Auth
Authentication
| Field | Description | Validation Rule |
|---|---|---|
| jwt | – | – |
JWT
| Field | Description | Validation Rule |
|---|---|---|
| issuer | string | string = { |
| audiences | List of string | – |
| jwksUri | string | – |
| jwks | string | – |
Authorization
Configuration for authorizing an HTTP request.
| Field | Description | Validation Rule |
|---|---|---|
| external | tetrateio.api.tsb.auth.v2.Authorization.ExternalAuthzBackend | – |
| local | – | – |
ExternalAuthzBackend
Use an authorization server running at the specified URI. Both HTTP and gRPC servers are supported.
It is recommended to enable TLS validation (SIMPLE or MUTUAL) to secure the traffic between the workload and the external authorization server.
If you use gRPC, do not set includeRequestHeaders.
| Field | Description | Validation Rule |
|---|---|---|
| uri | – | – |
| includeRequestHeaders | List of string | – |
| tls | – | – |
LocalAuthz
Authorize the request in Envoy based on the JWT claims.
| Field | Description | Validation Rule |
|---|---|---|
| rules | – | – |
ClientTLSSettings
Configure TLS parameters for the client.
| Field | Description | Validation Rule |
|---|---|---|
| mode | tetrateio.api.tsb.auth.v2.TLSMode | – |
| files | tetrateio.api.tsb.auth.v2.TLSFileSource | – |
| subjectAltNames | List of string | – |
LocalAuthzRule
Bindings define the subjects that can access the resource a policy is attached to, and the conditions that need to be met for that access to be granted. A policy can have multiple bindings to configure different access controls for specific subjects.
| Field | Description | Validation Rule |
|---|---|---|
| name | string | string = { |
| from | List of tetrateio.api.tsb.auth.v2.Subject | – |
| to | List of tetrateio.api.tsb.auth.v2.LocalAuthzRule.HttpOperation | – |
HttpOperation
| Field | Description | Validation Rule |
|---|---|---|
| paths | List of string | repeated = { |
| methods | List of string | repeated = { |
Subject
A subject designates an actor (user, service, etc.) that attempts to access a target resource. Subjects can be modeled with JWT tokens or service accounts, and decorated with attributes such as HTTP request headers and JWT token claims. The fields that define a subject are matched against incoming requests to fully qualify where the request comes from and to decide whether the request is allowed for the target resource. All the fields in a subject are evaluated as AND expressions.
| Field | Description | Validation Rule |
|---|---|---|
| jwt | tetrateio.api.tsb.auth.v2.Subject.JWTClaims | – |
JWTClaims
JWT-based subject.
JWT-based subjects qualify a subject by matching against a JWT token present in the request. By default the token is expected to be present in the 'Authorization' HTTP header, with the 'Bearer' prefix.
| Field | Description | Validation Rule |
|---|---|---|
| iss | – | – |
| sub | – | – |
| other | map<string, string> | – |
TLSFileSource
TLSFileSource is used to load the keys and certificates from files accessible to the workload.
| Field | Description | Validation Rule |
|---|---|---|
| clientCertificate | string | – |
| privateKey | string | – |
| caCertificates | string | – |
TLSMode
Describes how authentication is performed as part of establishing a TLS connection.
| Name | Number | Description |
|---|---|---|
| DISABLED | 0 | TLS is not used and communication is in plaintext. |
| SIMPLE | 1 | Only the server is authenticated. |
| MUTUAL | 2 | Both peers in the communication must present their certificate for TLS authentication. |
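The following YAML is an added illustration of how the JWT, ExternalAuthzBackend, ClientTLSSettings and LocalAuthzRule messages on this page fit together; it is not configuration from the TSB documentation or product. The resource that embeds these `authentication` and `authorization` blocks is outside this page, and every URI, file path, claim value and subject alternative name is a placeholder. The first `authorization` block is the form the ExternalAuthzBackend note warns against; the second is the recommended form; the third uses local authorization instead.

```yaml
# Added illustration, not from the TSB docs: placeholder values throughout.
# Each YAML document is an alternative Authorization block; how the blocks are
# embedded in a TSB resource is not covered by this page.
---
authentication:
  jwt:
    issuer: "https://issuer.example.com"                        # placeholder
    audiences: ["orders-api"]                                   # placeholder
    jwksUri: "https://issuer.example.com/.well-known/jwks.json" # placeholder
# WEAK: TLSMode DISABLED, so the forwarded request headers (here the bearer
# token itself) reach the authorization server in plaintext.
authorization:
  external:
    uri: "http://authz.example.internal:8080"                   # placeholder
    includeRequestHeaders: ["authorization"]
    tls:
      mode: DISABLED
---
# RECOMMENDED: the same backend over MUTUAL TLS, as the ExternalAuthzBackend
# note advises; both peers present certificates and the server identity is
# pinned with subjectAltNames. includeRequestHeaders applies to HTTP backends
# only; leave it unset for a gRPC backend.
authorization:
  external:
    uri: "https://authz.example.internal:8443"                  # placeholder
    includeRequestHeaders: ["authorization"]
    tls:
      mode: MUTUAL
      files:
        clientCertificate: /etc/certs/client.pem                # placeholder
        privateKey: /etc/certs/client-key.pem                   # placeholder
        caCertificates: /etc/certs/ca.pem                       # placeholder
      subjectAltNames: ["authz.example.internal"]
---
# Local alternative: authorize in Envoy from the validated JWT claims. Within
# a subject every listed field must match (AND, as stated under Subject).
# Treating each key of `other` as a claim name is an assumption.
authorization:
  local:
    rules:
      - name: orders-readers
        from:
          - jwt:
              iss: "https://issuer.example.com"
              sub: "svc-reporting"                              # placeholder
              other:
                scope: "orders:read"                            # placeholder claim
        to:
          - paths: ["/orders"]
            methods: ["GET"]
```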