Basic external auth policy
Authenticate requests with a basic dictionary of usernames and passwords.Basic authentication sends encoded user credentials in a standard header within the request. Then, Gloo Mesh authenticates the request against a dictionary of usernames and passwords that are written in the external auth policy. If the credentials in the request header match the policy, the request is sent to the destination. If not, Gloo Mesh Gateway returns a 401 response.
You might use basic auth for testing environments, such as when you release a new API method or version to a small number of known users.
Before you begin
-
Complete the demo setup to install Gloo Mesh, Istio, and Bookinfo in your cluster.
-
Make sure that you have the following CLI tools, or something comparable:
htpasswd
to generate hashed, salted passwords.base64
to encode strings.
-
Create the Gloo Mesh resources for this policy in the management and workload clusters.
The following files are examples only for testing purposes. Your actual setup might vary. You can use the files as a reference for creating your own tests.
-
Download the following Gloo Mesh resources:
-
Apply the files to your management cluster.
kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-1.yaml --context ${MGMT_CONTEXT} kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-2.yaml --context ${MGMT_CONTEXT} kubectl apply -f workspace_gloo-mesh_anything.yaml --context ${MGMT_CONTEXT}
-
Download the following Gloo Mesh resources:
-
Apply the files to your workload cluster.
kubectl apply -f ext-auth-server_bookinfo_default-server.yaml --context ${REMOTE_CONTEXT1} kubectl apply -f route-table_bookinfo_www-example-com.yaml --context ${REMOTE_CONTEXT1} kubectl apply -f virtual-gateway_bookinfo_north-south-gw.yaml --context ${REMOTE_CONTEXT1} kubectl apply -f workspace-settings_bookinfo_anything.yaml --context ${REMOTE_CONTEXT1}
-
Configure basic external auth policies
You can apply a basic external auth policy at the route or destination level. For more information, see Applying policies.
- Generate a salt and hashed password for your user credentials. The following example uses the
htpasswd
tool for a user nameduser
.htpasswd -nbm user password
Example output:
user:$apr1$TYiryv0/$8BvzLUO9IfGPGGsPnAgSu1
- Retrieve the salt and hashed password from the output of the previous step.
- Salt:
TYiryv0/
- Hashed password:
8BvzLUO9IfGPGGsPnAgSu1
- Salt:
- Review the following sample configuration files.
apiVersion: security.policy.gloo.solo.io/v2 kind: ExtAuthPolicy metadata: name: basic-auth namespace: bookinfo spec: applyToRoutes: - route: labels: route: ratings config: glooAuth: configs: - basicAuth: apr: users: user: hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1 salt: TYiryv0/ server: name: default-server
apiVersion: security.policy.gloo.solo.io/v2 kind: ExtAuthPolicy metadata: name: basic-auth namespace: bookinfo spec: applyToDestinations: - port: number: 9080 selector: labels: app: reviews config: glooAuth: configs: - basicAuth: apr: users: user: hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1 salt: TYiryv0/ server: name: default-server
Setting | Description |
---|---|
spec.applyToDestinations |
Configure which destinations to apply the policy to, by using labels. Destinations can be a Kubernetes service, VirtualService, or ExternalService. If you do not specify any destinations or routes, the rate limit policy applies to all destinations in the workspace by default. If you do not specify any destinations but you do specify a route, the rate limit applies to the route but to no destinations. |
spec.applyToRoutes |
Configure which routes to apply the policy to, by using labels. The label matches the app and the route from the route table. If omitted, the policy applies to all routes in the workspace. |
spec.config.glooAuth.configs.basicAuth |
Configure the basic auth credentials to use to authenticate requests. The example sets up user credentials for a user named user in the required APR1 format. For more information, see the API reference. |
spec.config.glooAuth.configs.basicAuthapr.users.user.hashedPassword |
The hashed password that you generated in the previous step. The example sets 8BvzLUO9IfGPGGsPnAgSu1 . |
spec.config.glooAuth.configs.basicAuthapr.users.user.salt |
The salt, or random data that hashes the password, that you generated in the previous step. The example sets TYiryv0/ . |
Apply external auth to external services
The following example is for an external auth policy that applies to an external service. Note that this policy requires different routing table and external auth server resources, as well as an external service.
apiVersion: security.policy.gloo.solo.io/v2
kind: ExtAuthPolicy
metadata:
name: httpbin-basic-auth
namespace: bookinfo
spec:
applyToRoutes:
- route:
labels:
route: external-service
config:
glooAuth:
configs:
- basicAuth:
apr:
users:
user:
hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1
salt: TYiryv0/
server:
name: default-server
apiVersion: admin.gloo.solo.io/v2
kind: ExtAuthServer
metadata:
name: default-server
namespace: bookinfo
spec:
destinationServer:
port:
number: 8083
ref:
cluster: cluster-1
name: ext-auth-service
namespace: gloo-mesh
apiVersion: networking.gloo.solo.io/v2
kind: ExternalService
metadata:
name: external-service
namespace: bookinfo
spec:
hosts:
- httpbin.org
ports:
- name: http
number: 80
protocol: HTTP
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
name: external-service-northsouth
namespace: bookinfo
spec:
defaultDestination:
kind: EXTERNAL_SERVICE
port:
number: 80
ref:
name: external-service
namespace: bookinfo
hosts:
- www.example.com
http:
- forwardTo: {}
labels:
"no": auth
matchers:
- headers:
- name: noauth
value: "true"
name: external-service-no-auth
- forwardTo: {}
labels:
route: external-service
name: external-service-northsouth
virtualGateways:
- name: north-south-gw
Verify basic external auth policies
- Apply the example basic external auth policy in the workload cluster.
kubectl apply --context ${REMOTE_CONTEXT1} -f external-auth-policy.yaml
- View the
ext-auth-service
deployment logs to verify that the policy was accepted. Look for a message similar to the following:"logger":"extauth","caller":"runner/run.go:179","msg":"got new config"
kubectl logs -n gloo-mesh deploy/ext-auth-service -c ext-auth-service -f --context $REMOTE_CONTEXT1
- Send a request to the
httpbin
app through the ingress gateway.curl -vik -H "Host: www.example.com" "http://$INGRESS_GW_IP/status/200/"
- Verify that you notice the added or removed request and response headers.