v1alpha1

package
v0.0.0-...-2d182f5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 2, 2018 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Overview

Package v1alpha1 is a generated protocol buffer package.

This package defines user-facing authentication policy.

It is generated from these files: 

authentication/v1alpha1/policy.proto

It has these top-level messages: 

MutualTls
Jwt
PeerAuthenticationMethod
OriginAuthenticationMethod
Policy
TargetSelector
PortSelector

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidLengthPolicy = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowPolicy   = fmt.Errorf("proto: integer overflow")
)
View Source 
var MutualTls_Mode_name = map[int32]string{
	0: "STRICT",
	1: "PERMISSIVE",
}
View Source 
var MutualTls_Mode_value = map[string]int32{
	"STRICT":     0,
	"PERMISSIVE": 1,
}
View Source 
var PrincipalBinding_name = map[int32]string{
	0: "USE_PEER",
	1: "USE_ORIGIN",
}
View Source 
var PrincipalBinding_value = map[string]int32{
	"USE_PEER":   0,
	"USE_ORIGIN": 1,
}

Functions

This section is empty.

Types

type Jwt 

type Jwt struct {
	// Identifies the issuer that issued the JWT. See
	// [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
	// Usually a URL or an email address.
	//
	// Example: https://securetoken.google.com
	// Example: [email protected]
	Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// The list of JWT
	// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3).
	// that are allowed to access. A JWT containing any of these
	// audiences will be accepted.
	//
	// The service name will be accepted if audiences is empty.
	//
	// Example:
	//
	// “`yaml
	// audiences:
	// - bookstore_android.apps.googleusercontent.com
	//   bookstore_web.apps.googleusercontent.com
	// “`
	Audiences []string `protobuf:"bytes,2,rep,name=audiences" json:"audiences,omitempty"`
	// URL of the provider's public key set to validate signature of the
	// JWT. See [OpenID
	// Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
	//
	// Optional if the key set document can either (a) be retrieved from
	// [OpenID
	// Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
	// the issuer or (b) inferred from the email domain of the issuer (e.g. a
	// Google service account).
	//
	// Example: https://www.googleapis.com/oauth2/v1/certs
	JwksUri string `protobuf:"bytes,3,opt,name=jwks_uri,json=jwksUri,proto3" json:"jwks_uri,omitempty"`
	// JWT is sent in a request header. `header` represents the
	// header name.
	//
	// For example, if `header=x-goog-iap-jwt-assertion`, the header
	// format will be x-goog-iap-jwt-assertion: <JWT>.
	JwtHeaders []string `protobuf:"bytes,6,rep,name=jwt_headers,json=jwtHeaders" json:"jwt_headers,omitempty"`
	// JWT is sent in a query parameter. `query` represents the
	// query parameter name.
	//
	// For example, `query=jwt_token`.
	JwtParams []string `protobuf:"bytes,7,rep,name=jwt_params,json=jwtParams" json:"jwt_params,omitempty"`
}

JSON Web Token (JWT) token format for authentication as defined by https://tools.ietf.org/html/rfc7519. See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.

Example,

```yaml issuer: https://example.com audiences:

  • bookstore_android.apps.googleusercontent.com bookstore_web.apps.googleusercontent.com

jwksUri: https://example.com/.well-known/jwks.json ```

func (*Jwt) Descriptor 

func (*Jwt) Descriptor() ([]byte, []int)

func (*Jwt) GetAudiences 

func (m *Jwt) GetAudiences() []string

func (*Jwt) GetIssuer 

func (m *Jwt) GetIssuer() string

func (*Jwt) GetJwksUri 

func (m *Jwt) GetJwksUri() string

func (*Jwt) GetJwtHeaders 

func (m *Jwt) GetJwtHeaders() []string

func (*Jwt) GetJwtParams 

func (m *Jwt) GetJwtParams() []string

func (*Jwt) Marshal 

func (m *Jwt) Marshal() (dAtA []byte, err error)

func (*Jwt) MarshalTo 

func (m *Jwt) MarshalTo(dAtA []byte) (int, error)

func (*Jwt) ProtoMessage 

func (*Jwt) ProtoMessage()

func (*Jwt) Reset 

func (m *Jwt) Reset()

func (*Jwt) Size 

func (m *Jwt) Size() (n int)

func (*Jwt) String 

func (m *Jwt) String() string

func (*Jwt) Unmarshal 

func (m *Jwt) Unmarshal(dAtA []byte) error

type MutualTls 

type MutualTls struct {
	// WILL BE DEPRECATED, if set, will translates to `TLS_PERMISSIVE` mode.
	// Set this flag to true to allow regular TLS (i.e without client x509
	// certificate). If request carries client certificate, identity will be
	// extracted and used (set to peer identity). Otherwise, peer identity will
	// be left unset.
	// When the flag is false (default), request must have client certificate.
	AllowTls bool `protobuf:"varint,1,opt,name=allow_tls,json=allowTls,proto3" json:"allow_tls,omitempty"`
	// Defines the mode of mTLS authentication.
	Mode MutualTls_Mode `protobuf:"varint,2,opt,name=mode,proto3,enum=istio.authentication.v1alpha1.MutualTls_Mode" json:"mode,omitempty"`
}

TLS authentication params.

func (*MutualTls) Descriptor 

func (*MutualTls) Descriptor() ([]byte, []int)

func (*MutualTls) GetAllowTls 

func (m *MutualTls) GetAllowTls() bool

func (*MutualTls) GetMode 

func (m *MutualTls) GetMode() MutualTls_Mode

func (*MutualTls) Marshal 

func (m *MutualTls) Marshal() (dAtA []byte, err error)

func (*MutualTls) MarshalTo 

func (m *MutualTls) MarshalTo(dAtA []byte) (int, error)

func (*MutualTls) ProtoMessage 

func (*MutualTls) ProtoMessage()

func (*MutualTls) Reset 

func (m *MutualTls) Reset()

func (*MutualTls) Size 

func (m *MutualTls) Size() (n int)

func (*MutualTls) String 

func (m *MutualTls) String() string

func (*MutualTls) Unmarshal 

func (m *MutualTls) Unmarshal(dAtA []byte) error

type MutualTls_Mode 

type MutualTls_Mode int32

Defines the acceptable connection TLS mode. 

const (
	// Client cert must be presented, connection is in TLS.
	MutualTls_STRICT MutualTls_Mode = 0
	// Connection can be either plaintext or TLS, and client cert can be omitted.
	MutualTls_PERMISSIVE MutualTls_Mode = 1
)

func (MutualTls_Mode) EnumDescriptor 

func (MutualTls_Mode) EnumDescriptor() ([]byte, []int)

func (MutualTls_Mode) String 

func (x MutualTls_Mode) String() string

type OriginAuthenticationMethod 

type OriginAuthenticationMethod struct {
	// Jwt params for the method.
	Jwt *Jwt `protobuf:"bytes,1,opt,name=jwt" json:"jwt,omitempty"`
}

OriginAuthenticationMethod defines authentication method/params for origin authentication. Origin could be end-user, device, delegate service etc. Currently, only JWT is supported for origin authentication.

func (*OriginAuthenticationMethod) Descriptor 

func (*OriginAuthenticationMethod) Descriptor() ([]byte, []int)

func (*OriginAuthenticationMethod) GetJwt 

func (m *OriginAuthenticationMethod) GetJwt() *Jwt

func (*OriginAuthenticationMethod) Marshal 

func (m *OriginAuthenticationMethod) Marshal() (dAtA []byte, err error)

func (*OriginAuthenticationMethod) MarshalTo 

func (m *OriginAuthenticationMethod) MarshalTo(dAtA []byte) (int, error)

func (*OriginAuthenticationMethod) ProtoMessage 

func (*OriginAuthenticationMethod) ProtoMessage()

func (*OriginAuthenticationMethod) Reset 

func (m *OriginAuthenticationMethod) Reset()

func (*OriginAuthenticationMethod) Size 

func (m *OriginAuthenticationMethod) Size() (n int)

func (*OriginAuthenticationMethod) String 

func (m *OriginAuthenticationMethod) String() string

func (*OriginAuthenticationMethod) Unmarshal 

func (m *OriginAuthenticationMethod) Unmarshal(dAtA []byte) error

type PeerAuthenticationMethod 

type PeerAuthenticationMethod struct {
	// Types that are valid to be assigned to Params:
	//	*PeerAuthenticationMethod_Mtls
	//	*PeerAuthenticationMethod_Jwt
	Params isPeerAuthenticationMethod_Params `protobuf_oneof:"params"`
}

PeerAuthenticationMethod defines one particular type of authentication, e.g mutual TLS, JWT etc, (no authentication is one type by itself) that can be used for peer authentication. The type can be progammatically determine by checking the type of the "params" field.

func (*PeerAuthenticationMethod) Descriptor 

func (*PeerAuthenticationMethod) Descriptor() ([]byte, []int)

func (*PeerAuthenticationMethod) GetJwt 

func (m *PeerAuthenticationMethod) GetJwt() *Jwt

func (*PeerAuthenticationMethod) GetMtls 

func (m *PeerAuthenticationMethod) GetMtls() *MutualTls

func (*PeerAuthenticationMethod) GetParams 

func (m *PeerAuthenticationMethod) GetParams() isPeerAuthenticationMethod_Params

func (*PeerAuthenticationMethod) Marshal 

func (m *PeerAuthenticationMethod) Marshal() (dAtA []byte, err error)

func (*PeerAuthenticationMethod) MarshalTo 

func (m *PeerAuthenticationMethod) MarshalTo(dAtA []byte) (int, error)

func (*PeerAuthenticationMethod) ProtoMessage 

func (*PeerAuthenticationMethod) ProtoMessage()

func (*PeerAuthenticationMethod) Reset 

func (m *PeerAuthenticationMethod) Reset()

func (*PeerAuthenticationMethod) Size 

func (m *PeerAuthenticationMethod) Size() (n int)

func (*PeerAuthenticationMethod) String 

func (m *PeerAuthenticationMethod) String() string

func (*PeerAuthenticationMethod) Unmarshal 

func (m *PeerAuthenticationMethod) Unmarshal(dAtA []byte) error

func (*PeerAuthenticationMethod) XXX_OneofFuncs 

func (*PeerAuthenticationMethod) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{})

XXX_OneofFuncs is for the internal use of the proto package.

type PeerAuthenticationMethod_Jwt 

type PeerAuthenticationMethod_Jwt struct {
	Jwt *Jwt `protobuf:"bytes,2,opt,name=jwt,oneof"`
}

func (*PeerAuthenticationMethod_Jwt) MarshalTo 

func (m *PeerAuthenticationMethod_Jwt) MarshalTo(dAtA []byte) (int, error)

func (*PeerAuthenticationMethod_Jwt) Size 

func (m *PeerAuthenticationMethod_Jwt) Size() (n int)

type PeerAuthenticationMethod_Mtls 

type PeerAuthenticationMethod_Mtls struct {
	Mtls *MutualTls `protobuf:"bytes,1,opt,name=mtls,oneof"`
}

func (*PeerAuthenticationMethod_Mtls) MarshalTo 

func (m *PeerAuthenticationMethod_Mtls) MarshalTo(dAtA []byte) (int, error)

func (*PeerAuthenticationMethod_Mtls) Size 

func (m *PeerAuthenticationMethod_Mtls) Size() (n int)

type Policy 

type Policy struct {
	// List rules to select destinations that the policy should be applied on.
	// If empty, policy will be used on all destinations in the same namespace.
	Targets []*TargetSelector `protobuf:"bytes,1,rep,name=targets" json:"targets,omitempty"`
	// List of authentication methods that can be used for peer authentication.
	// They will be evaluated in order; the first validate one will be used to
	// set peer identity (source.user) and other peer attributes. If none of
	// these methods pass, and peer_is_optional flag is false (see below),
	// request will be rejected with authentication failed error (401).
	// Leave the list empty if peer authentication is not required
	Peers []*PeerAuthenticationMethod `protobuf:"bytes,2,rep,name=peers" json:"peers,omitempty"`
	// Set this flag to true to accept request (for peer authentication perspective),
	// even when none of the peer authentication methods defined above satisfied.
	// Typically, this is used to delay the rejection decision to next layer (e.g
	// authorization).
	// This flag is ignored if no authentication defined for peer (peers field is empty).
	PeerIsOptional bool `protobuf:"varint,3,opt,name=peer_is_optional,json=peerIsOptional,proto3" json:"peer_is_optional,omitempty"`
	// List of authentication methods that can be used for origin authentication.
	// Similar to peers, these will be evaluated in order; the first validate one
	// will be used to set origin identity and attributes (i.e request.auth.user,
	// request.auth.issuer etc). If none of these methods pass, and origin_is_optional
	// is false (see below), request will be rejected with authentication failed
	// error (401).
	// Leave the list empty if origin authentication is not required.
	Origins []*OriginAuthenticationMethod `protobuf:"bytes,4,rep,name=origins" json:"origins,omitempty"`
	// Set this flag to true to accept request (for origin authentication perspective),
	// even when none of the origin authentication methods defined above satisfied.
	// Typically, this is used to delay the rejection decision to next layer (e.g
	// authorization).
	// This flag is ignored if no authentication defined for origin (origins field is empty).
	OriginIsOptional bool `protobuf:"varint,5,opt,name=origin_is_optional,json=originIsOptional,proto3" json:"origin_is_optional,omitempty"`
	// Define whether peer or origin identity should be use for principal. Default
	// value is USE_PEER.
	// If peer (or orgin) identity is not available, either because of peer/origin
	// authentication is not defined, or failed, principal will be left unset.
	// In other words, binding rule does not affect the decision to accept or
	// reject request.
	PrincipalBinding PrincipalBinding `` /* 162-byte string literal not displayed */
}

Policy defines what authentication methods can be accepted on workload(s), and if authenticated, which method/certificate will set the request principal (i.e request.auth.principal attribute).

Authentication policy is composed of 2-part authentication: - peer: verify caller service credentials. This part will set source.user (peer identity). - origin: verify the origin credentials. This part will set request.auth.user (origin identity), as well as other attributes like request.auth.presenter, request.auth.audiences and raw claims. Note that the identity could be end-user, service account, device etc.

Last but not least, the principal binding rule defines which identity (peer or origin) should be used as principal. By default, it uses peer.

Examples:

Policy to enable mTLS for all services in namespace frod

```yaml apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: 

name: mTLS_enable
namespace: frod

spec: 

peers:
- mtls:

``` Policy to disable mTLS for "productpage" service

```yaml apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: 

name: mTLS_disable
namespace: frod

spec: 

targets:
- name: productpage

``` Policy to require mTLS for peer authentication, and JWT for origin authenticationn for productpage:9000. Principal is set from origin identity.

```yaml apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: 

name: mTLS_enable
namespace: frod

spec: 

target:
- name: productpage
  ports:
  - number: 9000
peers:
- mtls:
origins:
- jwt:
    issuer: "https://securetoken.google.com"
    audiences:
    - "productpage"
    jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
    jwt_headers:
    - "x-goog-iap-jwt-assertion"
principaBinding: USE_ORIGIN

```

Policy to require mTLS for peer authentication, and JWT for origin authenticationn for productpage:9000, but allow origin authentication failed. Principal is set from origin identity. Note: this example can be used for use cases when we want to allow request from certain peers, given it comes with an approperiate authorization poicy to check and reject request accoridingly.

```yaml apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: 

name: mTLS_enable
namespace: frod

spec: 

target:
- name: productpage
  ports:
  - number: 9000
peers:
- mtls:
origins:
- jwt:
    issuer: "https://securetoken.google.com"
    audiences:
    - "productpage"
    jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
    jwt_headers:
    - "x-goog-iap-jwt-assertion"
originIsOptional: true
principalBinding: USE_ORIGIN

```

func (*Policy) Descriptor 

func (*Policy) Descriptor() ([]byte, []int)

func (*Policy) GetOriginIsOptional 

func (m *Policy) GetOriginIsOptional() bool

func (*Policy) GetOrigins 

func (m *Policy) GetOrigins() []*OriginAuthenticationMethod

func (*Policy) GetPeerIsOptional 

func (m *Policy) GetPeerIsOptional() bool

func (*Policy) GetPeers 

func (m *Policy) GetPeers() []*PeerAuthenticationMethod

func (*Policy) GetPrincipalBinding 

func (m *Policy) GetPrincipalBinding() PrincipalBinding

func (*Policy) GetTargets 

func (m *Policy) GetTargets() []*TargetSelector

func (*Policy) Marshal 

func (m *Policy) Marshal() (dAtA []byte, err error)

func (*Policy) MarshalTo 

func (m *Policy) MarshalTo(dAtA []byte) (int, error)

func (*Policy) ProtoMessage 

func (*Policy) ProtoMessage()

func (*Policy) Reset 

func (m *Policy) Reset()

func (*Policy) Size 

func (m *Policy) Size() (n int)

func (*Policy) String 

func (m *Policy) String() string

func (*Policy) Unmarshal 

func (m *Policy) Unmarshal(dAtA []byte) error

type PortSelector 

type PortSelector struct {
	// Types that are valid to be assigned to Port:
	//	*PortSelector_Number
	//	*PortSelector_Name
	Port isPortSelector_Port `protobuf_oneof:"port"`
}

PortSelector specifies the name or number of a port to be used for matching targets for authenticationn policy. This is copied from networking API to avoid dependency.

func (*PortSelector) Descriptor 

func (*PortSelector) Descriptor() ([]byte, []int)

func (*PortSelector) GetName 

func (m *PortSelector) GetName() string

func (*PortSelector) GetNumber 

func (m *PortSelector) GetNumber() uint32

func (*PortSelector) GetPort 

func (m *PortSelector) GetPort() isPortSelector_Port

func (*PortSelector) Marshal 

func (m *PortSelector) Marshal() (dAtA []byte, err error)

func (*PortSelector) MarshalTo 

func (m *PortSelector) MarshalTo(dAtA []byte) (int, error)

func (*PortSelector) ProtoMessage 

func (*PortSelector) ProtoMessage()

func (*PortSelector) Reset 

func (m *PortSelector) Reset()

func (*PortSelector) Size 

func (m *PortSelector) Size() (n int)

func (*PortSelector) String 

func (m *PortSelector) String() string

func (*PortSelector) Unmarshal 

func (m *PortSelector) Unmarshal(dAtA []byte) error

func (*PortSelector) XXX_OneofFuncs 

func (*PortSelector) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{})

XXX_OneofFuncs is for the internal use of the proto package.

type PortSelector_Name 

type PortSelector_Name struct {
	Name string `protobuf:"bytes,2,opt,name=name,proto3,oneof"`
}

func (*PortSelector_Name) MarshalTo 

func (m *PortSelector_Name) MarshalTo(dAtA []byte) (int, error)

func (*PortSelector_Name) Size 

func (m *PortSelector_Name) Size() (n int)

type PortSelector_Number 

type PortSelector_Number struct {
	Number uint32 `protobuf:"varint,1,opt,name=number,proto3,oneof"`
}

func (*PortSelector_Number) MarshalTo 

func (m *PortSelector_Number) MarshalTo(dAtA []byte) (int, error)

func (*PortSelector_Number) Size 

func (m *PortSelector_Number) Size() (n int)

type PrincipalBinding 

type PrincipalBinding int32

Associates authentication with request principal. 

const (
	// Principal will be set to the identity from peer authentication.
	PrincipalBinding_USE_PEER PrincipalBinding = 0
	// Principal will be set to the identity from origin authentication.
	PrincipalBinding_USE_ORIGIN PrincipalBinding = 1
)

func (PrincipalBinding) EnumDescriptor 

func (PrincipalBinding) EnumDescriptor() ([]byte, []int)

func (PrincipalBinding) String 

func (x PrincipalBinding) String() string

type TargetSelector 

type TargetSelector struct {
	// REQUIRED. The name must be a short name from the service registry. The
	// fully qualified domain name will be resolved in a platform specific manner.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Specifies the ports on the destination. Leave empty to match all ports
	// that are exposed.
	Ports []*PortSelector `protobuf:"bytes,2,rep,name=ports" json:"ports,omitempty"`
}

TargetSelector defines a matching rule to a service/destination.

func (*TargetSelector) Descriptor 

func (*TargetSelector) Descriptor() ([]byte, []int)

func (*TargetSelector) GetName 

func (m *TargetSelector) GetName() string

func (*TargetSelector) GetPorts 

func (m *TargetSelector) GetPorts() []*PortSelector

func (*TargetSelector) Marshal 

func (m *TargetSelector) Marshal() (dAtA []byte, err error)

func (*TargetSelector) MarshalTo 

func (m *TargetSelector) MarshalTo(dAtA []byte) (int, error)

func (*TargetSelector) ProtoMessage 

func (*TargetSelector) ProtoMessage()

func (*TargetSelector) Reset 

func (m *TargetSelector) Reset()

func (*TargetSelector) Size 

func (m *TargetSelector) Size() (n int)

func (*TargetSelector) String 

func (m *TargetSelector) String() string

func (*TargetSelector) Unmarshal 

func (m *TargetSelector) Unmarshal(dAtA []byte) error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.