使用JWT認證授權

應用服務網格中使用JWT實現對請求的身份認證，可以進一步配置授權策略，限制對請求的授權。

操作步驟

部署測試應用

參考以上示例部署sleep和httpbin應用，pod列表如下：

配置JWT認證策略：

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "testing@secure.istio.io"
jwks: '{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}'

使用非法的JWT訪問，可以看到返回了401錯誤：

kubectl exec "$(kubectl get pod -l app=sleep -n bookinfo -o jsonpath={.items..metadata.name})" -c sleep -n bookinfo -- curl "//httpbin:8000/headers" -sS -o /dev/null -H "Authorization: Bearer invalidToken" -w "%{http_code}\n"
401

不帶JWT頭部時會放過請求（返回200）：

kubectl exec "$(kubectl get pod -l app=sleep -n bookinfo -o jsonpath={.items..metadata.name})" -c sleep -n bookinfo -- curl "//httpbin:8000/headers" -sS -o /dev/null -w "%{http_code}\n"
200

創建授權策略，要求請求帶有合法的JWT才允許訪問：

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
       requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"]

再次不帶JWT訪問返回了403：

kubectl exec "$(kubectl get pod -l app=sleep -n bookinfo -o jsonpath={.items..metadata.name})" -c sleep -n bookinfo -- curl "//httpbin:8000/headers" -sS -o /dev/null -w "%{http_code}\n"
403

使用已經生成好的token驗證訪問，可以看到返回了200狀態碼：

TOKEN= eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg
kubectl exec "$(kubectl get pod -l app=sleep -n bookinfo -o jsonpath={.items..metadata.name})" -c sleep -n bookinfo -- curl "//httpbin:8000/headers"  -H "Authorization: Bearer $TOKEN" -sS -o /dev/null -w "%{http_code}\n"
200

修改授權策略，只允許JWT信息中groups字段包含group1的時候才允許訪問，策略如下：

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
       requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"]
    when:
    - key: request.auth.claims[groups]
      values: ["group1"]

使用上述TOKEN訪問返回403：

kubectl exec "$(kubectl get pod -l app=sleep -n bookinfo -o jsonpath={.items..metadata.name})" -c sleep -n bookinfo -- curl "//httpbin:8000/headers"  -H "Authorization: Bearer $TOKEN" -sS -o /dev/null -w "%{http_code}\n"
403

更新TOKEN

TOKEN= eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg

再次訪問返回200

kubectl exec "$(kubectl get pod -l app=sleep -n bookinfo -o jsonpath={.items..metadata.name})" -c sleep -n bookinfo -- curl "//httpbin:8000/headers"  -H "Authorization: Bearer $TOKEN" -sS -o /dev/null -w "%{http_code}\n"
200