authzadaptor

package module
v0.0.0-...-d9e79a9
Published: Aug 4, 2020 License: Apache-2.0 Imports: 23 Imported by: 0

README

AWS ALB Route Directive Adapter For Istio

The AWS ALB route directive adapter for Istio is used in the Kubeflow AWS Cognito manifest as part of its authentication and authorization offering.

Authentication - After your load balancer authenticates a user successfully, it sends the user claims received from the IdP to the target. The load balancer signs the user claims so that applications can verify the signature and confirm that the claims were sent by the load balancer. The load balancer adds the HTTP header x-amzn-oidc-data, which carries the user claims as a JSON Web Token (JWT).

Authorization - Route directives enable Mixer adapters to modify traffic metadata using operation templates on the request and response headers. The AWS ALB route directive adapter for Istio decodes x-amzn-oidc-data, retrieves the email field and adds a custom HTTP header kubeflow-userid: alice@amazon.com, which is then used by the Kubeflow authorization layer.

This repo is built from the Route directive adapter development guide. If you run into any problems, please follow those instructions.

Compatibility

  • This was originally built with istio 1.1.x. In istio 1.2.x the adapter was removed and you have to enable it manually. Check the change notes.
  • This is not limited to Kubeflow usage. You can use it for any similar use case and customize it.

Development Instruction

Istio Local Copy

If you don't have istio, please download and build a local copy of istio:

mkdir -p $GOPATH/src/istio.io/
cd $GOPATH/src/istio.io/
git clone https://github.com/istio/istio
cd istio
go build ./...

Download code

Clone this repo and put it under $GOPATH/src/istio.io/istio.

Build binary

cd $GOPATH/src/istio.io/istio
GO111MODULE=off CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o authzadaptor/authzadaptor ./authzadaptor/main/main.go

Build container image

docker build -t seedjeffwan/istio-adapter:0.1 authzadaptor

Regenerate codes

If you want to start from scratch, you can follow these instructions to regenerate the code.

cd $GOPATH/src/istio.io/istio

bin/mixer_codegen.sh -t authzadaptor/template.proto
bin/mixer_codegen.sh -a authzadaptor/config/config.proto -x "-s=false -n authzadaptor -t authzadaptor"

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.

Documentation

Overview

Package authzadaptor is a generated protocol buffer package.

It is generated from these files:

authzadaptor/template_handler_service.proto

It has these top-level messages:

HandleAuthzadaptorRequest
HandleAuthzadaptorResponse
OutputMsg
InstanceMsg
Type
InstanceParam

Index

Constants

const TemplateName = "authzadaptor"

Fully qualified name of the template

Variables

var (
	ErrInvalidLengthTemplateHandlerService = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowTemplateHandlerService   = fmt.Errorf("proto: integer overflow")
)

Functions

func RegisterHandleAuthzadaptorServiceServer

func RegisterHandleAuthzadaptorServiceServer(s *grpc.Server, srv HandleAuthzadaptorServiceServer)

Types

type AuthZAdaptor

type AuthZAdaptor struct {
	URLToPublicKeyDict map[string]*ecdsa.PublicKey
}

func (AuthZAdaptor) HandleAuthzadaptor

func (authZAdaptor AuthZAdaptor) HandleAuthzadaptor(_ context.Context, req *HandleAuthzadaptorRequest) (*HandleAuthzadaptorResponse, error)

type HandleAuthzadaptorRequest

type HandleAuthzadaptorRequest struct {
	// 'authzadaptor' instance.
	Instance *InstanceMsg `protobuf:"bytes,1,opt,name=instance" json:"instance,omitempty"`
	// Adapter specific handler configuration.
	//
	// Note: Backends can also implement [InfrastructureBackend][https://istio.io/docs/reference/config/mixer/istio.mixer.adapter.model.v1beta1.html#InfrastructureBackend]
	// service and therefore opt to receive handler configuration during session creation through [InfrastructureBackend.CreateSession][TODO: Link to this fragment]
	// call. In that case, adapter_config will have type_url as 'google.protobuf.Any.type_url' and would contain string
	// value of session_id (returned from InfrastructureBackend.CreateSession).
	AdapterConfig *google_protobuf1.Any `protobuf:"bytes,2,opt,name=adapter_config,json=adapterConfig" json:"adapter_config,omitempty"`
	// Id to dedupe identical requests from Mixer.
	DedupId string `protobuf:"bytes,3,opt,name=dedup_id,json=dedupId,proto3" json:"dedup_id,omitempty"`
}

Request message for HandleAuthzadaptor method.

func (*HandleAuthzadaptorRequest) Descriptor

func (*HandleAuthzadaptorRequest) Descriptor() ([]byte, []int)

func (*HandleAuthzadaptorRequest) Marshal

func (m *HandleAuthzadaptorRequest) Marshal() (dAtA []byte, err error)

func (*HandleAuthzadaptorRequest) MarshalTo

func (m *HandleAuthzadaptorRequest) MarshalTo(dAtA []byte) (int, error)

func (*HandleAuthzadaptorRequest) ProtoMessage

func (*HandleAuthzadaptorRequest) ProtoMessage()

func (*HandleAuthzadaptorRequest) Reset

func (m *HandleAuthzadaptorRequest) Reset()

func (*HandleAuthzadaptorRequest) Size

func (m *HandleAuthzadaptorRequest) Size() (n int)

func (*HandleAuthzadaptorRequest) String

func (this *HandleAuthzadaptorRequest) String() string

func (*HandleAuthzadaptorRequest) Unmarshal

func (m *HandleAuthzadaptorRequest) Unmarshal(dAtA []byte) error

type HandleAuthzadaptorResponse

type HandleAuthzadaptorResponse struct {
	Result *istio_mixer_adapter_model_v1beta11.CheckResult `protobuf:"bytes,1,opt,name=result" json:"result,omitempty"`
	Output *OutputMsg                                      `protobuf:"bytes,2,opt,name=output" json:"output,omitempty"`
}

func (*HandleAuthzadaptorResponse) Descriptor

func (*HandleAuthzadaptorResponse) Descriptor() ([]byte, []int)

func (*HandleAuthzadaptorResponse) Marshal

func (m *HandleAuthzadaptorResponse) Marshal() (dAtA []byte, err error)

func (*HandleAuthzadaptorResponse) MarshalTo

func (m *HandleAuthzadaptorResponse) MarshalTo(dAtA []byte) (int, error)

func (*HandleAuthzadaptorResponse) ProtoMessage

func (*HandleAuthzadaptorResponse) ProtoMessage()

func (*HandleAuthzadaptorResponse) Reset

func (m *HandleAuthzadaptorResponse) Reset()

func (*HandleAuthzadaptorResponse) Size

func (m *HandleAuthzadaptorResponse) Size() (n int)

func (*HandleAuthzadaptorResponse) String

func (this *HandleAuthzadaptorResponse) String() string

func (*HandleAuthzadaptorResponse) Unmarshal

func (m *HandleAuthzadaptorResponse) Unmarshal(dAtA []byte) error

type HandleAuthzadaptorServiceClient

type HandleAuthzadaptorServiceClient interface {
	// HandleAuthzadaptor is called by Mixer at request-time to deliver 'authzadaptor' instances to the backend.
	HandleAuthzadaptor(ctx context.Context, in *HandleAuthzadaptorRequest, opts ...grpc.CallOption) (*HandleAuthzadaptorResponse, error)
}

func NewHandleAuthzadaptorServiceClient

func NewHandleAuthzadaptorServiceClient(cc *grpc.ClientConn) HandleAuthzadaptorServiceClient

type HandleAuthzadaptorServiceServer

type HandleAuthzadaptorServiceServer interface {
	// HandleAuthzadaptor is called by Mixer at request-time to deliver 'authzadaptor' instances to the backend.
	HandleAuthzadaptor(context.Context, *HandleAuthzadaptorRequest) (*HandleAuthzadaptorResponse, error)
}

type Handler

type Handler interface {
	adapter.Handler

	// HandleAuthzadaptor is called by Mixer at request time to deliver instances
	// to an adapter.
	HandleAuthzadaptor(context.Context, *Instance) (adapter.CheckResult, *Output, error)
}

Handler must be implemented by adapter code if it wants to process data associated with the 'authzadaptor' template.

Mixer uses this interface to call into the adapter at request time in order to dispatch created instances to the adapter. Adapters take the incoming instances and do what they need to achieve their primary function.

The name of each instance can be used as a key into the Type map supplied to the adapter at configuration time via the method 'SetAuthzadaptorTypes'. The Type associated with an instance describes the shape of the instance.

type HandlerBuilder

type HandlerBuilder interface {
	adapter.HandlerBuilder

	// SetAuthzadaptorTypes is invoked by Mixer to pass the template-specific Type information for instances that an adapter
	// may receive at runtime. The type information describes the shape of the instance.
	SetAuthzadaptorTypes(map[string]*Type)
}

HandlerBuilder must be implemented by adapters if they want to process data associated with the 'authzadaptor' template.

Mixer uses this interface to call into the adapter at configuration time to configure it with adapter-specific configuration as well as all template-specific type information.

type Instance

type Instance struct {
	// Name of the instance as specified in configuration.
	Name string

	Key string

	Path string
}

Instance is constructed by Mixer for the 'authzadaptor' template.

type InstanceMsg

type InstanceMsg struct {
	// Name of the instance as specified in configuration.
	Name string `protobuf:"bytes,72295727,opt,name=name,proto3" json:"name,omitempty"`
	Key  string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
	Path string `protobuf:"bytes,2,opt,name=path,proto3" json:"path,omitempty"`
}

Contains instance payload for 'authzadaptor' template. This is passed to infrastructure backends during request-time through HandleAuthzadaptorService.HandleAuthzadaptor.

func (*InstanceMsg) Descriptor

func (*InstanceMsg) Descriptor() ([]byte, []int)

func (*InstanceMsg) Marshal

func (m *InstanceMsg) Marshal() (dAtA []byte, err error)

func (*InstanceMsg) MarshalTo

func (m *InstanceMsg) MarshalTo(dAtA []byte) (int, error)

func (*InstanceMsg) ProtoMessage

func (*InstanceMsg) ProtoMessage()

func (*InstanceMsg) Reset

func (m *InstanceMsg) Reset()

func (*InstanceMsg) Size

func (m *InstanceMsg) Size() (n int)

func (*InstanceMsg) String

func (this *InstanceMsg) String() string

func (*InstanceMsg) Unmarshal

func (m *InstanceMsg) Unmarshal(dAtA []byte) error

type InstanceParam

type InstanceParam struct {
	Key  string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
	Path string `protobuf:"bytes,2,opt,name=path,proto3" json:"path,omitempty"`
}

Represents instance configuration schema for 'authzadaptor' template.

func (*InstanceParam) Descriptor

func (*InstanceParam) Descriptor() ([]byte, []int)

func (*InstanceParam) Marshal

func (m *InstanceParam) Marshal() (dAtA []byte, err error)

func (*InstanceParam) MarshalTo

func (m *InstanceParam) MarshalTo(dAtA []byte) (int, error)

func (*InstanceParam) ProtoMessage

func (*InstanceParam) ProtoMessage()

func (*InstanceParam) Reset

func (m *InstanceParam) Reset()

func (*InstanceParam) Size

func (m *InstanceParam) Size() (n int)

func (*InstanceParam) String

func (this *InstanceParam) String() string

func (*InstanceParam) Unmarshal

func (m *InstanceParam) Unmarshal(dAtA []byte) error

type Output

type Output struct {
	Email string
	// contains filtered or unexported fields
}

Output struct is returned by the attribute producing adapters that handle this template.

func NewOutput

func NewOutput() *Output

func (*Output) SetEmail

func (o *Output) SetEmail(val string)

func (*Output) WasSet

func (o *Output) WasSet(field string) bool

type OutputMsg

type OutputMsg struct {
	Email string `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
}

Contains output payload for 'authzadaptor' template.

func (*OutputMsg) Descriptor

func (*OutputMsg) Descriptor() ([]byte, []int)

func (*OutputMsg) Marshal

func (m *OutputMsg) Marshal() (dAtA []byte, err error)

func (*OutputMsg) MarshalTo

func (m *OutputMsg) MarshalTo(dAtA []byte) (int, error)

func (*OutputMsg) ProtoMessage

func (*OutputMsg) ProtoMessage()

func (*OutputMsg) Reset

func (m *OutputMsg) Reset()

func (*OutputMsg) Size

func (m *OutputMsg) Size() (n int)

func (*OutputMsg) String

func (this *OutputMsg) String() string

func (*OutputMsg) Unmarshal

func (m *OutputMsg) Unmarshal(dAtA []byte) error

type Type

type Type struct {
}

Contains inferred type information about specific instance of 'authzadaptor' template. This is passed to infrastructure backends during configuration-time through [InfrastructureBackend.CreateSession][TODO: Link to this fragment].

func (*Type) Descriptor

func (*Type) Descriptor() ([]byte, []int)

func (*Type) Marshal

func (m *Type) Marshal() (dAtA []byte, err error)

func (*Type) MarshalTo

func (m *Type) MarshalTo(dAtA []byte) (int, error)

func (*Type) ProtoMessage

func (*Type) ProtoMessage()

func (*Type) Reset

func (m *Type) Reset()

func (*Type) Size

func (m *Type) Size() (n int)

func (*Type) String

func (this *Type) String() string

func (*Type) Unmarshal

func (m *Type) Unmarshal(dAtA []byte) error

Directories

Path Synopsis
Package config is a generated protocol buffer package.
