgon - Go Kit A Toolkit for Microservices - https://youtu.be/aL6sd4d4hxk?t=1022
auth

// Basic
httptransport.NewServer(
AuthMiddleware(cfg.auth.user, cfg.auth.password, "Example Realm")(makeUppercaseEndpoint()),
decodeMappingsRequest,
httptransport.EncodeJSONResponse,
httptransport.ServerBefore(httptransport.PopulateRequestContext),
)
// JWT
var ep endpoint.Endpoint
{
kf := func(token *stdjwt.Token) (interface{}, error) { return []byte("SigningString"), nil }
ep = MakeExampleEndpoint(service)
ep = jwt.NewParser(kf, stdjwt.SigningMethodHS256, jwt.StandardClaimsFactory)(exampleEndpoint)
Auth
middleware
- Basic Auth
- JWT
- Casbin/OPA

Microservice solve organizational problems
~ Microservice cause technical problems

Go-kit microservice + Istio
Golang UK Conference 2015 - Peter Bourgon - Go Kit A Toolkit for Microservices - https://youtu.be/aL6sd4d4hxk?t=1022
auth
+

Automatically secure your services through
managed authentication, authorization, and
encryption of communication between services.
Istio security - API
Authorization

Istio
● 1.8.0 (released 11/19)
● 1.7 (released 8/21)
● 1.6 (released 5/21)
● 1.5 (released 3/5)
● RequestAuthentication: 1.5 and above
● Mixer: default since Istio 1.3 and istio-telemetry
is disabled by default in Istio 1.5.
● holdApplicationUntilProxyStarts: 1.7 and
above
Istio - https://istio.io/latest/

Istio / Istio in 2020 - Following the Trade Winds - https://istio.io/latest/blog/2020/tradewinds-2020/
Istio Architecture

Istio Security Architecture
Istio / Security - https://istio.io/latest/docs/concepts/security/

Authentication Authorization
Istio / Security - https://istio.io/latest/docs/concepts/security/
Istio Security

● Without Authorization header
● Authorization header with valid token
● Authorization header invalid token
Istio - JWT
{Header}.{Payload}.{Signature}
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: require-jwt
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
jwtRules:
- issuer: testing@secure.istio.io
jwks: |
{"keys":[{"kty":"RSA","kid":"GkNj4pf4WEojKjS1B8nvVceMoqlC8RqOwF5EhbHQ0Rk"...
outputPayloadToHeader: X-Jwt-Playload

● Without Authorization header, 200
● Authorization header with valid token, 200
● Authorization header invalid token, 401
Istio - JWT
{Header}.{Payload}.{Signature}
kind: RequestAuthentication
metadata:
name: require-jwt
spec:
selector:
matchLabels:
jwtRules:
- issuer: testing@secure.istio.io
jwks: |
{"keys":[{"kty":"RSA","kid":"GkNj4pf4WEojKjS1B8nvVceMoqlC8RqOwF5EhbHQ0Rk"...
outputPayloadToHeader: X-Jwt-Playload

kind: AuthorizationPolicy
metadata:
name: require-jwt
spec:
selector:
matchLabels:
rules:
- from:
- source:
requestPrincipals: ["*"]
when:
- key: request.auth.claims[iss]
Istio - AuthorizationPolicy
from.source requestPrincipals iss/sub
from.source notRequestPrincipals iss/sub
when.key request.auth.principal iss/sub
when.key request.auth.audiences aud
when.key request.auth.presenter azp
when.key request.auth.claims[key] JWT All fields
{
"exp": 1904300334,
"iat": 1604300334,
"iss": "testing@secure.istio.io",
"jti": "KaZRJOc68hCalhMMjr5ieA",
"nbf": 1604300334,
"roles": [
"owner"
],
"sub": "owner@example.com",
"userId": "eBenfKuCzAiAC_bfqETwY"
}

Request RequestAuthentication
Request process
AuthorizationPolicy
istio-system istio-system401 403

filter calls an authorization service to check if the
incoming request is authorized or not
External Authorization

Envoy External Authorization
cage1016/gokit-istio-security: demo how to implement Authentication by custom Authorization mixer adapter or envoy external authorization and Open Policy Agent

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: extauth-tictac
spec:
workloadSelector:
labels:
app: tictac
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: envoy.http_connection_manager
subFilter:
name: envoy.router
patch:
operation: INSERT_BEFORE
value:
name: envoy.ext_authz
typed_config:
'@type': type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
grpc_service:
envoy_grpc:
cluster_name: grpc-ext-auth-cluster
- applyTo: CLUSTER
match:
context: SIDECAR_INBOUND
patch:
operation: ADD
value:
name: grpc-ext-auth-cluster
type: STRICT_DNS
connect_timeout: 0.25s
http2_protocol_options: {}
load_assignment:
cluster_name: grpc-als-cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: extauthz.default.svc.cluster.local
port_value: 50051
Envoy filter
- type.googleapis.com/
envoy.config.filter.http
.ext_authz.v2.ExtAuthz
- extauthz.default.svc.
cluster.local:50051

type AuthorizationServer interface {
// Performs authorization check based on the attributes associated with the
// incoming request, and returns status `OK` or not `OK`.
Check(context.Context, *CheckRequest) (*CheckResponse, error)
}
func (as *AuthorizationServer) Check(ctx context.Context, req *auth.CheckRequest) (*auth.CheckResponse, error) {
h := req.GetAttributes().GetRequest().GetHttp()
...
s := as.Verify(ctx, h.GetHeaders()["x-envoy-original-path"], h.Method, h.GetHeaders()["x-jwt-playload"])
return &auth.CheckResponse{
Status: s,
}, nil
}
envoy.config.filter.http.ext_authz.v2.ExtAuthz
AuthorizationServer is the server API for Authorization service.
If the request is deemed unauthorized at the HTTP filter the request will be denied with 403
(Forbidden) response.

type AuthorizationServer interface {
// Performs authorization check based on the attributes associated with the
// incoming request, and returns status `OK` or not `OK`.
Check(context.Context, *CheckRequest) (*CheckResponse, error)
}
func (as *AuthorizationServer) Check(ctx context.Context, req *auth.CheckRequest) (*auth.CheckResponse, error) {
h := req.GetAttributes().GetRequest().GetHttp()
...
s := as.Verify(ctx, h.GetHeaders()["x-envoy-original-path"], h.Method, h.GetHeaders()["x-jwt-playload"])
return &auth.CheckResponse{
Status: s,
}, nil
}
envoy.config.filter.http.ext_authz.v2.ExtAuthz
AuthorizationServer is the server API for Authorization service.
- env:
- name: QS_AUTHZ_URL
value: "authz:8000"

Request process
AuthorizationPolicy
Pod
Envoy
Service
Pod
ext-Authz 50051
Envoy
403

extauthz
https://github.com/cage1016/gokit-istio-
security/blob/master/extauthz/README.md
Envoy External Authorization

The Open Policy Agent (OPA) is an open source,
general-purpose policy engine that enables
unified, context-aware policy enforcement across
the entire stack.
Open Policy Agent

OPA (open policy agent)
Declarative Policy, Context-aware, Expressive, Fast, Portable
● Cloud Native Computing Foundation incubating project
● Support
○ Kubernetes
■ Gatekeeper
○ Envoy
■ OPA Envoy plugin
○ Terraform
○ Kafka
○ SQL
○ Linux Open Policy Agent - https://www.openpolicyagent.org/

OPA cont.
Gatekeeper OPA Envoy plugin
open-policy-agent/gatekeeper: Gatekeeper - Policy Controller for Kubernetes - https://github.com/open-policy-agent/gatekeeper
open-policy-agent/opa-envoy-plugin: A plugin to enforce OPA policies with Envoy - https://github.com/open-policy-agent/opa-envoy-plugin

Rego
The Rego Playground - https://play.openpolicyagent.org/p/BYmNuNRZTs

gokit microservice
demo - authz
https://github.com/cage1016/ms-demo-
authz
authorization RBAC
implementation by OPA (open
policy agent)

{
"rolePermissions": {
"editor": ...
"owner": [
{
"method": "POST",
"path": "/api/([^/]+)/add/sum"
},
{
"method": "POST",
"path": "/api/([^/]+)/tictac/tic"
},
{
"method": "GET",
"path": "/api/([^/]+)/tictac/tac"
},
{
"method": "GET",
"path": "/api/([^/]+)/authz/roles"
},
{
"method": "GET",
"path": "/api/([^/]+)/authz/roles/[a-zA-Z0-9_-~]{21}"
}
]
OPA JSON Data
- Generate from 6
RBAC DB tables
- DB policy change
notifier update

Request process
AuthorizationPolicy
Pod
Envoy
Service
Pod
ext-Authz 50051
Envoy
403
Authz
Envoy
Service
DB

https://github.com/cage1016/gokit-istio-security
Demo

Go-kit Istio Security
https://github.com/cage1016/gokit-istio-
security
demo how to implement
Authentication and custom
Authorization with
- Mixer
- Envoy external and Open
Policy Agent

KAI CHU CHUNG
GDE Cloud
@CageChung
https://kaichu.io
Q & A

GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization

Similar to GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization (20)

More from KAI CHU CHUNG

More from KAI CHU CHUNG (20)

Recently uploaded

Recently uploaded (20)

GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization