Additional Configuration Settings
    • 01 Sep 2024
    • 6 Minutes to read
    • Dark
      Light
    • PDF

    Additional Configuration Settings

    • Dark
      Light
    • PDF

    Article summary

    Additional Configuration Information

    OptionExplanation
    JWT Issuers and mappingIn jwt.allowed, you can either define an issuer URI or you can define an issuer alias with a mapped value.
    Define an issuer URI:
    jwt
        header: authorization
        allowed:
                - name: demo.plainid.cloud

    Example of an issuer alias with a mapped value:
    jwt
        header: authorization
        allowed:
                - name: demo.plainid.cloud
                  mapped: https://demo.plainid.cloud/auth/realms/demo

    You can also use a combination (as shown in the configuration above).
    Supported JWT Signature AlgorithmsIn jwt.algs you can define a list of supported algorithms:
    jwt:
        algs:
           - ES256
           - RS256

    By default if jwt.algs is empty or not defined - an “RS256” signing algorithm is supported.
    Request Matchers and Bypass OptionsExamples:

    GET Requests with path "/echo/heartbeat" are bypassed to Echo MS as is, without validations and authorization.

    - match: /echo/heartbeat
      method:
    - GET
      bypass: true

    GET Requests with path
    "/echo/accounts/:accountID/transactions" (where ":accountID" is the path parameter) will have specific runtime and mode configurations which override such configurations from sidecarConfig.runtime and sidecarConfig.mode

    - match:
    /echo/accounts/:accountID/transactions
      runtime:
        entityTypeid: jwt
       cacheTime: 11s
      mode:
            entitlement: true
            format: 5
            flat: false
            denyOnEmpty: true
    Disable authz-sidecar injection to specific podsIn MS Deployment configuration spec.template.metadata.annotations the following annotation should be added to present an authz-sidecar from being injected to the pod.
    sidecar.plainid.io/inject: "false"

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      ...
    spec:
      selector:
        matchLabels:
           ...
      template:
       metadata:
        labels:
            ...
        annotations:
             sidecar.plainid.io/inject: "false"

    Support PDP JWT

    OptionExplanation
    Policy decision formatsThe Authorizer supports different formats of decision provided by PDP Runtime.
    They should be specified in configuration runtime.accessTokenFormat and/or matchers[*].runtime.accessTokenFormat
    Values:
    - JSON (default)
    - JWT
    - StandardJWT
    In case of JWT or StandardJWT format specified there are 2 additional configuration parameters that control a header where JWT will be delivered to the Client’s application:
    1. Header key/name: jwt.authorizationHeaderName and/or matchers[*].jwt.authorizationHeaderName. Default value is x-pid-authz.
    2. Header prefix: jwt.authorizationTokenType and/or matchers[*].jwt.authorizationTokenType. Default value is Bearer.

    Example

    samples/sidecar-echo.yaml (example of microservice sidecar configuration)

    apiVersion: authz.plainid.io/v1
    kind: PlainidSidecar
    metadata:
      name: echo
    spec:
      workloadSelector:
        labels:
          app: echo
      sidecarConfig:
        matchers: # API Matchers section (Optional)
          - match: /echo/bypass                                   # Request path pattern
            method: # Request methods
              - POST
              - GET
            bypass: true                                          # Bypass request (ignore all validations and authorization) 
          - match: /echo/:abc
            runtime: # Specific runtime configuration for matching requests 
              entityTypeid: jwt
              cacheTime: 11s
            mode: # Specific mode configuration for matching requests
              entitlement: true
              format: 5
              flat: false
              denyOnEmpty: true
          - match: /echo
            runtime:
              entityTypeid: jwt
              cacheTime: 11s
              clientId: PCTPBVXSCXINRLCKLDNFX
              clientSecret: qw66NNZTw98(*.jtzPZXBZvbA3a+T1Huc(7nIhla
              environments:
                amount: "$.body.amount"
                account: "$.body.account"
                url: $.path.[0]
            mode:
              resolution: true
              format: 5
              flat: false
              denyOnEmpty: true
        runtime:
          clientId: PHMW79EBNUCWO4NLGLPE                         # Mandatory: From Policy Manager Management UI
          clientSecret: 8xPReuKhkTXCo4n1ymDkSY7oAsBNkCJGyE7jkKMV # From Policy Manager Management UI, if no Secret store used 
          entityTypeid: jwt
          plainidUrl: https://demo.plainid.cloud                 # Mandatory: PDP URL, Should be set
          resourceTypes: # Asset mappings example (only for PDP API v1-4)
            - name: Accounts
              assetPath: $.path[4]
            - name: Loans
          environments:
            amount: "$.body.amount"
            account: "$.path[2]"
            url: $.path.[0]
          accessTokenFormat: JWT                                # Policy decision format
          passIncomingJwt: true                                 # to pass the IDP JWT as-is to the PDP
        jwt: # Mandatory: External request JWT configuration
          header: authorization
          allowed:
            - name: demo.plainid.cloud                          # Mandatory: JWT Issuer example
            - name: demo                                        # Mandatory: JWT Issuer mapping example in case of JWT issuer do not match an issuer provided by Auth service
              mapped: https://demo.plainid.cloud/auth/realms/demo
          userClaim: "$.user.preferred_username[0]"
          validateJwt: true
          algs: # List of supported Signing Algorithms (RS256 by default if not set)
            - ES256
            - RS256
          authorizationHeaderName: Authorization                # JWT Header key/name in case of accessTokenFormat is JWT or StandardJWT
          authorizationTokenType: Bearer                        # JWT Header prefix in case of accessTokenFormat is JWT or StandardJWT
        mode: # Mandatory: Operation mode, ONLY ONE OF SHOULD BE TRUE: decision/entitlement/resolution/denyOnEmpty
          decision: true                                        # PERMIT/DENY Mode
          entitlement: false                                    # Header Injection mode
          resolution: false                                     # Header injection mode Query format
          denyOnEmpty: false                                    # DENY transaction when no policy fits the access request.
          format: 2
        logger:
          logLevel: debug
          detailedLog: false
          format: text
        tlsSkip: true
        grpc:
          servicePort: "7001"
    

    Override Default Configuration

    The helm install command accepts parameters to override default configuration values inline or that are defined in a
    file.

    1. Example – To override the configuration found in the file:
      cat override-values.yml
    runtime:
      debugLevel: info
      replicas: 5
    

    helm install sidecar-test1 ./ --values override-values.yml

    Sample values.yaml

    Note: For versions 4.x, you should remove the following from the values.yaml configuration file:
    pdpAPIVersion: v5 #Optional: PDP Runtime API v5 integration

    # Please Generate  Public key, Private key, and  Certificate Chain
    # Based on the documentation provided by PlainID and place in values under webhook file names should match the example files  in the chart
    image:
      pullPolicy: Always
    imagePullSecrets:
      - name: cr-creds
    nameOverride: ""
    fullnameOverride: ""
    serviceAccount: plainid
    podSecurityContext: { }
    operator:
      image:
        repository: "docker.io/plainid/authz-operator"
        tag: "1.6.0"
      namespace: plainid-system
      resources:
        limits:
          cpu: 100m
          memory: 100Mi
        requests:
          cpu: 100m
          memory: 20Mi
      replicas: 1
      debug: true
    redis:
      local: true
      image: redis
      port: 6379
      pass: ""
      tls: false
      masterhost: test-plainid-redis-ro.plainid    # Administration point address
    securityContext:
      capabilities:
        drop:
          - ALL
      runAsNonRoot: true
      runAsUser: 1000610001
    webhook:
      enabled: true
      selfCert: true # If false, please set the values for certificates below
      # for your certificate please set the following values. Values should be encoded to base64
      bundle:
      crt:
      key:
    auth: # Optional: Secret store configuration
      file: "/keys/key"
      iss: "ruleengine"
      exp: 10s
    pdpAPIVersion: v5                            #Optional: PDP Runtime API v5 integration
    authorizer:
      id: test-authorizer                         # Mandatory: Should be updated
      version: 1.2.3
    moreVolumes: # Optional: Extra volumes configuration
      - name: key-config
        configMap:
          name: key-config
    nodeSelector: { }
    tolerations: [ ]
    affinity: { }
    

    Following are the optional keys and values for the values.yaml file.

    Operator

    KeyExplanationOptional Value/Example
    namespaceThe namespace where the operator will be createdplainid-system
    replicasNumber of replicas1
    debugThe debug statetrue/false
    imageThe image repository of the operatordocker.io/plainid/authz-operator

    Redis

    KeyExplanationOptional Value/Example
    imageRedis image repositoryredis
    masterhostHostname of the master Redis instanceMaster.redis.example.com
    passMaster password*****

    Auth

    KeyExplanationOptional Value/Example
    filefull path to a file with a secret key (same key as in Runtime configuration)secret:/keys/key
    ississuer or JWT claim (same issuer as in Runtime configuration)ruleengine
    expJWT expiration (10s by default if not set)10s

    GRPC Support

    The PlainID sidecar supports GRPC (Google Remote Procedure Call) parsing. This capability can be achieved in different
    ways:

    • Auto learning
    • Providing a Protocol Buffer (protobuf) descriptor file

    Auto Learning

    To support auto learning, the Application Developer should be enabled GRPC reflection on the server side (backend). In
    the sidecar configuration YAML, the service port should be defined. Example

    grpc:
      servicePort: "7001"
    

    Providing a protobuf Descriptor File

    Providing a protobuf descriptor file can be accomplished in one of the following ways:

    MethodExample
    Create a protobuf descriptor file from proto definition.protoc --descriptor_set_out=demo.pb demo.proto
    Create a new container image from plainid-authz-sidecar.Create a new Dockerfile FROM docker.io/plainid/authz-envoy-sidecar:1.6.0;, ADD demo.pb /proto/demo.pb Build a new image: docker build -t authz-envoy-sidecar:1.0.1-pb, Push the new image to the relevant registry

    Multiple Descriptors

    It is possible to include multiple descriptors. You can use the same image for all the services. To use the same image
    for multiple descriptors:

    1. Change the PlainidInjector yaml to provide a new image tag.
    2. In the plainidsidecar.yaml file, provide the path to the relevant descriptor file.

    HTTP Support

    The PlainID Authorizer Sidecar supports HTTP connection. We should define a listener for HTTP connection:

    http:
      listener: 127.0.0.1:50080
    

    grpc: protoFile: "/proto/demo.pb"


    Was this article helpful?