specify value for "spec.subjects.properties.version" doesn't work as expected in ServiceRoleBinding #6012

Closed
morvencao opened this issue Jun 4, 2018 · 16 comments · Fixed by #6156

morvencao commented Jun 4, 2018

env:

ubuntu: 16.04
istio version: istio-0.8.0
kubernetes version: v1.10.0

Reproduce steps

  1. Download and install istio-0.8.0 with mTLS:
curl -L https://git.io/getLatestIstio | sh -
cd istio-0.8.0/
export PATH=$PWD/bin:$PATH
kubectl apply -f install/kubernetes/istio-demo-auth.yaml
  2. Try out the Istio RBAC with the Bookinfo sample at: https://istio.io/docs/tasks/security/role-based-access-control/
    In the last step, I would like to see only “red” ratings in the “Book Reviews” section, so I specify that only the “reviews” service at version “v3” can access the “ratings” service, following the doc, by updating the bind-ratings ServiceRoleBinding with:
apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: bind-ratings
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/bookinfo-reviews"
    properties:
      version: "v3"
  roleRef:
    kind: ServiceRole
    name: "ratings-viewer"

Point the browser to the Bookinfo productpage (http://$GATEWAY_URL/productpage). I still see both the “black” and “red” ratings in the “Book Reviews” section.
The results show that both review v2 and v3 can access ratings service.
Expected: Only “red” ratings in “Book Reviews” section.

/cc @gyliu513

@yangminzhu (Contributor)

Hi Morven, thanks for reporting the issue.
Would you mind also uploading the mixer policy log and the service config (kubectl get all -o yaml)?
And could you confirm whether you can access the productpage after removing all the existing ServiceRoles and ServiceRoleBindings? (This is to confirm the RBAC is working as expected: when no ServiceRole and ServiceRoleBindings are defined, all requests should be denied by default.)

cc @liminw

@morvencao (Member, Author)

@yangminzhu Thanks for the quick reply.
Yes, you're right.
If I remove all existing ServiceRoles and ServiceRoleBindings by

kubectl delete servicerole --all
kubectl delete servicerolebinding --all

The productpage cannot be accessed; I get PERMISSION_DENIED:handler.rbac.istio-system:RBAC: permission denied.

My problem is that the following ServiceRoleBinding works as expected (both “black” and “red” ratings appear in the “Book Reviews” section):

apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: bind-ratings
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/bookinfo-reviews"
  roleRef:
    kind: ServiceRole
    name: "ratings-viewer"

While this one does not (I'd like to see only “red” ratings in the “Book Reviews” section):

apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: bind-ratings
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/bookinfo-reviews"
    properties:
      version: "v3"
  roleRef:
    kind: ServiceRole
    name: "ratings-viewer"

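The two bindings above differ only in the `properties` map, so it helps to spell out the selection semantics a reader should expect from them. The Python model below is an added example, not code from Istio or from anyone in this thread. It assumes that a subject's `user` is compared with the caller's `source.user` identity, that each key in `properties` (here `version`) is compared with the caller's pod label of the same name (the way the demo `authorization` instance maps it; an assumption of this example), that every selector inside one subject must match, that any one subject in the list suffices, and that a missing attribute never satisfies a property. It goes beyond the thread by checking all three reviews versions plus a caller with the right label but a different service account. The `honour_properties=False` switch only shows what an evaluator that looked at `user` alone would decide, which is the symptom reported above; it is not a claim about the actual cause in Istio 0.8.

```python
"""Added example (not Istio code): a model of how a ServiceRoleBinding subject
is expected to select a caller, used to compare the two bindings from this
thread. Assumptions (also stated in the lead-in): `user` is matched against
source.user; each key in `properties` is matched against the caller's pod
label of that name (the demo config is assumed to map `version` that way);
all selectors of one subject must match (AND); any subject in the list
suffices (OR); a missing attribute never satisfies a property (fail closed).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Source:
    """Caller attributes as Mixer would see them (constructed for this example)."""
    user: str                 # source.user: service-account identity of the caller
    labels: Dict[str, str]    # source.labels: pod labels of the caller


def subject_matches(subject: dict, src: Source, honour_properties: bool = True) -> bool:
    """True if `src` satisfies every selector of one spec.subjects entry.

    `honour_properties=False` skips the properties map on purpose: it shows
    what an evaluator that only looked at `user` would decide (the symptom in
    the thread) and is not a claim about how Istio 0.8 is implemented.
    """
    user = subject.get("user")
    props: Dict[str, str] = subject.get("properties") or {}
    if user is None and not props:
        return False                  # an empty subject selects nobody
    if user is not None and user != "*" and user != src.user:
        return False
    if honour_properties:
        for key, wanted in props.items():
            if src.labels.get(key) != wanted:   # absent label -> None -> mismatch
                return False
    return True


def binding_allows(binding: dict, src: Source, honour_properties: bool = True) -> bool:
    """A binding grants its roleRef to `src` if ANY of its subjects matches."""
    return any(subject_matches(s, src, honour_properties)
               for s in binding["spec"]["subjects"])


def allowed_versions(binding: dict, callers: List[Source],
                     honour_properties: bool = True) -> List[str]:
    """Versions (from the `version` label) of the callers a binding admits."""
    return sorted(c.labels["version"] for c in callers
                  if binding_allows(binding, c, honour_properties))


# The two bindings quoted in the thread, reduced to what subject matching uses.
REVIEWS_SA = "cluster.local/ns/default/sa/bookinfo-reviews"
BIND_ANY_VERSION = {"spec": {"subjects": [{"user": REVIEWS_SA}]}}
BIND_V3_ONLY = {"spec": {"subjects": [{"user": REVIEWS_SA,
                                        "properties": {"version": "v3"}}]}}

# Constructed callers: Bookinfo's three reviews deployments run under the same
# service account and differ only in their `version` label.
REVIEWS_PODS = [Source(REVIEWS_SA, {"app": "reviews", "version": v})
                for v in ("v1", "v2", "v3")]
# Right label, wrong identity: must never be admitted by either binding.
IMPOSTOR = Source("cluster.local/ns/default/sa/default",
                  {"app": "reviews", "version": "v3"})

if __name__ == "__main__":
    print("user only          ->", allowed_versions(BIND_ANY_VERSION, REVIEWS_PODS))
    print("user + version=v3  ->", allowed_versions(BIND_V3_ONLY, REVIEWS_PODS))
    print("properties ignored ->", allowed_versions(BIND_V3_ONLY, REVIEWS_PODS, False))
    print("impostor admitted? ->", binding_allows(BIND_V3_ONLY, IMPOSTOR))
```

Under these semantics the user-only binding admits every reviews version, the `version: v3` binding admits only v3, and an evaluator that ignored `properties` would admit all of them again, which is exactly the "both v2 and v3 can access ratings" result described in the thread. The impostor case is the reason `user` should stay in the subject even when a label would do: labels are set by whoever deploys the pod, the service-account identity is what mTLS actually authenticates.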
@morvencao (Member, Author)

No error messages in the mixer log:

root@master:~/istio-0.8.0# kubectl -n istio-system logs -f istio-policy-64595c6fff-9rzh8 -c mixer
Mixer started with
MaxMessageSize: 1048576
MaxConcurrentStreams: 1024
APIWorkerPoolSize: 1024
AdapterWorkerPoolSize: 1024
APIPort: 9091
APIAddress: tcp://127.0.0.1:9092
MonitoringPort: 9093
EnableProfiling: true
SingleThreaded: false
ConfigStoreURL: k8s://
ConfigDefaultNamespace: istio-system
ConfigIdentityAttribute: destination.service
ConfigIdentityAttributeDomain: svc.cluster.local
LoggingOptions: log.Options{OutputPaths:[]string{"stdout"}, ErrorOutputPaths:[]string{"stderr"}, RotateOutputPath:"", RotationMaxSize:104857600, RotationMaxAge:30, RotationMaxBackups:1000, JSONEncoding:false, LogGrpc:true, outputLevels:"default:info", logCallers:"", stackTraceLevels:"default:none"}
TracingOptions: tracing.Options{ZipkinURL:"http://zipkin:9411/api/v1/spans", JaegerURL:"", LogTraceSpans:false}
IntrospectionOptions: ctrlz.Options{Port:0x2694, Address:"127.0.0.1"}

2018-06-05T14:15:41.360855Z	warn	Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
2018-06-05T14:15:41.361159Z	info	Built new config.Snapshot: id='0'
2018-06-05T14:15:41.361195Z	info	Built new config.Snapshot: id='1'
2018-06-05T14:15:41.361231Z	info	Cleaning up handler table, with config ID:-1
2018-06-05T14:16:11.859527Z	info	Built new config.Snapshot: id='2'
2018-06-05T14:16:11.859838Z	info	adapters	getting kubeconfig from: ""	{"adapter": "handler.kubernetesenv.istio-system"}
2018-06-05T14:16:11.859857Z	warn	Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
2018-06-05T14:16:11.860890Z	info	adapters	Waiting for kubernetes cache sync...	{"adapter": "handler.kubernetesenv.istio-system"}
2018-06-05T14:16:11.961047Z	info	adapters	Cache sync successful.	{"adapter": "handler.kubernetesenv.istio-system"}
2018-06-05T14:16:11.962726Z	info	Cleaning up handler table, with config ID:1
Istio Mixer: root@48d5ddfd72da-docker.io/istio-0.8.0-6f9f420f0c7119ff4fa6a1966a6f6d89b1b4db84-Clean
Starting gRPC server on port 9091
2018-06-05T14:16:11.963147Z	info	adapters	serving prometheus metrics on 42422	{"adapter": "handler.prometheus.istio-system"}
2018-06-05T14:16:11.964927Z	info	ControlZ available at 10.1.27.174:9876
2018-06-05T14:22:53.718715Z	info	Publishing 3 events
2018-06-05T14:22:53.718983Z	info	Built new config.Snapshot: id='3'
2018-06-05T14:22:53.719596Z	info	adapters	getting kubeconfig from: ""	{"adapter": "handler.kubernetesenv.istio-system"}
2018-06-05T14:22:53.719755Z	warn	Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
2018-06-05T14:22:53.722082Z	info	adapters	Waiting for kubernetes cache sync...	{"adapter": "handler.kubernetesenv.istio-system"}
2018-06-05T14:22:53.822356Z	info	adapters	Cache sync successful.	{"adapter": "handler.kubernetesenv.istio-system"}
2018-06-05T14:22:53.822801Z	warn	Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
2018-06-05T14:22:53.830749Z	info	Cleaning up handler table, with config ID:2
2018-06-05T14:22:53.830898Z	error	adapters	adapter did not close all the scheduled daemons	{"adapter": "handler.kubernetesenv.istio-system"}
2018-06-05T14:22:53.830999Z	error	adapters	adapter did not close all the scheduled daemons	{"adapter": "handler.prometheus.istio-system"}
2018-06-05T14:24:20.233053Z	info	adapters	Publishing 2 events	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:20.233152Z	info	adapters	Role namespace: default, name: service-viewer, spec: rules:<services:"*" methods:"GET" constraints:<key:"app" values:"productpage" values:"details" values:"reviews" values:"ratings" > > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:20.233199Z	info	adapters	RoleBinding: bind-service-viewer for role service-viewer, Spec: subjects:<properties:<key:"namespace" value:"default" > > subjects:<properties:<key:"namespace" value:"istio-system" > > roleRef:<kind:"ServiceRole" name:"service-viewer" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:26.700211Z	info	adapters	Checking role: service-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:26.700517Z	info	adapters	Checking rule: services [*], path [], method [GET], constraints [key:"app" values:"productpage" values:"details" values:"reviews" values:"ratings" ]	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:26.700595Z	info	adapters	role service-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:26.706286Z	info	adapters	Checking role: service-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:26.706432Z	info	adapters	Checking rule: services [*], path [], method [GET], constraints [key:"app" values:"productpage" values:"details" values:"reviews" values:"ratings" ]	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:26.706505Z	info	adapters	role service-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:26.714642Z	info	adapters	Checking role: service-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:26.714844Z	info	adapters	Checking rule: services [*], path [], method [GET], constraints [key:"app" values:"productpage" values:"details" values:"reviews" values:"ratings" ]	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:26.714885Z	info	adapters	role service-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:26.749080Z	info	adapters	Checking role: service-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:26.749152Z	info	adapters	Checking rule: services [*], path [], method [GET], constraints [key:"app" values:"productpage" values:"details" values:"reviews" values:"ratings" ]	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:26.749159Z	info	adapters	role service-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:27.528172Z	info	adapters	Checking role: service-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:27.528377Z	info	adapters	Checking rule: services [*], path [], method [GET], constraints [key:"app" values:"productpage" values:"details" values:"reviews" values:"ratings" ]	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:27.528508Z	info	adapters	role service-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:27.569941Z	info	adapters	Checking role: service-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:27.570204Z	info	adapters	Checking rule: services [*], path [], method [GET], constraints [key:"app" values:"productpage" values:"details" values:"reviews" values:"ratings" ]	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:27.570294Z	info	adapters	role service-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:28.121972Z	info	adapters	Checking role: service-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:28.122173Z	info	adapters	Checking rule: services [*], path [], method [GET], constraints [key:"app" values:"productpage" values:"details" values:"reviews" values:"ratings" ]	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:28.122180Z	info	adapters	role service-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:28.605195Z	info	adapters	Checking role: service-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:28.605432Z	info	adapters	Checking rule: services [*], path [], method [GET], constraints [key:"app" values:"productpage" values:"details" values:"reviews" values:"ratings" ]	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:28.605522Z	info	adapters	role service-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:24:43.443269Z	info	adapters	Publishing 2 events	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:18.788682Z	info	adapters	Publishing 2 events	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:18.788772Z	info	adapters	Role namespace: default, name: productpage-viewer, spec: rules:<services:"productpage.default.svc.cluster.local" methods:"GET" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:18.788821Z	info	adapters	RoleBinding: bind-productpage-viewer for role productpage-viewer, Spec: subjects:<user:"*" > roleRef:<kind:"ServiceRole" name:"productpage-viewer" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:24.247295Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:24.247340Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:24.247359Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:25.803370Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:25.803417Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:25.803423Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:25.839825Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:25.839874Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:25.839879Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:26.419000Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:26.419051Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:26.419057Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:26.944934Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:26.945125Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:26.945219Z	info	adapters	role productpage-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:26.961291Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:26.961532Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:26.961612Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:28.753389Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:28.753623Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:28.753685Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:28.758985Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:28.759015Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:28.759020Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:30.616175Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:30.616218Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:30.616223Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:31.335464Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:31.335515Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:25:31.335520Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:20.872322Z	info	adapters	Publishing 2 events	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:20.872372Z	info	adapters	Role namespace: default, name: productpage-viewer, spec: rules:<services:"productpage.default.svc.cluster.local" methods:"GET" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:20.872481Z	info	adapters	Role namespace: default, name: details-reviews-viewer, spec: rules:<services:"details.default.svc.cluster.local" services:"reviews.default.svc.cluster.local" methods:"GET" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:20.872504Z	info	adapters	RoleBinding: bind-details-reviews for role details-reviews-viewer, Spec: subjects:<user:"cluster.local/ns/default/sa/bookinfo-productpage" > roleRef:<kind:"ServiceRole" name:"details-reviews-viewer" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:20.872519Z	info	adapters	RoleBinding: bind-productpage-viewer for role productpage-viewer, Spec: subjects:<user:"*" > roleRef:<kind:"ServiceRole" name:"productpage-viewer" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.242294Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.242347Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.242353Z	info	adapters	role productpage-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.251725Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.251963Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.252030Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.252119Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.252185Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.252291Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.936137Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.936479Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.936556Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.936641Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.936734Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.936837Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.961971Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.962282Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.962348Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.962463Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.962605Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:27.962656Z	info	adapters	role details-reviews-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.197994Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.198268Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.198334Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.198358Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.198393Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.198426Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.206605Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.206939Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.206998Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.207027Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.207068Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.207104Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.857572Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.857788Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.857847Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.857878Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.857922Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:29.857960Z	info	adapters	role details-reviews-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:30.406441Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:30.406499Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:30.406504Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:30.406508Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:30.406514Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:30.406518Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:30.447580Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:30.447631Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:30.447636Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:30.447640Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:30.447646Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:30.447650Z	info	adapters	role details-reviews-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:32.336201Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:32.336300Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:32.336306Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:32.343553Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:32.343580Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:32.343585Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:32.343588Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:32.343592Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:32.343596Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:33.739344Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:33.739487Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:33.739531Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:33.739560Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:33.739585Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:33.739603Z	info	adapters	role details-reviews-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:34.094208Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:34.094477Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:34.094557Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:34.094673Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:34.094771Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:26:34.094897Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:29.095363Z	info	adapters	Publishing 2 events	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:29.095466Z	info	adapters	Role namespace: default, name: productpage-viewer, spec: rules:<services:"productpage.default.svc.cluster.local" methods:"GET" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:29.095528Z	info	adapters	Role namespace: default, name: details-reviews-viewer, spec: rules:<services:"details.default.svc.cluster.local" services:"reviews.default.svc.cluster.local" methods:"GET" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:29.095571Z	info	adapters	Role namespace: default, name: ratings-viewer, spec: rules:<services:"ratings.default.svc.cluster.local" methods:"GET" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:29.095627Z	info	adapters	RoleBinding: bind-ratings for role ratings-viewer, Spec: subjects:<user:"cluster.local/ns/default/sa/bookinfo-reviews" > roleRef:<kind:"ServiceRole" name:"ratings-viewer" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:29.095671Z	info	adapters	RoleBinding: bind-productpage-viewer for role productpage-viewer, Spec: subjects:<user:"*" > roleRef:<kind:"ServiceRole" name:"productpage-viewer" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:29.095808Z	info	adapters	RoleBinding: bind-details-reviews for role details-reviews-viewer, Spec: subjects:<user:"cluster.local/ns/default/sa/bookinfo-productpage" > roleRef:<kind:"ServiceRole" name:"details-reviews-viewer" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.002567Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.002707Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.002792Z	info	adapters	role productpage-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.008302Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.008583Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.008724Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.008785Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.008864Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.008912Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.017710Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.017856Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.017939Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.589089Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.589261Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.589410Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.623808Z	info	adapters	Checking role: ratings-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.624033Z	info	adapters	Checking rule: services [ratings.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:32.624071Z	info	adapters	role ratings-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.034807Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.034968Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.035104Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.035138Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.035196Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.035229Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.109107Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.109430Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.109531Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.109642Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.109742Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.109777Z	info	adapters	role details-reviews-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.109834Z	info	adapters	Checking role: ratings-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.109864Z	info	adapters	Checking rule: services [ratings.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:33.109918Z	info	adapters	role ratings-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:34.341999Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:34.342046Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:34.342065Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:36.009294Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:36.009453Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:36.009505Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:36.009539Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:36.009584Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:27:36.009627Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:28:53.325844Z	info	adapters	Publishing 2 events	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:28:53.326031Z	info	adapters	Role namespace: default, name: productpage-viewer, spec: rules:<services:"productpage.default.svc.cluster.local" methods:"GET" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:28:53.326145Z	info	adapters	Role namespace: default, name: details-reviews-viewer, spec: rules:<services:"details.default.svc.cluster.local" services:"reviews.default.svc.cluster.local" methods:"GET" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:28:53.326240Z	info	adapters	RoleBinding: bind-productpage-viewer for role productpage-viewer, Spec: subjects:<user:"*" > roleRef:<kind:"ServiceRole" name:"productpage-viewer" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:28:53.326450Z	info	adapters	RoleBinding: bind-details-reviews for role details-reviews-viewer, Spec: subjects:<user:"cluster.local/ns/default/sa/bookinfo-productpage" > roleRef:<kind:"ServiceRole" name:"details-reviews-viewer" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:28:59.574302Z	info	adapters	Publishing 2 events	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:28:59.574869Z	info	adapters	Role namespace: default, name: productpage-viewer, spec: rules:<services:"productpage.default.svc.cluster.local" methods:"GET" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:28:59.574881Z	info	adapters	Role namespace: default, name: details-reviews-viewer, spec: rules:<services:"details.default.svc.cluster.local" services:"reviews.default.svc.cluster.local" methods:"GET" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:28:59.574889Z	info	adapters	Role namespace: default, name: ratings-viewer, spec: rules:<services:"ratings.default.svc.cluster.local" methods:"GET" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:28:59.574904Z	info	adapters	RoleBinding: bind-productpage-viewer for role productpage-viewer, Spec: subjects:<user:"*" > roleRef:<kind:"ServiceRole" name:"productpage-viewer" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:28:59.574915Z	info	adapters	RoleBinding: bind-details-reviews for role details-reviews-viewer, Spec: subjects:<user:"cluster.local/ns/default/sa/bookinfo-productpage" > roleRef:<kind:"ServiceRole" name:"details-reviews-viewer" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:28:59.574927Z	info	adapters	RoleBinding: bind-ratings for role ratings-viewer, Spec: subjects:<user:"cluster.local/ns/default/sa/bookinfo-reviews" properties:<key:"version" value:"v3" > > roleRef:<kind:"ServiceRole" name:"ratings-viewer" > 	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.488144Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.488365Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.488413Z	info	adapters	role productpage-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.493827Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.493905Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.493986Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.494069Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.494120Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.494192Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.501037Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.501064Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.501069Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.501072Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.501213Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:03.501223Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.080305Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.080594Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.080690Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.080852Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.080968Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.081047Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.088421Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.088598Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.088685Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.088798Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.088899Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.088984Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.110151Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.110188Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.110193Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.110197Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.110203Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.110207Z	info	adapters	role details-reviews-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.110212Z	info	adapters	Checking role: ratings-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.110217Z	info	adapters	Checking rule: services [ratings.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.110221Z	info	adapters	role ratings-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.632320Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.632524Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:04.632654Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.135226Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.135449Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.135682Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.135762Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.135882Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.135938Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.157385Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.157557Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.157720Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.157805Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.157877Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.157966Z	info	adapters	role details-reviews-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.158058Z	info	adapters	Checking role: ratings-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.158149Z	info	adapters	Checking rule: services [ratings.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:05.158230Z	info	adapters	role ratings-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:07.966877Z	info	adapters	Checking role: ratings-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:07.967108Z	info	adapters	Checking rule: services [ratings.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:07.967203Z	info	adapters	role ratings-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:07.967316Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:07.967431Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:07.967520Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:07.967601Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:07.967686Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:07.967796Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:08.512904Z	info	adapters	Checking role: productpage-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:08.512965Z	info	adapters	Checking rule: services [productpage.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:08.512971Z	info	adapters	role productpage-viewer is not eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:08.512975Z	info	adapters	Checking role: details-reviews-viewer	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:08.512981Z	info	adapters	Checking rule: services [details.default.svc.cluster.local reviews.default.svc.cluster.local], path [], method [GET], constraints []	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:29:08.512985Z	info	adapters	role details-reviews-viewer is eligible	{"adapter": "handler.rbac.istio-system"}
2018-06-05T14:31:43.495786Z	info	adapters	Publishing 6 events	{"adapter": "handler.rbac.istio-system"}

@yangminzhu
Contributor

yangminzhu commented Jun 6, 2018

So the RBAC seems to be enabled correctly. Could you run the following command to get the authorization template: kubectl -n istio-system get authorization -o yaml, and this command to get the pods with their version label: kubectl get pod -L version.
Also, what's the output when you're using the second ServiceRoleBinding with version=v3? Are all the ratings gone?

It might be that the version label is incorrectly configured in the authorization template or on the pods.

@morvencao
Member Author

morvencao commented Jun 6, 2018

The version label seems to be correct:

root@master:~/istio-0.8.0# kubectl -n istio-system get authorization -o yaml
apiVersion: v1
items:
- apiVersion: config.istio.io/v1alpha2
  kind: authorization
  metadata:
    clusterName: ""
    creationTimestamp: 2018-06-06T02:03:48Z
    generation: 1
    name: requestcontext
    namespace: istio-system
    resourceVersion: "689527"
    selfLink: /apis/config.istio.io/v1alpha2/namespaces/istio-system/authorizations/requestcontext
    uid: da2df8ce-692d-11e8-9a19-fa163e5c9799
  spec:
    action:
      method: request.method | ""
      namespace: destination.namespace | ""
      path: request.path | ""
      properties:
        app: destination.labels["app"] | ""
        version: destination.labels["version"] | ""
      service: destination.service | ""
    subject:
      groups: ""
      properties:
        app: source.labels["app"] | ""
        namespace: source.namespace | ""
        version: source.labels["version"] | ""
      user: source.user | ""
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
root@master:~/istio-0.8.0# kubectl get pod -L version
NAME                              READY     STATUS    RESTARTS   AGE       VERSION
details-v1-5cf7bb9697-c66x8       2/2       Running   0          7m        v1
productpage-v1-75889dcfdd-kkgxk   2/2       Running   0          4m        v1
ratings-v1-7fc6954565-5lfjw       2/2       Running   0          7m        v1
reviews-v1-7c5b7cf587-8j4xg       2/2       Running   0          7m        v1
reviews-v2-cf998c7b9-jrp5s        2/2       Running   0          4m        v2
reviews-v3-774449d78f-lmhnq       2/2       Running   0          4m        v3

After I specify the version: "v3" constraint, I can still see that both reviews v2 and reviews v3 can access the ratings service.

@morvencao
Member Author

@yangminzhu Are the conditions defined in spec.subjects for a ServiceRoleBinding in an OR relationship?
I have reviewed the doc for ServiceRoleBinding at https://istio.io/docs/concepts/security/rbac/#servicerolebinding and it looks like the answer is yes. If that's the case, the ServiceRoleBinding definition and the result are both right.

@yangminzhu
Contributor

yangminzhu commented Jun 6, 2018

Yes, the subjects in ServiceRoleBinding are evaluated with an OR relationship.

So I suggest turning on the Mixer debug logging to get more information. You could edit the istio-policy deployment to add --log_output_level default:debug to the command-line arguments of the mixer container config; this should enable the debug output of Mixer. Then access the productpage several times after istio-policy has finished restarting to get the new logs.

It seems everything is configured correctly. I also tried your use case on Istio-0.8 this afternoon and it's working as expected for me.

@morvencao
Member Author

morvencao commented Jun 6, 2018

Yes, the subjects in ServiceRoleBinding are evaluated with OR relationship.

I think this is a doc issue; you can check it out here:
https://istio.io/docs/tasks/security/role-based-access-control/#step-3-allowing-reviews-service-to-access-ratings-service

I have defined the ServiceAccount bookinfo-reviews for both reviews v2 and reviews v3, so is the version: "v3" useless?

At the end of this section, it mentions:

If you would like to only see “red” ratings in “Book Reviews” section, you can do that by specifying that only “reviews” service at version “v3” can access “ratings” service.

apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: bind-ratings
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/bookinfo-reviews"
    properties:
      version: "v3"
  roleRef:
    kind: ServiceRole
    name: "ratings-viewer"

@yangminzhu
Contributor

yangminzhu commented Jun 6, 2018

Sorry if my last reply misled you. subjects is an array; what I actually mean is that the subjects in the array are OR'd together, while the fields inside a single subject are AND'd.
So for the following ServiceRoleBinding:

apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: bind-ratings
  namespace: default
spec:
  subjects:
  - user: "userA"
    properties:
       version: "v3"
  - user: "userB"
    properties:
       version: "v2"
  roleRef:
    kind: ServiceRole
    name: "ratings-viewer"

The semantics are that it grants access to {userA and version=v3} OR {userB and version=v2}.

The expected behavior with your ServiceRoleBinding should be that only bookinfo-reviews with version=v3 is allowed access.

Could you also run kubectl get serviceroles,servicerolebindings -o yaml and post the output here? I just want to make sure there are no other rules affecting the result.

@morvencao
Member Author

morvencao commented Jun 6, 2018

All ServiceRole and ServiceRoleBinding:

root@master:~/istio-0.8.0# kubectl get serviceroles,servicerolebindings -o yaml
apiVersion: v1
items:
- apiVersion: config.istio.io/v1alpha2
  kind: ServiceRole
  metadata:
    clusterName: ""
    creationTimestamp: 2018-06-06T04:49:01Z
    generation: 1
    name: details-reviews-viewer
    namespace: default
    resourceVersion: "741214"
    selfLink: /apis/config.istio.io/v1alpha2/namespaces/default/serviceroles/details-reviews-viewer
    uid: eea906e1-6944-11e8-9a19-fa163e5c9799
  spec:
    rules:
    - methods:
      - GET
      services:
      - details.default.svc.cluster.local
      - reviews.default.svc.cluster.local
- apiVersion: config.istio.io/v1alpha2
  kind: ServiceRole
  metadata:
    clusterName: ""
    creationTimestamp: 2018-06-06T04:47:56Z
    generation: 1
    name: productpage-viewer
    namespace: default
    resourceVersion: "741049"
    selfLink: /apis/config.istio.io/v1alpha2/namespaces/default/serviceroles/productpage-viewer
    uid: c7ba92db-6944-11e8-9a19-fa163e5c9799
  spec:
    rules:
    - methods:
      - GET
      services:
      - productpage.default.svc.cluster.local
- apiVersion: config.istio.io/v1alpha2
  kind: ServiceRole
  metadata:
    clusterName: ""
    creationTimestamp: 2018-06-06T04:50:02Z
    generation: 1
    name: ratings-viewer
    namespace: default
    resourceVersion: "741369"
    selfLink: /apis/config.istio.io/v1alpha2/namespaces/default/serviceroles/ratings-viewer
    uid: 12fb1162-6945-11e8-9a19-fa163e5c9799
  spec:
    rules:
    - methods:
      - GET
      services:
      - ratings.default.svc.cluster.local
- apiVersion: config.istio.io/v1alpha2
  kind: ServiceRoleBinding
  metadata:
    clusterName: ""
    creationTimestamp: 2018-06-06T04:49:01Z
    generation: 1
    name: bind-details-reviews
    namespace: default
    resourceVersion: "741215"
    selfLink: /apis/config.istio.io/v1alpha2/namespaces/default/servicerolebindings/bind-details-reviews
    uid: eea9debc-6944-11e8-9a19-fa163e5c9799
  spec:
    roleRef:
      kind: ServiceRole
      name: details-reviews-viewer
    subjects:
    - user: cluster.local/ns/default/sa/bookinfo-productpage
- apiVersion: config.istio.io/v1alpha2
  kind: ServiceRoleBinding
  metadata:
    clusterName: ""
    creationTimestamp: 2018-06-06T04:47:56Z
    generation: 1
    name: bind-productpage-viewer
    namespace: default
    resourceVersion: "741050"
    selfLink: /apis/config.istio.io/v1alpha2/namespaces/default/servicerolebindings/bind-productpage-viewer
    uid: c7bb6a86-6944-11e8-9a19-fa163e5c9799
  spec:
    roleRef:
      kind: ServiceRole
      name: productpage-viewer
    subjects:
    - user: '*'
- apiVersion: config.istio.io/v1alpha2
  kind: ServiceRoleBinding
  metadata:
    clusterName: ""
    creationTimestamp: 2018-06-06T04:50:02Z
    generation: 1
    name: bind-ratings
    namespace: default
    resourceVersion: "741370"
    selfLink: /apis/config.istio.io/v1alpha2/namespaces/default/servicerolebindings/bind-ratings
    uid: 12fbf115-6945-11e8-9a19-fa163e5c9799
  spec:
    roleRef:
      kind: ServiceRole
      name: ratings-viewer
    subjects:
    - properties:
        version: v3
      user: cluster.local/ns/default/sa/bookinfo-reviews
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

BTW, I have enabled the debug flag for istio-policy; it produces quite a lot of logs. Maybe I can filter the important info for you with grep. What's your suggestion?

@morvencao
Member Author

morvencao commented Jun 6, 2018

@yangminzhu istio-policy logs with debug flag:
istio-policy.log

@yangminzhu
Contributor

The logs don't seem to include the information from when the request is happening; could you try again? If you look at your previous Mixer logs, they contain a lot of adapters logs which are missing in your new log. I'm also expecting to see the attributes for each request logged, which are also missing.

Last, I feel this round trip is not very efficient; how about we have a short video conference to discuss it?

@morvencao
Member Author

What about this one? Because the whole log file is too large, I have cut off the head part.
istio-policy.log

It's OK for me to have a conference, but my time zone is different from yours. Anyway, please check the logs first.

@gyliu513
Member

gyliu513 commented Jun 8, 2018

@yangminzhu you will hit the issue when you get to the last step of https://istio.io/docs/tasks/security/role-based-access-control/#enabling-istio-rbac, after configuring the ServiceRoleBinding as follows for reviews-v3.

apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: bind-ratings
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/bookinfo-reviews"
    properties:
      version: "v3"
  roleRef:
    kind: ServiceRole
    name: "ratings-viewer"

@liminw
Contributor

liminw commented Jun 11, 2018

@morvencao I looked at the istio-policy.log you provided. It seems that the value of the source.labels attribute is "unknown". If this is true, there may be a bug in Pilot/proxy in distributing the labels. I will see if I can reproduce it in my environment.

@yangminzhu
Contributor

@morvencao @gyliu513
I think I have found the root cause here: it's actually a bug that incorrectly evaluated the user/group/properties in a subject with an OR relationship. I'll send out a fix soon and try to make it into the 0.8.1 release.

In my previous test, I only included version: "v3" in my binding config, which won't trigger the bug. To work around this, you could include only properties in a subject, like this:

apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: bind-ratings
  namespace: default
spec:
  subjects:
  - properties:
      app: reviews
      version: "v3"
  roleRef:
    kind: ServiceRole
    name: "ratings-viewer"

Thanks for reporting this and sorry for the trouble.
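
The two subject-matching semantics discussed in this thread, side by side, as an added example (not code from the issue, the Istio project, or any participant). It implements the intended evaluation (OR across the subjects array, AND across the user/group/properties fields inside one subject) next to an assumed model of the bug as described above (a matching user or group grants access on its own, so the properties constraint is never reached); the exact Mixer code path is not on this page. The fixtures are the bind-ratings binding from the task doc, the properties-only workaround, and callers built from the bookinfo service accounts and version labels that the authorization template above maps into subject.user and subject.properties. The point for a practitioner is the negative case: the doc binding only looks correct if you also verify that reviews v2 is denied.

```go
package main

import "fmt"

// Subject is one entry of spec.subjects in a ServiceRoleBinding.
type Subject struct {
	User       string
	Group      string
	Properties map[string]string
}

// Binding is the part of a ServiceRoleBinding the matcher needs.
type Binding struct {
	Name     string
	Subjects []Subject
}

// Caller holds the request attributes the authorization template maps into
// the subject: source.user plus source.labels / source.namespace.
type Caller struct {
	User       string
	Group      string
	Properties map[string]string
}

// eq matches a subject field against a caller value, honouring the "*" wildcard.
func eq(want, have string) bool { return want == "*" || want == have }

// propertiesMatch requires every key listed on the subject to equal the caller's value.
func propertiesMatch(want, have map[string]string) bool {
	for k, v := range want {
		if have[k] != v {
			return false
		}
	}
	return true
}

// subjectMatchesAND is the intended semantics: every field set on the subject must hold.
func subjectMatchesAND(s Subject, c Caller) bool {
	if s.User != "" && !eq(s.User, c.User) {
		return false
	}
	if s.Group != "" && !eq(s.Group, c.Group) {
		return false
	}
	return propertiesMatch(s.Properties, c.Properties)
}

// subjectMatchesOR is an assumed model of the bug described in the thread:
// a matching user or group short-circuits to allow before properties are checked.
func subjectMatchesOR(s Subject, c Caller) bool {
	if s.User != "" && eq(s.User, c.User) {
		return true
	}
	if s.Group != "" && eq(s.Group, c.Group) {
		return true
	}
	return len(s.Properties) > 0 && propertiesMatch(s.Properties, c.Properties)
}

// Allowed ORs across the subjects array; buggy selects the per-subject matcher.
func Allowed(b Binding, c Caller, buggy bool) bool {
	match := subjectMatchesAND
	if buggy {
		match = subjectMatchesOR
	}
	for _, s := range b.Subjects {
		if match(s, c) {
			return true
		}
	}
	return false
}

// Fixtures taken from the YAML posted in this thread.
const reviewsSA = "cluster.local/ns/default/sa/bookinfo-reviews"

var BindRatingsDoc = Binding{Name: "bind-ratings (doc)", Subjects: []Subject{
	{User: reviewsSA, Properties: map[string]string{"version": "v3"}}}}

var BindRatingsWorkaround = Binding{Name: "bind-ratings (workaround)", Subjects: []Subject{
	{Properties: map[string]string{"app": "reviews", "version": "v3"}}}}

// caller builds the subject attributes for a pod with the given SA, app and version label.
func caller(sa, app, version string) Caller {
	return Caller{User: sa, Properties: map[string]string{
		"app": app, "namespace": "default", "version": version}}
}

var (
	ReviewsV2   = caller(reviewsSA, "reviews", "v2")
	ReviewsV3   = caller(reviewsSA, "reviews", "v3")
	Productpage = caller("cluster.local/ns/default/sa/bookinfo-productpage", "productpage", "v1")
)

func main() {
	for _, b := range []Binding{BindRatingsDoc, BindRatingsWorkaround} {
		for _, c := range []Caller{ReviewsV2, ReviewsV3, Productpage} {
			fmt.Printf("%-26s app=%-11s version=%s  intended=%-5v buggy=%v\n",
				b.Name, c.Properties["app"], c.Properties["version"],
				Allowed(b, c, false), Allowed(b, c, true))
		}
	}
}
```

Running it prints one row per binding and caller. Under the intended semantics the doc binding denies reviews v2; under the OR model the same binding admits it because the service account alone satisfies the subject, which is exactly the symptom reported above. The properties-only workaround denies v2 under both models because there is no user field to short-circuit on, which is why it was suggested as the interim fix.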
