Support fined-grained access control in SecurityPolicy #2250
Comments
We probably shouldn't go this route because:
We can just remove the path out of the API because
Yes, we can. As the links below show, the Envoy RBAC filter can retrieve claims such as envoyproxy/envoy#7913 (comment)
@zhaohuabing if you use the API outline mentioned in the first post, it does not support the "action" mentioned in https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#config-rbac-v3-rbac, so instead the API spec should be something like
@zetaab this feature has not been built out yet; you can use the existing fields in
@arkodg yep, but I just wanted to mention that there can be multiple types of "action", so perhaps it's worth including that as well. Anyway, I am really waiting for this feature, so I just wanted to participate.
@zetaab can you also outline your use case here? Are you trying to perform authz based on claims?
@arkodg my use case is: 1) I would like to have OIDC authentication (+JWT verification needed at the Envoy level?) 2) I would like to define that groups X, Y, Z are allowed (others denied) to an HTTPRoute, or even at the global level. Currently the claims can be included as HTTP headers in the HTTP response towards the upstream afaik. However, there is no way to block requests based on the claim values. Another case: 1) JWT authentication 2) I want that only Third case: the HTTPRoute requires one of the following: 1) OIDC auth (+JWT) OR 2) a specified IP address (this needs two action I think). All of these can be done with the envoyproxy RBAC module.
Thanks for sharing your use case @zetaab.
Both these APIs will translate intent into the Envoy RBAC filter.
@guydc brought the use case of wanting to limit supported methods (send
@arkodg Can we include this in v1.1.0? It's a very nice feature and I dare say essential to the gateway!
Relates to #1845
What is this?
EG can leverage RBAC for implementing fine-grained access control, at both the Gateway and xRoute level. The principal, obtained through the authentication process (such as OIDC, JWT, etc.), serves as the basis for defining access control policies. Source IP-based access control can also be supported in this model.
The below is roughly how the API will look, but it's just an initial idea and definitely needs more input.
API outline
Reference: envoyproxy/envoy#7913
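As an added example (not the issue's API outline and not Envoy Gateway code), this is roughly the Envoy HTTP filter chain such a policy would be translated into, covering the use cases raised in the comments: a group-claim check restricted to GET, and a source-IP allowlist as an alternative principal. The provider name, JWKS cluster, claim key `groups`, group names and the CIDR are constructed placeholders; it assumes a jwt_authn provider that stores the verified payload in dynamic metadata under `jwt_payload`.

```yaml
# Added example (not the issue's API outline): the Envoy filter chain an RBAC
# SecurityPolicy could compile down to. All names and addresses are placeholders.
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      oidc_provider:                          # constructed provider name
        issuer: https://issuer.example.com    # placeholder issuer
        remote_jwks:
          http_uri: { uri: https://issuer.example.com/jwks, cluster: jwks_cluster, timeout: 5s }
        # Write the verified claims into dynamic metadata so RBAC can match on them.
        payload_in_metadata: jwt_payload
    rules:
    - match: { prefix: "/" }
      # Verify a JWT when one is present; requests without a JWT are passed on to
      # RBAC, which only admits them if another policy (the source-IP one) matches.
      requires:
        requires_any:
          requirements: [ { provider_name: oidc_provider }, { allow_missing: {} } ]
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    rules:
      action: ALLOW   # policies are OR'ed; a request matching no policy gets 403
      policies:
        # Case 1: members of group X or Y (claim key is an assumption) may only GET.
        groups-readonly:
          permissions:
          - header: { name: ":method", string_match: { exact: "GET" } }
          principals:   # principals within a policy are OR'ed
          - metadata:
              filter: envoy.filters.http.jwt_authn
              path: [ { key: jwt_payload }, { key: groups } ]
              value: { list_match: { one_of: { string_match: { exact: "X" } } } }
          - metadata:
              filter: envoy.filters.http.jwt_authn
              path: [ { key: jwt_payload }, { key: groups } ]
              value: { list_match: { one_of: { string_match: { exact: "Y" } } } }
        # Case 3 alternative: a trusted source network needs no JWT at all.
        # direct_remote_ip is the immediate peer address, so a client-supplied
        # X-Forwarded-For cannot satisfy it; use remote_ip only behind trusted proxies.
        trusted-network:
          permissions:
          - any: true
          principals:
          - direct_remote_ip: { address_prefix: 203.0.113.0, prefix_len: 24 }  # placeholder CIDR
```

Because the RBAC action is ALLOW, a request from a JWT holder outside groups X and Y, or a non-GET request from them, is denied unless it originates from the trusted network.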