-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improved path pattern matching for AuthorizationPolicy
#47306
Comments
+1 (may be more) |
/cc @jaellio |
+1 |
1 similar comment
+1 |
I believe this is already supported https://istio.io/latest/news/releases/1.22.x/announcing-1.22/#path-templating-in-authorization-policy |
This has been implemented! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
This is an attempt to reboot a topic that was already discussed in few other issues and PRs. This issue aims to provide a summary of the outcome so far. The goal is to understand if this is a valid feature request that will be worked on in a foreseeable time or if the community should rather focus on workarounds.
The problem: the
AuthorizationPolicy
path matchers currently lack support for more advanced pattern matching. As stated in the documentation, only exact, any, prefix and suffix matching is supported. This is not aligned with how REST APIs are usually designed, there is no way to match a path pattern with dynamic parts like an order number, e.g.,GET /orders/123/line-items
.This missing feature was already mentioned and discussed in a few issues and PRs, sharing a potentially incomplete list here:
Ideas
Based on my reading there are the following ideas so far:
VirtualService
so it sounds natural to also add support for it inAuthorizationPolicy
. This was discussed as not ideal because using regex matching comes with a cost of performance and also a security risk in terms of badly crafted expressions. ref: Support regex for ServiceRole spec.rules.paths #16585 (comment)/orders/{orderId}/line-items
. The placeholder{orderId}
can be anything except/
. This perfectly supports the REST API design mentioned earlier. see also: Support regex for ServiceRole spec.rules.paths #16585 (comment)Personally, I would suggest that we don't even need the named placeholders. A simple
/orders/{}/line-items
should do the trick.Alternatives
Well, not much. One of the alternatives is OPA. But this is like really another dimension when it comes to authorization and overkill for most use cases. For the brave, here's the howto: https://www.openpolicyagent.org/docs/latest/envoy-tutorial-istio/
Affected product areas
[ ] Ambient
[ ] Docs
[ ] Dual Stack
[ ] Installation
[ ] Networking
[X] Performance and Scalability
[ ] Extensions and Telemetry
[X] Security
[ ] Test and Release
[X] User Experience
[ ] Developer Infrastructure
Questions to be answered
The text was updated successfully, but these errors were encountered: