java - Istio return "RBAC: access denied" with wildcard path

Question

Welcome To Ask or Share your Answers For Others

java - Istio return "RBAC: access denied" with wildcard path

asked Feb 6, 2021 in Technique[技术] by 深蓝 (71.8m points)

java - Istio return "RBAC: access denied" with wildcard path

Istio has returning "RBAC: access denied" when use wildcard path in "AuthorizationPolicy", see files:

api-key-test-authorization.yml

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-key-test-authorization
  namespace: test
spec:
  selector:
    matchLabels:
      api-key-secured: enabled
  rules:
  - to:
    - operation:
        paths: ["*/test1", "*/test2/*", "*/test4*"]
  - to:
    - operation:
        paths: ["/*"]
    when:
    - key: request.headers[api-key]
      values: ["XXXXXXXX"]

Resources.java

...
enter code here
@GetMapping(value = "/test1")
@ResponseBody
public ResponseEntity<Resource> getTest1(HttpServletResponse response) throws IOException {

    System.out.println("Test 1");

    return ResponseEntity.ok().build();
}

@GetMapping(value = "/test2/{id}/xpto")
@ResponseBody
public ResponseEntity<Resource> getTest2(@PathVariable("id") String id, HttpServletResponse response) throws IOException {

    System.out.println(id + " XPTO");

    return ResponseEntity.ok().build();
}

@GetMapping(value = "/test3/{id}")
@ResponseBody
public ResponseEntity<Resource> getTest3(@PathVariable("id") String id, HttpServletResponse response) throws IOException {

    System.out.println(id + " of Test 3");

    return ResponseEntity.ok().build();
}

Results:

"http://example.com/test1": work's fine;
"http://example.com/test2/xxx/xpto": return "RBAC: access denied";
"http://example.com/test3/xxx": return "RBAC: access denied";

These path are configured to not need to pass the "api-key", however when there is a wildcard (*) in the path it returns the error demanding the "api-key".

I'm using Istio.1.4.9

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Answer

深蓝 · Answer 1 · 2021-02-06T00:22:39+0000

It seems that according to documentation, prefix or suffix matching is possible, but not both:

Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

Exact match: “abc” will match on value “abc”.

Prefix match: “abc*” will match on value “abc” and “abcd”.

Suffix match: “*abc” will match on value “abc” and “xabc”.

Presence match: “*” will match when value is not empty.

Note that for your given URLs, prefix matching will probably be enough, as the domain part is not taken into account in this context.

Something like that (untested)

paths: ["test1", "test2/*", "test4*"]

Categories

java - Istio return "RBAC: access denied" with wildcard path

java - Istio return "RBAC: access denied" with wildcard path

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags