Update RBAC for Authorization v2 API. #748
(force-pushed bae8570 to 1876f82)
rshriram left a comment:
Could we align on the workload selectors?
Also, the widespread use of use and notUse is going to make the API and the spec a bit clumsy.
I suggest something like this:
```
message xxx
  hosts
  principals
  groups
  addresses

allow:
  oneOf
    xxx
    all
disallow:
  oneOf
    xxx
    all
```
so that the config would look like

```yaml
rbac:
  subject:
    allow:
      all
    disallow:
      principals: foo/bar/com
  role:
    allow:
      hosts:
      - ns1/*
      - istio-system/*
    disallow:
      all
```
This is just a rough example, but you get the idea.
rbac/v1alpha1/rbac.proto (Outdated)
```proto
// Deprecated. Use selector in authorization policy instead.
repeated string services = 1 [deprecated = true];

// Optional. A list of HTTP hosts. If not specified, it applies to any host.
```
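Review bot: The comment on the hosts field should say what the entries are matched against. Since the deprecated services field directly above it referred to service names in the registry, a reader will assume hosts does too; as the reply below explains, it is the Host header of the HTTP request. A sentence such as "Matched against the HTTP Host header of the request; wildcard prefixes such as *.foo.com are accepted" (if that is the intended behaviour) would remove the ambiguity.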
Why HTTP? Just state that it's a list of hosts corresponding to services in the registry.
Also, do you allow wildcard hosts like Pilot does? (*.foo.com)?
Secondly, do you think it's useful to adopt the same convention as Pilot's sidecar format which has configNamespace/Hosts? This allows people to import stuff in bulk, such as ns1/*, ns2/foo.com, etc. Note that the config namespace has nothing to do with k8s namespace.
By HTTP we're trying to make it clear it's the HOST header in a HTTP request. The deprecated services field refers to services in the registry, but we're deprecating it in favor of the workload label selectors. cc @liminw
Under this condition (it's the HOST header in a HTTP request) we could support the wildcard hosts easily.
Secondly, for now I think we're not going to support the configNamespace/Hosts syntax but would revisit this later.
```proto
repeated string hosts = 5;

// Optional. A list of HTTP hosts that must not be matched.
repeated string not_hosts = 6;
```
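Review bot: The not_hosts comment should spell out how it combines with hosts, because "must not be matched" alone does not say what happens when a request host matches an entry in both lists. The discussion below settles on both fields being usable together (hosts: ["*.abc.com"] with notHosts: ["admin.abc.com"]), so the comment should state that a not_hosts match excludes the request even when a hosts entry also matches, and that an empty hosts list still means any host.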
Do you need this not? Isn't it sufficient to specify hosts alone?
Hmm, I can see some use for this. But you should change the comments to state that you can either have hosts or notHosts, but not both.
We're not using one_of for this (and other fields) because we allow using them at the same time. Like the following one (allows all sub domains of abc.com except admin.abc.com):

```yaml
hosts: ["*.abc.com"]
notHosts: ["admin.abc.com"]
```

```proto
repeated int32 ports = 9;

// Optional. A list of port numbers that must not be matched.
repeated int32 not_ports = 10;
```
One-of semantics must be specified in the comment.
Same reply as with the paths field.
```proto
repeated string namespaces = 8;

// Optional. A list of namespaces that must not be matched.
repeated string not_namespaces = 9;
```
You don't need namespace here because the hosts section would specify it (ns1/*).
We're treating the host field as the HOST field in a HTTP request, so we still need the namespace here. Also note the namespace field is in the Subject message which is for the identity while the host field is in the AccessRule message which is for the permission.
It may look a bit clumsy in the API, but in reality, I think it's fine as most people won't use all these fields at the same time. cc @liminw For example, the following yaml actually doesn't look too bad.

```yaml
rules:
- notMethods: ["POST"]
  paths: ["/info"]
- methods: ["GET"]
  constraints:
  - key: "destination.labels[version]"
    value: ["test"]
```

For more background about the design, also see the design doc.
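To make the combination semantics argued over in this thread concrete (the hosts/notHosts pair above, and the notMethods/paths/methods/constraints rules in this reply), here is a small evaluator written for this page. It is not Istio's implementation and not code from this PR; the field names follow the thread, while the exact precedence rules (an empty positive list means "any", a `not` list excludes even when a positive entry matched, a single `*` wildcard at either end of a host, path or constraint value) are assumptions chosen to illustrate the discussion. The sample policies and requests are constructed.

```python
"""Evaluate Istio-RBAC-v2-style access rules against a request.

Added example for this thread; it is not Istio's implementation.  The field
names (hosts/notHosts, methods/notMethods, paths/notPaths, ports/notPorts,
constraints) are the ones discussed in the review; the combination
semantics are an assumption made here to illustrate the discussion:

  * a positive list that is absent or empty matches any value;
  * a non-empty positive list matches when any entry matches;
  * a "not" list rejects the request when any entry matches, even if a
    positive entry matched too (hosts: ["*.abc.com"] with
    notHosts: ["admin.abc.com"] admits api.abc.com, rejects admin.abc.com);
  * host, path and constraint values accept one '*' at either end.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List


@dataclass
class Request:
    """The request attributes a rule is evaluated against (constructed)."""
    host: str
    method: str
    path: str
    port: int
    # Attribute names as used by a constraint key, e.g.
    # "destination.labels[version]" -> "test".
    attributes: Dict[str, str] = field(default_factory=dict)


def match_pattern(pattern: str, value: str) -> bool:
    """Exact match, or a single '*' at the start or end of the pattern."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _list_allows(rule: Dict[str, Any], pos_key: str, neg_key: str,
                 value: Any, match: Callable[[Any, Any], bool]) -> bool:
    """Apply the positive/negative list pair for one request attribute."""
    if any(match(p, value) for p in rule.get(neg_key, [])):
        return False                      # an explicit exclusion wins
    positives = rule.get(pos_key, [])
    return not positives or any(match(p, value) for p in positives)


def rule_matches(rule: Dict[str, Any], req: Request) -> bool:
    """True when every field of the rule accepts the request."""
    pairs = [
        ("hosts", "notHosts", req.host, match_pattern),
        ("methods", "notMethods", req.method, lambda p, v: p == v),
        ("paths", "notPaths", req.path, match_pattern),
        ("ports", "notPorts", req.port, lambda p, v: p == v),
    ]
    if not all(_list_allows(rule, *pair) for pair in pairs):
        return False
    for constraint in rule.get("constraints", []):
        actual = req.attributes.get(constraint["key"])
        # The thread's YAML spells the list "value"; accept "values" as well.
        wanted = constraint.get("values", constraint.get("value", []))
        if actual is None or not any(match_pattern(w, actual) for w in wanted):
            return False
    return True


def is_allowed(rules: List[Dict[str, Any]], req: Request) -> bool:
    """A request is allowed when at least one rule in the role matches it."""
    return any(rule_matches(rule, req) for rule in rules)


# Constructed sample policies, mirroring the two YAML snippets in the thread.
HOST_RULES = [{"hosts": ["*.abc.com"], "notHosts": ["admin.abc.com"]}]

INFO_RULES = [
    {"notMethods": ["POST"], "paths": ["/info"]},
    {"methods": ["GET"],
     "constraints": [{"key": "destination.labels[version]", "value": ["test"]}]},
]


def demo() -> Dict[str, bool]:
    """Evaluate a few constructed requests and return the decisions."""
    labels = {"destination.labels[version]": "test"}
    results = {
        "api.abc.com": is_allowed(HOST_RULES, Request("api.abc.com", "GET", "/", 80)),
        "admin.abc.com": is_allowed(HOST_RULES, Request("admin.abc.com", "GET", "/", 80)),
        "GET /info": is_allowed(INFO_RULES, Request("svc", "GET", "/info", 80)),
        "POST /info": is_allowed(INFO_RULES, Request("svc", "POST", "/info", 80)),
        "GET /data v=test": is_allowed(INFO_RULES, Request("svc", "GET", "/data", 80, labels)),
        "GET /data no label": is_allowed(INFO_RULES, Request("svc", "GET", "/data", 80)),
    }
    for name, allowed in results.items():
        print(f"{name:20s} -> {'allow' if allowed else 'deny'}")
    return results


if __name__ == "__main__":
    demo()
```

The point the evaluator makes explicit is the one rshriram asked to have written into the proto comments: under these semantics a `not` list is an exclusion applied on top of the positive list, so `hosts: ["*.abc.com"]` plus `notHosts: ["admin.abc.com"]` is a single rule, and `POST /info` is denied by the first rule and then falls through to the second, which requires `GET`.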
(force-pushed 1876f82 to 76fd48a)
rshriram left a comment:
Thanks for making the changes. One small nit: rename selector to workloadSelector for consistency with the other APIs.
Also, 1.1 is merged into master IIRC. So you should have the workload selector there as well.
(force-pushed f50076d to 20c8680)
@rshriram
rbac/v1alpha1/rbac.proto (Outdated)
```proto
// select all pods/VMs.
// The scope of label search is platform dependent. On Kubernetes, for example,
// the scope includes pods running in the same namespace as the authorization policy itself.
istio.networking.v1alpha3.WorkloadSelector workload_selector = 1;
```
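Review bot: The workload_selector comment should state explicitly which case selects all pods/VMs (the fragment shown only ends a sentence with "select all pods/VMs."); if that is the unset case, say so in one sentence, since an authorization policy that silently applies to every workload in the namespace is the outcome operators most need to be warned about. It would also help to note that the namespace-scoped label search means a selector written in one namespace never matches workloads in another.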
Can we duplicate the WorkloadSelector definition here to avoid creating a dependency on the networking API? IMO, if workload selector is a common concept used by all Istio APIs, it should eventually be moved to a common package so that all APIs can import it.
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
(force-pushed 20c8680 to 27c03b4)
Signed-off-by: Yangmin Zhu <ymzhu@google.com>