Authorization Proxy is an implementation of Kubernetes sidecar container to provide a common interface for the user to do authentication and authorization check for specific URL resources. It caches the policies from Athenz, and provide a reverse proxy interface for the user to authenticate the role token written on the request header, to allow or reject user's specific URL request.
Requires go 1.9 or later.
Authorization Proxy acts as a reverse proxy sitting in front of the user application. When the user request for specific URL resource of the user application, the request comes to authorization proxy first.
To authenticate the request, the authorization proxy should know which user can take an action to which resource, therefore the policy updater is introduced.
The policy updater periodically updates the Athenz PublicKey and Policy data from Athenz Server and validate and decode the policy data. The decoded result will store in the memory cache inside the policy updater.
The authorization proxy will verify and decode the role token written on the request header and check if the user can take an action to a specific resource. If the user is allowed to take an action the resource, the request will proxy to the user application.
The authorization proxy will return unauthorized to the user whenever if the role token is invalid, or the role written on the role token has no privilege to take the action to the resource that user is requesting.
The mapping rules describe the elements using in the authorization proxy. The user can configure which Athenz domain's policies cached in the policy updater, and decide if the user is authorized to take the action to the resource.
The mapping rules were described below.
Description | Map to (Athenz) | Example | |
---|---|---|---|
Role | Role name written on the role token | Role | user |
Action | HTTP/HTTPS request action | Action | POST |
Resource | HTTP/HTTPS request resource, it support regular expression | Resource | /api/* |
All the HTTP/HTTPS methods and URI path will be automatically converted to lower case.
The example configuration file is here. For detail explaination please read config.go.
Copyright (C) 2018 Yahoo Japan Corporation Athenz team.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
This project requires contributors to agree to a Contributor License Agreement (CLA).
Note that only for contributions to the garm repository on the GitHub, the contributors of them shall be deemed to have agreed to the CLA without individual written agreements.