
Add proto for authentication policy. #361


Merged
merged 1 commit into from
Feb 7, 2018

@diemtvu diemtvu commented Feb 7, 2018

Initial API for Authentication policy. In this version, the policy is able to:

  • Independently configure peer (service-to-service) and end-user authentication.
  • Allow the use of JWT for peer authentication, though this still needs follow-up implementation.
  • Allow the use of multiple JWTs simultaneously.

The policy does not yet include 'impersonation' rules or other options to conditionally activate an authentication mechanism (e.g. enable/disable a particular end-user auth based on peer identity).

Example specs for use cases:

  1. Turn on mTLS for all service-to-service, and (end-user) JWT for service productpage (will need 2 policies)

```yaml
metadata:
  name: global
spec:
  destinations:  # leave blank for all.
  peers:
  - mTLS:
```

and

```yaml
metadata:
  name: productpage
spec:
  destinations:
  - name: productpage
    port: 9000
  peers:
  - mTLS:
  endUsers:
  - jwt:
      issuer: "https://securetoken.google.com"
      jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
```

  2. Using either mTLS or JWT for service-to-service

```yaml
metadata:
  name: global
spec:
  destinations:  # leave blank for all.
  peers:
  - mTLS:
  - jwt:
      issuer: "https://securetoken.istio.io"
```

Design doc link
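Added example, not part of this PR or of Istio's code: a small audit helper that resolves which of the policies above governs a destination and what callers must present. It assumes a destination-specific policy replaces the blank-destination default and that entries under `peers` and `endUsers` are alternatives; the function names and the `POLICIES` input are constructed for illustration.

```python
# Added example: resolve which authentication policy governs a destination.
# Assumed semantics (not confirmed by the PR text): a policy with no
# destinations is the mesh-wide default, a policy naming the destination
# replaces that default, and each list under peers/endUsers is a set of
# alternatives (any one method is sufficient).

# Constructed input mirroring the two policies from use case 1.
POLICIES = [
    {"name": "global", "destinations": [], "peers": [{"mTLS": None}]},
    {"name": "productpage",
     "destinations": [{"name": "productpage", "port": 9000}],
     "peers": [{"mTLS": None}],
     "endUsers": [{"jwt": {"issuer": "https://securetoken.google.com",
                           "jwksUri": "https://www.googleapis.com/oauth2/v1/certs"}}]},
]

def _matches(dest, service, port):
    # A destination without a port matches every port of that service.
    return dest["name"] == service and dest.get("port") in (None, port)

def select_policy(policies, service, port):
    """Return the destination-specific policy if one matches, else the default."""
    default = None
    for policy in policies:
        dests = policy.get("destinations") or []
        if any(_matches(d, service, port) for d in dests):
            return policy
        if not dests and default is None:
            default = policy
    return default

def requirements(policies, service, port):
    """Summarise what a caller must present to reach service:port."""
    policy = select_policy(policies, service, port)
    if policy is None:
        return {"policy": None, "peer": [], "end_user_issuers": []}
    peer = [next(iter(m)) for m in policy.get("peers") or []]
    issuers = [m["jwt"]["issuer"] for m in policy.get("endUsers") or [] if "jwt" in m]
    return {"policy": policy["name"], "peer": peer, "end_user_issuers": issuers}

def unauthenticated(policies, targets):
    """List (service, port) targets that end up with no peer authentication."""
    return [t for t in targets if not requirements(policies, *t)["peer"]]
```

Under the replace assumption, a destination-specific policy that lists only `endUsers` would leave that destination without peer authentication, which is what `unauthenticated` reports.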

@googlebot googlebot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label Feb 7, 2018

diemtvu commented Feb 7, 2018

This is a redo of #335, due to some git merge mess-up.

@diemtvu diemtvu assigned diemtvu, ayj, xiaolanz and geeknoid and unassigned diemtvu Feb 7, 2018
@diemtvu diemtvu merged commit ffa742d into istio:master Feb 7, 2018
@diemtvu diemtvu deleted the authn2 branch February 7, 2018 05:30
ayj pushed a commit to ayj/api that referenced this pull request Feb 14, 2018
incfly pushed a commit to incfly/api that referenced this pull request Jun 13, 2018
* Removed pending requests management

* Exposed ConfigLoadingStatus

* Added description of the config loading status
incfly pushed a commit to incfly/api that referenced this pull request Jun 13, 2018
Automatic merge from submit-queue.

[DO NOT MERGE] Auto PR to update dependencies of mixerclient

This PR will be merged automatically once checks are successful.
```release-note
none
```
nacx pushed a commit to nacx/api that referenced this pull request Apr 15, 2020
…ingle-port serving (istio#361)

This patch provides the tooling and instructions for running liaison-server+envoy to serve gRPC, gRPC-Web, HTTP1.1/JSON APIs and static assets on the same port locally.

You need to bring your own Envoy (e.g. from https://bintray.com/getenvoy/envoy).

```
$ go run liaison/cmd/server/main.go -n liaison-server -l :9901 --ui-server-listen-address :8080 --ui-server-name liaison-ui-server
$ make -C liaison generate-envoy-config
$ /path/to/your/envoy -c scripts/liaison.v1alpha1.generated-envoy-config.yaml
```

Then open browser: http://localhost:51051. Enjoy! :)

Signed-off-by: Dhi Aurrahman <[email protected]>

Mirrored from https://github.com/tetrateio/tetrate @ 61fd899c19497182cb396034883527cdaa1d062a