Envoy (Service Mesh Authorization)
envoy-authz is an Envoy external authorization service that uses Casbin for RBAC/ABAC. It implements Envoy's External Authorization (ext_authz) gRPC API, so it works with Istio or any other Envoy-based mesh that can be pointed at a gRPC authorization server.
Prerequisites
- Envoy 1.17 or later
- Istio or another Envoy-based service mesh
- Go and the gRPC dependencies (managed through go.mod)
How It Works
- A client initiates an HTTP request
- Envoy intercepts the request and forwards it to the gRPC authorization server
- The server evaluates the request against Casbin policies
- Envoy forwards authorized requests upstream and rejects unauthorized ones (HTTP 403 by default) without them ever reaching the service
The gRPC server implements the Authorization service from Envoy's external_auth.proto. The v2 types shown here are Envoy's deprecated v2 API; current Envoy releases serve the same Check RPC under envoy.service.auth.v3 with CheckRequest/CheckResponse of the same shape:
// A generic interface for performing authorization checks on incoming
// requests to a networked service.
service Authorization {
// Performs an authorization check based on the attributes associated with the
// incoming request and returns a status of `OK` or not `OK`.
rpc Check(v2.CheckRequest) returns (v2.CheckResponse);
}
The authorization server must implement the Check() method defined above. A CheckResponse whose status code is OK lets the request through; any other code denies it. If the server is unreachable or times out, Envoy denies the request unless the ext_authz filter is configured with failure_mode_allow, so keep that option off unless you have deliberately chosen to fail open.
Usage
- Write your Casbin model and policy files following the Casbin documentation.
You can test requests against them in the online Casbin editor before deploying.
- Launch the authorization server:
go build .
./authz
- Start Envoy with the provided configuration:
envoy -c authz.yaml -l info
Once Envoy is up, every request on the configured listener is checked against the authorization server before it is forwarded upstream.
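The following Go program is an added example, not code from the envoy-authz project, showing what the body of Check() does with the attributes Envoy sends and with the policy lines written in the step above. To run offline it replaces the Casbin enforcer with a small matcher that reproduces Casbin's keyMatch/regexMatch semantics over the same "p, sub, obj, act" lines, and it models only the HTTP attributes a CheckRequest carries (method, :path, headers) as a plain struct; the real server takes them from the generated CheckRequest types in github.com/envoyproxy/go-control-plane and calls Enforce() on a casbin.Enforcer instead. The policy lines, the identity header name x-user, and the sample requests are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// samplePolicy holds constructed Casbin "p, sub, obj, act" lines for this example;
// it is not the project's policy.csv.
const samplePolicy = `
# subject, object (path pattern for keyMatch), action (regex for regexMatch)
p, alice, /data/*, GET
p, bob, /data/*, (GET)|(POST)
p, admin, /admin/*, .*
`

// rule is one parsed policy line.
type rule struct{ sub, obj, act string }

// parsePolicy reads policy lines; a malformed line is an error rather than
// being skipped, so a typo cannot silently drop a rule.
func parsePolicy(csv string) ([]rule, error) {
	var rules []rule
	sc := bufio.NewScanner(strings.NewReader(csv))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 4 || strings.TrimSpace(f[0]) != "p" {
			return nil, fmt.Errorf("malformed policy line: %q", line)
		}
		r := rule{strings.TrimSpace(f[1]), strings.TrimSpace(f[2]), strings.TrimSpace(f[3])}
		if _, err := regexp.Compile(r.act); err != nil {
			return nil, fmt.Errorf("bad action regex in %q: %v", line, err)
		}
		rules = append(rules, r)
	}
	return rules, sc.Err()
}

// keyMatch reproduces Casbin's keyMatch(): a "*" in the pattern matches any
// suffix from that position on; without "*" the comparison is exact.
func keyMatch(key, pattern string) bool {
	i := strings.Index(pattern, "*")
	if i < 0 {
		return key == pattern
	}
	if len(key) > i {
		return key[:i] == pattern[:i]
	}
	return key == pattern[:i]
}

// httpAttrs is the subset of an ext_authz CheckRequest that the decision needs.
// The real handler fills it from the request's HTTP attributes; Envoy delivers
// header names lowercased, and Path carries the raw :path value (query included).
type httpAttrs struct {
	Method  string
	Path    string
	Headers map[string]string
}

// decision carries the google.rpc code the CheckResponse should return
// (0 OK, 7 PERMISSION_DENIED, 16 UNAUTHENTICATED) plus a reason for logs.
type decision struct {
	Code   int32
	Reason string
}

const (
	codeOK               int32 = 0
	codePermissionDenied int32 = 7
	codeUnauthenticated  int32 = 16
	identityHeader             = "x-user" // assumed name; must be set by the mesh, never trusted from the client
)

// authorize is the body of Check(): derive (sub, obj, act) from the request and
// look for a rule that grants it. Anything that does not match is denied.
func authorize(rules []rule, a httpAttrs) decision {
	sub := a.Headers[identityHeader]
	if sub == "" {
		return decision{codeUnauthenticated, "missing " + identityHeader + " header"}
	}
	// :path includes the query string; strip it and normalise "." and ".." segments
	// so "/data/../admin/x" is judged as "/admin/x", not as something under /data/.
	obj := a.Path
	if i := strings.IndexAny(obj, "?#"); i >= 0 {
		obj = obj[:i]
	}
	obj = path.Clean("/" + obj)
	for _, r := range rules {
		if r.sub != sub || !keyMatch(obj, r.obj) {
			continue
		}
		if ok, _ := regexp.MatchString(r.act, a.Method); ok {
			return decision{codeOK, fmt.Sprintf("matched p, %s, %s, %s", r.sub, r.obj, r.act)}
		}
	}
	return decision{codePermissionDenied, "no policy grants " + a.Method + " " + obj + " to " + sub}
}

func main() {
	rules, err := parsePolicy(samplePolicy)
	if err != nil {
		panic(err)
	}
	// Constructed sample requests, including a query string, a traversal attempt and a missing identity.
	reqs := []httpAttrs{
		{"GET", "/data/report?id=1", map[string]string{"x-user": "alice"}},
		{"POST", "/data/report", map[string]string{"x-user": "alice"}},
		{"GET", "/data/../admin/users", map[string]string{"x-user": "alice"}},
		{"DELETE", "/admin/users", map[string]string{"x-user": "admin"}},
		{"GET", "/data/report", map[string]string{}},
	}
	for _, r := range reqs {
		d := authorize(rules, r)
		fmt.Printf("%-6s %-24s user=%-6s -> code=%d (%s)\n", r.Method, r.Path, r.Headers["x-user"], d.Code, d.Reason)
	}
}
```

Two details matter in production: the handler normalises the path itself rather than relying on Envoy's normalize_path setting, because a prefix pattern such as /data/* would otherwise match /data/../admin/users; and an absent identity header is reported as UNAUTHENTICATED rather than mapped to a default subject, so a request that bypassed the authentication step is denied instead of evaluated as an anonymous user.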
Integration with Istio
For the server to know who is calling, the caller's identity has to reach it in the request attributes: either as a JWT that the mesh has already validated or as a custom request header carrying the user identity. Whichever you choose, the header must be set by the mesh after authentication and any client-supplied copy of it stripped, otherwise a caller can pick its own identity. For instructions on setting and rewriting request headers, consult the official Istio documentation.