Loading...

XML

Word

Printable

Details

Type: Task
Resolution: Done
Priority: Major
Fix Version/s: maistra-0.8.0
Affects Version/s: maistra-0.5.0
Component/s: None
Labels:
- upstream

Sprint:
Maistra TP sprint 8

SFDC Cases Counter:
SFDC Cases Links:

Description

I am using redhat sso for authentication and authorization and have created following roles.
-prod
user:prod001
-rate
user:rate001

I have created the following artifacts.
----------------------------
cat istio-defaul-authorization.yaml

apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
name: default
spec:
mode: 'ON'

----------------------------

cat servicerole-productpage.yaml

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
name: productviewer
spec:
rules:

services: ["productpage.myproject.svc.cluster.local"]
methods: ["GET"]

-------------------------------------------------------------------------

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: productviewe-binding
namespace: myproject
spec:
subjects:

properties:
request.auth.claims[email]: "prod001@gmail.com"
roleRef:
kind: ServiceRole
name: "productviewer"

---------------------------------------------------------------------
With the above setting ,everything works as expected

But when I am using service role binding as follows.It gives exception while creating the definition.
-------------------------------------------

apiVersion: "rbac.istio.io/v1alpha1" kind: ServiceRoleBinding metadata: name: productviewe-binding namespace: myproject spec: subjects:
properties: request.auth.claims[realm_access]: roles: prod uma_authorization roleRef: kind: ServiceRole name: "productviewer"

-------------------------------------------

I get the following exception.
---------------------------------------------
*Error from server: *error when creating "servicerolebinding-product.yaml": admission webhook "pilot.validation.istio.io" denied the request: error decoding configuration: YAML decoding error: roleRef:
kind: ServiceRole
name: productviewer
subjects:

properties:
request.auth.claims[realm_access]:
roles:
prod
uma_authorization

json: cannot unmarshal object into Go value of type string*
---------------------------------------------
To define any role base authentication using RHSSO ,we need to get this working.

My json webtoken is as follows.
....................................................................................................
{
"jti": "6da0c0be-1eb3-4df6-a404-b5f178920110",
"exp": 1545555606,
"nbf": 0,
"iat": 1545555306,
"iss": "http://sso-http-sso.apps.bb40.example.opentlc.com/auth/realms/istio",
"aud": "servicemesh",
"sub": "89189f58-bc32-4ec5-9bcc-7f009be1a74d",
"typ": "Bearer",
"azp": "servicemesh",
"auth_time": 0,
"session_state": "d4014802-cfe4-41d9-9eb9-d371d2a4b59c",
"acr": "1",
"allowed-origins": [],
"realm_access":

{ "roles": [ "prod", "uma_authorization" ] }

,
"resource_access": {
"account":

{ "roles": [ "manage-account", "manage-account-links", "view-profile" ] }

},
"name": "prod001 first name prod001 last name",
"preferred_username": "prod001",
"given_name": "prod001 first name",
"family_name": "prod001 last name",
"email": "prod001@gmail.com"
}
----------------------------------------------------------------------------------

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

istio-defaul-authorization.yaml
0.1 kB
2018/12/23 5:48 AM
servicerolebinding-product_notworking.yaml
0.3 kB
2018/12/23 5:48 AM
servicerolebinding-product.yaml
0.3 kB
2018/12/23 5:48 AM
servicerole-productpage.yaml
0.2 kB
2018/12/23 5:48 AM

Activity

People

Assignee:: Kevin Conner (Inactive)

Reporter:: Shrish srivastava (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2018/12/23 5:44 AM

Updated:: 2020/11/13 7:17 PM

Resolved:: 2019/02/17 3:24 PM