Improved path pattern matching for AuthorizationPolicy

[Cakasim]

Description

This is an attempt to reboot a topic that was already discussed in few other issues and PRs. This issue aims to provide a summary of the outcome so far. The goal is to understand if this is a valid feature request that will be worked on in a foreseeable time or if the community should rather focus on workarounds.

The problem: the AuthorizationPolicy path matchers currently lack support for more advanced pattern matching. As stated in the documentation, only exact, any, prefix and suffix matching is supported. This is not aligned with how REST APIs are usually designed, there is no way to match a path pattern with dynamic parts like an order number, e.g., GET /orders/123/line-items.

This missing feature was already mentioned and discussed in a few issues and PRs, sharing a potentially incomplete list here:

• Support for regex in paths in an AuthorizationPolicy #25021
• Support regex for ServiceRole spec.rules.paths #16585 (comment)
• Add regex function in string matcher #27984

Ideas

Based on my reading there are the following ideas so far:

• Using regex based matching. Regex based match is also supported in VirtualService so it sounds natural to also add support for it in AuthorizationPolicy. This was discussed as not ideal because using regex matching comes with a cost of performance and also a security risk in terms of badly crafted expressions. ref: Support regex for ServiceRole spec.rules.paths #16585 (comment)
• Using "glob" based matching style. Looks like most of the use cases can be implemented using a simpler matching style than regex-based. By using a path pattern as it is already common practice in a lot of technologies. The example from above would look like the following /orders/{orderId}/line-items. The placeholder {orderId} can be anything except /. This perfectly supports the REST API design mentioned earlier. see also: Support regex for ServiceRole spec.rules.paths #16585 (comment)

Personally, I would suggest that we don't even need the named placeholders. A simple /orders/{}/line-items should do the trick.

Alternatives

Well, not much. One of the alternatives is OPA. But this is like really another dimension when it comes to authorization and overkill for most use cases. For the brave, here's the howto: https://www.openpolicyagent.org/docs/latest/envoy-tutorial-istio/

Affected product areas

[ ] Ambient
[ ] Docs
[ ] Dual Stack
[ ] Installation
[ ] Networking
[X] Performance and Scalability
[ ] Extensions and Telemetry
[X] Security
[ ] Test and Release
[X] User Experience
[ ] Developer Infrastructure

Questions to be answered

• Is this a valid feature that should be prioritized?
• Optional: is there any ETA that can be shared?

[dmitriy-kharchenko]

+1 (may be more)

[keithmattix]

/cc @jaellio

[taitasu555]

+1

[jlbujeda-alerce]

+1

[keithmattix]

I believe this is already supported https://istio.io/latest/news/releases/1.22.x/announcing-1.22/#path-templating-in-authorization-policy

[howardjohn]

This has been implemented!