Kubernetes Istio (1.6.2): RBAC access denied for a valid JWT token

Tags: kubernetes, oauth-2.0, jwt, authorization, istio

I am new here. I am implementing authorization with JWT. I get an "RBAC: access denied" error for a valid JWT token. I have added the JWT payload and the authorization policy for reference. I am using Kubernetes version v1.18.3 and Istio 1.6.2. I am running the cluster on minikube.

JWT payload:

{
  "iss": "https://dev-n63ipah2.us.auth0.com/",
  "sub": "sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients",
  "aud": "http://10.97.72.213/",
  "iat": 1594125596,
  "exp": 1594211996,
  "azp": "sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0",
  "scope": "read:contact write:contact update:contact delete:contact",
  "gty": "client-credentials"
}

Authorization policy:

apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: dex-ms-contact-require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: dex-ms-contact
  action: ALLOW
  rules:
  - from:
    - source:
       requestPrincipals: ["https://dev-n63ipah2.us.auth0.com/sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients"]
    to:
    - operation:
       methods: ["*"]
       paths: ["*"]
    when:
    - key: request.auth.claims[iss]
      values: ["https://dev-n63ipah2.us.auth0.com/"]
After applying the authorization policy, I call the GET API through Postman and get 403 Forbidden, "RBAC: access denied".

Note: 10.97.72.213 is the public IP address of the Minikube cluster.

According to the Istio documentation:

requestPrincipals - Optional. A list of request identities (i.e. “iss/sub” claims), which matches to the “request.auth.principal” attribute.

In your case, iss is https://dev-n63ipah2.us.auth0.com/ and sub is sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients, so you probably want something like this:

- from:
    - source:
       requestPrincipals: ["https://dev-n63ipah2.us.auth0.com//sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients"]

(Note the double slash: the first one is part of iss, the second one is the separator.)
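To make the double-slash point concrete, here is an added example (not code from the question or the answer) that models how Istio builds request.auth.principal as "<iss>/<sub>" and evaluates the question's ALLOW rule against the JWT claims above; the string matcher is a simplified stand-in for Istio's (exact match plus "*" prefix/suffix/presence wildcards) and is an assumption of this example, not the project's own code.

```python
# Claims copied from the question's JWT payload (sample data, no signed token involved).
CLAIMS = {
    "iss": "https://dev-n63ipah2.us.auth0.com/",
    "sub": "sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients",
    "aud": "http://10.97.72.213/",
    "scope": "read:contact write:contact update:contact delete:contact",
}

def request_principal(claims):
    """Istio derives request.auth.principal by plain concatenation '<iss>/<sub>';
    a trailing slash in iss is NOT stripped, hence the '//' in the fixed policy."""
    return f"{claims['iss']}/{claims['sub']}"

def string_match(pattern, value):
    """Simplified model of the AuthorizationPolicy string matcher:
    exact match, or '*' as presence / prefix / suffix wildcard."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def rule_allows(rule, claims):
    """Evaluate the 'from.source.requestPrincipals' and the
    'when request.auth.claims[iss]' parts of one ALLOW rule (the parts the
    question's policy uses; 'to.operation' with '*' always matches here)."""
    principal = request_principal(claims)
    principals = rule["from"][0]["source"]["requestPrincipals"]
    if not any(string_match(p, principal) for p in principals):
        return False
    for cond in rule.get("when", []):
        if cond["key"] == "request.auth.claims[iss]":
            if not any(string_match(v, claims["iss"]) for v in cond["values"]):
                return False
    return True

WHEN = [{"key": "request.auth.claims[iss]", "values": [CLAIMS["iss"]]}]
ORIGINAL_RULE = {"from": [{"source": {"requestPrincipals": [
    "https://dev-n63ipah2.us.auth0.com/sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients"]}}], "when": WHEN}
FIXED_RULE = {"from": [{"source": {"requestPrincipals": [
    "https://dev-n63ipah2.us.auth0.com//sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients"]}}], "when": WHEN}

if __name__ == "__main__":
    print("principal:", request_principal(CLAIMS))
    print("original policy allows:", rule_allows(ORIGINAL_RULE, CLAIMS))  # False -> 403
    print("fixed policy allows:", rule_allows(FIXED_RULE, CLAIMS))        # True
```

A prefix pattern such as "https://dev-n63ipah2.us.auth0.com/*" would also match this principal, but it allows every subject from that issuer rather than the single client the policy intends.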

Hi, could you add the Envoy logs so we can understand why your request is denied? You can check how to get those logs from here. Did you use base64 encoding to obtain the string "sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0", or is it the client id?