Service Mesh (ASM) supports comprehensive authentication and authorization configurations and provides flexible extension capabilities, such as custom authorization services based on HTTP or gRPC that plug into the authorization process. This topic describes how to develop an HTTP-based custom authorization service.
Background information
ASM allows you to configure JSON Web Token (JWT) request authentication on a gateway to authenticate request identities. Within an ASM instance, mutual TLS (mTLS) certificates authenticate the identities of requests by default. After the identity of a request is established, you can use authorization policies to restrict what the request may do. In addition to these standard capabilities, ASM supports custom authorization services. The following figure shows the overall process of a custom authorization service.
If you configure the mesh proxy (a gateway or sidecar proxy) to connect to the custom authorization service over HTTP, the proxy copies the information of a received request into an HTTP check request and sends it to the custom authorization service. The custom authorization service decides whether the request is allowed, and the proxy interprets its response by status code:
If the custom authorization service returns the status code 200, the request passes the check and is allowed.
If the custom authorization service returns a 5xx status code, the authorization service is treated as failed. Whether the request is then allowed (fail open) or rejected (fail closed) depends on the setting you configure for this case; fail open lets traffic bypass the check for as long as the service is down, so choose it only where availability must win over enforcement.
If any other status code is returned, the check fails and the request is rejected.
Configuration introduction
In the ASM console, you register a custom authorization service on the Define Custom Authorization Service page. After registration, you specify in an authorization policy which mesh proxy uses the authorization service. For more information, see Use the HTTP protocol to connect to the custom authorization service.
Develop an HTTP-based custom authorization service
ASM is compatible with open source Istio, and Istio ships a sample custom authorization service (the ext_authz sample). The sample implements a custom authorization service for both HTTP and gRPC. The main logic of the HTTP-based custom authorization service discussed in this topic is defined in its ServeHTTP function:
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
)

// Header names and values of the check protocol, as defined in the Istio ext_authz sample.
const (
	checkHeader    = "x-ext-authz"
	allowedValue   = "allow"
	resultHeader   = "x-ext-authz-check-result"
	receivedHeader = "x-ext-authz-check-received"
	overrideHeader = "x-ext-authz-additional-header-override"
	resultAllowed  = "allowed"
	resultDenied   = "denied"
)

var denyBody = fmt.Sprintf("denied by ext_authz for not found header `%s: %s` in the request", checkHeader, allowedValue)

type ExtAuthzServer struct{} // the sample's gRPC fields are omitted here

// returnIfNotTooLong keeps the echoed body below Envoy's header size limit.
func returnIfNotTooLong(body string) string {
	if len(body) > 60000 {
		return "<too-long>"
	}
	return body
}

// ServeHTTP implements the HTTP check request.
func (s *ExtAuthzServer) ServeHTTP(response http.ResponseWriter, request *http.Request) {
	body, err := io.ReadAll(request.Body)
	if err != nil {
		log.Printf("[HTTP] read body failed: %v", err)
	}
	l := fmt.Sprintf("%s %s%s, headers: %v, body: [%s]\n", request.Method, request.Host, request.URL, request.Header, returnIfNotTooLong(string(body)))
	if allowedValue == request.Header.Get(checkHeader) {
		log.Printf("[HTTP][allowed]: %s", l)
		response.Header().Set(resultHeader, resultAllowed)
		response.Header().Set(overrideHeader, request.Header.Get(overrideHeader))
		response.Header().Set(receivedHeader, l)
		response.WriteHeader(http.StatusOK)
	} else {
		log.Printf("[HTTP][denied]: %s", l)
		response.Header().Set(resultHeader, resultDenied)
		response.Header().Set(overrideHeader, request.Header.Get(overrideHeader))
		response.Header().Set(receivedHeader, l)
		response.WriteHeader(http.StatusForbidden)
		_, _ = response.Write([]byte(denyBody))
	}
}

func main() {
	log.Fatal(http.ListenAndServe(":8000", &ExtAuthzServer{}))
}
As the code shows, the function inspects the request header named by checkHeader (x-ext-authz). If its value equals allowedValue (allow), the function returns status code 200 and the request is allowed. Otherwise it returns status code 403 and the request is rejected. Note that this sample trusts a header the client itself supplies, so it only demonstrates the check protocol. A production authorization service must verify something the client cannot forge, for example a signed token, a session looked up in a store, or the identity the proxy attaches from mTLS.
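To make the status-code rules above and the handler structure concrete, the following Go program is an added example written for this page; it is not the Istio sample and not ASM's own code. The server side replaces the header-equality check with a check the client cannot forge, an HMAC-signed bearer token (the token format, the secret and the x-authz-user response header are constructed for this example), and the check function plays the proxy's role: it copies the method, path and carried headers into a check request and applies the status rules, with a failOpen flag standing in for the 5xx setting you configure in ASM. The in-process transport exists only so the demo runs without opening sockets.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// userHeader is a hypothetical header returned on allow so the proxy can forward the verified
// identity upstream; ASM/Istio forward such headers only if the provider configuration lists them.
const userHeader = "x-authz-user"

// authzServer accepts "Authorization: Bearer <user>.<hex hmac-sha256(user)>" (format and secret constructed for this example).
type authzServer struct{ secret []byte }

func (s *authzServer) sign(user string) string {
	m := hmac.New(sha256.New, s.secret)
	m.Write([]byte(user))
	return hex.EncodeToString(m.Sum(nil))
}

func (s *authzServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	parts := strings.SplitN(tok, ".", 2)
	// hmac.Equal keeps the comparison constant-time; any status other than 200 or 5xx denies.
	if len(parts) != 2 || !hmac.Equal([]byte(parts[1]), []byte(s.sign(parts[0]))) {
		http.Error(w, "invalid token", http.StatusForbidden)
		return
	}
	w.Header().Set(userHeader, parts[0])
	w.WriteHeader(http.StatusOK)
}

// Decision is what the proxy concludes from one check.
type Decision struct {
	Allowed bool
	Status  int // status returned by the authorization service, 0 if it was unreachable
	User    string
}

// check plays the proxy's role: copy the original method, path and carried headers into a
// check request, then apply the status rules. failOpen models "allow on 5xx or unreachable".
func check(client *http.Client, authzURL string, orig *http.Request, carry []string, failOpen bool) Decision {
	req, err := http.NewRequest(orig.Method, authzURL+orig.URL.RequestURI(), nil)
	if err != nil {
		return Decision{}
	}
	for _, h := range carry {
		req.Header[http.CanonicalHeaderKey(h)] = orig.Header.Values(h)
	}
	resp, err := client.Do(req)
	if err != nil {
		return Decision{Allowed: failOpen}
	}
	defer resp.Body.Close()
	switch {
	case resp.StatusCode == http.StatusOK:
		return Decision{Allowed: true, Status: resp.StatusCode, User: resp.Header.Get(userHeader)}
	case resp.StatusCode >= 500:
		return Decision{Allowed: failOpen, Status: resp.StatusCode}
	default:
		return Decision{Allowed: false, Status: resp.StatusCode}
	}
}

// inProcess hands check requests straight to a handler, so the demo needs no sockets.
type inProcess struct{ h http.Handler }

func (t inProcess) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// scenarios runs constructed requests through check: a valid token, a token signed for another user, and a service whose dependency is down (answers 503).
func scenarios(failOpen bool) (valid, forged, outage Decision) {
	s := &authzServer{secret: []byte("example-secret")}
	carry := []string{"Authorization"}
	healthy := &http.Client{Transport: inProcess{s}}
	down := &http.Client{Transport: inProcess{http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		http.Error(w, "token store unavailable", http.StatusServiceUnavailable)
	})}}
	good := httptest.NewRequest("GET", "http://app.example/orders/42", nil)
	good.Header.Set("Authorization", "Bearer alice."+s.sign("alice"))
	bad := httptest.NewRequest("GET", "http://app.example/orders/42", nil)
	bad.Header.Set("Authorization", "Bearer alice."+s.sign("mallory"))
	valid = check(healthy, "http://authz.example", good, carry, failOpen)
	forged = check(healthy, "http://authz.example", bad, carry, failOpen)
	outage = check(down, "http://authz.example", good, carry, failOpen)
	return valid, forged, outage
}

func main() {
	fmt.Println(scenarios(false))
}
```

Run it with go run. scenarios(false) shows the valid token allowed with the user carried back in x-authz-user, the token signed for another user rejected with 403, and the outage rejected; scenarios(true) lets the same outage through, which is the bypass window that fail open buys. Whether the proxy forwards x-authz-user to the upstream depends on the provider configuration, which this example does not model.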
Configure a custom authorization service
After you deploy the custom authorization service developed in the previous step in the ACK cluster, you can connect the ASM instance to it. For more information, see Implement custom authorization by using the HTTP protocol.
This authorization service reads the request header named by the checkHeader variable. Therefore, when you import the custom authorization service into the ASM instance, you must enable the Carry origin header within auth request parameter so that the proxy includes that header in the check request. Otherwise, the header never reaches the service and the check returns 403 for every request.