On this page

Basic external auth policy

Authenticate requests with a basic dictionary of usernames and passwords.

Basic authentication sends encoded user credentials in a standard header within the request. Then, Gloo Mesh authenticates the request against a dictionary of usernames and passwords that are written in the external auth policy. If the credentials in the request header match the policy, the request is sent to the destination. If not, Gloo Mesh Gateway returns a 401 response.

You might use basic auth for testing environments, such as when you release a new API method or version to a small number of known users.

check_circle

If you import or export resources across workspaces, your policies might not apply. For more information, see Import and export policies.

Before you begin

info

This guide assumes that you use the same names for components like clusters, workspaces, and namespaces as in the getting started. If you have different names, make sure to update the sample configuration files in this guide.

Complete the multicluster getting started guide to set up the following testing environment.
- Three clusters along with environment variables for the clusters and their Kubernetes contexts.
- The Gloo meshctl CLI, along with other CLI tools such as kubectl and istioctl.
- The Gloo management server in the management cluster, and the Gloo agents in the workload clusters.
- Istio installed in the workload clusters.
- A simple Gloo workspace setup.
Install Bookinfo and other sample apps.
Make sure that the external auth service is installed and running. If not, install the external auth service.
```
kubectl get pods --context $REMOTE_CONTEXT1 -A -l app=ext-auth-service
```
Make sure that you have the following CLI tools, or something comparable:
- htpasswd to generate hashed, salted passwords.
- base64 to encode strings.

Apply a basic external auth policy

You can apply a basic external auth policy at the route or destination level. For more information, see Applying policies.

info

When you apply this custom resource to your cluster, Gloo Mesh Enterprise automatically checks the configuration against validation rules and value constraints. You can also run a pre-admission validation check by using the meshctl x validate resources command. For more information, see the resource validation overview and the CLI command reference.

Step 1: Configure a basic external auth policy

Generate a salt and hashed password for your user credentials. The following example uses the htpasswd tool for a user named user.
```
htpasswd -nbm user password
```
Example output:
```
user:$apr1$TYiryv0/$8BvzLUO9IfGPGGsPnAgSu1
```
Retrieve the salt and hashed password from the output of the previous step.
- Salt: TYiryv0/
- Hashed password: 8BvzLUO9IfGPGGsPnAgSu1

Review the following sample configuration file.

apiVersion: security.policy.gloo.solo.io/v2
kind: ExtAuthPolicy
metadata:
  name: basic-auth
  namespace: bookinfo
spec:
  applyToDestinations:
  - port:
      number: 9080
    selector:
      labels:
        app: ratings
  config:
    glooAuth:
      configs:
      - basicAuth:
          apr:
            users:
              user:
                hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1
                salt: TYiryv0/
    server:
      name: default-server

Review the following table to understand this configuration. For more information, see the API docs.

Setting	Description
`applyToDestinations`	Use labels to apply the policy to destinations. Destinations might be a Kubernetes service, VirtualDestination, or ExternalService (if supported by the policy). If you do not specify any destinations or routes, the policy applies to all destinations in the workspace by default. If you do not specify any destinations but you do specify a route, the policy applies to the route but to no destinations. For an example that selects a VirtualDestination, see Apply external auth to virtual destinations.

`basicAuth`	Configure the basic auth credentials to use to authenticate requests. The example sets up user credentials for a user named `user` in the required APR1 format. For more information, see the API reference.
`hashedPassword`	The hashed password that you generated in the previous step. The example sets `8BvzLUO9IfGPGGsPnAgSu1`.
`salt`	The salt, or random data that hashes the password, that you generated in the previous step. The example sets `TYiryv0/`.
`server`	The `ExtAuthServer` resource that represents the server for the policy to use. In this example, only the `name` is specified. Gloo attempts to find the resource in the same namespace and cluster as the policy, or you can add `namespace` and `cluster` fields. To create an `ExtAuthServer` resource, see Set up the Gloo Mesh Enterprise external auth server.

Step 2: Verify basic external auth policies

Apply the example basic external auth policy and server in the workload cluster. The following example refers directly to the default Gloo Mesh Enterprise external auth service, but you can also use a virtual destination instead. For more information, see External auth server setup. Note: Change cluster-1 as needed to your cluster’s actual name.

kubectl apply --context ${REMOTE_CONTEXT1} -f - << EOF
apiVersion: security.policy.gloo.solo.io/v2
kind: ExtAuthPolicy
metadata:
  name: basic-auth
  namespace: bookinfo
spec:
  applyToDestinations:
  - port:
      number: 9080
    selector:
      labels:
        app: ratings
  config:
    glooAuth:
      configs:
      - basicAuth:
          apr:
            users:
              user:
                hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1
                salt: TYiryv0/
    server:
      name: default-server
---
apiVersion: admin.gloo.solo.io/v2
kind: ExtAuthServer
metadata:
  name: default-server
  namespace: bookinfo
spec:
  destinationServer:
    port:
      number: 8083
    ref:
      cluster: cluster-1
      name: ext-auth-service
      namespace: gloo-mesh
EOF

View the ext-auth-service deployment logs to verify that the policy was accepted. Look for a message similar to the following: "logger":"extauth","caller":"runner/run.go:179","msg":"got new config". If you don’t see this message, check the management server logs for errors.
```
meshctl logs ext-auth --kubecontext $REMOTE_CONTEXT1
```
Send an unauthenticated request to the reviews app. Create a temporary curl pod in the bookinfo namespace, so that you can test the app setup. You can also use this method in Kubernetes 1.23 or later, but an ephemeral container might be simpler.
1. Create the curl pod.
```
kubectl run -it -n bookinfo --context $REMOTE_CONTEXT1 curl \
--image=curlimages/curl:7.73.0 --rm  -- sh
```
2. Send a request to the reviews app.
```
curl http://reviews:9080/reviews/1 -v
```
Example output: Notice that the request is denied with a 401 Unauthorized response.
```
HTTP/1.1 401 Unauthorized
```
Encode the expected user credentials in base64 format.
```
echo -n "user:password" | base64
```
Example output:
```
dXNlcjpwYXNzd29yZA==
```
Repeat the request to the reviews app, including the authorization header with the user credentials. This time, the request succeeds.
1. Create the curl pod.
```
kubectl run -it -n bookinfo --context $REMOTE_CONTEXT1 curl \
--image=curlimages/curl:7.73.0 --rm  -- sh
```
2. Send a request to the reviews app.
```
curl -H "Authorization: basic dXNlcjpwYXNzd29yZA==" http://reviews:9080/reviews/1 -v
```
3. Exit the temporary pod. The pod deletes itself.
```
exit
```
Example output:
```
HTTP/1.1 200 OK
```

Apply external auth to external services

The following example is for an external auth policy that applies to an external service. Note that this policy requires different routing table and external auth server resources, as well as an external service.

apiVersion: security.policy.gloo.solo.io/v2
kind: ExtAuthPolicy
metadata:
  name: httpbin-basic-auth
  namespace: bookinfo
spec:
  applyToRoutes:
  - route:
      labels:
        route: external-service
  config:
    glooAuth:
      configs:
      - basicAuth:
          apr:
            users:
              user:
                hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1
                salt: TYiryv0/
    server:
      name: default-server

apiVersion: admin.gloo.solo.io/v2
kind: ExtAuthServer
metadata:
  name: default-server
  namespace: bookinfo
spec:
  destinationServer:
    port:
      number: 8083
    ref:
      cluster: cluster-1
      name: ext-auth-service
      namespace: gloo-mesh

apiVersion: networking.gloo.solo.io/v2
kind: ExternalService
metadata:
  name: external-service
  namespace: bookinfo
spec:
  hosts:
  - httpbin.solo
  ports:
  - name: http
    number: 8080
    protocol: HTTP

apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
  name: external-service-northsouth
  namespace: bookinfo
spec:
  defaultDestination:
    kind: EXTERNAL_SERVICE
    port:
      number: 8080
    ref:
      name: external-service
      namespace: bookinfo
  hosts:
  - www.example.com
  http:
  - forwardTo: {}
    labels:
      "no": auth
    matchers:
    - headers:
      - name: noauth
        value: "true"
    name: external-service-no-auth
  - forwardTo: {}
    labels:
      route: external-service
    name: external-service-northsouth
  virtualGateways:
  - name: istio-ingressgateway

Apply external auth to virtual destinations

You can apply an external auth policy to a virtual destination.

Create a VirtualDestination for the service that you want to protect. The following example creates a VirtualDestination for the Bookinfo reviews service. Note the following requirements:
- The VirtualDestination must be in the same workspace as its backing workloads, as well as the external auth policy.
- The VirtualDestination’s backing workloads must be of type Kubernetes service. ExternalWorkload and ExternalService are not supported.
- The backing service must be part of your service mesh.
```
kubectl apply -f - << EOF
apiVersion: networking.gloo.solo.io/v2
kind: VirtualDestination
metadata:
  name: reviews-global
  namespace: bookinfo
spec:
  hosts:
  - reviews.vd
  ports:
  - number: 80
    protocol: HTTP
    targetPort:
      name: http
  services:
  - labels:
      app: reviews
EOF
```

Create an ExtAuthServer. The following example refers directly to the default Gloo Mesh Enterprise external auth service, but you can also use a virtual destination instead. For more information, see External auth server setup. Note: Change cluster-1 as needed to your cluster’s actual name.

kubectl apply -f - << EOF
apiVersion: admin.gloo.solo.io/v2
kind: ExtAuthServer
metadata:
  name: default-server
  namespace: bookinfo
spec:
  destinationServer:
    port:
      number: 8083
    ref:
      cluster: cluster-1
      name: ext-auth-service
      namespace: gloo-mesh-addons
EOF

Create an ExtAuthPolicy that selects the virtual destination through the applyToDestinations field. Note: If you already have an ExtAuthPolicy that selects a Kubernetes service, that policy takes precedence.

kubectl apply -f - << EOF apiVersion: security.policy.gloo.solo.io/v2 kind: ExtAuthPolicy metadata: name: vd-basic-auth namespace: bookinfo spec: applyToDestinations: - kind: VIRTUAL_DESTINATION port: number: 80 selector: name: reviews-global config: glooAuth: configs: - basicAuth: apr: users: user: hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1 salt: TYiryv0/ server: name: default-server

EOF

View the ext-auth-service deployment logs to verify that the policy was accepted. Look for a message similar to the following: "logger":"extauth","caller":"runner/run.go:179","msg":"got new config". If you don’t see this message, check the management server logs for errors.
```
meshctl logs ext-auth&ndash;kubecontext $REMOTE_CONTEXT1
```
Send an unauthenticated request to the reviews app.Create a temporary curl pod in the bookinfo namespace, so that you can test the app setup. You can also use this method in Kubernetes 1.23 or later, but an ephemeral container might be simpler.
1. Create the curl pod.
```
kubectl run -it -n bookinfo --context $REMOTE_CONTEXT1 curl \
--image=curlimages/curl:7.73.0 --rm  -- sh
```
2. Send a request to the reviews app.
```
curl http://reviews:9080/reviews/1 -v
```
Example output: Notice that the request is denied with a 401 Unauthorized response.
```
HTTP/1.1 401 Unauthorized
```
Encode the expected user credentials in base64 format.
```
echo -n "user:password" | base64
```
Example output:
```
dXNlcjpwYXNzd29yZA==
```
Repeat the request to the reviews app, including the authorization header with the user credentials. This time, the request succeeds.
1. Create the curl pod.
```
kubectl run -it -n bookinfo --context $REMOTE_CONTEXT1 curl \
--image=curlimages/curl:7.73.0 --rm  -- sh
```
2. Send a request to the reviews app.
```
curl -H "Authorization: basic dXNlcjpwYXNzd29yZA==" http://reviews:9080/reviews/1 -v
```
3. Exit the temporary pod. The pod deletes itself.
```
exit
```
Example output:
```
HTTP/1.1 200 OK
```

Cleanup

You can optionally remove the resources that you set up as part of this guide.

kubectl --context $REMOTE_CONTEXT1 -n bookinfo delete ExtAuthPolicy basic-auth
kubectl --context $REMOTE_CONTEXT1 -n bookinfo delete ExtAuthServer default-server
kubectl --context $REMOTE_CONTEXT1 -n bookinfo delete VirtualDestination reviews-global

Basic external auth policy

Before you begin link

Apply a basic external auth policy link

Step 1: Configure a basic external auth policy link

Step 2: Verify basic external auth policies link

Apply external auth to external services link

Apply external auth to virtual destinations link

Cleanup link