-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
policy: Per route authorization #8901
Conversation
Signed-off-by: Alex Leong <alex@buoyant.io>
Signed-off-by: Alex Leong <alex@buoyant.io>
) -> HashMap<AuthorizationRef, ClientAuthorization> { | ||
let mut authzs = HashMap::default(); | ||
|
||
for (name, spec) in self.authorization_policies.iter() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
style nit, not important: &HashMap
implements IntoIterator
, so i believe this could just be
for (name, spec) in self.authorization_policies.iter() { | |
for (name, spec) in self.authorization_policies { |
Signed-off-by: Alex Leong <alex@buoyant.io>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is looking pretty good to me! I think we need some deeper testing--I'll try to do some manual testing in the meantime.
Great! Seems to work as expected using a config like https://gist.github.com/olix0r/0d13b32037e91ad802a907077f29b821#file-emojivoto-policy-yml
|
Signed-off-by: Alex Leong <alex@buoyant.io>
let curl = curl::Runner::init(&client, &ns).await; | ||
let (allowed, denied) = tokio::join!( | ||
curl.run( | ||
"curl-allowed", | ||
"http://nginx/allowed", | ||
LinkerdInject::Enabled | ||
), | ||
curl.run("curl-denied", "http://nginx/denied", LinkerdInject::Enabled), | ||
); | ||
let (allowed_status, denied_status) = tokio::join!(allowed.exit_code(), denied.exit_code()); | ||
assert_eq!( | ||
allowed_status, 0, | ||
"curling allowed route must contact nginx" | ||
); | ||
assert_ne!( | ||
denied_status, 0, | ||
"curl which does not match route must not contact nginx" | ||
); | ||
}) | ||
.await; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are probably a few more states worth considering here:
- allowed by a server-scoped authorization
- allowed by a server-scoped authorization but not present in routes (should get a 404).
not a blocker
Signed-off-by: Alex Leong <alex@buoyant.io>
"http://nginx/allowed", | ||
LinkerdInject::Enabled | ||
), | ||
curl.run("curl-denied", "http://nginx/denied", LinkerdInject::Enabled), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I still think this is a little off: this case is hitting an endpoint on no route. we probably want an additional route object that matches /denied
(or an empty route to match all endpoints?). OR we should rename "denied" to something like "no-route"
Signed-off-by: Alex Leong <alex@buoyant.io>
Fixes #8890
When building the
InboundHttpRoute
, we find all authorizations which target that route and copy the associated authentications onto the route and return them in the api. This allows AuthorizationPolicies to target HttpRoutes.We also add admission, api, and e2e tests.