Doc.: Incorrect "allowed" instead of "matches" in Rule documentation #2071

Open
dsbos opened this issue Aug 4, 2021 · 3 comments

dsbos commented Aug 4, 2021

In the page section currently at https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule, about each of from, to, and when, it says, "If not set, any [source/operation/condition] is allowed."

Isn't that very wrong? Whether any source/operation/condition is allowed or denied depends on whether the action is ALLOW or DENY, right?

Shouldn't the referenced text say that any source/operation/condition matches, not that it is allowed?

dsbos commented Aug 4, 2021

Relatedly:

Also, a bit earlier in that section, the text says:

A match occurs when at least one source, one operation and all conditions matches [sic] the request.

Don't the first two cases there contradict the intent of the "any ... is allowed" wording?

Consider an empty from list: Per the "If not set ..." wording, it's supposed to match any source, right? However, per the "at least one source ... matches," it's supposed to not match any source (since there are no specified sources), right?

If the later text is supposed to be carving out an exception to what the earlier text says, then those two bits of text need to be right next to each other.

Actually, it looks like other wording needs reworking to actually say what it means and say it clearly.

(For example, the wording "from specifies the source of a request" actually says that it specifies the source of one request, when it means to convey something more like "from specifies possible sources of requests," or maybe "from specifies sources that requests can have and match". (No, those two possibilities aren't quite "ready for prime time" without some more editing/refinement.))

ericvn commented Aug 4, 2021

Depending on release, this would come from: https://github.com/istio/api/blob/release-1.10/security/v1beta1/authorization_policy.proto.

ericvn transferred this issue from istio/istio.io Aug 4, 2021

@howardjohn (Member)

Yeah I think this is stale from when we did not have DENY mode
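
The distinction raised in this issue, as an added example that is not part of the thread and not Istio's code: a simplified Python model in which a rule without `from` matches any source, and whether a matching request is then allowed or denied depends on the policy action. The dictionary layout, function names, header-based conditions and sample requests are assumptions made for illustration; CUSTOM and AUDIT actions are left out, and a missing or empty field is treated as not set.

```python
# Simplified model of AuthorizationPolicy rule matching (added example, not Istio code).
# Assumption: a missing or empty from/to/when is treated as "not set".

def rule_matches(rule, request):
    """A rule matches when at least one source, at least one operation and
    all conditions match; a field that is not set matches anything."""
    sources = rule.get("from") or []
    operations = rule.get("to") or []
    conditions = rule.get("when") or []
    src_ok = not sources or any(request["principal"] in s["principals"] for s in sources)
    op_ok = not operations or any(request["method"] in o["methods"] for o in operations)
    # Assumption: conditions are modelled as plain header lookups.
    cond_ok = all(request["headers"].get(c["key"]) in c["values"] for c in conditions)
    return src_ok and op_ok and cond_ok

def policy_matches(policy, request):
    # A policy with no rules never matches.
    return any(rule_matches(r, request) for r in policy.get("rules", []))

def evaluate(policies, request):
    """DENY policies are checked first; ALLOW policies, if any exist, come after."""
    deny = [p for p in policies if p["action"] == "DENY"]
    allow = [p for p in policies if p["action"] == "ALLOW"]
    if any(policy_matches(p, request) for p in deny):
        return "denied"
    if not allow or any(policy_matches(p, request) for p in allow):
        return "allowed"
    return "denied"

# Constructed sample rule: no `from`, so any source matches it.
RULE_NO_FROM = {"to": [{"methods": ["DELETE"]}]}
# Constructed sample requests.
ALICE_DELETE = {"principal": "cluster.local/ns/a/sa/alice", "method": "DELETE", "headers": {}}
BOB_GET = {"principal": "cluster.local/ns/b/sa/bob", "method": "GET", "headers": {}}

if __name__ == "__main__":
    for action in ("ALLOW", "DENY"):
        policy = {"action": action, "rules": [RULE_NO_FROM]}
        for req in (ALICE_DELETE, BOB_GET):
            print(action, req["method"],
                  "matches" if rule_matches(RULE_NO_FROM, req) else "no match",
                  "->", evaluate([policy], req))
```

The same rule matches the same request under both actions; only the outcome flips, which is why "matches" describes an unset field accurately and "allowed" does not.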
