Version: 0.9.x

Runtime TSB App to App Authorization

Runtime authorization policies are attached to specific resources and define which subjects, and under which conditions, are allowed to access them. Different subjects can be configured to access the target resource under different conditions by setting multiple bindings in the same policy.

The default authorization policy allows access between services within an application, and denies cross-application traffic. Traffic between applications must be explicitly enabled by applying the corresponding access policy in the target application.

Multiple bindings may be specified in a single policy, in which case access will be granted when the request meets the requirements of any one of them (e.g. either the JWT condition or the header condition). A single binding can also specify multiple enforcement criteria (e.g. a JWT token and a particular header), in which case the request must satisfy all of them to match that binding.

Default authorization policy

When applications are discovered, the default policy is an empty policy which allows all access. Note though that the default policy blocking cross-namespace communication still applies, which means that you will need to add a load balancer in order to be able to reach the application.

curl -s -u admin:admin \
https://${TCCIP}:8443/v1/tenants/tcc/environments/dev/applications/bookinfo:authz | jq .
{
  "bindings": [],
  "etag": "\"OnGSG5pNga0=\""
}

JWT token

In this example we configure the httpbin application to require clients to present a JWT token in their requests in order to be let through. Moreover, the JWT token has to comply with certain restrictions.

cat<<EOF > /tmp/authz.json
{
  "bindings": [
    {
      "display_name": "Allow only if JWT is set",
      "from": [
        {
          "jwt": {
            "principal": "tetrate.io/admin",
            "audience": "bookinfo",
            "claims": {
              "group": "applications"
            },
            "validation": {
              "issuer": "tetrate.io",
              "jwks": "{\"keys\":[{\"kid\":\"0f9a5588-715f-46b6-9de9-1545ccb48d93\",\"kty\":\"oct\",\"alg\":\"HS256\",\"k\":\"c2lnbmluZy1rZXk=\"}]}"
            }
          }
        }
      ],
      "allow_http": {
        "to": [
          {
            "paths": [
              "/headers"
            ],
            "hosts": [
              "httpbin.tetrate.io"
            ],
            "methods": [
              "GET", "HEAD"
            ]
          }
        ]
      }
    }
  ],
  "etag": "\"7auuxwzEAq0=\""
}
EOF
Note: instead of embedding the JWKS JSON in jwt.validation.jwks, you can set jwt.validation.jwksUri to a URL from which the JWKS JSON is fetched.

The policy above specifies that:

  • Access is allowed from clients exposing a JWT token with the specified conditions (principal, audience, etc.). Note that the validation section needs to provide sufficient data to validate the token in the request.
  • Provided the source is allowed, access is granted to the specified hosts, paths, etc.

To apply such a policy to an application:

curl -s -u admin:admin https://${TCCIP}:8443/v1/tenants/tcc/environments/dev/applications/httpbin:authz \
-XPUT \
-d @/tmp/authz.json

When the policy has been applied you will need to provide a JWT token in order to be able to access the application:

curl -s -o /dev/null -w "%{http_code}" "https://httpbin.tetrate.io/headers"
403
curl -s -o /dev/null -w "%{http_code}" "https://httpbin.tetrate.io/headers" \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJib29raW5mbyIsImV4cCI6MTU3OTM0NDcwOSwiZ3JvdXAiOiJhcHBsaWNhdGlvbnMiLCJpYXQiOjE1NzkyNTgzMDksImlzcyI6InRldHJhdGUuaW8iLCJzdWIiOiJhZG1pbiJ9.yJSVEFsnaihkTNZkH9wtH5rYxGfykFouHDW0stYoMW8"
200

HTTP Headers

Similarly to the JWT example, requests can be authorized based on the presence of specific HTTP headers.

cat<<EOF > /tmp/authz.json
{
  "bindings": [
    {
      "display_name": "Allow based on x-app-id header",
      "from": [
        {
          "request_headers": {
            "x-app-id": "httpbin"
          }
        }
      ],
      "allow_http": {
        "to": [
          {
            "hosts": [
              "bookinfo.tetrate.io"
            ],
            "paths": [
              "/productpage"
            ]
          }
        ]
      }
    }
  ],
  "etag": "\"jhnkTq+1KDk=\""
}
EOF

In the example above:

  • Access will only be granted from clients setting the x-app-id header with a value of exactly httpbin.
  • Access will be granted only when requests are addressed to host bookinfo.tetrate.io and path /productpage. All other hosts or paths will be denied.

To apply the policy:

curl -s -u admin:admin \
https://${TCCIP}:8443/v1/tenants/tcc/environments/dev/applications/bookinfo:authz \
-XPUT \
-d @/tmp/authz.json

Now you can verify that access is only possible if you provide the right value of the x-app-id header, and only on the specified hosts and paths.

curl -s -o /dev/null -w "%{http_code}\n" "https://bookinfo.tetrate.io/headers"
403
curl -s -o /dev/null -w "%{http_code}\n" "https://bookinfo.tetrate.io/headers" -H 'x-app-id: httpbin'
403
curl -s -o /dev/null -w "%{http_code}\n" "https://bookinfo.tetrate.io/productpage" -H 'x-app-id: httpbin'
200
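The following is an added reference evaluator (not TSB code) that models the binding semantics described on this page and reproduces the 403/200 outcomes of both the JWT and the x-app-id examples. It assumes the JWT signature has already been verified against the policy's JWKS (only the decoded claims are passed in), that principal is compared against "<iss>/<sub>" as in the sample token above, and that entries under "from" are alternatives while the criteria inside one entry must all hold.

```python
"""Reference evaluator for the binding semantics described on this page (added example,
not TSB code). Assumptions: the JWT has already been signature-checked, so only its claims
are passed in; `principal` is compared against "<iss>/<sub>" (as in the sample token above);
entries under "from" are alternatives, while the criteria inside one entry must all hold."""
from typing import Any, Dict, Optional

Policy = Dict[str, Any]
Request = Dict[str, Any]  # keys: host, path, method, headers, jwt_claims (None when no token)

# Constructed policies mirroring the two examples on this page (jwks left out, see assumptions).
JWT_POLICY: Policy = {"bindings": [{"from": [{"jwt": {
    "principal": "tetrate.io/admin", "audience": "bookinfo", "claims": {"group": "applications"},
    "validation": {"issuer": "tetrate.io"}}}], "allow_http": {"to": [
    {"hosts": ["httpbin.tetrate.io"], "paths": ["/headers"], "methods": ["GET", "HEAD"]}]}}]}
HEADER_POLICY: Policy = {"bindings": [{"from": [{"request_headers": {"x-app-id": "httpbin"}}],
    "allow_http": {"to": [{"hosts": ["bookinfo.tetrate.io"], "paths": ["/productpage"]}]}}]}
EMPTY_POLICY: Policy = {"bindings": []}  # what a freshly discovered application gets

def _jwt_matches(rule: Dict[str, Any], claims: Optional[Dict[str, Any]]) -> bool:
    """Issuer, principal, audience and every listed claim must all hold on the verified claims."""
    if claims is None or claims.get("iss") != rule["validation"]["issuer"]:
        return False
    if "principal" in rule and f"{claims.get('iss')}/{claims.get('sub')}" != rule["principal"]:
        return False
    aud = claims.get("aud", [])
    if "audience" in rule and rule["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return False
    return all(claims.get(k) == v for k, v in rule.get("claims", {}).items())

def _source_matches(src: Dict[str, Any], req: Request) -> bool:
    """Every criterion in one 'from' entry (JWT and/or exact header values) must be satisfied."""
    if "jwt" in src and not _jwt_matches(src["jwt"], req.get("jwt_claims")):
        return False
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    return all(headers.get(h.lower()) == v for h, v in src.get("request_headers", {}).items())

def _target_matches(to: Dict[str, Any], req: Request) -> bool:
    """hosts/paths/methods restrict the target only when the rule lists them ("hosts" -> req["host"])."""
    return all(key not in to or req[key[:-1]] in to[key] for key in ("hosts", "paths", "methods"))

def is_allowed(policy: Policy, req: Request) -> bool:
    """Empty bindings allow everything; otherwise access is granted if any one binding has a
    matching source and a matching target (OR across bindings), and denied in every other case."""
    if not policy.get("bindings"):
        return True
    return any(any(_source_matches(s, req) for s in b.get("from", [])) and
               any(_target_matches(t, req) for t in b["allow_http"]["to"]) for b in policy["bindings"])
```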