I am new to Istio. I am implementing authorization using JWT. I am getting an RBAC access denied error for a valid JWT token. I have added the JWT payload and the authorization policy for reference. I am using Kubernetes version v1.18.3 and Istio 1.6.2. I am running the cluster on minikube.
JWT payload:
{
  "iss": "https://dev-n63ipah2.us.auth0.com/",
  "sub": "sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients",
  "aud": "http://10.97.72.213/",
  "iat": 1594125596,
  "exp": 1594211996,
  "azp": "sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0",
  "scope": "read:contact write:contact update:contact delete:contact",
  "gty": "client-credentials"
}
Authorization policy:
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: dex-ms-contact-require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: dex-ms-contact
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://dev-n63ipah2.us.auth0.com/sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients"]
    to:
    - operation:
        methods: ["*"]
        paths: ["*"]
    when:
    - key: request.auth.claims[iss]
      values: ["https://dev-n63ipah2.us.auth0.com/"]
After applying the authorization policy, I called the GET http://10.97.72.213/contact/1 API from Postman and received 403 Forbidden, RBAC: access denied.
Note: 10.97.72.213 is the public IP address of the Minikube cluster.
Answer 0: (score: 1)
According to the Istio documentation:
requestPrincipals - Optional. A list of request identities (i.e. “iss/sub” claims), which matches to the “request.auth.principal” attribute.
In your case, iss is https://dev-n63ipah2.us.auth0.com/, while sub is https://dev-n63ipah2.us.auth0.com/, so you probably want something like this:
  - from:
    - source:
        requestPrincipals: ["https://dev-n63ipah2.us.auth0.com//sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients"]
(Note the double slash: the first one is part of iss, the second one is the separator.)
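As an added example (not part of the question or the answer above), the following Python script reproduces the check the answer describes: it builds request.auth.principal as "<iss>/<sub>", the format Istio documents for that attribute, and evaluates the posted ALLOW rule and the corrected one against the JWT payload from the question. It is a simplified, stand-alone model of Istio's string matching (exact, "prefix*", "*suffix", "*") written for illustration, not Istio's own code; the JWT header and signature are placeholders and no signature verification is performed (in Istio that is the job of RequestAuthentication, not AuthorizationPolicy).

```python
import base64
import json

# Constructed sample input: the JWT payload posted in the question.
PAYLOAD = {
    "iss": "https://dev-n63ipah2.us.auth0.com/",
    "sub": "sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients",
    "aud": "http://10.97.72.213/",
    "iat": 1594125596,
    "exp": 1594211996,
    "azp": "sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0",
    "scope": "read:contact write:contact update:contact delete:contact",
    "gty": "client-credentials",
}
ISSUER = PAYLOAD["iss"]
SUBJECT = PAYLOAD["sub"]

# The rules block of the posted policy: principal written as iss immediately
# followed by sub (single slash, because iss already ends in "/").
ORIGINAL_RULES = [{
    "from": [{"source": {"requestPrincipals": [f"{ISSUER}{SUBJECT}"]}}],
    "to": [{"operation": {"methods": ["*"], "paths": ["*"]}}],
    "when": [{"key": "request.auth.claims[iss]", "values": [ISSUER]}],
}]
# The same rules with the principal written as iss + "/" + sub (double slash).
FIXED_RULES = [{
    "from": [{"source": {"requestPrincipals": [f"{ISSUER}/{SUBJECT}"]}}],
    "to": [{"operation": {"methods": ["*"], "paths": ["*"]}}],
    "when": [{"key": "request.auth.claims[iss]", "values": [ISSUER]}],
}]


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    # Placeholder header and signature: only the payload segment matters here.
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}.sig-placeholder"


def decode_payload(token: str) -> dict:
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def request_principal(claims: dict) -> str:
    # Istio documents request.auth.principal as "<iss>/<sub>": the two claims
    # joined by a "/" with no normalisation of a trailing slash in iss.
    return f"{claims['iss']}/{claims['sub']}"


def match(pattern: str, value: str) -> bool:
    # Model of Istio's string matching: exact, "prefix*", "*suffix", or "*".
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value


def claim_value(claims: dict, key: str) -> str:
    # key has the form "request.auth.claims[<name>]"
    name = key[len("request.auth.claims["):-1]
    return str(claims.get(name, ""))


def rule_matches(rule: dict, claims: dict, method: str, path: str) -> bool:
    principal = request_principal(claims)
    froms = rule.get("from") or []
    from_ok = not froms or any(
        match(p, principal)
        for f in froms for p in f["source"].get("requestPrincipals", []))
    tos = rule.get("to") or [{"operation": {}}]  # absent "to" matches any operation
    to_ok = any(
        any(match(m, method) for m in t["operation"].get("methods", ["*"]))
        and any(match(pp, path) for pp in t["operation"].get("paths", ["*"]))
        for t in tos)
    when_ok = all(
        any(match(v, claim_value(claims, c["key"])) for v in c["values"])
        for c in rule.get("when") or [])
    return from_ok and to_ok and when_ok


def authorize(rules: list, claims: dict, method: str, path: str) -> str:
    # action: ALLOW -> the request passes if at least one rule matches,
    # otherwise the sidecar answers 403 with the body Istio uses.
    if any(rule_matches(r, claims, method, path) for r in rules):
        return "ALLOW"
    return "RBAC: access denied"


if __name__ == "__main__":
    claims = decode_payload(make_unsigned_jwt(PAYLOAD))
    print("request.auth.principal =", request_principal(claims))
    for label, rules in (("posted policy", ORIGINAL_RULES), ("iss/sub policy", FIXED_RULES)):
        print(f"{label}: {authorize(rules, claims, 'GET', '/contact/1')}")
```

Running it shows why the posted policy denies a valid token: the principal the proxy computes contains two consecutive slashes, and the single-slash string in requestPrincipals never matches it exactly, while the when clause on request.auth.claims[iss] is satisfied in both cases.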