-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
provide Service-to-Service authorization #3342
Comments
I have had a look at the traffic access control part of the SMI spec, as recomended by @grampelberg. The definition is covering my intended use case fine. Since we are looking at using other policy engines like OPA, it would be usefull if the SMI CRDs where not only way to set authz policy. |
It would be nice to support external authorization that works similar to envoy's external authorization filter. This is useful when you run OPA as an authorization engine in a sidecar. Communication flow:
More details can be found also here |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions. |
Update to the spec doc: https://github.com/servicemeshinterface/smi-spec/tree/master/apis/traffic-access/ |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions. |
I think this one is related to #2746 |
Hmmm... not as originally written, since Network Polices (NP) and client authentication approach restricting access from two different angles. IMHO The former is more like a machine based (think NFS v3) restriction, while the latter identifies different users (human or machine) and assigns permissions. I hope SMI is comming soon, but do not doubt the correctness of @grampelberg's observation on most people only needing NPs |
Is this actually I've been trying to find an issue I can subscribe to for future Access Control work, but so far i've only found #4647 and this one. |
This is planned for stable-2.11 (we're currently working on stable-2.10). This has mostly been blocked on extending mTLS to cover all meshed communication. In 2.9 we added mTLS for most TCP traffic; and 2.10 will extend coverage to include server-first protocols, as well as multicluster routing. The server-first mTLS should merge before the new year. We'll update this issue with llinks to our plans for authorization as they are documented. I'd expect this to move forward in January. |
Awesome news - thank you for the update! |
wow! great stuff! |
@olix0r Is the plan to implement SMI Traffic Access Control, support calling an external authz provider (#2901) or something else? As @cypherfox, @kubaj and others have noted, some of us already have an external authz provider that implements the Envoy External Authorization API (like opa-envoy-plugin) so it would be great if Linkerd could be configured to use it like we can with our ingress controllers. |
Ability for OPA to integrate with something like Okta would be most useful to allow Okta to be the central control plane |
I'm happy to share our initial proposal/prototype for policy in Linkerd: https://github.com/linkerd/polixy/blob/main/DESIGN.md. I'd like to keep discussions about this proposal in the discussions for that repo. TLDR:
These choices have been made so that we can:
And, this plan doesn't preclude other solutions in the future. We're eager for questions and feedback! |
Applications have no way to know whether a request was transported via Linkerd's mTLS and, if it was, what the client's identity was. This change sets the `l5d-client-id` header with the value of the client's identity name. Furthermore, any prior values for this header are stripped from inbound requests so that client identities may not be spoofed. This header is set on all inbound requests over meshed connections. This behavior may be made configurable in the future. Related to linkerd/linkerd2#3342 and linkerd/linkerd2#3756
Linkerd stable-2.11.0 includes support for server authorization policies. |
Feature Request
What problem are you trying to solve?
Eliminating the need for any authentication and authorization in application micro services. As linkerd2 already has fairly strong identity management infrastructure for automatic TLS, it seems a good starting point.
How should the problem be solved?
By having the proxy request authorization (authz) from a service (e.g. an OPA wrapper), caching the for a TTL returned with the authz result.
What do you want to happen? Add any considered drawbacks.
Deny access to the target service if the identity does not comply with a pre-set policy.
For an initial prototype a whitelist of identities per service would be sufficient.
The request to the authz service may cause latency spikes, especially if the service is unavailable.
Any alternatives you've considered?
Building good Authz and Authn code in every micro service. This has never the level of quality that I would aim for.
How would users interact with this feature?
By configuring the authz service. The method and complexity of it would depend on the type of the authz service.
The text was updated successfully, but these errors were encountered: