Implement custom external authorization in ASM - Zero Trust Security| Alibaba Cloud Documentation Center

Alibaba Cloud Service Mesh (ASM) supports custom external authorization. You can add an authentication process to the communication between services to ensure that only authenticated requests can access key services. This topic uses the httpbin application as an example to describe how to implement custom external authorization.

Prerequisites

An ASM instance is created. For more information, see Create an ASM instance.
A Container Service for Kubernetes (ACK) cluster is created. For more information, see Create an ACK managed cluster.
The ACK cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.

Step 1: Create an external authorization application

Create an external authorization application named ext-authz in an ACK cluster to implement external authentication logic. The ext-authz application used in this topic specifies that only requests with the x-ext-authz: allow request header can be authenticated to access the httpbin application.

Use kubectl to connect to the ACK cluster. For more information, see Connect to ACK clusters by using kubectl.

Create an ext-authz.yaml file that contains the following content:

# Copyright Istio Authors
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

# Example configurations for deploying ext-authz server separately in the mesh.

apiVersion: v1
kind: Service
metadata:
  name: ext-authz
  labels:
    app: ext-authz
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 8000
  - name: grpc
    port: 9000
    targetPort: 9000
  selector:
    app: ext-authz
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ext-authz
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ext-authz
  template:
    metadata:
      labels:
        app: ext-authz
    spec:
      containers:
      - image: istio/ext-authz:0.6
        imagePullPolicy: IfNotPresent
        name: ext-authz
        ports:
        - containerPort: 8000
        - containerPort: 9000
---

Deploy the external authorization service in the ACK cluster.

kubectl apply -f ext-authz.yaml

Expected output:

service/ext-authz created
deployment.apps/ext-authz created

Check whether the ext-authz application works as expected.

kubectl logs "$(kubectl get pod -l app=ext-authz -n default -o jsonpath={.items..metadata.name})" -n default -c ext-authz

Expected output:

2021/01/07 22:55:47 Starting HTTP server at [::]:8000
2021/01/07 22:55:47 Starting gRPC server at [::]:9000

If the preceding result is returned, the external authorization service is deployed.

Obtain the Google Remote Procedure Call (gRPC) port that is used by the ext-authz application.
1. Log on to the ACK console.
2. In the left-side navigation pane of the ACK console, click Clusters.
3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
4. In the left-side navigation pane of the details page, choose Network > Services
5. On the Services page, click ext-authz.
  In the Internal Endpoint column, you can see that the gRPC port used is 9000.

Step 2: Create sample applications

Create an httpbin.yaml file that contains the following content:

# Copyright Istio Authors
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

##################################################################################################
# httpbin service
##################################################################################################
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

Deploy the httpbin application in the ACK cluster.
```
kubectl apply -f httpbin.yaml
```

Create a sleep.yaml file that contains the following content:

# Copyright Istio Authors
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

##################################################################################################
# Sleep service
##################################################################################################
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sleep
---
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
    service: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      terminationGracePeriodSeconds: 0
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: curlimages/curl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true
---

Deploy the sleep application in the ACK cluster.
```
kubectl apply -f sleep.yaml
```

Step 3: Manage the external authorization service

Declare the ext-authz application that you created in Step 1 to an ASM instance so that the ASM instance can use the application to authenticate requests.

Log on to the ASM console.
In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose Zero Trust Security > AuthorizationPolicy in the left-side navigation pane.
On the AuthorizationPolicy page, click Manage External Authorization Services. On the External Authorization page, click Create.

On the Create External Authorization Service page, set the parameters and click Create.


Parameter	Description
Name	The name of the custom external authorization service. In this example, set the value to test.
Protocol	The protocol that is used by the external authorization application. In this example, select GRPC.
Service Address	The endpoint of the external authorization application in the format of `<Application name>.<Namespace name>.svc.<Domain name of the cluster>`. In this example, set the value to `ext-authz.default.svc.cluster.local`.
Port	The service port of the external authorization application. In this example, set the value to 9000.
Timeout	The timeout period of the external authorization application. If the external authorization application does not respond within the specified period of time, the external authorization service is considered unavailable. In this example, set the value to 10 seconds.

Step 4: Create an authorization policy

Create an authorization policy to configure the request operation that requires authentication.

Log on to the ASM console.
In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose Zero Trust Security > AuthorizationPolicy in the left-side navigation pane.
On the AuthorizationPolicy page, click Create.

On the Create page, set the parameters and click Create.


Parameter	Description
Namespace	The name of the namespace in which the sample applications are deployed. In this example, select default.
Name	The name of the custom authorization policy. In this example, set the value to test1.
Policies	The authorization policy. In this example, select RULES.
Action	The authorization action. In this example, select CUSTOM.
Provider Name	The external authorization service. In this example, select test.
Workload Label Selection	Configure the workload to which the authorization policy applies. Turn on Workload Label Selection, click Add Matching Label, and then add a label with the name of app and the value of httpbin.
Request Operation	Configure the request operation that requires authentication. Turn on Request Operation and click Add Request Operation to List. Click Add Request Operation. Then, set the Request Operation Domain parameter to path and the Value parameter to /headers.

Step 5: Verify that the custom external authorization service is successful

Access httpbin.default:8000/ip.

kubectl exec "$(kubectl get pod -l app=sleep -n default -o jsonpath={.items..metadata.name})" -c sleep -n default -- curl "http://httpbin.default:8000/ip" -s -o /dev/null -w "%{http_code}\n"

Expected output:

If the preceding result is returned, no authentication is triggered.

Use a request with the x-ext-authz: deny request header to access httpbin.default:8000/headers.

kubectl exec " $(kubectl get pod -l app=sleep -n default -o jsonpath={.items..metadata.name})" -c sleep -ndefault -- curl "http://httpbin.default:8000/headers" -H "x-ext-authz: deny" -s

Expected output:

denied by ext_authz for not found header `x-ext-authz: allow` in the request

If the preceding result is returned, the authentication is triggered but fails.

Use a request with the x-ext-authz: allow request header to access httpbin.default:8000/headers.

kubectl exec "$(kubectl get pod -l app=sleep -n default -o jsonpath={.items..metadata.name})" -c sleep -n default -- curl "http://httpbin.default:8000/headers" -H "x-ext-authz: allow" -s

Expected output:

{
  "headers": {
    "Accept": "*/*",
    "Host": "httpbin:8000",
    "User-Agent": "curl/7.76.0-DEV",
    "X-B3-Parentspanid": "430f770aeb7ef215",
    "X-B3-Sampled": "0",
    "X-B3-Spanid": "60ff95c5acdf5288",
    "X-B3-Traceid": "fba72bb5765daf5a430f770aeb7e****",
    "X-Envoy-Attempt-Count": "1",
    "X-Ext-Authz": "allow",
    "X-Ext-Authz-Check-Result": "allowed",
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/httpbin;Hash=e5178ee79066bfbafb1d98044fcd0cf80db76be8714c7a4b630c7922df520bf2;Subject=\"\";URI=spiffe://cluster.local/ns/default/sa/sleep"
  }
}

If the preceding result is returned, the authentication is triggered and passed.

The verification results indicate that only requests with the x-ext-authz: allow request header can access httpbin.default:8000/headers. This way, custom external authorization is implemented.