Skip to content
home
2.11.x
Security
External authentication and authorization

Basic external auth policy

Page as Markdown
Authenticate requests with a basic dictionary of usernames and passwords.
Basic authentication sends encoded user credentials in a standard header within the request. Then, Gloo Mesh authenticates the request against a dictionary of usernames and passwords that are written in the external auth policy. If the credentials in the request header match the policy, the request is sent to the destination. If not, Gloo Mesh Gateway returns a 401 response.
You might use basic auth for testing environments, such as when you release a new API method or version to a small number of known users.
Before you begin

  1. Set up Gloo Mesh Gateway in a single cluster.
  2. Install Bookinfo and other sample apps.
  3. Configure an HTTP listener on your gateway and set up basic routing for the sample apps.
  4. Make sure that the external auth service is installed and running. If not, install the external auth service.
    kubectl get pods -A -l app=ext-auth-service
  5. Make sure that you have the following CLI tools, or something comparable:
    • htpasswd to generate hashed, salted passwords.
    • base64 to encode strings.
Apply a basic external auth policy

You can apply a basic external auth policy at the route or destination level. For more information, see Applying policies.
Step 1: Configure a basic external auth policy

  1. Generate a salt and hashed password for your user credentials. The following example uses the htpasswd tool for a user named user.
    htpasswd -nbm user password
    Example output:
    user:$apr1$TYiryv0/$8BvzLUO9IfGPGGsPnAgSu1
  2. Retrieve the salt and hashed password from the output of the previous step.
    • Salt: TYiryv0/
    • Hashed password: 8BvzLUO9IfGPGGsPnAgSu1
  3. Review the following sample configuration file.
apiVersion: security.policy.gloo.solo.io/v2
kind: ExtAuthPolicy
metadata:
  name: basic-auth
  namespace: bookinfo
spec:
  applyToRoutes:
  - {}
  - route:
      labels:
        route: ratings
  config:
    glooAuth:
      configs:
      - basicAuth:
          apr:
            users:
              user:
                hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1
                salt: TYiryv0/
    server:
      name: default-server
Review the following table to understand this configuration. For more information, see the API docs.
SettingDescription
applyToRoutesUse labels to configure which routes to apply the policy to. This example label matches the app and route from the example route table that you apply separately. If omitted and you do not have another selector such as applyToDestinations, the policy applies to all routes in the workspace.
basicAuthConfigure the basic auth credentials to use to authenticate requests. The example sets up user credentials for a user named user in the required APR1 format. For more information, see the API reference.
hashedPasswordThe hashed password that you generated in the previous step. The example sets 8BvzLUO9IfGPGGsPnAgSu1.
saltThe salt, or random data that hashes the password, that you generated in the previous step. The example sets TYiryv0/.
serverThe ExtAuthServer resource that represents the server for the policy to use. In this example, only the name is specified. Gloo attempts to find the resource in the same namespace and cluster as the policy, or you can add namespace and cluster fields. To create an ExtAuthServer resource, see Set up the Gloo Mesh Gateway external auth server.
Step 2: Verify basic external auth policies

  1. Apply the example basic external auth policy and server in the workload cluster. The following example refers directly to the default Gloo Mesh Gateway external auth service, but you can also use a virtual destination instead. For more information, see External auth server setup. Note: Change cluster-1 as needed to your cluster’s actual name.
kubectl apply -f - << EOF
apiVersion: security.policy.gloo.solo.io/v2
kind: ExtAuthPolicy
metadata:
  name: basic-auth
  namespace: bookinfo
spec:
  applyToRoutes:
  - {}
  - route:
      labels:
        route: ratings
  config:
    glooAuth:
      configs:
      - basicAuth:
          apr:
            users:
              user:
                hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1
                salt: TYiryv0/
    server:
      name: default-server
---
apiVersion: admin.gloo.solo.io/v2
kind: ExtAuthServer
metadata:
  name: default-server
  namespace: bookinfo
spec:
  destinationServer:
    port:
      number: 8083
    ref:
      cluster: cluster-1
      name: ext-auth-service
      namespace: gloo-mesh
EOF
  1. View the ext-auth-service deployment logs to verify that the policy was accepted. Look for a message similar to the following: "logger":"extauth","caller":"runner/run.go:179","msg":"got new config". If you don’t see this message, check the management server logs for errors.
    meshctl logs ext-auth
  2. Send an unauthenticated request to the reviews app.
  • HTTP:
    curl -vik --resolve www.example.com:80:${INGRESS_GW_ADDRESS} http://www.example.com:80/ratings/1
  • HTTPS:
    curl -vik --resolve www.example.com:443:${INGRESS_GW_ADDRESS} https://www.example.com:443/ratings/1 
    • Example output: Notice that the request is denied with a 401 Unauthorized response.
    HTTP/1.1 401 Unauthorized
    1. Encode the expected user credentials in base64 format.
      echo -n "user:password" | base64
      Example output:
      dXNlcjpwYXNzd29yZA==
    2. Repeat the request to the reviews app, including the authorization header with the user credentials. This time, the request succeeds.
  • HTTP:
    curl -vik --resolve www.example.com:80:${INGRESS_GW_ADDRESS} http://www.example.com:80/ratings/1 -H "Authorization: basic dXNlcjpwYXNzd29yZA=="
  • HTTPS:
    curl -vik --resolve www.example.com:443:${INGRESS_GW_ADDRESS} https://www.example.com:443/ratings/1 -H "Authorization: basic dXNlcjpwYXNzd29yZA=="
    • Example output:
    HTTP/1.1 200 OK
    Apply external auth to external services

    The following example is for an external auth policy that applies to an external service. Note that this policy requires different routing table and external auth server resources, as well as an external service.
    apiVersion: security.policy.gloo.solo.io/v2
kind: ExtAuthPolicy
metadata:
  name: httpbin-basic-auth
  namespace: bookinfo
spec:
  applyToRoutes:
  - route:
      labels:
        route: external-service
  config:
    glooAuth:
      configs:
      - basicAuth:
          apr:
            users:
              user:
                hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1
                salt: TYiryv0/
    server:
      name: default-server
    apiVersion: admin.gloo.solo.io/v2
kind: ExtAuthServer
metadata:
  name: default-server
  namespace: bookinfo
spec:
  destinationServer:
    port:
      number: 8083
    ref:
      cluster: cluster-1
      name: ext-auth-service
      namespace: gloo-mesh
    apiVersion: networking.gloo.solo.io/v2
kind: ExternalService
metadata:
  name: external-service
  namespace: bookinfo
spec:
  hosts:
  - httpbin.solo
  ports:
  - name: http
    number: 8080
    protocol: HTTP
    apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
  name: external-service-northsouth
  namespace: bookinfo
spec:
  defaultDestination:
    kind: EXTERNAL_SERVICE
    port:
      number: 8080
    ref:
      name: external-service
      namespace: bookinfo
  hosts:
  - www.example.com
  http:
  - forwardTo: {}
    labels:
      "no": auth
    matchers:
    - headers:
      - name: noauth
        value: "true"
    name: external-service-no-auth
  - forwardTo: {}
    labels:
      route: external-service
    name: external-service-northsouth
  virtualGateways:
  - name: istio-ingressgateway
    Cleanup

    You can optionally remove the resources that you set up as part of this guide.
    kubectl -n bookinfo delete ExtAuthPolicy basic-auth
kubectl -n bookinfo delete ExtAuthServer default-server
kubectl -n bookinfo delete VirtualDestination reviews-global
    External auth server setupAPI keys