Authentication with EMCO
EMCO uses Istio and other open source solutions to provide multi-tenancy, leveraging the Istio authorization and authentication frameworks. This is achieved without adding any logic to the EMCO microservices. Authentication of EMCO users is done at the Istio Gateway, where all traffic enters the cluster. Istio, along with Authservice (an Istio ecosystem project), enables request-level authentication with JSON Web Token (JWT) validation. This can be achieved using a custom authentication provider or any OpenID Connect provider such as Keycloak, Auth0, etc.
Authservice is an entity that works alongside the Envoy proxy. It is used to work with external IAM systems (OAuth2). Many enterprises have their own OAuth2 server for authenticating users and providing roles. ONAP4K8s, along with Istio ingress and Authservice, uses a single or multiple OAuth2 servers, one belonging to each project (enterprise).
Authentication Flow with OIDC, Istio Ingress Gateway and Authservice
...
Steps for setting up ONAP4K8s with Istio + Authservice
Keycloak
Keycloak is an open source software product that provides single sign-on with Identity Management and Access Management. Keycloak is used here as an example of an IAM service to be used with EMCO.
In the Kubernetes cluster where Keycloak is going to be installed, follow these steps to create the Keycloak deployment:
...
Now when you try to access EMCO you'll get a 403 error. [https://<Istio Ingress service IP Address:port>/v2/projects]
Authservice Setup in Istio Ingress-gateway
Authservice Configmap
The following example shows how to set up Authservice with Keycloak.
...
Currently, there is no native way to install Authservice into the Istio ingress gateway. We manually modify the Deployment of istio-ingressgateway to add the Authservice container. Add the container below. Note: Change the containers section in the ingress-gateway deployment to make it possible to add multiple containers.
```
$ kubectl edit deployments istio-ingressgateway -n istio-system

# Under the containers section add:
- name: authservice
  image: adrianlzt/authservice:0.3.1-d3cd2d498169
  imagePullPolicy: Always
  ports:
  - containerPort: 10003
  volumeMounts:
  - name: emco-authservice-configmap-volume
    mountPath: /etc/authservice

# In the volumes section add:
- name: emco-authservice-configmap-volume
  configMap:
    name: emco-authservice-configmap
```
...
Try accessing the EMCO URL again [https://<Istio Ingress service IP Address:port>/v2/projects]. This will take you to the Keycloak login page, where the user can authenticate before being allowed to access EMCO resources.
Setup with multiple OAuth2 Servers.
The following changes are required if different OAuth2 servers are needed for different projects. All other configurations remain the same.
Virtual service to support multiple servers
...
Authorization Policies with Istio
As specified in the Keycloak section, Role Mappers are created using Keycloak. These can be used to apply authorization for users. Some examples that can be used:
```yaml
apiVersion: "security.istio.io/v1beta1"
kind: AuthorizationPolicy
metadata:
  name: allow-admin
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - when:
    - key: request.auth.claims[role]
      values: ["ADMIN"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-user
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/v2/projects/enterprise1/*"]
    when:
    - key: request.auth.claims[role]
      values: ["USER"]
```
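As an added illustration (not part of the original page or the EMCO project), this Python sketch models how Istio evaluates the two ALLOW policies above against a request path and the claims of an already validated JWT. It assumes no DENY or CUSTOM policies select the ingress gateway; the function names are hypothetical and any request paths or claim sets passed to it are constructed samples.

```python
# Simplified model of Istio ALLOW evaluation (added example, not EMCO code).
# Assumption: only the allow-admin and allow-user policies select the gateway.
POLICIES = [
    {"name": "allow-admin",
     "rules": [{"paths": None, "when": {"role": ["ADMIN"]}}]},
    {"name": "allow-user",
     "rules": [{"paths": ["/v2/projects/enterprise1/*"],
                "when": {"role": ["USER"]}}]},
]


def str_matches(pattern, value):
    """Istio string match: '*' presence, 'abc*' prefix, '*abc' suffix, else exact."""
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def claim_matches(claims, key, allowed):
    """A claim may be a string or a list of strings; any matching entry counts."""
    raw = claims.get(key, [])
    values = raw if isinstance(raw, list) else [raw]
    return any(str_matches(a, v) for a in allowed for v in values
               if isinstance(v, str))


def rule_matches(rule, path, claims):
    """A rule matches when its path list (if any) and every 'when' key match."""
    if rule["paths"] is not None and not any(
            str_matches(p, path) for p in rule["paths"]):
        return False
    return all(claim_matches(claims, k, v) for k, v in rule["when"].items())


def decide(path, claims):
    """Return the matching ALLOW policy name, or None (request gets HTTP 403)."""
    for policy in POLICIES:
        if any(rule_matches(r, path, claims) for r in policy["rules"]):
            return policy["name"]
    return None
```

In this model a USER token is denied on `/v2/projects/enterprise1` itself, because the pattern `/v2/projects/enterprise1/*` is a prefix match on `/v2/projects/enterprise1/`; a request with no role claim matches neither policy and is rejected.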
...