►
From YouTube: Better External Authorization
Description
#IstioCon2021
Presented at IstioCon 2021 by Yangmin Zhu.
I will talk about the better external authorization feature in 1.9 that allows users to easily integrate Istio with external authorization system (e.g. OPA, OAuth2).
The better external authorization is the latest improvement that solves a much wanted customer request for better extensibility in the authorization policy.
This feature makes it possible and greatly improves the user experience of many critical use cases, for example, integrate with industry standard auth mechanism (e.g. OAuth2), reuse existing in-house auth system (e.g. OPA) and more.
A
A
So
why
would
you
even
need
to
use
the
extraordinary
still
is
already
providing
the
first
class
authorization
policy?
That's
a
very
good
question.
There
are
a
lot
of
answers
here.
I
will
just
list
some
like
most
important
use
cases
here,
so
we
have
found
that
many
customers
they
need
better
extensibility
in
authorization
to
address
those
following
issues.
A
You
may
find
that
it's
your
authorization
policy.
It
just
lacks
some
like
necessary
semantics
for
your
use
case.
You
do
not
need
very
fancy
logic,
but
the
specific
expression
is
not
available
in
the
easter
authorizing
policy.
Yet
all
of
these
use
cases-
and
the
list
goes
on
it-
will
bring
you
to
this
point
that
you
need
better
accessibility
in
easter,
australian
policy.
A
Let's
take
a
look
at
what
it
is,
how
it
is
been
down
before
1.9
and
what
are
the
pain
points
of
the
old
approach
for
the
external
authorization
so
before
window
9,
it
is
usually
solved
by
using
the
roa
xlrc
filter,
combined
with
the
install
our
filter
api
and
it
of
course
works.
But
it
comes
with
some
big
pain
points
here.
A
A
A
So,
when
you
are
writing
on
the
filter,
you
are
now
reading
using
easter
api.
You
are
writing
the
roa
config
directly,
which
means
you
are
using
the
roa
api
directly
in
istio.
So
that
means
any
android.
Api
change
could
silently
break
your
onward
filter
api
without
prior
notice,
because
that
is
a
transparent
api
in
istio.
We
cannot
really
do
a
lot
of
validation
against
it
to
istio.
It's
it's
something
like
a
transparent
config
that
we
just
passed
to
the
runway
and
we
cannot
make
sure
it
is
always
consistent
with
our
version
we
are
using.
A
So
it's
the
user's
responsibility
to
make
sure
that
the
outward
version
used
in
istio
is
consistent
with
the
how
we
config
that
you
specified
in
your
rv
filter,
and
sometimes
you
will
even
need
slightly
different
rv
filter
in
each
different
install
version
due
to
the
alveolar
filter.
Api
itself
is
like
a
changing
rapidly.
It's
still
alpha
api,
and
this
becomes
worse.
If
you
have
a
lot
of
unbuilt
filter
api
applied
in
your
large
cluster
and
very
hard
to
maintain
and
scale.
A
A
A
This
is
mitigated
by
another
field
that
is
added
to
the
unveil,
xlc
filter,
config,
and
that
allows
you
to
override
to
use
a
separate
host
header
so
that
it
doesn't
default
to
use
the
class
name.
But
before
that
is
available,
you
have
to
apply
some
like
a
very
handy,
vocal
round
to
use
a
second
away
filter
to
patch
that
hostname,
so
that
it
doesn't
include
the
pipe
character.
A
A
So
this
needs
goes
on
and
on-
and
I
think
if
you
have
looked
at
some
other
presentation
in
this
istio
khan,
you
will
find
that
there
are
a
lot
of
people.
There
are
things
that
the
difficulties
they
are
using
on
will
filter,
but
let's
make
it
very
clear,
I'm
not
saying
that
you
should
never
use
onward
filter
api,
the
unrefield
api,
it's
it's!
It's
very
useful
and
it
has
its
legit
use
cases.
A
But
here
is
a
big,
but
it
is
not
the
proper
api
that
you
should
use
for
critical
security
feature
in
your
production,
environment
and
skill
because
of
the
usability
maintainability
and
troubleshooting
and
the
feature
wise.
All
those
things
makes
it
not
a
proper
like
api
that
it
should
depend
on
for
your
production
usage.
A
A
We
are
providing
infrastructure
level
and
first
class
api
support
of
a
better
extensibility
in
the
easter
authorization
policy.
So
here
I
will
just
focus
on
the
two
biggest
changes
in
this
feature.
You
will
find
more
details.
I
will
provide
a
link
later
in
the
slide
to
the
original
design
dock,
but
here
I
will
just
focus
those
two
things
here.
A
A
A
So
each
extension
provider
has
its
unique
name
and
it
will
be
referred
to
by
the
authorization
policy,
and
currently
we
support
the
extension
provider
of
type
away
external
oc
filter.
So
you
can
see
the
our
extra
oc
filter
is
actually
a
concrete
example
of
like
a
using
with
easter
authorization
policy
to
demonstrate
the
extensibility.
A
And
let's
look
into
the
api
example,
and
we
can
show
you
here:
the
left
side
is
a
very
normal
authorization
policy.
You
can
see,
we
give
it
a
kind.
This
alteration
policy
we
give
it
a
name
extra
or
z,
and
we
put
it
in
the
is
still
system
namespace
and
it
is
using
this
selector
to
select
the
ingress
gateway.
A
And
here
then
it
comes
to
the
new
changes
we
are
adding
in
1.9.
We
have
this
action
that
is
called
custom.
This
custom
action
will
allows
you
to
indicate
the
authorization
check
to
this
provider
identified
by
this
unique
name.
Here
I
give
it
name
like
my
extra
oc
service
and
this
action
is
triggered
under
these
rules.
A
So
this
specific
road
means
it
will
be
triggered
for
request
pass.
If
the
pass
has
the
prefix
stash
of
the
mean
snatch,
we
are
using
the
star
one
card
in
the
end
of
the
string
to
denote
this
is
a
prefix
matching,
and
this
rules
is
exactly
the
same
rules
that
you
might
already
be
using
in
your
existing
observation
policy,
so
there's
really
delta
here.
A
Is
this
like
a
custom
action
and
this
simple
provider
with
a
simple
string
name,
we
are
intentionally
making
this
the
same
design
decision
to
make
it
simple
that
you
don't
need
to
worry
too
much
about
in
your
ocean
policy.
That's
basically
just
two
fields
you
need
to
take
care
of,
and
then
let's
take
a
look
into
the
extension
provider
on
the
right
side.
A
A
A
A
We
simply
give
it
a
service
name.
Here
I
give
it
this
xlc
dot,
food
or
service
to
cluster
local.
This
means
I
have
deployed
my
xoc
server
in
the
full
name
space
and
it
is
serving
the
xlc
check.
Request
on
port
8000
and
design
comes
with
some
detailed
configuration
of
the
android
oc
filter
for
things
like
what
should
be
sent
to
the
xoc
service.
A
So,
combining
those
things
together,
that's
basically
all
the
things
you
need
to
use
the
extra
oc
in
istio
1.9,
you
define
the
you
define
the
xlrc
provider
in
the
mesh
config.
You
refer
it
in
your
oscillation
policy
and
in
your
authorization
policy
most
fields.
They
are
exactly
the
same
as
you
are
already
using
them
before
you
don't
need
to
learn
a
new
matching
rule.
A
It's
the
same
authorization
matching
rule
that
should
make
it
easier
to
adopt
in
your
use
case,
and
if
you
want
to
customize
your
hrc,
you
can
put
it
in
this
extension
provider,
for
things
like
include,
the
header
in
check
include
the
header
in
like
a
back
end.
Things
like
that.
You
can
also
customize
like
as
a
the
status
returned
by
the
xrc
when
it
failed
the
check.
A
So,
first
of
all,
you
apply
that
authorization
policy
and
you
configure
the
extension
provider
in
the
mesh
config
easterd
will
then
configure
will
will
find
your
configuration.
It
will
process
your
configuration
and
then
it
will
distribute
the
alway
config
to
the
workload
selected
by
your
oscillation
policy,
which
is
a
corresponding
xlr
oc
field
config.
A
A
A
A
A
A
A
That
means
changes
in
our
way.
You
will
not
break
your
configuration
in
sql,
because,
technically
speaking,
you
are
not
using
onward
api
at
all.
You
are
now
using
easter
api
and
esto
will
handle
all
those
changes
behind
the
scene
automatically
for
you,
because
we
will
maintain
the
stability
in
the
easter
api
and
the
easter
api
is
supposed
to
be
used
by
the
end
user,
which
is
different
from
the
output
api
that
is
supposed
to
be
used
by
machine
instead
of
a
human
being.
A
This
api
is
part
of
the
authorization
api
and
it
is
well
tested,
maintained
and
supported
by
the
install
team.
That's
a
another
big
benefit.
If
you
are
planning
to
integrate
this
skill
with
extra
authorization
that
simplifies
the
input
that
simplifies
the
integration
part
so
that
you
can
focus
on
your
xlrc
part
instead
of
the
integration
part
last.
It
also
provide
you
a
very
nice
feature
that
it
allows
triggering
the
extra
oscillator
flow
conditionally.
A
So
now
you
can
see
something
like
only
trigger
the
extra
flow
for
host
like
example.com
or
only
trigger
the
or
or
trigger
the
pass
for
triggers
the
extra
zero
for
all
paths
except
to
the
snaz
health.
You
may
have
this
slash.
Health
as
a
any
point
that
you
want,
everyone
has
access
to
it,
and
you
can
do
many
similar
things
here.
A
Okay,
so
I
have
include
all
those
important
information
about
this
feature
in
this
slide.
I
will
also
share
this
slide
to
to
the
easter
community.
Once
this
presentation
is
done,
you
can
find
the
original
design
dock.
You
need
to
join
the
easter
team
driver
access
for
access
to
the
design
dock,
that's
a
very
detailed
design
tool
that
includes
all
those
design
decisions
we
made
the
trade-offs
we
made
while
we
are
doing
it
like
today
and
implementation
details
pretty
much
everything
about
this
feature.
A
A
It
shows
you
how
to
integrate
with
a
sample
xl
server.
That
is
also
implemented
as
a
part
of
sample
server
in
istio.
You
can
use
that
as
a
starting
point
to
plug
in
your
customer
logic
and
and
push
it
to
your
production,
and
if
you
are
interested
in
the
api,
you
can
directly
look
into
the
formal
protobuf
definition
of
the
api
for
both
the
custom
action
and
the
extension
provider
and
last
but
not
least,
and
actually
very
important.
We
really
appreciate
your
feedback.
A
Next,
I
will
give
you
a
demo
of
using
this
extensibility,
so
this
new
api
in
1.9
allows
you
to
integrate
with
many
extra
oc
solutions
like
oppa,
like
os2
proxy,
and
I
think
it's
very
important
to
mention
the
difference
here
that
when
you
are
using
oppa,
os2
proxy
or
any
other
things,
those
things
are
also
scope
of
istio.
They
are
largely.
A
A
Okay.
So
let's
look
at
this
demo,
so
I
will
deploy
opa
in
the
default
namespace
as
the
extension
provider
in
in
the
user
case.
It
is
usually
maintained
by
the
customer
and
in
the
eastern
mesh.
I
will
deploy
the
workload
and
with
easter
proxy
and
I
will
use
oscillation
policy
to
delegate
the
authorization
check
to
the
opa
port.
A
Okay,
let
me
just
show
you
some
basic
status
in
my
kubernetes
cluster.
You
can
see.
I
have
already
deployed
the
example
http
being
the
example
at
sleep,
that's
just
the
example
sleep
and
hdb.
You
will
find
in
every
steel
task,
and
I
have
already
deployed
this
oppa
in
the
easter
cluster.
You
can
see
it
has
two
container,
which
means
it
has
the
istio
proxy
injected.
A
Yeah
you
can
see
we
are
using
still
1.9,
the
proxy
is
injected
correctly
and
we
are
using
the
latest
oper
that
that
is
specifically
built
for
the
roa
integration,
because
you
are
using
oper.
We
also
need
to
deploy
and
create
the
opera
policy,
and
currently
I
have
deployed
this
as
a
secret.
In
my
cluster
you
can
see
there
is
a
opa
policy
secret,
not
that
is
just
an
example
of
a
policy
that
I
deployed
for
the
customized
logic
of
access
control.
A
A
Okay,
here
you
can
see
we
have
a
example
of
a
policy.
It
does
sound
like
a
custom
processing
of
the
george
token,
in
the
request
check
his
fields
and
compare
it
against
another
field.
In
the
john
token,
this
customization
country
is
not
supported
by
easter
australian
policy.
That's
one
of
the
reasons
you
may
want
to
use
oppa
naked
for
things
like
this.
A
A
As
you
remember,
the
very
first
thing
we
need
to
do
is
to
define
this
extension
provider.
We
need
to
tell
the
istio
that
hey,
we
want
to
use
this
extension
provider,
and
here
is
a
detailed
information.
That's
how
you
can
talk
to
that
extension
provider,
so
I
will
configure
the
istio
config
map
to
end
this
definition.
A
A
And
then
save
and
exit
normally,
it
still
will
pick
up
the
changes
in
the
mesh
config
automatically
after,
like
a
one
or
two
minutes,
it's
a
bit
slow
because
we
are
using.
We
are
mounting
the
secret
instead
of
watching
a
web
mounting
the
config
map
instead
of
watching
the
config
map.
So
to
make
things
faster,
I
will
just
restart
the.
A
A
A
Okay,
the
new
study
is
now
up
and
running,
and
then
we
can
just
apply
the
authorization
policy
before
we
do
that.
Let's
take
a
quick
look
at
the
content
of
the
authorization
policy
you
can
see.
We
are
applying
it
to
the
http
being
workload
because
we
want
to
enforce
the
access
control
for
the
http
workload.
A
A
A
A
A
This
is
because
we
specified
as
a
not
pass
ip,
which
means
the
request
it
doesn't
even
trigger
the
extra
ocd
at
all.
Oppa
does
not
say
this
request
at
all,
because
we
don't
want
it
to
trigger
the
extra
flow
and
we
can
check
the
logs
in
the
op-up
container
to
confirm
to
confirm
that
it
is
actually
enforcing
all
those.
A
A
A
It
is
a
request
sent
to
this
destination
that
has
this
http
being
from
this
source.
That
has
this
sleep
principle.
So
oppa
knows
this
request
is
from
sleep
to
http,
which
has
this
past
snatch
headers,
but
it
doesn't
have
this
authorization
header,
so
it
gives
a
decision
that
it
should
be
delight.
The
result
is
a
force
for
the
second
request
to
snatch
headers.
It
has
this
authorizing
header
and
then
is
giving
this
decision
a
law
result.