Istio: HTTP Authorization: verify user is the resource owner

6/19/2019

Looking into using Istio to handle Authorization for an application built on a microservices architecture in Kubernetes.

One thing we're looking to accomplish is to decouple the authorization of a service by utilizing Istio Authorization.

Our API Gateway (Kong) will handle the verification/parsing of the JWT tokens and pass along any required attributes (usernames, groups, roles, etc.) as headers, e.g. x-username: homer@somewhere.com (this abstracts that from the services).

What we want to accomplish is along with verifying based on roles etc we also want to ensure that the x-username is also the owner of the resource e.g. if they are accessing:

/user/{userID}/resource

That would mean that if userID matches the value of the x-username header, we can continue serving the request; otherwise we'll send a 401, etc.

Is there a way to configure this as part of Istio Authorization?

Thanks in advance for your time

-- jeffchong07
Tags: authorization, istio, jwt, kubernetes, microservices

1 Answer

6/20/2019

What you're looking for is attribute-based access control (ABAC). Look into authorization engines, e.g. Axiomatics, that plug straight into Kong and provide that level of access control (ownership check).

You could also choose to call Axiomatics from Istio using an adapter based on Istio's authorization template.

Policies in Axiomatics are written using either XACML or ALFA which are the 2 OASIS standards for ABAC / fine-grained authorization.

You could easily write a condition along the lines of:

rule checkOwner{
    deny
    condition not(owner==user.uid)
}

BTW you probably want to send back a 403 rather than 401. The latter refers to failed authentication.

-- David Brossard
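The ownership decision the question describes and the ALFA rule in the answer expresses (deny unless owner == user.uid), written out as an added example in plain Python rather than in Istio or Axiomatics configuration; it is not code from either poster. It assumes the gateway has already validated the JWT and set the x-username header, that the route shape is /user/{userID}/resource, and that identifiers are email-style and compared case-insensitively. The route pattern, the normalize helper and the authorize function are hypothetical names chosen for this example; the sample requests are constructed.

```python
import re
from typing import Mapping, Optional
from urllib.parse import unquote

# Hypothetical route pattern for the question's /user/{userID}/resource.
# Trailing sub-paths are tolerated; the query string is stripped before matching.
OWNER_ROUTE = re.compile(r"^/user/(?P<owner>[^/]+)/resource(?:/.*)?$")


def extract_owner(path: str) -> Optional[str]:
    """Return the {userID} segment of the path, or None if the route does not match.

    The segment is percent-decoded so that 'homer%40somewhere.com' compares
    equal to the header value 'homer@somewhere.com'.
    """
    match = OWNER_ROUTE.match(path.split("?", 1)[0])
    if not match:
        return None
    return unquote(match.group("owner"))


def normalize(uid: str) -> str:
    """Email-style identifiers are compared case-insensitively after trimming (assumption)."""
    return uid.strip().lower()


def authorize(path: str, headers: Mapping[str, str]) -> int:
    """Decide the request: 200 allow, 401 no authenticated subject, 403 denied.

    Mirrors the ALFA rule from the answer: deny when not(owner == user.uid).
    The split between 401 and 403 follows the answer's note: 401 means the
    caller was never authenticated, 403 means an authenticated caller is not
    permitted.
    """
    # HTTP header names are case-insensitive, so build a lowercase view.
    lowered = {name.lower(): value for name, value in headers.items()}
    user = lowered.get("x-username")
    if not user:
        # No subject attribute: the gateway did not authenticate the caller.
        return 401
    owner = extract_owner(path)
    if owner is None:
        # Route carries no owner attribute. Deny by default rather than
        # letting a misrouted request slip past the ownership check.
        return 403
    if normalize(owner) != normalize(user):
        # Authenticated, but not the owner of the resource: forbidden.
        return 403
    return 200


if __name__ == "__main__":
    # Constructed sample requests (gateway-supplied header plus request path).
    samples = [
        ("/user/homer@somewhere.com/resource", {"x-username": "homer@somewhere.com"}),
        ("/user/homer%40somewhere.com/resource", {"X-Username": "Homer@Somewhere.com"}),
        ("/user/marge@somewhere.com/resource", {"x-username": "homer@somewhere.com"}),
        ("/user/homer@somewhere.com/resource", {}),
        ("/admin/stats", {"x-username": "homer@somewhere.com"}),
    ]
    for sample_path, sample_headers in samples:
        print(f"{authorize(sample_path, sample_headers)}  {sample_path}  {sample_headers}")
```

In a real deployment this logic would live in the external policy engine or in the adapter the answer mentions, with the gateway's header treated as trusted only because the gateway strips any client-supplied x-username before injecting its own; the example keeps the comparison itself isolated so it can be unit-tested independently of Istio.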
Source: StackOverflow