Envoy-authz is a middleware of Envoy which performs external RBAC & ABAC authorization through casbin. This middleware uses Envoy's external authorization API through a gRPC server. This proxy would be deployed on any type of envoy-based service meshes like Istio.
Dependencies are managed through go.mod.
The grpc server is based on protocol buffer from external_auth.proto from Envoy.
// A generic interface for performing authorization check on incoming
// requests to a networked service.
service Authorization {
// Performs authorization check based on the attributes associated with the
// incoming request, and returns status `OK` or not `OK`.
rpc Check(v2.CheckRequest) returns (v2.CheckResponse);
}
From the above proto file, we have to use Check() service in the authorization server.
You can verify/test your policies on online casbin-editor.
$ go build . $ ./authz
$ envoy -c authz.yaml -l info
Once the envoy starts, it will start intercepting requests for the authorization process.
You need to send custom headers, which would contain usernames in the JWT token OF headers for this middleware to work. You can check the official Istio docs to get more info on modifying Request Headers.