New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support regex for ServiceRole spec.rules.paths #16585
Comments
Instead of introducing a new key (
|
This feature will be very useful to define the authz policy, without this feature the only way that I can image is to use the Mixer Policy with OPA (it is powerful but seems not a recommend way), so I suggest AuthorizationPolicy to support another header matcher mode (istio/pilot/pkg/security/authz/model/matcher/header.go):
|
This becomes important in Istio 1.5 now that the alpha Authentication Policy is being replaced with the Request Authentication and Peer Authentication. There is no other way to exclude paths for JWT then to use an Authorization Policy which does not allow regex. |
Hmm indeed this seems a feature regression... I confirmed we don't have regex in the beta API (both req/authz). @yangminzhu you must know more on this. We do not include regex in the authz api is that for a specific reason or due to our negligence? |
yes, we dropped the regex support in the beta RequestAuthentication and didn't add it in the AuthorizationPolicy as we're not sure how many users will actually need the regex and what's the API should be.
paths:
@jpatters thanks for the suggestion, we ever considered this a little bit but @liminw has some concerns that this will make the policy quite redudant.
@edgel this seems a more easier and incremental way to support the regex, but we need to think about the detail syntax. @diemtvu @liminw It looks like many users are actually wanting the regex match in authZ policy, could you share some thoughts here, maybe we could support it like this: |
We usually don't make a feature request as a P0. Previsouly this was an experimental feature and we don't expect users to use it in production. |
+1 |
new authorization policy has |
What is the recommended solution for the following REST pattern of sub-resources? Suppose I build a CRUD REST service for Countries. Each country has a sub-resource City. Following REST convention, I believe this means paths like I have a rule to ALLOW requests to Some users who are authorized for I am not an expert REST developer but I had thought this was an extremely common pattern--can you help me understand why this pattern is uncommon (what are the better patterns for subresources?), or what led to the conclusion that users would not use this regex support for this purpose in production? |
Can't speak for everyone, but it's definitely the same issue for us. We've followed what we believe is the correct REST convention, and find ourselves unable to express this within the policy. We're trying to replace our custom Envoy-based sidecar with a full Istio implementation, but the lack of this support means we'll likely end up with some kind of hybrid, which is unfortunate. We definitely need this for Production use-cases. |
Yep, we have run head-first into the same; we are moving away from Istio for our REST services until it has more support for basic REST conventions. |
@yangminzhu is this solved by #27984? |
yes, but we're evaluating if glob matching would be good enough for most use cases. @wereeder @jpatters @edgel @nak3 @lgarrett-isp @DanSalt @ajit-hybris @aguromano @ajitchahal @mcieplak @rolandkool I'm wondering would the glob matching good enough for your use cases? It looks like most examples (e.g. |
@yangminzhu For My header is be like x-auth-request-groups : 'CN=EMSUDEMY,OU=Groups,O=cco.xxx.com, CN=all-xxxx-people,OU=xxxx Groups,O=cco.xxxx.com, CN=xxxxxxxxx,OU=xxxx Groups,O=cco.xxxx.com . I would like match |
there seems a discussion about this in the community concerning about the security risk @yangminzhu do you have any updates for this regex supporting? |
Is there any update for this issue? Will you support glob matching? |
+1 |
|
this is supported upstream now: |
Seems like we can expect it to be released in Envoy 1.30. Any idea what the target release date is for that? I'm not sure istio/api#2173 is the right API though given that upstream Envoy just added a new matcher |
@keithmattix According to schedule planned release date of Envoy 1.30 is 16/04/2024 - Envoy Major release schedule |
Well that link's going in my bookmarks :) Thanks! I think that means that Istio 1.22 can very easily include this feature. Either me or someone on my team can tackle this if @mstrYoda is ok with it? I see they're currently assigned to the issue |
It is okay to me, also I would like to contribute too if there is a chance for it 👍 |
Hi @mstrYoda! I am excited to takle this work together! Here are my thoughts for a solution and how we can pair. Let's leave the apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/sleep"]
- source:
namespaces: ["test"]
to:
- operation:
methods: ["GET"]
pathTemplates: ["/info/*/{file}", "/info/v2/*/{file}]
- operation:
methods: ["POST"]
pathTemplates: ["/data/**"]
when:
- key: request.auth.claims[iss]
values: ["https://accounts.google.com"]
Would you be interested in taking on the api changes? I can work on the control plane changes. Let me know your thoughts! |
Just checking this is a typo? :) I suppose it'd be more effort to only partially support the uri template syntax (i.e. not the named variables) than just passing it straight through to the Envoy config, but as a user I'm wondering if there'd be any value in the named variables beyond it being a kind of documentation: might the captured values get exposed somewhere for (say) use in access logs, or an EnvoyFilter, in a |
Hi @jaellio 👋 Thanks for the collaboration. I have the same questions with the @michaelbannister 🤔 I did not work on API side before but I have some idea and experience on the control plane side. Can we pair/collaborate on both? I can make the changes on the API side and would love to see developments on the control plane too. |
I am a bit worried about having multiple ways to represent path, especially when its also in 'when'. It can be pretty complex to have 4 (with 'not' variants) rules for the same thing. I also don't think we need to support the full syntax of Envoy's URI template. The URI template is the implementation detail of our API; we should define the API we want and map it onto the URI template. Specifically, I don't see a strong need to support |
@michaelbannister Yes, apologies for the typo! I forgot to update the comment :) It should be " I think for now it would make sense to not support named variables. I had originally assumed that you could reference the variable later on in the template or as an environment variable. Primarily, the variable seems to be a source of documentation (and confusion). We could revisit adding support for named variables later on based on user feedback and increased functionality support (either by Istio or Envoy). For now, we can interpret any paths containing |
@howardjohn Are If we opted to support URI template matching for the existing |
Ah I guess not, my bad. I agree |
If we only support If we don't want to incorporate named variables (regardless of whether or not we do anything with them) we could support the following templating and map them to envoy's supported uri templating:
We will also support the existing
Alternatively, if we are interested in incorporating a named variable (but not doing anything with the variable at this time) we could support the same templating with I find the named variables introduce unnecessary confusion and would opt for the former option. We can add support for named variables later if necessary. |
Isn't this "Match any character"? Its not "path aware", just equivalent to
+1. I would, similarly, not support |
I think in the UriTemplate context,
I think the OP's original example would require something like |
I would agree Depending on how you are defining We could interpret any path with only |
I think adding new fields ( |
Increases templating support for positive and negative path mathching. Part of istio/istio#16585 Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
If we aren't in favor of adding new fields, I think we should add support for the following. I don't think
If the path contains |
This sounds reasonable to me. It'd be good if the corresponding Istio docs were clearer than the UriTemplate docs, though:
but then this example:
which suggests that the Another thought: Would we want to explicitly disallow any use of |
Totally agree. This could be a lot more clear - I can verify this by updating the unit tests. I already make some updates to verify if
I think that explicitly disallowing alternative use cases might be better than an undefined outcome even if we document it as unsupported functionality. I am not sure how complicated the conditional/regex would be, but I think it makes sense to only allow Regarding the impact of explicitly disallowing the use of |
Added a comment on the PR - not against adding matches, but only if we understand:
|
Closing in favor of creating a new issue to track broader adoption and integration of URI templating. |
(This is used to request new product features, please visit https://discuss.istio.io for questions on using Istio)
Describe the feature request
Support regex paths for ServiceRole spec.rules.paths, similar to how the Policy supports regex for spec.peers.jwt.trigger_rules.excluded_paths
Describe alternatives you've considered
Paths currently support wildcard patching for suffix, prefix or exact match, but not a mix of these. I tried using wildcard at beginning and end but this did not work. Without regex support, I have had to define several variations for allowing access to the swagger-ui.html. For example, I have added the following:
I would like to simplify this with a regex, such as:
Affected product area (please put an X in all that apply)
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Additional context
The text was updated successfully, but these errors were encountered: