Add AuthenticationPolicy proto

[diemtvu]

Initial API for Authentication policy. In this version, the policy is able to:

• Independently config peer (service-to-service) and end-user authentication.
• Allow to use JWT for peer authentication though still need follow up implementation.
• Allow to use multiple JWTs simultaneously.

The policy has not yet include 'impersonation' rules, and other options to conditionally activate authentication mechanism (e.g enable/disable a particular end-user auth based on peer identity).

Example specs for use cases:

1. Turn on mTLS for all service-to-service, and (end-user) JWT for service productpage (will need 2 policies)

metadata:
  name: global
spec:
  target:  # leave blank for all.
  peer:
  - mTLS:

and

metadata
  name: productpage
spec:
  target:
  - name: productpage
    port: 9000
  peer:
  - mTLS:
  end_user:
  - jwt:
      issuer: "https://securetoken.google.com"
      jwks_uri: "https://www.googleapis.com/oauth2/v1/certs"

Using either mTLS or JWT for service-to-service

metadata:
  name: global
spec:
  target:  # leave blank for all.
  peer:
  - mTLS:
  - jwt:
      issuer: "https://securetoken.istio.io"

Design doc: https://docs.google.com/document/d/1ezP4UuOn3JXEs_cXW4GyPGq-Ppq_XhS9-M-lN6ocOA4/edit?ts=5a70c798#heading=h.vel7gfeap92a

[xiaolanz]

For new protos, we'd better follow this proto package guide:

https://docs.google.com/document/d/1C_NMYj9ZhdUWwZMWUoX_SLU8VoiV8U8V6yUJVYcdSS8/edit?ts=5a6f888b#heading=h.7zgnj8bwqfld

I think it's better to be in package "istio.authentication.v1alpha1" than mixer.client

The message name can be shorten to "Policy", "mechanism".

[ayj]

+1 for defining these authentication policy in a new package. istio.mixer.v1.config.client is really low-level component level config (i.e. envoy filter) and should be decoupled from policy the user writes.

[diemtvu]

Done. Move to authentication/v1alpha1/policy.proto

[xiaolanz]

Is it possible to leave out service/workload scope for now?

If we only use global and namespace scoping:

• max align with k8s model
• easier policy config
• service level isolation can be achieved by per service per namespace.

• issue with non-k8s identity integration
• cannot control over port level. (do we care?)

If we have service/workload level scope,

• need to invent our "service/workload" scope concept + format
• develop complex scoping conflict resolution/validation -- maybe very hard to use.
• additional RBAC if we want to ACL service/workload scope.

A lot of the above points have been discussed extensively. I feel that the gains to introducing service/level scope is very small comparing to the undertakes.

I wonder if we can just start with policy without explicit scoping. If we have to have it later, we can maybe add it by introducing the "binding" config.

[diemtvu]

We need this to match the policy to the services on which it should be applied. I rename the field so hope it won't be confused with scoping.

[xiaolanz]

repeated fields must be in purals.

following https://cloud.google.com/apis/design/naming_convention#repeated_field_names

[diemtvu]

Done. Interesting style difference with google3 :)

[douglas-reid]

@geeknoid This feels like a prime candidate for the new proto packages/directories (policy/v1beta/...) rather than adding to the existing structure (mixer/v1/config/client/...). Should this be the first entry in that directory?

[qiwzhang]

This is a hack. we should not need this if Envoy has a way to share request data between different filters.
For now, we have to use http header to pass data between filters.

[geeknoid]

I'd rather keep this with the other mixer client config for now, until the whole thing can be relocated/update in a cohesive way.

[qiwzhang]

Why should we let users set this? It is our internal plumbing. Users can easily screw us up with typo or mistake.

[liminw]

Agree with Wayne, this is implementation detail and should not be user visible.

[qiwzhang]

It is clearer to have a specific on/off boolean flag

[diemtvu]

Removed.

[qiwzhang]

I think "target" should not be part of Policy. It should be part of "Binding" . Please take a look at EndUserAuthenticationPolicySpecBinding

[liminw]

How would the policy CRD look like if we use "binding"? Diem gave some examples of the authentication CRDs that users can provide with the proposed proto.

[liminw]

Agree with @douglas-reid, I think we should introduce a new proto package instead of reusing the current mixer/v1/config/client package. We can call it "authentication/v1alpha1". Alternatively we can add "security" prefix to it ("security/authentication/v1alpha1"), in which case, I will move "rbac" package to "security" directory too.

[liminw]

Agree with Wayne, this is implementation detail and should not be user visible.

[liminw]

typo: authentiated -> authenticated.

[liminw]

Same as above, the claims are stored in a header is really implementation detail, and should not be set by user.

[diemtvu]

Removed. My previous plan is let's user to bind the output of each authentication themselves, and the 'attributes extraction' can retrieve data accordingly. However, we might not need it yet if the mechanism is defined inline in the policy, so let's leave it out for now.

[liminw]

typo: determined

[ayj]

It's been said by others already, but it would be useful to create a new package to hold the user-facing authentication policy. We can keep the existing mixer client policy as an implementation detail between Pilot and mixerclient and deal with refactoring that later. Things like jwks_cluster, output_header_location, and any other envoy/proxy/mixerclient specific bits can remain mixerclient config.

[ayj]

Is it possible to apply policy at ingress (i.e. gateway)?

[diemtvu]

Should be, though some mode (e.g mTLS) maybe not applicable

[ZackButcher]

How does this relate to DestinationRule's name? We've also moved to accepting wildcard domains in many of these fields; is that allowed here too? cc @rshriram @louiscryan

[ZackButcher]

BTW feels like we need a common type for this, it's popping up a lot. Previously we had IstioService for this concept, but it went away.

[ZackButcher]

Right, forgot we renamed IstioService to Destination

api/routing/v1alpha2/route_rule.proto

Line 266 in e419233

message Destination {

[ayj]

Why is none needed?

[ZackButcher]

It's not an enum so we don't get a default value. However, I think using Empty would be better. (E.g. what does none: False even mean?)

[ayj]

For example, what's the difference between an empty (or null) peers array and a peers array with none?

[diemtvu]

None is one kind of authentication. For example, it can be used to define a service to require EUC, except for request come from specific peers. However, I haven't defined the applied condition in this PR yet.

peer:

• mtls:
  end_user:
• jwt: .....
• none:
  in: "service_account_A"

[ayj]

Interesting - thanks for the explanation. It looks like none should really be a specific type and not a boolean or Empty so it can be extended in the future, e.g.

message None {
     // TODO - add conditions to require EUC?
}

[diemtvu]

Done

[ayj]

Can you define a new JWT type under authentication/v1alpha1 for user-facing config with the envoy specific bits stripped out?

[ZackButcher]

+1, this should be elevated up to a higher level; istio.authentication.v1alpha1.JWT seems reasonable and can be re-used in Mixer.

[diemtvu]

Done. Not sure if I strip out the right fields though. PTAL

[ZackButcher]

I think we'll also need to be able to match on labels.

[diemtvu]

Maybe. I'm just not sure mTLS setting in particular can support that.

On the other hand, I really temp to use the route_rule.Destination. Do you think it's a good idea?

[ZackButcher]

Yeah, that seems most reasonable.

[diemtvu]

Done

[ZackButcher]

2018

[ZackButcher]

@rshriram @diemtvu: one more thought: is this something that can/should be part of DestinationRule? Would the configuration be more natural there? We already have other TLS settings there.

[ZackButcher]

Either way we should rationalize the TLS settings there with the ones defined here.

[diemtvu]

Not sure, I was once told to stay away from DestinationRule :) (we want to separate networking and security). Not sure if the perspective now shifted.

Regardless, I rather keep them separated for now, and see how they evolve and decide later. What do you think?

[douglas-reid]

nit: the comment refers to this as "AuthenticationMechanism" but the message name is "Mechanism". We should use one or the other.

[diemtvu]

Change back to AuthenticationMechanism

[douglas-reid]

Is it AuthenticationPolicy or Policy ? We should be consistent. I think this should read:

// Policy binds credentials to workload(s), defining an authentication policy.
// A policy is composed of two-part authentication:
// - peers: ...

Related, I think the examples need to be updated to use the plurals (peers, end_users).

[ZackButcher]

Also please use camelCase for YAML field names in examples.

[diemtvu]

Done

[douglas-reid]

@wora should this be plural? I realize that would be inconsistent with other usages of match in the API, but it matches the style guidelines, I believe.

What is the recommendation here? If it is to prefer match to matches, should we update our Style Guide to mention this exception?

[douglas-reid]

i'm confused by the CR examples. Should these be:

apiVersion: config.istio.io/**v1alpha1**
kind: **Policy**

?

And if so, do we need to call these AuthenticationPolicy so that it isn't a generic Policy?

[diemtvu]

Good catch, cut-and-paste error.

Regarding the proto name, I think it's not necessary to be the same as 'kind', though it seems to be the convention so far (https://github.com/istio/istio/blob/master/pilot/pkg/model/config.go#L307)

Do you have any strong preference?

[wora]

principal => issuer

[wora]

Do we really need the Location message? I think this works just fine:

repeated string jwt_headers;
repeated string jwt_params;

This part is very unlikely to change, so the extra nesting doesn't seem to add much value.

[diemtvu]

I copied this from the old jwt proto. @ayj @qiwzhang what do you think about this?

[qiwzhang]

I am fine with this change.

[ayj]

Is ordering important? The previous version searched location in order of appearance.

[ayj]

@wora on API guidance for whether its preferred to reuse types and implications on backwards compatibility. If this is a more core type maybe it belongs in a different package?

[geeknoid]

This isn't quite right.

$title and $overview and $location should be "floating" comments, not attached to any element. So add a blank line right after these definitions.

Second, you should add a user-friendly comment on top of the package definition which will displayed in the docs on istio.io.

[diemtvu]

Done

[geeknoid]

Placeholder is one word

[geeknoid]

Add ```yaml around the code block

[diemtvu]

Done

[geeknoid]

Make this a markdown link:

xxx

[geeknoid]

Add ```yaml and remove extra spaces at the start of the lines in the code block.

[diemtvu]

Done

[geeknoid]

Add ```yaml around code block and remove spaces at the start of each line.

[diemtvu]

Done

[geeknoid]

Add ```yaml, etc.

[geeknoid]

mixer -> Mixer

[xiaolanz]

I think that Destination should be refactor into a istio.common place. then, both route rule and authentication policy reference to it. We should create that common package and copy the Destination message there. And then, another PR to switch route rule to use the new message.

@wora is there an existing pattern we can follow to do thi?

[diemtvu]

Should I re-introduce the Destination message specific for authN (which we may want a list of ports instead a single one, and probably without label as it's unclear we are able to use that information yet), and waive the refactor decision till later?

[ayj]

How would I apply policy at the edge of the mesh with destination (i.e. ingress/gateway) or restrict to specific protocols/paths/methods? RouteRule has some notion of binding to a gateway or host/service with further protocol specific refinement. Do we need something similar here?

[ZackButcher]

remote empty comment line

[ZackButcher]

camel case yaml field names: jwksUri

[ZackButcher]

I know this is copied over from the Google API auth protos but do we know why is this jwks and not jwtks?

[diemtvu]

afaik, the name is based on OpenID spec.

[ayj]

jwks_uri is also used in OpenID spec (see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)

[ZackButcher]

Sorry, only do one or the other: either have ```yaml blocks, or indent by four spaces, but not both.

[diemtvu]

Ideally, we do want to use the same notion, but I have a hard time to see how exactly all pieces fit altogether, given they are all work-in-progress. I'd like to wait a bit until all implementation details settle down on that side. Does this make sense?

…

On Tue, Feb 6, 2018 at 11:07 AM, Jason Young ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In authentication/v1alpha1/policy.proto <#335 (comment)>: > +// port: +// number: 9000 +// peers: +// - mtls: +// endUsers: +// - jwt: +// issuer: "https://securetoken.google.com" +// audiences: +// - "productpage" +// jwksUri: "https://www.googleapis.com/oauth2/v1/certs" +// locations: +// - header: x-goog-iap-jwt-assertion +message Policy { + // List of destinations (workloads) that the policy should be applied on. + // If empty, policy will be used on all destinations in the same namespace. + repeated istio.routing.v1alpha2.Destination destinations = 1; How would I apply policy at the edge of the mesh with destination (i.e. ingress/gateway) or restrict to specific protocols/paths/methods? RouteRule has some notion of binding to a gateway or host/service with further protocol specific refinement. Do we need something similar here? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#335 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AX99cZAa4obn_kf9EqoVwZHa9CGtyd_Cks5tSKL2gaJpZM4RzSWG> .

-- Diem Vu | Software Engineer | [email protected] | +1 408-215-8127

[googlebot]

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this State. It's up to you to confirm consent of the commit author(s) and merge this pull request when appropriate.

[istio-testing]

@diemtvu: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
prow/api-presubmit.sh	75db816	link	/test api-presubmit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[diemtvu]

I did something bad in the last rebase(s) so I create new PR #361 to replace this.