authorization template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer
apiVersion: "config.istio.io/v1alpha2" kind: authorization metadata: name: authinfo namespace: istio-system spec: subject: user: source.user | request.auth.token[user] | "" groups: request.auth.token[groups] properties: iss: request.auth.token["iss"] action: namespace: destination.namespace | "default" service: destination.service | "" path: request.path | "/" method: request.method | "post" properties: version: destination.labels[version] | ""
An action defines “how a resource is accessed”.
A subject contains a list of attributes that identify the caller identity.
authorization template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what. In this template, the “who” is defined in a Subject message. The “what” is defined in an Action message. During a Mixer Check call, these values will be populated based on configuration from request attributes and passed to individual authorization adapters to adjudicate.
Value is used inside templates for fields that have dynamic types. The actual datatype of the field depends on the datatype of the expression used in the operator configuration.