Introduction to Istio's JWT Configuration Support

2023-11-22 01:29:44

1. JWT Rules

JWKS

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: '{ 
      "keys":[   
        {
          "alg": "RS256",
          "e": "AQAB",
          "kid": "DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
          "kty": "RSA",
          "n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ",
          "use": "sig"
        }
      ]
    }'

Restricting to a specific hostname

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]

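2. JWT Token Location

(1) HTTP header

Default location; nothing needs to be specified in the YAML. Example: Authorization: Bearer xxxx
To use a different location, specify it in the YAML. Example: Aaaa: Bbb xxxx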

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: see the configuration above, omitted here...
    fromHeaders:
    - name: Aaaa
      prefix: "Bbb "

(2) Query parameter

Example: http://aaa.example1.com?abc=xxx

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: see the configuration above, omitted here...
    fromParams:
    - "abc"

3. JWT Claim Conversion

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: example1
    jwks: see the configuration above, omitted here...
    outputClaimToHeaders:
    - header: "x-jwt-claim-foo"
      claim: "foo"

4. Request Matching Modes

(1) Whitelist mode

http://aaa.example1.com/abc: the JWT is not verified
http://aaa.example1.com/xxx: the JWT is verified

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        notPaths: ["/abc"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        paths: ["/abc"]

(2) Blacklist mode

http://aaa.example1.com/abc: the JWT is verified
http://aaa.example1.com/xxx: the JWT is not verified

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example1
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        paths: ["/abc"]
    when:
    - key: request.auth.claims[iss]
      values: ["example1"]
  - to:
    - operation:
        hosts: ["aaa.example1.com"]
        notPaths: ["/abc"]
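
The two matching modes above, as an added example that is not part of the original article: a simplified Python model of ALLOW-policy evaluation, run over constructed paths, showing that `/abc` is an exact match, so `/abc/` falls under the other rule in each mode. The dict form of the rules and the function names are assumptions for illustration; selectors, `from` clauses and case-insensitive host matching are left out.

```python
# Simplified model of ALLOW AuthorizationPolicy evaluation (added example).
def match(pattern, value):
    """Istio string match: exact, prefix ("/x*"), suffix ("*/x"), presence ("*")."""
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern

def rule_matches(rule, host, path, iss):
    op = rule["operation"]
    if "hosts" in op and not any(match(h, host) for h in op["hosts"]):
        return False
    if "paths" in op and not any(match(p, path) for p in op["paths"]):
        return False
    if any(match(p, path) for p in op.get("notPaths", [])):
        return False
    # `when: request.auth.claims[iss]` only holds for an already validated JWT;
    # iss=None stands for a request that carries no token.
    return "iss" not in rule or iss in rule["iss"]

def decide(rules, host, path, iss=None):
    """ALLOW action: allowed if any rule matches, otherwise denied."""
    return "ALLOW" if any(rule_matches(r, host, path, iss) for r in rules) else "DENY"

HOST = "aaa.example1.com"
# Hypothetical dict form of the two policies in section 4.
WHITELIST = [  # (1): everything except /abc needs a JWT
    {"operation": {"hosts": [HOST], "notPaths": ["/abc"]}, "iss": ["example1"]},
    {"operation": {"hosts": [HOST], "paths": ["/abc"]}},
]
BLACKLIST = [  # (2): only /abc needs a JWT
    {"operation": {"hosts": [HOST], "paths": ["/abc"]}, "iss": ["example1"]},
    {"operation": {"hosts": [HOST], "notPaths": ["/abc"]}},
]

def anonymous_access(rules, paths, host=HOST):
    """Decision for each path when the request carries no token."""
    return {p: decide(rules, host, p) for p in paths}

if __name__ == "__main__":
    sample = ["/abc", "/abc/", "/abc/detail", "/xxx"]  # constructed paths
    print("whitelist:", anonymous_access(WHITELIST, sample))
    print("blacklist:", anonymous_access(BLACKLIST, sample))
    print("other host:", decide(BLACKLIST, "bbb.example1.com", "/xxx"))
```

In blacklist mode the rule without a JWT condition is the catch-all, so every path form of the protected resource that the backend serves (for example the prefix `/abc/*`) has to be listed in both `paths` and `notPaths`.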