Additional Configuration Information
| Option | Explanation |
|---|---|
| JWT Issuers and mapping | In jwt.allowed, you can either define an issuer URI or you can define an issuer alias with a mapped value. Define an issuer URI: jwt header: authorization allowed: - name: demo.plainid.cloud Example of an issuer alias with a mapped value: jwt header: authorization allowed: - name: demo.plainid.cloud mapped: https://demo.plainid.cloud/auth/realms/demo You can also use a combination (as shown in the configuration above). |
| Supported JWT Signature Algorithms | In jwt.algs you can define a list of supported algorithms: jwt: algs: - ES256 - RS256 By default if jwt.algs is empty or not defined - an “RS256” signing algorithm is supported. |
| Request Matchers and Bypass Options | Examples: GET Requests with path "/echo/heartbeat" are bypassed to Echo MS as is, without validations and authorization. - match: /echo/heartbeat method: - GET bypass: true GET Requests with path "/echo/accounts/:accountID/transactions" (where ":accountID" is the path parameter) will have specific runtime and mode configurations which override such configurations from sidecarConfig.runtime and sidecarConfig.mode - match: /echo/accounts/:accountID/transactions runtime: entityTypeid: jwtcacheTime: 11smode:entitlement: true format: 5 flat: false denyOnEmpty: true |
| Disable authz-sidecar injection to specific pods | In MS Deployment configuration spec.template.metadata.annotations the following annotation should be added to present an authz-sidecar from being injected to the pod. sidecar.plainid.io/inject: "false" apiVersion: apps/v1 kind: Deployment metadata: ... spec: selector: matchLabels: ... template: metadata: labels: ... annotations: sidecar.plainid.io/inject: "false" |
Support PDP JWT
| Option | Explanation |
|---|---|
| Policy decision formats | The Authorizer supports different formats of decision provided by PDP Runtime. They should be specified in configuration runtime.accessTokenFormat and/or matchers[*].runtime.accessTokenFormatValues: - JSON (default)- JWT- StandardJWTIn case of JWT or StandardJWT format specified there are 2 additional configuration parameters that control a header where JWT will be delivered to the Client’s application:1. Header key/name: jwt.authorizationHeaderName and/or matchers[*].jwt.authorizationHeaderName. Default value is x-pid-authz.2. Header prefix: jwt.authorizationTokenType and/or matchers[*].jwt.authorizationTokenType. Default value is Bearer. |
Example
samples/sidecar-echo.yaml (example of microservice sidecar configuration)
apiVersion: authz.plainid.io/v1
kind: PlainidSidecar
metadata:
name: echo
spec:
workloadSelector:
labels:
app: echo
sidecarConfig:
matchers: # API Matchers section (Optional)
- match: /echo/bypass # Request path pattern
method: # Request methods
- POST
- GET
bypass: true # Bypass request (ignore all validations and authorization)
- match: /echo/:abc
runtime: # Specific runtime configuration for matching requests
entityTypeid: jwt
cacheTime: 11s
mode: # Specific mode configuration for matching requests
entitlement: true
format: 5
flat: false
denyOnEmpty: true
- match: /echo
runtime:
entityTypeid: jwt
cacheTime: 11s
clientId: PCTPBVXSCXINRLCKLDNFX
clientSecret: qw66NNZTw98(*.jtzPZXBZvbA3a+T1Huc(7nIhla
environments:
amount: "$.body.amount"
account: "$.body.account"
url: $.path.[0]
mode:
resolution: true
format: 5
flat: false
denyOnEmpty: true
runtime:
clientId: PHMW79EBNUCWO4NLGLPE # Mandatory: From Policy Manager Management UI
clientSecret: 8xPReuKhkTXCo4n1ymDkSY7oAsBNkCJGyE7jkKMV # From Policy Manager Management UI, if no Secret store used
entityTypeid: jwt
plainidUrl: https://demo.plainid.cloud # Mandatory: PDP URL, Should be set
resourceTypes: # Asset mappings example (only for PDP API v1-4)
- name: Accounts
assetPath: $.path[4]
- name: Loans
environments:
amount: "$.body.amount"
account: "$.path[2]"
url: $.path.[0]
accessTokenFormat: JWT # Policy decision format
passIncomingJwt: true # to pass the IDP JWT as-is to the PDP
jwt: # Mandatory: External request JWT configuration
header: authorization
allowed:
- name: demo.plainid.cloud # Mandatory: JWT Issuer example
- name: demo # Mandatory: JWT Issuer mapping example in case of JWT issuer do not match an issuer provided by Auth service
mapped: https://demo.plainid.cloud/auth/realms/demo
userClaim: "$.user.preferred_username[0]"
validateJwt: true
algs: # List of supported Signing Algorithms (RS256 by default if not set)
- ES256
- RS256
authorizationHeaderName: Authorization # JWT Header key/name in case of accessTokenFormat is JWT or StandardJWT
authorizationTokenType: Bearer # JWT Header prefix in case of accessTokenFormat is JWT or StandardJWT
mode: # Mandatory: Operation mode, ONLY ONE OF SHOULD BE TRUE: decision/entitlement/resolution/denyOnEmpty
decision: true # PERMIT/DENY Mode
entitlement: false # Header Injection mode
resolution: false # Header injection mode Query format
denyOnEmpty: false # DENY transaction when no policy fits the access request.
format: 2
logger:
logLevel: debug
detailedLog: false
format: text
tlsSkip: true
grpc:
servicePort: "7001"
Override Default Configuration
The helm install command accepts parameters to override default configuration values inline or that are defined in a
file.
- Example – To override the configuration found in the file:
cat override-values.yml
runtime:
debugLevel: info
replicas: 5
helm install sidecar-test1 ./ --values override-values.yml
Sample values.yaml
Note: For versions 4.x, you should remove the following from the values.yaml configuration file:
pdpAPIVersion: v5 #Optional: PDP Runtime API v5 integration
# Please Generate Public key, Private key, and Certificate Chain
# Based on the documentation provided by PlainID and place in values under webhook file names should match the example files in the chart
image:
pullPolicy: Always
imagePullSecrets:
- name: cr-creds
nameOverride: ""
fullnameOverride: ""
serviceAccount: plainid
podSecurityContext: { }
operator:
image:
repository: "docker.io/plainid/authz-operator"
tag: "1.6.0"
namespace: plainid-system
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 100m
memory: 20Mi
replicas: 1
debug: true
redis:
local: true
image: redis
port: 6379
pass: ""
tls: false
masterhost: test-plainid-redis-ro.plainid # Administration point address
securityContext:
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsUser: 1000610001
webhook:
enabled: true
selfCert: true # If false, please set the values for certificates below
# for your certificate please set the following values. Values should be encoded to base64
bundle:
crt:
key:
auth: # Optional: Secret store configuration
file: "/keys/key"
iss: "ruleengine"
exp: 10s
pdpAPIVersion: v5 #Optional: PDP Runtime API v5 integration
authorizer:
id: test-authorizer # Mandatory: Should be updated
version: 1.2.3
moreVolumes: # Optional: Extra volumes configuration
- name: key-config
configMap:
name: key-config
nodeSelector: { }
tolerations: [ ]
affinity: { }
Following are the optional keys and values for the values.yaml file.
Operator
| Key | Explanation | Optional Value/Example |
|---|---|---|
| namespace | The namespace where the operator will be created | plainid-system |
| replicas | Number of replicas | 1 |
| debug | The debug state | true/false |
| image | The image repository of the operator | docker.io/plainid/authz-operator |
Redis
| Key | Explanation | Optional Value/Example |
|---|---|---|
| image | Redis image repository | redis |
| masterhost | Hostname of the master Redis instance | Master.redis.example.com |
| pass | Master password | ***** |
Auth
| Key | Explanation | Optional Value/Example |
|---|---|---|
| file | full path to a file with a secret key (same key as in Runtime configuration) | secret:/keys/key |
| iss | issuer or JWT claim (same issuer as in Runtime configuration) | ruleengine |
| exp | JWT expiration (10s by default if not set) | 10s |
GRPC Support
The PlainID sidecar supports GRPC (Google Remote Procedure Call) parsing. This capability can be achieved in different
ways:
- Auto learning
- Providing a Protocol Buffer (protobuf) descriptor file
Auto Learning
To support auto learning, the Application Developer should be enabled GRPC reflection on the server side (backend). In
the sidecar configuration YAML, the service port should be defined. Example
grpc:
servicePort: "7001"
Providing a protobuf Descriptor File
Providing a protobuf descriptor file can be accomplished in one of the following ways:
| Method | Example |
|---|---|
| Create a protobuf descriptor file from proto definition. | protoc --descriptor_set_out=demo.pb demo.proto |
| Create a new container image from plainid-authz-sidecar. | Create a new Dockerfile FROM docker.io/plainid/authz-envoy-sidecar:1.6.0;, ADD demo.pb /proto/demo.pb Build a new image: docker build -t authz-envoy-sidecar:1.0.1-pb, Push the new image to the relevant registry |
Multiple Descriptors
It is possible to include multiple descriptors. You can use the same image for all the services. To use the same image
for multiple descriptors:
- Change the PlainidInjector yaml to provide a new image tag.
- In the plainidsidecar.yaml file, provide the path to the relevant descriptor file.
HTTP Support
The PlainID Authorizer Sidecar supports HTTP connection. We should define a listener for HTTP connection:
http:
listener: 127.0.0.1:50080
grpc: protoFile: "/proto/demo.pb"