Basic external auth policy
Authenticate requests with a basic dictionary of usernames and passwords.
Basic authentication sends encoded user credentials in a standard header within the request. Then, Gloo Mesh (Gloo Platform APIs) authenticates the request against a dictionary of usernames and passwords that are written in the external auth policy. If the credentials in the request header match the policy, the request is sent to the destination. If not, Gloo Mesh Gateway returns a 401 response.
You might use basic auth for testing environments, such as when you release a new API method or version to a small number of known users.
Before you begin
Complete the multicluster getting started guide to set up the following testing environment.
- Three clusters along with environment variables for the clusters and their Kubernetes contexts.
- The Gloo
meshctlCLI, along with other CLI tools such askubectlandistioctl. - The Gloo management server in the management cluster, and the Gloo agents in the workload clusters.
- Istio installed in the workload clusters.
- A simple Gloo workspace setup.
- Install Bookinfo and other sample apps.
Make sure that the external auth service is installed and running. If not, install the external auth service.
kubectl get pods –context $REMOTE_CONTEXT1 -A -l app=ext-auth-serviceMake sure that you have the following CLI tools, or something comparable:
htpasswdto generate hashed, salted passwords.base64to encode strings.
Apply a basic external auth policy
You can apply a basic external auth policy at the route or destination level. For more information, see Applying policies.
meshctl x validate resources command. For more information, see the resource validation overview and the CLI command reference.Step 1: Configure a basic external auth policy
- Generate a salt and hashed password for your user credentials. The following example uses the
htpasswdtool for a user nameduser.Example output:htpasswd -nbm user passworduser:$apr1$TYiryv0/$8BvzLUO9IfGPGGsPnAgSu1 - Retrieve the salt and hashed password from the output of the previous step.
- Salt:
TYiryv0/ - Hashed password:
8BvzLUO9IfGPGGsPnAgSu1
- Salt:
- Review the following sample configuration file.
apiVersion: security.policy.gloo.solo.io/v2 kind: ExtAuthPolicy metadata: name: basic-auth namespace: bookinfo spec: applyToDestinations: - port: number: 9080 selector: labels: app: ratings config: glooAuth: configs: - basicAuth: apr: users: user: hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1 salt: TYiryv0/ server: name: default-serverReview the following table to understand this configuration. For more information, see the API docs.
Setting Description applyToDestinationsUse labels to apply the policy to destinations. Destinations might be a Kubernetes service, VirtualDestination, or ExternalService (if supported by the policy). If you do not specify any destinations or routes, the policy applies to all destinations in the workspace by default. If you do not specify any destinations but you do specify a route, the policy applies to the route but to no destinations.For an example that selects a VirtualDestination, see Apply external auth to virtual destinations. basicAuthConfigure the basic auth credentials to use to authenticate requests. The example sets up user credentials for a user named userin the required APR1 format. For more information, see the API reference.hashedPasswordThe hashed password that you generated in the previous step. The example sets 8BvzLUO9IfGPGGsPnAgSu1.saltThe salt, or random data that hashes the password, that you generated in the previous step. The example sets TYiryv0/.serverThe ExtAuthServerresource that represents the server for the policy to use. In this example, only thenameis specified. Gloo attempts to find the resource in the same namespace and cluster as the policy, or you can addnamespaceandclusterfields. To create anExtAuthServerresource, see Set up the Gloo Mesh (Gloo Platform APIs) external auth server.Step 2: Verify basic external auth policies
- Apply the example basic external auth policy and server in the workload cluster. The following example refers directly to the default Gloo Mesh (Gloo Platform APIs) external auth service, but you can also use a virtual destination instead. For more information, see External auth server setup. Note: Change
cluster-1as needed to your cluster’s actual name.kubectl apply --context ${REMOTE_CONTEXT1} -f - << EOF apiVersion: security.policy.gloo.solo.io/v2 kind: ExtAuthPolicy metadata: name: basic-auth namespace: bookinfo spec: applyToDestinations: - port: number: 9080 selector: labels: app: ratings config: glooAuth: configs: - basicAuth: apr: users: user: hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1 salt: TYiryv0/ server: name: default-server --- apiVersion: admin.gloo.solo.io/v2 kind: ExtAuthServer metadata: name: default-server namespace: bookinfo spec: destinationServer: port: number: 8083 ref: cluster: cluster-1 name: ext-auth-service namespace: gloo-mesh EOFView the
ext-auth-servicedeployment logs to verify that the policy was accepted. Look for a message similar to the following:"logger":"extauth","caller":"runner/run.go:179","msg":"got new config". If you don’t see this message, check the management server logs for errors.meshctl logs ext-auth –kubecontext $REMOTE_CONTEXT1Send an unauthenticated request to the
reviewsapp.Create a temporary curl pod in the
bookinfonamespace, so that you can test the app setup. You can also use this method in Kubernetes 1.23 or later, but an ephemeral container might be simpler.
- Create the curl pod.
kubectl run -it -n bookinfo --context $REMOTE_CONTEXT1 curl \ --image=curlimages/curl:7.73.0 --rm -- sh - Send a request to the reviews app.
curl http://reviews:9080/reviews/1 -v
Example output: Notice that the request is denied with a
401 Unauthorizedresponse.HTTP/1.1 401 UnauthorizedEncode the expected user credentials in base64 format.
echo -n "user:password" | base64Example output:
dXNlcjpwYXNzd29yZA==Repeat the request to the
reviewsapp, including the authorization header with the user credentials. This time, the request succeeds.
- Create the curl pod.
kubectl run -it -n bookinfo --context $REMOTE_CONTEXT1 curl \ --image=curlimages/curl:7.73.0 --rm -- sh - Send a request to the reviews app.
curl -H "Authorization: basic dXNlcjpwYXNzd29yZA==" http://reviews:9080/reviews/1 -v - Exit the temporary pod. The pod deletes itself.
exit
Example output:
HTTP/1.1 200 OKApply external auth to external services
The following example is for an external auth policy that applies to an external service. Note that this policy requires different routing table and external auth server resources, as well as an external service.
apiVersion: security.policy.gloo.solo.io/v2 kind: ExtAuthPolicy metadata: name: httpbin-basic-auth namespace: bookinfo spec: applyToRoutes: - route: labels: route: external-service config: glooAuth: configs: - basicAuth: apr: users: user: hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1 salt: TYiryv0/ server: name: default-serverapiVersion: admin.gloo.solo.io/v2 kind: ExtAuthServer metadata: name: default-server namespace: bookinfo spec: destinationServer: port: number: 8083 ref: cluster: cluster-1 name: ext-auth-service namespace: gloo-meshapiVersion: networking.gloo.solo.io/v2 kind: ExternalService metadata: name: external-service namespace: bookinfo spec: hosts: - httpbin.solo ports: - name: http number: 8080 protocol: HTTPapiVersion: networking.gloo.solo.io/v2 kind: RouteTable metadata: name: external-service-northsouth namespace: bookinfo spec: defaultDestination: kind: EXTERNAL_SERVICE port: number: 8080 ref: name: external-service namespace: bookinfo hosts: - www.example.com http: - forwardTo: {} labels: "no": auth matchers: - headers: - name: noauth value: "true" name: external-service-no-auth - forwardTo: {} labels: route: external-service name: external-service-northsouth virtualGateways: - name: istio-ingressgatewayApply external auth to virtual destinations
You can apply an external auth policy to a virtual destination.
Create a VirtualDestination for the service that you want to protect. The following example creates a VirtualDestination for the Bookinfo
reviewsservice. Note the following requirements:- The VirtualDestination must be in the same workspace as its backing workloads, as well as the external auth policy.
- The VirtualDestination’s backing workloads must be of type Kubernetes service. ExternalWorkload and ExternalService are not supported.
- The backing service must be part of your service mesh.
kubectl apply -f - << EOF apiVersion: networking.gloo.solo.io/v2 kind: VirtualDestination metadata: name: reviews-global namespace: bookinfo spec: hosts: - reviews.vd ports: - number: 80 protocol: HTTP targetPort: name: http services: - labels: app: reviews EOFCreate an ExtAuthServer. The following example refers directly to the default Gloo Mesh (Gloo Platform APIs) external auth service, but you can also use a virtual destination instead. For more information, see External auth server setup. Note: Change
cluster-1as needed to your cluster’s actual name.kubectl apply -f - << EOF apiVersion: admin.gloo.solo.io/v2 kind: ExtAuthServer metadata: name: default-server namespace: bookinfo spec: destinationServer: port: number: 8083 ref: cluster: cluster-1 name: ext-auth-service namespace: gloo-mesh-addons EOFCreate an ExtAuthPolicy that selects the virtual destination through the
applyToDestinationsfield. Note: If you already have an ExtAuthPolicy that selects a Kubernetes service, that policy takes precedence.kubectl apply -f - << EOF apiVersion: security.policy.gloo.solo.io/v2 kind: ExtAuthPolicy metadata: name: vd-basic-auth namespace: bookinfo spec: applyToDestinations: - kind: VIRTUAL_DESTINATION port: number: 80 selector: name: reviews-global config: glooAuth: configs: - basicAuth: apr: users: user: hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1 salt: TYiryv0/ server: name: default-server EOFView the
ext-auth-servicedeployment logs to verify that the policy was accepted. Look for a message similar to the following:"logger":"extauth","caller":"runner/run.go:179","msg":"got new config". If you don’t see this message, check the management server logs for errors.meshctl logs ext-auth–kubecontext $REMOTE_CONTEXT1Send an unauthenticated request to the
reviewsapp.Create a temporary curl pod in thebookinfonamespace, so that you can test the app setup. You can also use this method in Kubernetes 1.23 or later, but an ephemeral container might be simpler.- Create the curl pod.
kubectl run -it -n bookinfo --context $REMOTE_CONTEXT1 curl \ --image=curlimages/curl:7.73.0 --rm -- sh - Send a request to the reviews app.
curl http://reviews:9080/reviews/1 -v
Example output: Notice that the request is denied with a
401 Unauthorizedresponse.HTTP/1.1 401 Unauthorized- Create the curl pod.
Encode the expected user credentials in base64 format.
echo -n "user:password" | base64Example output:
dXNlcjpwYXNzd29yZA==Repeat the request to the
reviewsapp, including the authorization header with the user credentials. This time, the request succeeds.- Create the curl pod.
kubectl run -it -n bookinfo --context $REMOTE_CONTEXT1 curl \ --image=curlimages/curl:7.73.0 --rm -- sh - Send a request to the reviews app.
curl -H "Authorization: basic dXNlcjpwYXNzd29yZA==" http://reviews:9080/reviews/1 -v - Exit the temporary pod. The pod deletes itself.
exit
Example output:
HTTP/1.1 200 OK- Create the curl pod.
Cleanup
You can optionally remove the resources that you set up as part of this guide.kubectl –context $REMOTE_CONTEXT1 -n bookinfo delete ExtAuthPolicy basic-auth kubectl –context $REMOTE_CONTEXT1 -n bookinfo delete ExtAuthServer default-server kubectl –context $REMOTE_CONTEXT1 -n bookinfo delete VirtualDestination reviews-global - Apply the example basic external auth policy and server in the workload cluster. The following example refers directly to the default Gloo Mesh (Gloo Platform APIs) external auth service, but you can also use a virtual destination instead. For more information, see External auth server setup. Note: Change