Basic external auth policy

Authenticate requests with a basic dictionary of usernames and passwords.

Basic authentication sends encoded user credentials in a standard header within the request. Then, Gloo Mesh authenticates the request against a dictionary of usernames and passwords that are written in the external auth policy. If the credentials in the request header match the policy, the request is sent to the destination. If not, Gloo Mesh Gateway returns a 401 response.

You might use basic auth for testing environments, such as when you release a new API method or version to a small number of known users.

Before you begin

  1. Complete the demo setup to install Gloo Mesh, Istio, and Bookinfo in your cluster.

  2. Make sure that you have the following CLI tools, or something comparable:

    • htpasswd to generate hashed, salted passwords.
    • base64 to encode strings.
  3. Create the Gloo Mesh resources for this policy in the management and workload clusters.

    The following files are examples only for testing purposes. Your actual setup might vary. You can use the files as a reference for creating your own tests.

    1. Download the following Gloo Mesh resources:

    2. Apply the files to your management cluster.

      kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-1.yaml --context ${MGMT_CONTEXT}
      kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-2.yaml --context ${MGMT_CONTEXT}
      kubectl apply -f workspace_gloo-mesh_anything.yaml --context ${MGMT_CONTEXT}
      
    1. Download the following Gloo Mesh resources:

    2. Apply the files to your workload cluster.

      kubectl apply -f ext-auth-server_bookinfo_default-server.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f route-table_bookinfo_www-example-com.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f virtual-gateway_bookinfo_north-south-gw.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f workspace-settings_bookinfo_anything.yaml --context ${REMOTE_CONTEXT1}
      

Configure basic external auth policies

You can apply a basic external auth policy at the route or destination level. For more information, see Applying policies.

  1. Generate a salt and hashed password for your user credentials. The following example uses the htpasswd tool for a user named user.
    htpasswd -nbm user password
    

    Example output:

    user:$apr1$TYiryv0/$8BvzLUO9IfGPGGsPnAgSu1
    
  2. Retrieve the salt and hashed password from the output of the previous step.
    • Salt: TYiryv0/
    • Hashed password: 8BvzLUO9IfGPGGsPnAgSu1
  3. Review the following sample configuration files.
    apiVersion: security.policy.gloo.solo.io/v2
    kind: ExtAuthPolicy
    metadata:
      name: basic-auth
      namespace: bookinfo
    spec:
      applyToRoutes:
      - route:
          labels:
            route: ratings
      config:
        glooAuth:
          configs:
          - basicAuth:
              apr:
                users:
                  user:
                    hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1
                    salt: TYiryv0/
        server:
          name: default-server
    
    apiVersion: security.policy.gloo.solo.io/v2
    kind: ExtAuthPolicy
    metadata:
      name: basic-auth
      namespace: bookinfo
    spec:
      applyToDestinations:
      - port:
          number: 9080
        selector:
          labels:
            app: reviews
      config:
        glooAuth:
          configs:
          - basicAuth:
              apr:
                users:
                  user:
                    hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1
                    salt: TYiryv0/
        server:
          name: default-server
    
Review the following table to understand this configuration.
Setting Description
spec.applyToDestinations Configure which destinations to apply the policy to, by using labels. Destinations can be a Kubernetes service, VirtualService, or ExternalService. If you do not specify any destinations or routes, the rate limit policy applies to all destinations in the workspace by default. If you do not specify any destinations but you do specify a route, the rate limit applies to the route but to no destinations.
spec.applyToRoutes Configure which routes to apply the policy to, by using labels. The label matches the app and the route from the route table. If omitted, the policy applies to all routes in the workspace.
spec.config.glooAuth.configs.basicAuth Configure the basic auth credentials to use to authenticate requests. The example sets up user credentials for a user named user in the required APR1 format. For more information, see the API reference.
spec.config.glooAuth.configs.basicAuthapr.users.user.hashedPassword The hashed password that you generated in the previous step. The example sets 8BvzLUO9IfGPGGsPnAgSu1.
spec.config.glooAuth.configs.basicAuthapr.users.user.salt The salt, or random data that hashes the password, that you generated in the previous step. The example sets TYiryv0/.

Apply external auth to external services

The following example is for an external auth policy that applies to an external service. Note that this policy requires different routing table and external auth server resources, as well as an external service.

apiVersion: security.policy.gloo.solo.io/v2
kind: ExtAuthPolicy
metadata:
  name: httpbin-basic-auth
  namespace: bookinfo
spec:
  applyToRoutes:
  - route:
      labels:
        route: external-service
  config:
    glooAuth:
      configs:
      - basicAuth:
          apr:
            users:
              user:
                hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1
                salt: TYiryv0/
    server:
      name: default-server
apiVersion: admin.gloo.solo.io/v2
kind: ExtAuthServer
metadata:
  name: default-server
  namespace: bookinfo
spec:
  destinationServer:
    port:
      number: 8083
    ref:
      cluster: cluster-1
      name: ext-auth-service
      namespace: gloo-mesh
apiVersion: networking.gloo.solo.io/v2
kind: ExternalService
metadata:
  name: external-service
  namespace: bookinfo
spec:
  hosts:
  - httpbin.org
  ports:
  - name: http
    number: 80
    protocol: HTTP
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
  name: external-service-northsouth
  namespace: bookinfo
spec:
  defaultDestination:
    kind: EXTERNAL_SERVICE
    port:
      number: 80
    ref:
      name: external-service
      namespace: bookinfo
  hosts:
  - www.example.com
  http:
  - forwardTo: {}
    labels:
      "no": auth
    matchers:
    - headers:
      - name: noauth
        value: "true"
    name: external-service-no-auth
  - forwardTo: {}
    labels:
      route: external-service
    name: external-service-northsouth
  virtualGateways:
  - name: north-south-gw

Verify basic external auth policies

  1. Apply the example basic external auth policy in the workload cluster.
    kubectl apply --context ${REMOTE_CONTEXT1} -f external-auth-policy.yaml
    
  2. View the ext-auth-service deployment logs to verify that the policy was accepted. Look for a message similar to the following: "logger":"extauth","caller":"runner/run.go:179","msg":"got new config"
    kubectl logs -n gloo-mesh deploy/ext-auth-service -c ext-auth-service -f --context $REMOTE_CONTEXT1
    
  3. Send a request to the httpbin app through the ingress gateway.
    curl -vik -H "Host: www.example.com" "http://$INGRESS_GW_IP/status/200/"
    
  4. Verify that you notice the added or removed request and response headers.