Authz template sub messages

[mangchiandjjoe]

What this PR does / why we need it:

We need a authorization template for mixer adapters

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

authz template has sub messages

Release note:

Authorization adapter template.
Any authorization module needs to answer the question: Is a “subject” allowed to do an “action”. 

[mangchiandjjoe]

/assign @mandarjog @guptasu

[codecov]

Codecov Report

Merging #1877 into master will increase coverage by 0.6%.
The diff coverage is n/a.

@@            Coverage Diff            @@
##           master    #1877     +/-   ##
=========================================
+ Coverage   81.23%   81.84%   +0.6%     
=========================================
  Files         191      195      +4     
  Lines       19344    15949   -3395     
=========================================
- Hits        15715    13053   -2662     
+ Misses       3173     2430    -743     
- Partials      456      466     +10

Flag	Coverage Δ
#broker	47.27% <ø> (+1.75%)	⬆️
#mixer	83.21% <ø> (+0.67%)	⬆️
#pilot	80.93% <ø> (+0.45%)	⬆️
#security	88.88% <ø> (-1.51%)	⬇️

Impacted Files	Coverage Δ
pilot/platform/kube/queue.go	82.97% <0%> (-7.41%)	⬇️
mixer/pkg/template/template.go	70.58% <0%> (-5.03%)	⬇️
pilot/platform/kube/cache.go	62.5% <0%> (-4.17%)	⬇️
mixer/pkg/config/handler.go	73.23% <0%> (-4.09%)	⬇️
pilot/proxy/envoy/policy.go	85.71% <0%> (-3.02%)	⬇️
mixer/adapter/noopLegacy/noop.go	22.22% <0%> (-2.78%)	⬇️
mixer/pkg/adapter/check.go	53.84% <0%> (-2.41%)	⬇️
mixer/pkg/config/store/convert.go	68.18% <0%> (-2.19%)	⬇️
mixer/pkg/mockapi/handler.go	86.2% <0%> (-2.03%)	⬇️
pilot/platform/consul/controller.go	76.84% <0%> (-1.92%)	⬇️
... and 161 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 85983c2...6c26fd4. Read the comment docs.

[guptasu]

Hi @mangchiandjjoe , has this template gone through a formal design review. Basically every new template needs to have a 1 pager that is shared by the istio-integration group and reviewed widely. Here is an example:
https://docs.google.com/document/d/1jRiRLdyufYDcBvR5wjIBmPLUTzrtjnBqnTd4P9_JCGQ/edit?ts=59fa07ee

[guptasu]

Consider adding more description and example config. sample : https://github.com/istio/istio/blob/master/mixer/template/listentry/template.proto#L23

[mangchiandjjoe]

Done

[guptasu]

repeated. This is the first template we have used repeated. repeated fields are not completely supported yet. I can make it work in 1/2 day (just need to add its procession in the bootstraping code (loading yaml and generating instance objects), the code for generating artifacts to be used by the adapter is already present).

This should not block your adapter implementation thought. But unfortunately without change from me, you won't be able to test your adapter e2e with Mixer.

[mangchiandjjoe]

That should be fine. We can keep this field repeated for now and write a e2e test after the implementation.

[mangchiandjjoe]

I created a design document for the authz template https://goo.gl/1y3Z1v

[liminw]

@guptasu Sunny, the template was originally from Istio RBAC design doc. It has been reviewed and approved.

There is one thing Jae noticed is that, "name" under "subject" is not allowed. The error message says that "name" is a reserved field. Do you think it is a bug? "name" is allowed to be a field name in messages.

[guptasu]

It is intentional. We have reserved the name field for instance name value.

…

On Nov 28, 2017 11:55 AM, "Limin Wang" ***@***.***> wrote: @guptasu <https://github.com/guptasu> Sunny, the template was originally from Istio RBAC design doc <https://docs.google.com/document/d/1dKXUEOxrj4TWZKrW7fx_A-nrOdVD4tYolpjgT8DYBTY/edit#heading=h.uy42ya2lsfue>. It has been reviewed and approved. There is one thing Jae noticed is that, "name" under "subject" is not allowed. The error message says that "name" is a reserved field. Do you think it is a bug? "name" is allowed to be a field name in messages. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1877 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AK6xEwqG_digpYu4BTPu7FmRzxuWtqR5ks5s7GUWgaJpZM4QseUU> .

[mangchiandjjoe]

/retest

[guptasu]

Overall looks good. Once your one page design is approved and the field names are approved, you can submit this PR. I am not super familiar on what should be the content of this template.

[guptasu]

Add message comment

[mangchiandjjoe]

Done

[guptasu]

Add message comment.

[mangchiandjjoe]

Done

[guptasu]

The template looks good from the structure point of view. For the field names and comments, I will let others (@liminw and other auth experts) to comment on how intuitive they are.

[mangchiandjjoe]

Field names and comments are from the Istio Native RBAC Design V2 https://goo.gl/kof8o2 which was approved

[mangchiandjjoe]

/assign @geeknoid
Hello Martin, could you please take a look at the PR?

[geeknoid]

What are the valid groups, where are they defined? Can you clarify in the comments?

[liminw]

Depending on the authentication mechanism, "groups" are normally populated from JWT claim or client certificate. The operator can define how it is populated when creating an instance of the template.

[mangchiandjjoe]

Updated comment

[geeknoid]

Could we replace all uses of authz with authorization?

[mangchiandjjoe]

Renamed

[geeknoid]

This is not a list, it's just one single action.

Could you provide a comment explaining what this is for?

[liminw]

Action defines "how the resource is accessed".

[mangchiandjjoe]

Updated

[geeknoid]

This is not a list, it's a single subject.

Could you provide a comment explaining what this is for?

[liminw]

"Subject" contains a list of attributes that identify the caller identity.

[mangchiandjjoe]

Updated

[geeknoid]

@douglas-reid @mandarjog

Is this the right way to reference a service?

[geeknoid]

should validate that the "subject" is allowed to do the given "action"

[douglas-reid]

is allowed to perform the specified action ?

[mangchiandjjoe]

Updated

[geeknoid]

Let's remove this paragraph, that's how templates work in general and we don't need to explain that here.

[mangchiandjjoe]

Done

[geeknoid]

Lowercase s

[mangchiandjjoe]

Done

[geeknoid]

I worry about reusing the word action here, since that has a generic meaning in Mixer. Maybe "demand"? A subject makes a demand?

@mandarjog

[geeknoid]

Comments on the fields please.

[mangchiandjjoe]

Done

[douglas-reid]

There are generated files in this PR, but the generatedfiles file is not updated. I think that is problematic.

[douglas-reid]

extra is not a great name, imho. can we use something like attributes or even something like metadata instead? It might help to have a better comment on Subject that explains what a subject is (that doesn't use the word subject in the description) and what extra you might need/want for a subject.

[liminw]

It was previously named "attributes". It was renamed because Martin thought that "attributes" conflicts with Istio terms of "attributes". It is not "metadata" either. This field represents the custom attributes (in addition to "user" and "groups") that can be used to identify the subject. It is hard to come up with a good name. Do you have other suggestions for the name?

[geeknoid]

"properties"?

[douglas-reid]

is this the destination.service ?

[douglas-reid]

again, i think we want a more descriptive name than extra. Is this stuff metadata about the action?

[douglas-reid]

is allowed to perform the specified action ?

[douglas-reid]

Can we add more detail about the purpose here? This will end up in docs on the website, and while authorization is reasonably clear to sophisticated users, I think we could benefit from some lingo clarity. Maybe something like:

The authorization template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what. In this template, the who is defined in a Subject message. The what is defined in the Action message. During a Mixer Check call, these values will be populated based on configuration from request attributes and passed to individual authorization adapters to adjudicate.

You can probably describe it better, but I think that would be helpful (and maybe eliminate the need for the following paragraph).

[mangchiandjjoe]

Replaced

[geeknoid]

extra -> properties

[mangchiandjjoe]

Done

[geeknoid]

extra -> properties

[mangchiandjjoe]

Done

[geeknoid]

Should this be called resource? or resource_path?

[mangchiandjjoe]

It is the HTTP REST path within the service. Updated comment.

[geeknoid]

/retest all

[geeknoid]

/lgtm
/approve

[istio-merge-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: geeknoid

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these OWNERS Files:

• mixer/OWNERS [geeknoid]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[istio-merge-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[istio-merge-robot]

Automatic merge from submit-queue.