RequestPrincipals - Code Search

pilot/pkg/security/authz/builder/testdata/http/allow-full-rule-in.yaml

        - key: "request.auth.principal"
          values: ["requestPrincipals", "requestPrincipals-prefix-*", "*-suffix-requestPrincipals", "*", "https://example.com/*"]
          notValues: ["not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-not-suffix-requestPrincipals", "*"]
        - key: "request.auth.audiences"
          values: ["audiences", "audiences-prefix-*", "*-suffix-audiences", "*"]

Registered: Fri Jun 14 15:00:06 UTC 2024

- Last Modified: Sat Apr 20 01:58:53 UTC 2024

- 4.1K bytes

- Viewed (0)

github.com/istio/istio

pilot/pkg/security/authz/builder/testdata/http/allow-full-rule-out.yaml

                      stringMatch:
                        exact: requestPrincipals
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        prefix: requestPrincipals-prefix-
                - metadata:
                    filter: istio_authn

Registered: Fri Jun 14 15:00:06 UTC 2024

- Last Modified: Sat Apr 20 01:58:53 UTC 2024

- 32.6K bytes

- Viewed (0)

github.com/istio/istio

pilot/pkg/serviceregistry/kube/controller/ambient/testdata/allow-full-in.yaml

  - from:
    - source:
        requestPrincipals: [ "requestPrincipals", "requestPrincipals-prefix-*", "*-suffix-requestPrincipals", "*" ]
        notRequestPrincipals: [ "not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-suffix-not-requestPrincipals", "*" ]
  - from:
    - source:
        namespaces: [ "ns", "ns-prefix-*", "*-ns-suffix", "*" ]

Registered: Fri Jun 14 15:00:06 UTC 2024

- Last Modified: Thu Feb 29 18:40:34 UTC 2024

- 4K bytes

- Viewed (0)

github.com/istio/istio

pilot/pkg/serviceregistry/kube/controller/ambient/testdata/deny-groups-in.yaml

kind: AuthorizationPolicy
metadata:
  name: groups-deny
spec:
  action: DENY
  rules:
  # Has mix of L4 and L7 in from
  - from:
    - source:
        principals: ["from-mix-principal"]
        requestPrincipals: ["from-mix-requestPrincipals"]
        namespaces: ["from-mix-ns"]
    to:
    - operation:
        ports: ["80"]
  # Has mix of L4 and L7 in to
  - from:
    - source:
        principals: ["to-mix-principal"]

Registered: Fri Jun 14 15:00:06 UTC 2024

- Last Modified: Thu Feb 29 18:40:34 UTC 2024

- 1.4K bytes

- Viewed (0)

github.com/istio/istio

pilot/pkg/security/authz/builder/testdata/http/extended-allow-full-rule-out.yaml

                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            exact: requestPrincipals
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub

Registered: Fri Jun 14 15:00:06 UTC 2024

- Last Modified: Fri May 03 18:02:42 UTC 2024

- 39K bytes

- Viewed (0)

github.com/istio/istio

pilot/pkg/serviceregistry/kube/controller/ambient/testdata/allow-groups-in.yaml

kind: AuthorizationPolicy
metadata:
  name: groups
spec:
  rules:
  # Has mix of L4 and L7 in from
  - from:
    - source:
        principals: ["from-mix-principal"]
        requestPrincipals: ["from-mix-requestPrincipals"]
        namespaces: ["from-mix-ns"]
    to:
    - operation:
        ports: ["80"]
  # Has mix of L4 and L7 in to
  - from:
    - source:
        principals: ["to-mix-principal"]

Registered: Fri Jun 14 15:00:06 UTC 2024

- Last Modified: Thu Feb 29 18:40:34 UTC 2024

- 1.3K bytes

- Viewed (0)

github.com/istio/istio

tests/integration/ambient/testdata/requestauthn/waypoint-jwt.yaml.tmpl

spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  rules:
  - from:
    - source:
        requestPrincipals: ["******@****.***/sub-1"]
    - source:
        requestPrincipals: ["******@****.***/sub-1"]
  - to:
    - operation:

Registered: Fri Jun 14 15:00:06 UTC 2024

- Last Modified: Mon Apr 15 16:23:36 UTC 2024

- 1.3K bytes

- Viewed (0)

github.com/istio/istio

tests/integration/security/testdata/authz/jwt.yaml.tmpl

    from:
    - source:
        requestPrincipals: ["******@****.***/sub-1"]
  - to:
    - operation:
        paths: ["/token2"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[groups]
      values: ["group-2"]
  - to:
    - operation:
        paths: ["/tokenAny"]
        methods: ["GET"]
    from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:

Registered: Fri Jun 14 15:00:06 UTC 2024

- Last Modified: Wed May 08 23:36:51 UTC 2024

- 3K bytes

- Viewed (0)

github.com/istio/istio

pilot/pkg/security/authz/model/model.go

			if useExtendedJwt {
				merged.insertFrontExtended(requestPrincipalGenerator{}, attrRequestPrincipal, s.RequestPrincipals, s.NotRequestPrincipals)
			} else {
				merged.insertFront(requestPrincipalGenerator{}, attrRequestPrincipal, s.RequestPrincipals, s.NotRequestPrincipals)
			}
			merged.insertFront(srcPrincipalGenerator{}, attrSrcPrincipal, s.Principals, s.NotPrincipals)
		}

Registered: Fri Jun 14 15:00:06 UTC 2024

- Last Modified: Mon Mar 25 10:39:25 UTC 2024

- 13.8K bytes

- Viewed (0)

github.com/istio/istio

pilot/pkg/serviceregistry/kube/controller/ambient/authorization.go

	}
	fromMatches := []*security.Match{}
	for _, from := range rule.From {
		op := from.Source
		if action == security.Action_ALLOW && anyNonEmpty(op.RemoteIpBlocks, op.NotRemoteIpBlocks, op.RequestPrincipals, op.NotRequestPrincipals) {
			// L7 policies never match for ALLOW
			// For DENY they will always match, so it is more restrictive
			return nil
		}
		match := &security.Match{

Registered: Fri Jun 14 15:00:06 UTC 2024

- Last Modified: Mon Apr 15 16:23:36 UTC 2024

- 18.4K bytes

- Viewed (0)

Search Options