Some improvements we can do for Istio RBAC:
Convert config.istio.io to rbac.istio.io. (Moved RBAC CRDs to group rbac.istio.io from config.istio.io #6874)
Support AllAuthenticatedUsers for principals. Today we can set {user: "*"} to represent "AllUsers", including authenticated and unauthenticated identities. In some cases, we may need to accept only the authenticated identities. We can introduce "AllAuthenticatedUsers" in addition to "AllUsers". (Authorization V2, Adding additional fields for bindings and validation. #11800)
Support JWT claims that are arrays (or non-string). For example, there can be a claim "groups: ["aaa", "bbb"]". Matching any one of the values in the array should pass the authorization check (Support ListValue for metadata matcher envoyproxy/envoy#3964, Add the groups claim to the attribute request.auth.groups proxy#1896, RBAC: handle all request.auth.claims[] using RBAC list matcher #7747, Authn uses protobuf.Struct to store claims and add list support for RBAC proxy#1925)
Support Mesh objects for ServiceRole and ServiceRoleBinding. MeshServiceRole can be bound to namespace level ServiceRoleBinding or MeshServiceRoleBinding. (will be done as part of Authorization V2)
Allow multiple values for principals. Currently principals are map<string, string>, which allows a single string value. We can use the "Constraint" definition for principal, so that we can write:
(Authorization V2, #11800)
(Authorization V2, #11712, #11800)
Support other protocols like TCP and Mongo (authz: add TCP support for Istio authorization. #8325, rbac: add rbac network filter. envoyproxy/envoy#4083)
Query RBAC effect through CLI. In addition to issue Add istioctl subcommand to support querying Istio RBAC effect #4856, we can provide commands to support queries like list all permissions a subject has, or list all members that are allowed to access a service. (issue Add istioctl subcommand to support querying Istio RBAC effect #4856, Implement "permissions" and "subjects" sub commands to the "rbac list" command in istioctl #9036)
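The three principal-related proposals above (an "AllAuthenticatedUsers" selector distinct from "*", array-valued JWT claims such as groups where any one element should satisfy the check, and multiple allowed values per principal constraint) can be summarized as a small matcher. The following Go program is an added example written for this page, not Istio or Envoy code; the type names Identity, Principal, Constraint and the function Matches are hypothetical, and the claims are constructed sample data. It fails closed: a missing claim or a claim of an unexpected type never satisfies a constraint.

```go
package main

import "fmt"

// Selector values for the "user" field of a principal.
const (
	AllUsers              = "*"                     // authenticated or not
	AllAuthenticatedUsers = "AllAuthenticatedUsers" // proposed: requires an identity
)

// Identity describes the caller. User is empty for an unauthenticated request;
// Claims holds JWT claims whose values may be a string or a list of strings.
type Identity struct {
	User   string
	Claims map[string]interface{}
}

// Constraint accepts a claim when any of Values equals the claim or, for a
// list-valued claim, any element of the claim (multiple allowed values).
type Constraint struct {
	Key    string
	Values []string
}

// Principal is a subject selector: a user selector plus claim constraints,
// all of which must be satisfied. (Hypothetical type, not an Istio API.)
type Principal struct {
	User        string
	Constraints []Constraint
}

func contains(haystack []string, needle string) bool {
	for _, s := range haystack {
		if s == needle {
			return true
		}
	}
	return false
}

// userMatches implements the "*" / AllAuthenticatedUsers / exact-name cases.
func userMatches(selector, user string) bool {
	switch selector {
	case AllUsers:
		return true
	case AllAuthenticatedUsers:
		return user != ""
	default:
		return user == selector
	}
}

// claimMatches handles scalar and array claims; an array claim passes when at
// least one element is in the allowed set. Unknown value types are denied.
func claimMatches(claim interface{}, allowed []string) bool {
	switch v := claim.(type) {
	case string:
		return contains(allowed, v)
	case []string:
		for _, elem := range v {
			if contains(allowed, elem) {
				return true
			}
		}
		return false
	case []interface{}: // shape encoding/json produces for a JWT payload
		for _, elem := range v {
			if s, ok := elem.(string); ok && contains(allowed, s) {
				return true
			}
		}
		return false
	default:
		return false
	}
}

// Matches reports whether the identity satisfies the principal.
// A missing claim never satisfies a constraint (fail closed).
func Matches(p Principal, id Identity) bool {
	if !userMatches(p.User, id.User) {
		return false
	}
	for _, c := range p.Constraints {
		claim, present := id.Claims[c.Key]
		if !present || !claimMatches(claim, c.Values) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample caller with an array-valued "groups" claim.
	alice := Identity{User: "alice", Claims: map[string]interface{}{
		"groups": []string{"aaa", "bbb"},
	}}
	p := Principal{User: AllAuthenticatedUsers,
		Constraints: []Constraint{{Key: "groups", Values: []string{"bbb"}}}}
	fmt.Println("alice allowed:", Matches(p, alice))          // true
	fmt.Println("anonymous allowed:", Matches(p, Identity{})) // false
}
```

Note the split between the two wildcard selectors: "*" admits an empty User, while AllAuthenticatedUsers requires a non-empty one, which is the only difference the issue asks for.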