blob: 2f2e7a5a204fc0e9556bd3500897991a08f0a653 [file] [view]
---
id: envoy
title: Authorization of Service Mesh through Envoy
---
[Envoy-authz](https://github.com/casbin/envoy-authz) is a middleware of Envoy which performs external RBAC & ABAC authorization through casbin. This middleware uses [Envoy's external authorization API](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ext_authz_filter.html) through a gRPC server. This proxy would be deployed on any type of envoy-based service meshes like Istio.
## Requirements
- Envoy 1.17+
- Istio or any type of service mesh
- grpc dependencies
Dependencies are managed through `go.mod`.
## Working of Middleware
- A client would make a http request.
- Envoy proxy would send that request to grpc server.
- The grpc server would then authorize the request based on casbin policies.
- If authorized, the request would be sent through or else, it gets denied.
The grpc server is based on protocol buffer from [external_auth.proto](https://github.com/envoyproxy/envoy/blob/master/api/envoy/service/auth/v2alpha/external_auth.proto) from Envoy.
```
// A generic interface for performing authorization check on incoming
// requests to a networked service.
service Authorization {
// Performs authorization check based on the attributes associated with the
// incoming request, and returns status `OK` or not `OK`.
rpc Check(v2.CheckRequest) returns (v2.CheckResponse);
}
```
From the above proto file, we have to use `Check()` service in the authorization server.
## Usage
- Define the Casbin policies under config files by following this [guide](/docs/en/how-it-works).
You can verify/test your policies on online [casbin-editor](/editor/).
- Start the authorizing server by running:-
```
$ go build .
$ ./authz
```
- Load the envoy configuration:-
```
$ envoy -c authz.yaml -l info
```
Once the envoy starts, it will start intercepting requests for the authorization process.
## Integrating to Istio
You need to send custom headers, which would contain usernames in the JWT token OF headers for this middleware to work. You can check the official [Istio docs](https://istio.io/v1.4/docs/tasks/policy-enforcement/control-headers/) to get more info on modifying `Request Headers`.