Doc.: Incorrect "allowed" instead of "matches" in Rule documentation
In the page section currently at https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule, about each of `from`, `to`, and `when`, it says, "If not set, any [source/operation/condition] is allowed."
Isn't that very wrong? Whether any source/operation/condition is allowed or denied depends on whether the action is `ALLOW` or `DENY`, right?
Shouldn't the referenced text say that any source/operation/condition matches, not that it is allowed?
Relatedly:
Also, a bit earlier in that section, the text says:
A match occurs when at least one source, one operation and all conditions matches [sic] the request.
Don't the first two cases there contradict the intent of the "any ... is allowed" wording?
Consider an empty `from` list: Per the "If not set ..." wording, it's supposed to match any source, right? However, per the "at least one source ... matches," it's supposed to not match any source (since there are no specified sources), right?
If the later text is supposed to be carving out an exception to what the earlier text says, then those two bits of text need to be right next to each other.
Actually, it looks like other wording needs reworking to actually say what it means and say it clearly.
(For example, the wording "`from` specifies the source of a request" actually says that it specifies the source of one request, when it means to convey something more like "`from` specifies possible sources of requests," or maybe "`from` specifies sources that requests can have and match". (No, those two possibilities aren't quite "ready for prime time" without some more editing/refinement.))
Depending on release, this would come from: https://github.com/istio/api/blob/release-1.10/security/v1beta1/authorization_policy.proto.
Yeah I think this is stale from when we did not have DENY mode
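Added example (not from the issue thread and not Istio's code): a simplified Python model of the distinction the issue draws, in which a rule with `from` unset matches every source while the outcome still depends on the policy action. The class and field names, the request shape and the sample principal are assumptions made for illustration; `authorize` follows the evaluation order in the Istio authorization documentation with CUSTOM policies left out.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Rule:
    # None models "not set". An explicitly empty list is rejected, because how
    # that case should read is the open question in the issue, not settled here.
    sources: Optional[List[str]] = None     # stands in for `from`
    methods: Optional[List[str]] = None     # stands in for `to`
    conditions: Optional[List[Callable[[dict], bool]]] = None  # stands in for `when`

    def __post_init__(self):
        for name in ("sources", "methods", "conditions"):
            if getattr(self, name) == []:
                raise ValueError(f"{name}: empty list is not modelled")

    def matches(self, req: dict) -> bool:
        # An unset field matches anything; matching says nothing about allow/deny.
        src = self.sources is None or req["principal"] in self.sources
        op = self.methods is None or req["method"] in self.methods
        cond = self.conditions is None or all(c(req) for c in self.conditions)
        return src and op and cond

@dataclass
class Policy:
    action: str          # "ALLOW" or "DENY"
    rules: List[Rule]

    def matches(self, req: dict) -> bool:
        return any(r.matches(req) for r in self.rules)

def authorize(policies: List[Policy], req: dict) -> bool:
    """Documented order, CUSTOM omitted: DENY match, no ALLOW policies, ALLOW match."""
    if any(p.action == "DENY" and p.matches(req) for p in policies):
        return False
    allows = [p for p in policies if p.action == "ALLOW"]
    return True if not allows else any(p.matches(req) for p in allows)

# Constructed sample: a rule with `from` and `when` unset, and one request.
RULE = Rule(methods=["GET"])
REQ = {"principal": "cluster.local/ns/demo/sa/client", "method": "GET"}

if __name__ == "__main__":
    for action in ("ALLOW", "DENY"):
        print(action, RULE.matches(REQ), authorize([Policy(action, [RULE])], REQ))
```

The same rule matches the same request in both runs; only the action turns that match into an allow or a deny.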