search

Kuadrant / kuadrant-controller

Apache License 2.0
12 stars 7 forks source link

implement new authpolicy design #166

Closed rahulanand16nov closed 2 years ago

rahulanand16nov commented 2 years ago

155

Verification Steps:

  1. make local-setup
  2. kubectl apply -f examples/toystore/toystore.yaml
  3. kubectl apply -f examples/toystore/httproute.yaml
  4. Configure Authorino
kubectl apply -f -<<EOF
apiVersion: v1
kind: Secret
metadata:
  name: api-kek
  labels:
    authorino.kuadrant.io/managed-by: authorino
    group: friends
stringData:
  api_key: ITSFORDEMO
type: Opaque
EOF
  1. kubectl apply -f config/samples/apim_v1alpha1_authpolicy.yaml 
    
kubectl get authorizationpolicy -A
NAMESPACE         NAME                                       AGE
kuadrant-system   on-kuadrant-gwapi-gateway-using-toystore   9s

kubectl get authconfig -A NAMESPACE NAME READY kuadrant-system ap-default-toystore-1 true

7. `curl -v -XPOST -H 'Authorization: APIKEY ITSFORDEMO' -H 'Host: api.toystore.com' http://localhost:9080/admin/toy` // sweet 200 OK :)
8. `curl -v -XPOST -H 'Authorization: APIKEY WRONG' -H 'Host: api.toystore.com' http://localhost:9080/admin/toy` // 401 unauthorized
9. `kubectl delete -f config/samples/apim_v1alpha1_authpolicy.yaml`

kubectl get authorizationpolicy -n kuadrant-system No resources found in kuadrant-system namespace.



## Next Step

- Target Gateway resource.
- Take hosts from GWAPI resources and limit its configurability.
- Status block for AuthPolicy
rahulanand16nov commented 2 years ago

I wonder in the future whether Istio's EnvoyFilter resource won't be a better fit for us compared to (more limited) AuthorizationPolicy. (Consider, e.g., the use case for host override via context extension.)

We had earlier implemented extAuthz API in the wasm-shim as well, but it was later removed. We can support all the cases with just one wasm module, i.e., pre-auth RL, auth (with context extension), and post-auth RL. Since context extension is per route thing, we come to the same problem of having an ID on the rules to match upon by EnvoyFilter, which to me is a bad UX.

@guicassolato If you think it's something desirable then we can talk about it more during the tech discussion like how will the design of AuthPolicy change to allow users to specify context extensions.