活动

天翼云最新优惠活动,涵盖免费试用,产品折扣等,助您降本增效!
热门活动
免费活动
  • 活动
  • 息壤智算
  • 产品
  • 解决方案
  • 应用商城
  • 定价
  • 合作伙伴
  • 开发者
  • 支持与服务
  • 了解天翼云
searchusermenu
  • 发布文章
  • 消息中心
点赞
收藏
评论
分享
原创

istio支持jwt配置介绍

云计算
2023-11-22 01:29:44
28
0

一、JWT规则

JWKS

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: '{ 
      "keys":[   
        {
          "alg": "RS256",
          "e": "AQAB",
          "kid": "DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
          "kty": "RSA",
          "n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ",
          "use": "sig"
        }
      ]
    }'

指定域名

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]

二、JWT Token位置

(1)http头部

默认位置,yaml不需特别指定,示例 Authorization: Bearer xxxx
如果改成其他位置,需在yaml指定,示例 Aaaa: Bbb xxxx

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: 参考上面配置,此处省略...
    fromHeaders:
    - name: Aaaa
      prefix: "Bbb "

(2)query参数

示例:http:斜杠aaa.example1.com?abc=xxx

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: 参考上面配置,此处省略...
    fromParams:
    - "abc"

三、JWT Claim转换

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: 参考上面配置,此处省略...
    outputClaimToHeaders:
    - header: "x-jwt-claim-foo"
      claim: "foo"

四、请求匹配模式

(1)白名单模式

http:斜杠aaa.example1.com/abc,不校验JWT
http:斜杠aaa.example1.com/xxx,校验JWT

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        notPaths: ["/abc"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        paths: ["/abc"]

(2)黑名单模式

http:斜杠aaa.example1.com/abc,校验JWT
http:斜杠aaa.example1.com/xxx,不校验JWT

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        paths: ["/abc"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        notPaths: ["/abc"]

版权声明:本文内容系天翼云实名用户自发贡献,版权归原作者所有,天翼云开发者社区不拥有其著作权,亦不承担相应法律责任,未经许可,不得转载。

如有疑问或争议,请联系ctyunbbs@chinatelecom.cn删除。

0条评论
作者已关闭评论
a****k
16文章数
0粉丝数
a****k
16 文章 | 0 粉丝
Ta的热门文章查看更多
glibc升级回退版本出现的locale报错问题cpprestsdk编译安装使用Kafka跨网络访问方案Kafka消费者rebalance耗时较长的原因分析Jetty解析http报文过程介绍
a****k
16文章数
0粉丝数
a****k
16 文章 | 0 粉丝
原创

istio支持jwt配置介绍

云计算
2023-11-22 01:29:44
28
0

一、JWT规则

JWKS

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: '{ 
      "keys":[   
        {
          "alg": "RS256",
          "e": "AQAB",
          "kid": "DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
          "kty": "RSA",
          "n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ",
          "use": "sig"
        }
      ]
    }'

指定域名

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]

二、JWT Token位置

(1)http头部

默认位置,yaml不需特别指定,示例 Authorization: Bearer xxxx
如果改成其他位置,需在yaml指定,示例 Aaaa: Bbb xxxx

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: 参考上面配置,此处省略...
    fromHeaders:
    - name: Aaaa
      prefix: "Bbb "

(2)query参数

示例:http:斜杠aaa.example1.com?abc=xxx

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: 参考上面配置,此处省略...
    fromParams:
    - "abc"

三、JWT Claim转换

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: 参考上面配置,此处省略...
    outputClaimToHeaders:
    - header: "x-jwt-claim-foo"
      claim: "foo"

四、请求匹配模式

(1)白名单模式

http:斜杠aaa.example1.com/abc,不校验JWT
http:斜杠aaa.example1.com/xxx,校验JWT

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        notPaths: ["/abc"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        paths: ["/abc"]

(2)黑名单模式

http:斜杠aaa.example1.com/abc,校验JWT
http:斜杠aaa.example1.com/xxx,不校验JWT

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        paths: ["/abc"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        notPaths: ["/abc"]

版权声明:本文内容系天翼云实名用户自发贡献,版权归原作者所有,天翼云开发者社区不拥有其著作权,亦不承担相应法律责任,未经许可,不得转载。

如有疑问或争议,请联系ctyunbbs@chinatelecom.cn删除。

文章来自个人专栏
文章 | 订阅
0条评论
作者已关闭评论
作者已关闭评论
0
0
售前咨询热线
400-810-9889转1
关注天翼云
  • 旗舰店
  • 天翼云APP
  • 天翼云微信公众号
服务与支持
账户管理
快速入口
云网生态
了解天翼云
热门产品
热门推荐
更多推荐
友情链接
©2025 天翼云科技有限公司版权所有 增值电信业务经营许可证A2.B1.B2-20090001
公司地址:北京市东城区青龙胡同甲1号、3号2幢2层205-32室
备案京公网安备11010802043424号京ICP备 2021034386号