App Identity and Access Adapter for Istio Mixer not working

12/9/2019

I am trying to protect front end applications with the IBM App Identity and Access Adapter for Istio. There are two steps to follow once the service is in place:

  1. Create the OidcConfig (this is the default configuration provided in their example):

         kind: OidcConfig
         metadata:
             name: hello-oidc
             namespace: my-namespace
         spec:
             discoveryUrl: https://dev-b37sro-t.auth0.com/.well-known/openid-configuration
             clientId: E3LjLlomDnaPTc0b83eZa1gT0oGDNLko
             clientSecret: randomlyGeneratedClientSecret(not revealing this one)

  2. Create the OidcPolicy (their example configuration again):

         apiVersion: "security.cloud.ibm.com/v1"
         kind: Policy
         metadata:
           name: oidcsamplepolicy
           namespace: my-namespace
         spec:
           targets:
             -
               serviceName: helloworld
               paths:
                 - exact: /hello
                   method: ALL
                   policies:
                     - policyType: oidc
                       config: hello-oidc
                       redirectUri: http://helloworld.my-namespace.my-project-host/hello

I am using Auth0 as identity issuer, so I generate a new application (helloworld from Istio 1.4.0) and get the parameters needed in the previous configurations from there.

For some reason, when I apply the OidcConfig and the Policy in my Kubernetes Cluster/Namespace/Service, it doesn't seem to have any effect. I am still able to access the application from the web browser without any authentication required.

These are the links I followed for the implementation:

https://www.ibm.com/cloud/blog/using-istio-to-secure-your-multicloud-kubernetes-applications-with-zero-code-change

https://github.com/ibm-cloud-security/app-identity-and-access-adapter

-- Nora

1 Answer

1/22/2020

Did you set global.disablePolicyChecks to false, and did you enable Mixer during the Istio install?

Mixer is disabled by default now.

See https://istio.io/docs/reference/config/installation-options/#mixer-options

Update:

I was just able to resolve this issue on my setup by doing the following:

First check the status of disablePolicyChecks:

    kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks

If this returns disablePolicyChecks: true, run:

    istioctl manifest apply --set values.global.disablePolicyChecks=false \
     --set values.mixer.policy.enabled=true \
     --set values.pilot.policy.enabled=true

Running the following should show the value of disablePolicyChecks as false:

    kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
-- Emerson
Source: StackOverflow
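The check from the answer, turned into a pre-flight test that fails loudly instead of relying on reading grep output. This is an added example, not part of the original question or answer; the function names and the sample mesh text are constructed for illustration, and a missing key is reported as unknown rather than assumed to have any default.

```shell
#!/usr/bin/env bash
# Reads the text of the `mesh` key of the istio ConfigMap on stdin and prints:
#   enforced - disablePolicyChecks: false (Mixer policy checks are on)
#   disabled - disablePolicyChecks: true  (the state the answer corrects)
#   unknown  - key absent or not a plain boolean; inspect by hand
policy_check_state() {
  awk '
    /^[ \t]*#/ { next }                        # a commented-out key does not count
    /^[ \t]*disablePolicyChecks[ \t]*:/ {
      v = $0
      sub(/^[^:]*:[ \t]*/, "", v)              # drop "key:"
      sub(/[ \t]*(#.*)?$/, "", v)              # drop trailing comment and spaces
      v = tolower(v)
      if (v == "false")     state = "enforced"
      else if (v == "true") state = "disabled"
      else                  state = "unknown"
    }
    END { print (state == "" ? "unknown" : state) }
  '
}

# Live variant: same kubectl command as in the answer, piped into the parser.
# Returns non-zero unless policy checks are enforced, so it can gate a deploy.
live_policy_check() {
  state=$(kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" \
            | policy_check_state)
  echo "Mixer policy checks: $state"
  [ "$state" = "enforced" ]
}

# Constructed sample mesh text, not captured from a real cluster.
SAMPLE_DISABLED='# disablePolicyChecks: false
disablePolicyChecks: true
enableTracing: true'

SAMPLE_ENFORCED='enableTracing: true
  disablePolicyChecks: false   # set via istioctl manifest apply'

printf '%s\n' "$SAMPLE_DISABLED" | policy_check_state   # disabled
printf '%s\n' "$SAMPLE_ENFORCED" | policy_check_state   # enforced
```

Run `live_policy_check` against the cluster before applying the OidcConfig and Policy; a non-zero exit means the adapter's policies would not be evaluated yet.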