External Authorization in OSSM

I was trying out the external authorization techPreview feature in OSSM 2.x. I added the mesh config as specified in https://istio.io/latest/docs/tasks/security/authorization/authz-custom/ to the SMCP yaml, under techPreview.

Independently, I can curl the external authorization server directly:
curl ext-authz.opa-istio.svc.cluster.local:8000 -H 'x-ext-authz: allow' --> [200 OK]
curl ext-authz.opa-istio.svc.cluster.local:8000 --> [403 Forbidden]

This same service is part of my mesh config -->

defaultConfig:
  discoveryAddress: istiod-basic.istio-system.svc:15012
  extensionProviders:
  - envoyExtAuthzGrpc:
      port: "9000"
      service: ext-authz.opa-istio.svc.cluster.local
    name: sample-ext-authz-grpc
  - envoyExtAuthzHttp:
      includeRequestHeadersInCheck:
      - x-ext-authz
      port: "8000"
      service: ext-authz.opa-istio.svc.cluster.local
    name: sample-ext-authz-http
  proxyMetadata:
...
1. I then deployed an httpd web server in a service-mesh namespace with sidecar injection (sidecar.istio.io/inject: 'true').
   I am able to curl the httpd server pages at this stage:
   curl http://httpd-istio-system.apps.pok.brf1.ibm.com/ returns HTML.
2. I then added an authorization policy with CUSTOM action matching the httpd workload and using the extension provider configured in mesh config:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz-httpd
spec:
  selector:
    matchLabels:
      app: httpd
  action: CUSTOM
  provider:
    name: sample-ext-authz-grpc
  rules:
  - to:
    - operation:
        hosts:
        - httpd-istio-system.apps.pok.brf1.ibm.com
        - httpd

But after this auth policy is deployed,
curl http://httpd-istio-system.apps.pok.brf1.ibm.com/ always returns "RBAC: access denied", even if I add the required header:
curl http://httpd-istio-system.apps.pok.brf1.ibm.com/ -H 'x-ext-authz: allow' --> I always get "RBAC: access denied".

Would appreciate any help. Thank you.

https://access.redhat.com/solutions/6992389
https://issues.redhat.com/browse/OSSM-1859

[EDIT] I found the following in the istiod pod's logs:

error   authorization   Processed authorization policy: failed to process CUSTOM action: available providers are [] but found "sample-ext-authz-http"

Seems like the custom providers specified in the techPreview SMCP yaml are not getting activated somehow!
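The istiod message above is what you get when a CUSTOM policy names a provider that is not in the mesh config's top-level extensionProviders list. Istio registers extension providers only from meshConfig.extensionProviders; defaultConfig is the per-proxy ProxyConfig and has no such field, and in the snippet as posted extensionProviders is indented under defaultConfig. The script below is an added example (not code from the post, from Istio or from OSSM) that reproduces istiod's check offline: it takes the mesh config and an AuthorizationPolicy as plain dicts (the JSON form you would get from `oc get smcp -o json` or from the `mesh` key of the rendered istio ConfigMap, and from `oc get authorizationpolicy -o json`), reports CUSTOM policies whose provider istiod would not see, points at any extensionProviders list that is nested where it will be ignored, and produces a corrected mesh config with the providers hoisted to the top level. The sample inputs are constructed from the YAML in the post; the policy's namespace is an assumption.

```python
import json
from typing import Any, Dict, Iterator, List, Tuple

# Constructed from the mesh config in the post (JSON form of the YAML).
# extensionProviders sits under defaultConfig here, as in the posted snippet.
MESH_CONFIG_AS_POSTED: Dict[str, Any] = {
    "defaultConfig": {
        "discoveryAddress": "istiod-basic.istio-system.svc:15012",
        "extensionProviders": [
            {"name": "sample-ext-authz-grpc",
             "envoyExtAuthzGrpc": {"service": "ext-authz.opa-istio.svc.cluster.local",
                                   "port": "9000"}},
            {"name": "sample-ext-authz-http",
             "envoyExtAuthzHttp": {"service": "ext-authz.opa-istio.svc.cluster.local",
                                   "port": "8000",
                                   "includeRequestHeadersInCheck": ["x-ext-authz"]}},
        ],
        "proxyMetadata": {},
    }
}

# Constructed from the AuthorizationPolicy in the post; namespace is assumed.
POLICY: Dict[str, Any] = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "ext-authz-httpd", "namespace": "istio-system"},
    "spec": {
        "selector": {"matchLabels": {"app": "httpd"}},
        "action": "CUSTOM",
        "provider": {"name": "sample-ext-authz-grpc"},
        "rules": [{"to": [{"operation": {
            "hosts": ["httpd-istio-system.apps.pok.brf1.ibm.com", "httpd"]}}]}],
    },
}


def find_provider_lists(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], List[str]]]:
    """Yield (path, provider names) for every extensionProviders list anywhere in the tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "extensionProviders" and isinstance(value, list):
                yield path + (key,), [p.get("name") for p in value if isinstance(p, dict)]
            else:
                yield from find_provider_lists(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_provider_lists(value, path + (str(i),))


def active_providers(mesh_config: Dict[str, Any]) -> List[str]:
    """Names istiod registers: only the top-level meshConfig.extensionProviders."""
    return [p.get("name") for p in mesh_config.get("extensionProviders", []) if isinstance(p, dict)]


def misplaced_providers(mesh_config: Dict[str, Any]) -> List[Tuple[str, List[str]]]:
    """extensionProviders lists nested anywhere other than the top level (ignored by istiod)."""
    return [(".".join(path), names) for path, names in find_provider_lists(mesh_config)
            if path != ("extensionProviders",)]


def check_policy(policy: Dict[str, Any], mesh_config: Dict[str, Any]) -> List[str]:
    """Return findings for a CUSTOM policy, in the spirit of istiod's own log line."""
    findings: List[str] = []
    spec = policy.get("spec", {})
    if spec.get("action") != "CUSTOM":
        return findings  # only CUSTOM policies reference an extension provider
    name = spec.get("provider", {}).get("name")
    active = active_providers(mesh_config)
    if name not in active:
        findings.append(f'policy {policy["metadata"]["name"]}: failed to process CUSTOM action: '
                        f'available providers are {active} but found "{name}"')
        for path, names in misplaced_providers(mesh_config):
            if name in names:
                findings.append(f'  "{name}" is defined under {path}; istiod reads only '
                                f'meshConfig.extensionProviders at the top level')
    return findings


def hoist_providers(mesh_config: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy with every nested extensionProviders list moved to the top level."""
    fixed = json.loads(json.dumps(mesh_config))
    hoisted = list(fixed.get("extensionProviders", []))
    for path, _ in misplaced_providers(mesh_config):
        keys = path.split(".")
        parent: Any = fixed
        for key in keys[:-1]:
            parent = parent[key] if isinstance(parent, dict) else parent[int(key)]
        hoisted.extend(parent.pop(keys[-1]))
    fixed["extensionProviders"] = hoisted
    return fixed


if __name__ == "__main__":
    for line in check_policy(POLICY, MESH_CONFIG_AS_POSTED):
        print(line)
    print(json.dumps(hoist_providers(MESH_CONFIG_AS_POSTED), indent=2))
```

Run it against the live objects by replacing the two constructed dicts with `json.load` of the `oc get ... -o json` output; an empty `active_providers` result together with a non-empty `misplaced_providers` result is the signature of providers that are present in the SMCP but never reach istiod.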
