Service Mesh (ASM) supports comprehensive authentication and authorization configurations and offers flexible extensibility. You can integrate a custom authorization service that uses the HTTP or gRPC protocol into the ASM authorization workflow. This topic describes how to develop a custom authorization service that uses the HTTP protocol.
Background
Within a service mesh, you can configure JWT authentication (RequestAuthentication) on a gateway to authenticate requests. For requests within the mesh, the mesh uses the provided mTLS certificates by default to authenticate requests. Once a request is authenticated, you can use an authorization policy (AuthorizationPolicy) to restrict its behavior. In addition to these standard capabilities, Service Mesh (ASM) can integrate with a custom authorization service. The overall workflow for a custom authorization service is as follows.
When you configure a custom authorization service to use the HTTP protocol, the mesh proxy (gateway or sidecar) populates an HTTP authorization request with information from the original request. The proxy then sends the authorization request to the custom authorization service, which decides whether to allow the original request.
- A status code of 200 from the custom authorization service indicates that the request is allowed.
- A 5xx status code indicates an error in the custom authorization service. Whether the request is allowed or denied depends on the configured failure mode.
- Any other status code denies the request.
Configuration
You can associate a custom authorization service in the ASM console. After associating the service, you can configure an authorization policy to specify which mesh proxies use it. For detailed steps, see Implement custom authorization by using the HTTP protocol.
Develop an HTTP custom authorization service
ASM is compatible with the open-source Istio service mesh. The Istio community offers a sample implementation of a custom authorization service. This code implements both HTTP- and gRPC-based custom authorization services. The main logic for the HTTP part, which is the focus of this topic, is in the ServeHTTP function:
// ServeHTTP implements the HTTP check request sent by the mesh proxy.
func (s *ExtAuthzServer) ServeHTTP(response http.ResponseWriter, request *http.Request) {
	// The body is only logged; the decision below depends solely on the header,
	// so a read failure is logged and processing continues with an empty body.
	body, err := io.ReadAll(request.Body)
	if err != nil {
		log.Printf("[HTTP] read body failed: %v", err)
	}
	l := fmt.Sprintf("%s %s%s, headers: %v, body: [%s]\n", request.Method, request.Host, request.URL, request.Header, returnIfNotTooLong(string(body)))
	// Allow only when the header named by checkHeader carries allowedValue.
	if allowedValue == request.Header.Get(checkHeader) {
		log.Printf("[HTTP][allowed]: %s", l)
		response.Header().Set(resultHeader, resultAllowed)
		response.Header().Set(overrideHeader, request.Header.Get(overrideHeader))
		response.Header().Set(receivedHeader, l)
		response.WriteHeader(http.StatusOK) // 200: the proxy lets the original request through
	} else {
		log.Printf("[HTTP][denied]: %s", l)
		response.Header().Set(resultHeader, resultDenied)
		response.Header().Set(overrideHeader, request.Header.Get(overrideHeader))
		response.Header().Set(receivedHeader, l)
		response.WriteHeader(http.StatusForbidden) // 403: the proxy denies the original request
		_, _ = response.Write([]byte(denyBody))
	}
}
This function inspects the request header named by checkHeader. If the header's value equals allowedValue, the service returns status code 200 (allow). Otherwise, it returns 403 (deny).
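The following self-contained service is an added example, not the Istio sample or ASM's own code. It separates the policy decision from the status-code contract described in the Background section, so that a policy error produces a 5xx (and the proxy applies its failure mode) rather than being silently treated as a deny. The header name x-ext-authz and the value allow are assumed to follow the Istio sample's conventions.

```go
package main

import (
	"errors"
	"log"
	"net/http"
)

// Header name and allow value assumed from the Istio ext_authz sample conventions.
const (
	checkHeader  = "x-ext-authz"
	allowedValue = "allow"
	resultHeader = "x-ext-authz-check-result"
)

// Policy decides an authorization request. A non-nil error means the service
// itself failed, which is distinct from a decision to deny.
type Policy func(r *http.Request) (allowed bool, err error)

// HeaderPolicy allows the request only when the forwarded origin header carries
// the expected value. If the mesh does not forward origin headers in the check
// request, the header is absent and every request is denied.
func HeaderPolicy(r *http.Request) (bool, error) {
	return r.Header.Get(checkHeader) == allowedValue, nil
}

// ExtAuthzHandler maps a policy result onto the status-code contract the proxy
// expects: 200 allows, 5xx signals a service error (the proxy applies its
// failure mode), anything else denies.
func ExtAuthzHandler(p Policy) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		allowed, err := p(r)
		switch {
		case err != nil:
			log.Printf("[HTTP][error] %s %s: %v", r.Method, r.URL.Path, err)
			w.Header().Set(resultHeader, "error")
			w.WriteHeader(http.StatusInternalServerError)
		case allowed:
			w.Header().Set(resultHeader, "allowed")
			w.WriteHeader(http.StatusOK)
		default:
			w.Header().Set(resultHeader, "denied")
			w.WriteHeader(http.StatusForbidden)
			_, _ = w.Write([]byte("denied by ext_authz: missing " + checkHeader + " header\n"))
		}
	})
}

// ErrBackendDown models a policy whose backing store is unreachable (constructed for illustration).
var ErrBackendDown = errors.New("policy backend unreachable")

func main() {
	log.Fatal(http.ListenAndServe(":8000", ExtAuthzHandler(HeaderPolicy)))
}
```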
Configure the custom authorization service
After deploying the custom authorization service to your ACK cluster, you can integrate it with the mesh. For detailed steps, see Implement custom authorization by using the HTTP protocol.
Because this authorization service inspects the header defined by the checkHeader variable, you must configure the Carry origin header within auth request parameter when you import the service into the mesh. Otherwise, the header is not forwarded in the authorization request and the authorization check will fail.