Istio/Envoy RBAC & ABAC authorization middleware based on Casbin

Clone this repo:
  1. 6151bf3 fix: fix broken links (#7) by YunShu · 2 years, 9 months ago master
  2. 06ae844 docs: replace gitter links with discord (#6) by YunShu · 2 years, 10 months ago
  3. 9e92da7 Merge pull request #5 from ashish493/master by Yang Luo · 4 years, 9 months ago
  4. e33c21c docs: Added Istio integration docs by Ashish Malik · 4 years, 9 months ago
  5. 05b1398 feat: Implemented gRPC server for authorization (#2) by Ashish Malik · 4 years, 9 months ago

envoy-authz


Envoy-authz is an Envoy middleware that performs external authorization through Casbin. It can be deployed on any Envoy-based service mesh, such as Istio.

Installation

go get github.com/casbin/envoy-authz

Requirements

  • Envoy 1.17+
  • Istio or any type of service mesh
  • gRPC dependencies

Working

  • A client makes an HTTP request.
  • The Envoy proxy sends that request to the gRPC server.
  • The gRPC server authorizes the request based on Casbin policies.
  • If authorized, the request is passed through; otherwise, it is denied.

The gRPC server is based on the protocol buffer definitions in external_auth.proto.
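
The decision step in the flow above, as an added example that is not this project's code: a standard-library stand-in for the Casbin enforcer that turns the request attributes Envoy forwards into an allow or deny, represented here as an HTTP status code. The header name `x-user` and the policy rows are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// userHeader is a hypothetical header name; the README does not name one.
const userHeader = "x-user"

// rule is one policy row: subject, object (path pattern), action (method).
type rule struct{ sub, obj, act string }

// Constructed sample policy standing in for Casbin policy files.
var policy = []rule{
	{"alice", "/orders/*", "GET"},
	{"bob", "/orders/*", "POST"},
}

// match accepts an exact path or a trailing "/*" prefix wildcard.
func match(p, pattern string) bool {
	if strings.HasSuffix(pattern, "/*") {
		return strings.HasPrefix(p, strings.TrimSuffix(pattern, "*"))
	}
	return p == pattern
}

// Decide returns the status for one check: 200 allows, 401 and 403 deny.
// headers uses lower-case keys, like the header map Envoy sends to ext_authz.
func Decide(headers map[string]string, method, rawPath string) int {
	user := headers[userHeader]
	if user == "" {
		return http.StatusUnauthorized // no identity: fail closed
	}
	if i := strings.IndexByte(rawPath, '?'); i >= 0 {
		rawPath = rawPath[:i] // the query string is not part of the object
	}
	p := path.Clean("/" + rawPath) // collapse ".." so it cannot widen a prefix rule
	for _, r := range policy {
		if r.sub == user && r.act == method && match(p, r.obj) {
			return http.StatusOK
		}
	}
	return http.StatusForbidden // default deny
}

func main() { fmt.Println(Decide(map[string]string{userHeader: "alice"}, "GET", "/orders/42?x=1")) }
```

Without the `path.Clean` call, a request for `/orders/../admin` would satisfy the `/orders/*` prefix rule even though it resolves outside that prefix.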

Usage

  • Define the Casbin policies under config files by following this guide.

You can verify and test your policies in the online casbin-editor.

  • Start the authorization server by running:
$ go build .
$ ./authz
  • Load the Envoy configuration:
$ envoy -c authz.yaml -l info

Once Envoy starts, it begins intercepting requests for the authorization process.

Integrating to Istio

You need to send custom headers that contain the usernames from the JWT token or headers for this middleware to work. See the official Istio docs for more information on modifying request headers.

Community

If you have any questions, you can ask on our Discord.