Envoy-authz is a middleware of Envoy which performs external authorization through casbin. This proxy would be deployed on any type of envoy-based service meshes like Istio.
go get github.com/casbin/envoy-authz
- Envoy 1.17+
- Istio or any type of service mesh
- grpc dependencies
- A client would make a http request.
- Envoy proxy would send that request to grpc server.
- The grpc server would then authorize the request based on casbin policies.
- If authorized, the request would be sent through or else, it gets denied.
The grpc server is based on protocol buffer from external_auth.proto.
- Define the Casbin policies under config files by following this guide.
You can verify/test your policies on online casbin-editor.
- Start the authorizing server by running:-
$ go build .
$ ./authz
- Load the envoy configuration:-
$ envoy -c authz.yaml -l info
Once the envoy starts, it will start intercepting requests for the authorization process.
You need to send custom headers, which would contain usernames in the JWT token OF headers for this middleware to work. You can check the official Istio docs to get more info on modifying Request Headers.
In case of any query, you can ask on our Discord.