I have currently written the Istio authentication manifest below.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "jwt-validation"
  namespace: some-namespace
spec:
  selector:
    matchLabels:
      auth: required
  jwtRules:
  - issuer: "https://you.auth0.com/"
    jwksUri: "https://you.auth0.com/.well-known/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: jwt-auth-policy
  namespace: some-namespace
spec:
  selector:
    matchLabels:
      auth: required
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
I get the following response from the browser:
RBAC: access denied
But instead of this, I want to get a JSON response saying
{
  "status": "failure",
  "message": "Not Authorised"
}
with status code 403.
Now I have tried the Lua filter below:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: custom-filter-response-code
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.extAuthz"
    patch:
      operation: INSERT_AFTER
      value:
        name: envoy.custom-resp
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_response(response_handle)
              if response_handle:headers():get(":status") == "401" then
                response_handle:headers():replace(":status", "403")
              else
                local body = response_handle:body()
                local jsonString = tostring(body:getBytes(0, body:length()))
                jsonString = jsonString:gsub("(status|failur)", "(message|Not Authorised)")
                response_handle:body():set(jsonString)
              end
            end
Please guide me with the correct snippet.