Istio has returning "RBAC: access denied" when use wildcard path in "AuthorizationPolicy", see files:
api-key-test-authorization.yml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: api-key-test-authorization
namespace: test
spec:
selector:
matchLabels:
api-key-secured: enabled
rules:
- to:
- operation:
paths: ["*/test1", "*/test2/*", "*/test4*"]
- to:
- operation:
paths: ["/*"]
when:
- key: request.headers[api-key]
values: ["XXXXXXXX"]
Resources.java
...
enter code here
@GetMapping(value = "/test1")
@ResponseBody
public ResponseEntity<Resource> getTest1(HttpServletResponse response) throws IOException {
System.out.println("Test 1");
return ResponseEntity.ok().build();
}
@GetMapping(value = "/test2/{id}/xpto")
@ResponseBody
public ResponseEntity<Resource> getTest2(@PathVariable("id") String id, HttpServletResponse response) throws IOException {
System.out.println(id + " XPTO");
return ResponseEntity.ok().build();
}
@GetMapping(value = "/test3/{id}")
@ResponseBody
public ResponseEntity<Resource> getTest3(@PathVariable("id") String id, HttpServletResponse response) throws IOException {
System.out.println(id + " of Test 3");
return ResponseEntity.ok().build();
}
Results:
These path are configured to not need to pass the "api-key", however when there is a wildcard (*) in the path it returns the error demanding the "api-key".
I'm using Istio.1.4.9
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…