Details
- Task
- Resolution: Done
- Major
- maistra-0.5.0
- None
- Maistra TP sprint 8
Description
I am using Red Hat SSO for authentication and authorization and have created the following roles:
- prod
  user: prod001
- rate
  user: rate001
I have created the following artifacts.
----------------------------
cat istio-defaul-authorization.yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
spec:
  mode: 'ON'
----------------------------
cat servicerole-productpage.yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: productviewer
spec:
  rules:
  - services: ["productpage.myproject.svc.cluster.local"]
    methods: ["GET"]
----------------------------
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: productviewe-binding
  namespace: myproject
spec:
  subjects:
  - properties:
      request.auth.claims[email]: "prod001@gmail.com"
  roleRef:
    kind: ServiceRole
    name: "productviewer"
With the above setting, everything works as expected.
But when I use the service role binding as follows, it gives an exception while creating the definition.
-------------------------------------------
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: productviewe-binding
  namespace: myproject
spec:
  subjects:
  - properties:
      request.auth.claims[realm_access]:
        roles:
        - prod
        - uma_authorization
  roleRef:
    kind: ServiceRole
    name: "productviewer"
-------------------------------------------
I get the following exception.
---------------------------------------------
Error from server: error when creating "servicerolebinding-product.yaml": admission webhook "pilot.validation.istio.io" denied the request: error decoding configuration: YAML decoding error: roleRef:
  kind: ServiceRole
  name: productviewer
subjects:
- properties:
    request.auth.claims[realm_access]:
      roles:
      - prod
      - uma_authorization
: json: cannot unmarshal object into Go value of type string
---------------------------------------------
To define any role-based authentication using RHSSO, we need to get this working.
My JSON web token is as follows.
....................................................................................................
{
"jti": "6da0c0be-1eb3-4df6-a404-b5f178920110",
"exp": 1545555606,
"nbf": 0,
"iat": 1545555306,
"iss": "http://sso-http-sso.apps.bb40.example.opentlc.com/auth/realms/istio",
"aud": "servicemesh",
"sub": "89189f58-bc32-4ec5-9bcc-7f009be1a74d",
"typ": "Bearer",
"azp": "servicemesh",
"auth_time": 0,
"session_state": "d4014802-cfe4-41d9-9eb9-d371d2a4b59c",
"acr": "1",
"allowed-origins": [],
"realm_access":
,
"resource_access": {
"account":
},
"name": "prod001 first name prod001 last name",
"preferred_username": "prod001",
"given_name": "prod001 first name",
"family_name": "prod001 last name",
"email": "prod001@gmail.com"
}
----------------------------------------------------------------------------------
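The following is an added example and is not code from this issue, from Maistra or from Istio. It reproduces, with the Go standard library alone, the constraint the admission error above states: every value under subjects[].properties is decoded into a string, so a nested object (the realm_access claim with its roles list) fails with json.UnmarshalTypeError, while the email binding decodes. The struct shapes, the field names beyond those visible in the two bindings, and the sample token payload (whose realm_access value is assumed from the roles echoed in the error, not copied from the issue's token) are assumptions. The second helper is a pre-submission check: given a decoded JWT payload, it lists which top-level claims are string-valued and can be written as request.auth.claims[name]: "value", and which hold objects or arrays and cannot be expressed as a string property in this binding form.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"reflect"
	"sort"
)

// Assumed shapes: they mirror only what the two bindings in the issue show
// and the error's statement that a property value is a string. JSON is used
// for the documents because JSON is a subset of YAML.
type RoleRef struct {
	Kind string `json:"kind"`
	Name string `json:"name"`
}

type Subject struct {
	User       string            `json:"user,omitempty"`
	Group      string            `json:"group,omitempty"`
	Properties map[string]string `json:"properties,omitempty"`
}

type ServiceRoleBindingSpec struct {
	Subjects []Subject `json:"subjects"`
	RoleRef  RoleRef   `json:"roleRef"`
}

// DecodeBindingSpec decodes a spec with a typed decoder; an object where a
// string is expected surfaces as *json.UnmarshalTypeError.
func DecodeBindingSpec(doc []byte) (*ServiceRoleBindingSpec, error) {
	var spec ServiceRoleBindingSpec
	if err := json.Unmarshal(doc, &spec); err != nil {
		return nil, err
	}
	return &spec, nil
}

// IsObjectIntoString reports whether err is the failure from the issue:
// a JSON object arrived where a string value was expected.
func IsObjectIntoString(err error) bool {
	var ute *json.UnmarshalTypeError
	if !errors.As(err, &ute) {
		return false
	}
	return ute.Value == "object" && ute.Type != nil && ute.Type.Kind() == reflect.String
}

// ClaimKinds classifies top-level JWT claims. Keys in usable have string
// values and can be written as request.auth.claims[key]: "value"; keys in
// nested hold objects or arrays and cannot be written as a string property.
func ClaimKinds(payload []byte) (usable, nested []string, err error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, nil, err
	}
	for k, v := range claims {
		switch v.(type) {
		case string:
			usable = append(usable, k)
		case map[string]interface{}, []interface{}:
			nested = append(nested, k)
		}
	}
	sort.Strings(usable)
	sort.Strings(nested)
	return usable, nested, nil
}

// Constructed inputs: JSON forms of the two bindings from the issue, and a
// reduced sample token whose realm_access value is assumed, not taken from
// the token posted in the issue.
const (
	WorkingBinding = `{"subjects":[{"properties":{"request.auth.claims[email]":"prod001@gmail.com"}}],
	  "roleRef":{"kind":"ServiceRole","name":"productviewer"}}`
	NestedBinding = `{"subjects":[{"properties":{"request.auth.claims[realm_access]":{"roles":["prod","uma_authorization"]}}}],
	  "roleRef":{"kind":"ServiceRole","name":"productviewer"}}`
	SampleToken = `{"sub":"89189f58-bc32-4ec5-9bcc-7f009be1a74d","preferred_username":"prod001",
	  "email":"prod001@gmail.com","allowed-origins":[],
	  "realm_access":{"roles":["prod","uma_authorization"]}}`
)

func main() {
	if _, err := DecodeBindingSpec([]byte(WorkingBinding)); err != nil {
		fmt.Println("email binding unexpectedly failed:", err)
	} else {
		fmt.Println("email binding decodes")
	}
	_, err := DecodeBindingSpec([]byte(NestedBinding))
	fmt.Println("realm_access binding:", err, "| object-into-string:", IsObjectIntoString(err))

	usable, nested, _ := ClaimKinds([]byte(SampleToken))
	fmt.Println("string-valued claims usable as properties:", usable)
	fmt.Println("object/array claims not expressible as a string property:", nested)
}
```

Run the check against a real token payload (the decoded middle segment of the bearer token) before writing a binding: anything that lands in the nested list, such as realm_access here, cannot be matched with a single request.auth.claims[...] string property in this form of the binding.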