0

I want to create a rule in the Istio authorization:

            - to:
                - operation:
                    methods: [ "POST" ]
                    paths: [ "/data/api/v1/departments/*/users/*/position" ]
              when:
                - key: request.auth.claims[resource_access][roles]
                  values: [ "edit" ]

so I want to use path variables here (in places with '*'). What should I put instead of '*' to make it working? It doesn't work in the current setup.

I get 'RBAC denied', I have a role 'edit' and path to that role is okay. It works fine for endpoints without '*' signs

Chris
  • 5,109
  • 3
  • 19
  • 40
Kacper Ostrowski
  • 1
  • 1

1 Answers1

1

Posting this answer as a community wiki as similar question has been already answered here:

Part of the question:

       - operation:
           methods: ["PUT"]
           paths: ["/my-service/docs/*/activate/*"]

Answer:

According to istio documentation:

Rule

Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, operation and condition matches the request. An empty rule is always matched.

Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

  • Exact match: “abc” will match on value “abc”.
  • Prefix match: “abc*” will match on value “abc” and “abcd”.
  • Suffix match: “*abc” will match on value “abc” and “xabc”.
  • Presence match: “*” will match when value is not empty.

So Authorization Policy does support wildcard, but I think the issue is with the */activate/* path, because paths can use wildcards only at the start, end or whole string, double wildcard just doesn't work.

There are related open github issues about that:

Dawid Kruk
  • 8,982
  • 2
  • 22
  • 45