Authorization of Service Mesh through Envoy
Envoy-authz is an Envoy middleware that provides external RBAC and ABAC authorization through Casbin. It integrates with Envoy's external authorization API via a gRPC server and can be deployed on any Envoy-based service mesh, including Istio.
Prerequisites
- Envoy 1.17 or later
- Istio or another Envoy-based service mesh
- gRPC dependencies
Dependencies are managed through go.mod.
How It Works
- A client initiates an HTTP request
- Envoy intercepts the request and forwards it to the gRPC authorization server
- The server evaluates the request against Casbin policies
- Authorized requests proceed; unauthorized requests are blocked
The gRPC server implements the protocol buffer definition from Envoy's external_auth.proto:
// A generic interface for performing authorization checks on incoming
// requests to a networked service.
service Authorization {
  // Performs an authorization check based on the attributes associated with the
  // incoming request and returns a status of `OK` or not `OK`.
  rpc Check(v2.CheckRequest) returns (v2.CheckResponse);
}
The authorization server must implement the Check() method defined above.
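As an added example (not the project's own code), the following self-contained Go sketch shows the decision the Check handler makes: it takes the request attributes Envoy forwards, reads the caller identity from a header (the identity-passing step described in the Istio section below), evaluates Casbin-style RBAC rules reimplemented inline rather than through the Casbin library, and maps the result to the status Envoy returns to the client. The header name x-user-id, the sample policy and the users are assumptions.

```go
package main

import (
	"net/http"
	"strings"
)

// Request is a constructed stand-in for the CheckRequest attributes Envoy forwards.
type Request struct {
	Method, Path string
	Headers      map[string]string
}

// Sample policy in Casbin's RBAC shape: p = (sub, obj, act); g = user -> roles.
var policy = [][3]string{{"admin", "/api/*", "*"}, {"viewer", "/api/reports", "GET"}}
var roles = map[string][]string{"alice": {"admin"}, "bob": {"viewer"}}

// keyMatch mirrors Casbin's keyMatch: "*" in the pattern matches any path with that prefix.
func keyMatch(path, pattern string) bool {
	if i := strings.Index(pattern, "*"); i >= 0 {
		return strings.HasPrefix(path, pattern[:i])
	}
	return path == pattern
}

// enforce answers "may sub perform act on obj?" by expanding the user's roles.
func enforce(sub, obj, act string) bool {
	for _, role := range roles[sub] {
		for _, p := range policy {
			if p[0] == role && keyMatch(obj, p[1]) && (p[2] == "*" || p[2] == act) {
				return true
			}
		}
	}
	return false
}

// Check returns the HTTP status the gRPC Check handler would hand back to Envoy:
// 200 (OK), 401 when the identity header is missing (fail closed), 403 when the
// policy denies the action. The header name "x-user-id" is an assumption.
func Check(req Request) int {
	sub := req.Headers["x-user-id"]
	if sub == "" {
		return http.StatusUnauthorized
	}
	if enforce(sub, req.Path, req.Method) {
		return http.StatusOK
	}
	return http.StatusForbidden
}
```

A request with no identity header is refused before any policy lookup, so a misconfigured header-passing step in the mesh surfaces as a 401 rather than an accidental allow.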
Usage
- Configure your Casbin policies in the configuration files following the Casbin documentation.
You can test your policies using the online Casbin editor.
- Launch the authorization server:
go build .
./authz
- Apply the Envoy configuration:
envoy -c authz.yaml -l info
Once Envoy starts, it will route incoming requests through the authorization middleware.
Integrating with Istio
To enable this middleware, configure your mesh so that the caller's identity reaches the authorization server, either as claims carried in a JWT or as custom request headers. For instructions on modifying request headers, consult the official Istio documentation.