Additional Configuration Settings

01 Sep 2024
6 Minutes to read

Print
Dark
Light
PDF

Additional Configuration Settings

Updated on 01 Sep 2024
6 Minutes to read

Print
Dark
Light
PDF

Article summary

Did you find this summary helpful?

Thank you for your feedback

Additional Configuration Information

Option	Explanation
JWT Issuers and mapping	In jwt.allowed, you can either define an issuer URI or you can define an issuer alias with a mapped value. Define an issuer URI: `jwt` `header: authorization` `allowed:` `- name: demo.plainid.cloud` Example of an issuer alias with a mapped value: `jwt` `header: authorization` `allowed:` `- name: demo.plainid.cloud` `mapped: https://demo.plainid.cloud/auth/realms/demo` You can also use a combination (as shown in the configuration above).
Supported JWT Signature Algorithms	In jwt.algs you can define a list of supported algorithms: `jwt:` `algs:` `- ES256` `- RS256` By default if jwt.algs is empty or not defined - an “RS256” signing algorithm is supported.
Request Matchers and Bypass Options	Examples: GET Requests with path `"/echo/heartbeat"` are bypassed to Echo MS as is, without validations and authorization. `- match: /echo/heartbeat` `method:` `- GET` `bypass: true` GET Requests with path `"/echo/accounts/:accountID/transactions"` (where ":accountID" is the path parameter) will have specific runtime and mode configurations which override such configurations from sidecarConfig.runtime and sidecarConfig.mode `- match:` `/echo/accounts/:accountID/transactions` `runtime:` `entityTypeid: jwt` `cacheTime: 11s` `mode:` `entitlement: true` `format: 5` `flat: false` `denyOnEmpty: true`
Disable authz-sidecar injection to specific pods	In MS Deployment configuration spec.template.metadata.annotations the following annotation should be added to present an authz-sidecar from being injected to the pod. `sidecar.plainid.io/inject: "false"` `apiVersion: apps/v1` `kind: Deployment` `metadata:` `...` `spec:` `selector:` `matchLabels:` `...` `template:` `metadata:` `labels:` `...` `annotations:` `sidecar.plainid.io/inject: "false"`

Support PDP JWT

Option Explanation

Policy decision formats The Authorizer supports different formats of decision provided by PDP Runtime.
They should be specified in configuration runtime.accessTokenFormat and/or matchers[*].runtime.accessTokenFormat
Values:
- JSON (default)
- JWT
- StandardJWT
In case of JWT or StandardJWT format specified there are 2 additional configuration parameters that control a header where JWT will be delivered to the Client’s application:
1. Header key/name: jwt.authorizationHeaderName and/or matchers[*].jwt.authorizationHeaderName. Default value is x-pid-authz.
2. Header prefix: jwt.authorizationTokenType and/or matchers[*].jwt.authorizationTokenType. Default value is Bearer.

Option	Explanation
Policy decision formats	The Authorizer supports different formats of decision provided by PDP Runtime. They should be specified in configuration `runtime.accessTokenFormat` and/or `matchers[].runtime.accessTokenFormat` Values: - `JSON` (default) - `JWT` - `StandardJWT` In case of `JWT` or `StandardJWT` format specified there are 2 additional configuration parameters that control a header where JWT will be delivered to the Client’s application: 1. Header key/name: `jwt.authorizationHeaderName` and/or `matchers[].jwt.authorizationHeaderName`. Default value is `x-pid-authz`. 2. Header prefix: `jwt.authorizationTokenType` and/or `matchers[*].jwt.authorizationTokenType`. Default value is `Bearer`.

Example

samples/sidecar-echo.yaml (example of microservice sidecar configuration)

apiVersion: authz.plainid.io/v1
kind: PlainidSidecar
metadata:
  name: echo
spec:
  workloadSelector:
    labels:
      app: echo
  sidecarConfig:
    matchers: # API Matchers section (Optional)
      - match: /echo/bypass                                   # Request path pattern
        method: # Request methods
          - POST
          - GET
        bypass: true                                          # Bypass request (ignore all validations and authorization) 
      - match: /echo/:abc
        runtime: # Specific runtime configuration for matching requests 
          entityTypeid: jwt
          cacheTime: 11s
        mode: # Specific mode configuration for matching requests
          entitlement: true
          format: 5
          flat: false
          denyOnEmpty: true
      - match: /echo
        runtime:
          entityTypeid: jwt
          cacheTime: 11s
          clientId: PCTPBVXSCXINRLCKLDNFX
          clientSecret: qw66NNZTw98(*.jtzPZXBZvbA3a+T1Huc(7nIhla
          environments:
            amount: "$.body.amount"
            account: "$.body.account"
            url: $.path.[0]
        mode:
          resolution: true
          format: 5
          flat: false
          denyOnEmpty: true
    runtime:
      clientId: PHMW79EBNUCWO4NLGLPE                         # Mandatory: From Policy Manager Management UI
      clientSecret: 8xPReuKhkTXCo4n1ymDkSY7oAsBNkCJGyE7jkKMV # From Policy Manager Management UI, if no Secret store used 
      entityTypeid: jwt
      plainidUrl: https://demo.plainid.cloud                 # Mandatory: PDP URL, Should be set
      resourceTypes: # Asset mappings example (only for PDP API v1-4)
        - name: Accounts
          assetPath: $.path[4]
        - name: Loans
      environments:
        amount: "$.body.amount"
        account: "$.path[2]"
        url: $.path.[0]
      accessTokenFormat: JWT                                # Policy decision format
      passIncomingJwt: true                                 # to pass the IDP JWT as-is to the PDP
    jwt: # Mandatory: External request JWT configuration
      header: authorization
      allowed:
        - name: demo.plainid.cloud                          # Mandatory: JWT Issuer example
        - name: demo                                        # Mandatory: JWT Issuer mapping example in case of JWT issuer do not match an issuer provided by Auth service
          mapped: https://demo.plainid.cloud/auth/realms/demo
      userClaim: "$.user.preferred_username[0]"
      validateJwt: true
      algs: # List of supported Signing Algorithms (RS256 by default if not set)
        - ES256
        - RS256
      authorizationHeaderName: Authorization                # JWT Header key/name in case of accessTokenFormat is JWT or StandardJWT
      authorizationTokenType: Bearer                        # JWT Header prefix in case of accessTokenFormat is JWT or StandardJWT
    mode: # Mandatory: Operation mode, ONLY ONE OF SHOULD BE TRUE: decision/entitlement/resolution/denyOnEmpty
      decision: true                                        # PERMIT/DENY Mode
      entitlement: false                                    # Header Injection mode
      resolution: false                                     # Header injection mode Query format
      denyOnEmpty: false                                    # DENY transaction when no policy fits the access request.
      format: 2
    logger:
      logLevel: debug
      detailedLog: false
      format: text
    tlsSkip: true
    grpc:
      servicePort: "7001"

Override Default Configuration

The helm install command accepts parameters to override default configuration values inline or that are defined in a
file.

Example – To override the configuration found in the file:
cat override-values.yml

runtime:
  debugLevel: info
  replicas: 5

helm install sidecar-test1 ./ --values override-values.yml

Sample values.yaml

Note: For versions 4.x, you should remove the following from the values.yaml configuration file:
pdpAPIVersion: v5 #Optional: PDP Runtime API v5 integration

# Please Generate  Public key, Private key, and  Certificate Chain
# Based on the documentation provided by PlainID and place in values under webhook file names should match the example files  in the chart
image:
  pullPolicy: Always
imagePullSecrets:
  - name: cr-creds
nameOverride: ""
fullnameOverride: ""
serviceAccount: plainid
podSecurityContext: { }
operator:
  image:
    repository: "docker.io/plainid/authz-operator"
    tag: "1.6.0"
  namespace: plainid-system
  resources:
    limits:
      cpu: 100m
      memory: 100Mi
    requests:
      cpu: 100m
      memory: 20Mi
  replicas: 1
  debug: true
redis:
  local: true
  image: redis
  port: 6379
  pass: ""
  tls: false
  masterhost: test-plainid-redis-ro.plainid    # Administration point address
securityContext:
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  runAsUser: 1000610001
webhook:
  enabled: true
  selfCert: true # If false, please set the values for certificates below
  # for your certificate please set the following values. Values should be encoded to base64
  bundle:
  crt:
  key:
auth: # Optional: Secret store configuration
  file: "/keys/key"
  iss: "ruleengine"
  exp: 10s
pdpAPIVersion: v5                            #Optional: PDP Runtime API v5 integration
authorizer:
  id: test-authorizer                         # Mandatory: Should be updated
  version: 1.2.3
moreVolumes: # Optional: Extra volumes configuration
  - name: key-config
    configMap:
      name: key-config
nodeSelector: { }
tolerations: [ ]
affinity: { }

Following are the optional keys and values for the values.yaml file.

Operator

Key	Explanation	Optional Value/Example
namespace	The namespace where the operator will be created	plainid-system
replicas	Number of replicas	1
debug	The debug state	true/false
image	The image repository of the operator	docker.io/plainid/authz-operator

Redis

Key	Explanation	Optional Value/Example
image	Redis image repository	redis
masterhost	Hostname of the master Redis instance	Master.redis.example.com
pass	Master password	*****

Auth

Key	Explanation	Optional Value/Example
file	full path to a file with a secret key (same key as in Runtime configuration)	secret:/keys/key
iss	issuer or JWT claim (same issuer as in Runtime configuration)	ruleengine
exp	JWT expiration (10s by default if not set)	10s

GRPC Support

The PlainID sidecar supports GRPC (Google Remote Procedure Call) parsing. This capability can be achieved in different
ways:

Auto learning
Providing a Protocol Buffer (protobuf) descriptor file

Auto Learning

To support auto learning, the Application Developer should be enabled GRPC reflection on the server side (backend). In
the sidecar configuration YAML, the service port should be defined. Example

grpc:
  servicePort: "7001"

Providing a protobuf Descriptor File

Providing a protobuf descriptor file can be accomplished in one of the following ways:

Method	Example
Create a protobuf descriptor file from proto definition.	protoc --descriptor_set_out=demo.pb demo.proto
Create a new container image from plainid-authz-sidecar.	Create a new Dockerfile FROM docker.io/plainid/authz-envoy-sidecar:1.6.0;, ADD demo.pb /proto/demo.pb Build a new image: docker build -t authz-envoy-sidecar:1.0.1-pb, Push the new image to the relevant registry

Multiple Descriptors

It is possible to include multiple descriptors. You can use the same image for all the services. To use the same image
for multiple descriptors:

Change the PlainidInjector yaml to provide a new image tag.
In the plainidsidecar.yaml file, provide the path to the relevant descriptor file.

HTTP Support

The PlainID Authorizer Sidecar supports HTTP connection. We should define a listener for HTTP connection:

http:
  listener: 127.0.0.1:50080

grpc: protoFile: "/proto/demo.pb"

Was this article helpful?

What's Next

Istio and OSM Integrations

Table of contents