Overview

ext_authz calls out to an external authorization service before an HTTP request reaches the application. Combined with OPA policies or an in-house authorization API, it gives one place to enforce and audit authorization across services, including JWT parsing and fine-grained rules.

Key practices and parameters

- Entry point: insert envoy.filters.http.ext_authz at the gateway or in the sidecar
- Timeouts and caching: configure the authorization timeout, the failure policy and result caching
- JWT and attributes: parse the token and pass user attributes on to the authorization service
- Audit: record denied requests and which rules were hit

Example / configuration / implementation

EnvoyFilter (YAML):

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
  namespace: istio-system
spec:
  workloadSelector:
    labels: { istio: ingressgateway }
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 443
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router   # INSERT_BEFORE needs an anchor filter; ext_authz goes ahead of the router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          # Default is false: errors and timeouts on the callout deny the request (the "failure policy" above)
          failure_mode_allow: false
          http_service:
            server_uri:
              uri: http://authz.svc.cluster.local/check
              cluster: ext-authz   # must name a cluster that exists in the gateway's Envoy config
              timeout: 0.5s
            authorization_request:
              # headers_to_add takes HeaderValue objects (key/value); "header" is not a valid field
              headers_to_add:
              - key: x-user
                value: "%REQ(x-user)%"
            authorization_response:
              # allowed_upstream_headers is a ListStringMatcher, not a plain list of strings
              allowed_upstream_headers:
                patterns:
                - exact: x-user
                - exact: x-roles
OPA policy (Rego):

package authz

default allow = false

# Allow GET /api/orders for callers that hold the "reader" role.
# input.path is assumed to be the request path already split into segments
# (e.g. "/api/orders" -> ["api", "orders"]), so no segment carries a leading slash.
allow {
    input.path == ["api", "orders"]
    input.method == "GET"
    input.user.roles[_] == "reader"
}
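The other half of this setup is the service behind /check. As an added, self-contained example (not code from the original page), the handler body below verifies an HS256 JWT taken from the Authorization header, evaluates the same rule as the Rego policy, answers 200 with x-user/x-roles for the gateway to forward or 403 otherwise, and logs denials and rule hits for audit. The shared secret, the rule table and the mint_hs256 helper are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import logging
log = logging.getLogger("ext-authz")
SECRET = b"constructed-example-secret"  # constructed for this example; a real service uses the issuer's keys
# Same rule as the page's Rego policy: GET /api/orders is allowed for the "reader" role.
RULES = [{"id": "orders-read", "path": ["api", "orders"], "method": "GET", "role": "reader"}]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict) -> str:
    """Issue an HS256 JWT (present only so the example is self-contained)."""
    h, p = _b64url(b'{"alg":"HS256","typ":"JWT"}'), _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"

def verify_hs256(token: str) -> dict:
    """Return the claims if the signature verifies, else raise ValueError (rejects alg=none too)."""
    parts = token.split(".")
    if len(parts) != 3 or json.loads(_unb64url(parts[0])).get("alg") != "HS256":
        raise ValueError("malformed token or unexpected alg")
    h, p, sig = parts
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(p))

def check(method: str, path: str, headers: dict) -> tuple[int, dict]:
    """Body of the /check callout: (status, headers for upstream); 200 allows, anything else denies."""
    auth = headers.get("authorization", "")
    try:
        claims = verify_hs256(auth[len("Bearer "):]) if auth.startswith("Bearer ") else {}
    except ValueError as e:
        log.warning("deny %s %s: %s", method, path, e)  # audit: rejected token
        return 403, {}
    segments = [s for s in path.split("?", 1)[0].split("/") if s]  # "/api/orders" -> ["api", "orders"]
    roles = claims.get("roles", [])
    for r in RULES:
        if segments == r["path"] and method == r["method"] and r["role"] in roles:
            log.info("allow %s %s sub=%s rule=%s", method, path, claims.get("sub"), r["id"])  # audit: rule hit
            return 200, {"x-user": claims.get("sub", ""), "x-roles": ",".join(roles)}
    log.warning("deny %s %s sub=%s roles=%s", method, path, claims.get("sub"), roles)  # audit: no rule matched
    return 403, {}
```

Only the headers listed in allowed_upstream_headers (x-user, x-roles) reach the application, so the service should return exactly those.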
Verification

- Allow and deny: the same path returns 200 or 403 depending on the caller's role
- Performance and timeouts: when the authorization service times out, the failure policy applies and an alert is raised
- Audit: denials and rule hits are logged and can be traced back
- Security properties: JWT parsing and user-attribute propagation behave correctly

Notes

- The authorization service must be highly available and low-latency
- Use caching and the failure policy with care so that risky requests are not let through
- Coordinate with existing AuthorizationPolicy resources and keep the policies consistent
- Audit and test policy coverage regularly
