diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index 7c2948565d2..ef811bbc852 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -6769,6 +6769,12 @@ spec: selected workloads' proxy. items: properties: + allow: + description: Allow specifies a Jwt requirement. + enum: + - ALLOW_MISSING + - ALLOW_MISSING_OR_FAILED + type: string audiences: items: type: string @@ -6853,6 +6859,12 @@ spec: selected workloads' proxy. items: properties: + allow: + description: Allow specifies a Jwt requirement. + enum: + - ALLOW_MISSING + - ALLOW_MISSING_OR_FAILED + type: string audiences: items: type: string diff --git a/proto.lock b/proto.lock index 6e07cbcf0da..a3b51b988d0 100644 --- a/proto.lock +++ b/proto.lock @@ -44233,6 +44233,20 @@ { "protopath": "security:/:v1:/:jwt.proto", "def": { + "enums": [ + { + "name": "JWTRule.Allow", + "enum_fields": [ + { + "name": "ALLOW_MISSING" + }, + { + "name": "ALLOW_MISSING_OR_FAILED", + "integer": 1 + } + ] + } + ], "messages": [ { "name": "JWTRule", @@ -44291,6 +44305,11 @@ "name": "output_claim_to_headers", "type": "ClaimToHeader", "is_repeated": true + }, + { + "id": 12, + "name": "allow", + "type": "Allow" } ] }, @@ -44729,6 +44748,20 @@ { "protopath": "security:/:v1beta1:/:jwt.proto", "def": { + "enums": [ + { + "name": "JWTRule.Allow", + "enum_fields": [ + { + "name": "ALLOW_MISSING" + }, + { + "name": "ALLOW_MISSING_OR_FAILED", + "integer": 1 + } + ] + } + ], "messages": [ { "name": "JWTRule", @@ -44787,6 +44820,11 @@ "name": "output_claim_to_headers", "type": "ClaimToHeader", "is_repeated": true + }, + { + "id": 12, + "name": "allow", + "type": "Allow" } ] }, diff --git a/security/v1/jwt.pb.go b/security/v1/jwt.pb.go index 383ca6a256d..87b525c2544 100644 --- a/security/v1/jwt.pb.go +++ b/security/v1/jwt.pb.go 
@@ -41,6 +41,62 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// Allow specifies a Jwt requirement. +type JWTRule_Allow int32 + +const ( + // The requirement is satisfied if JWT is missing, but failed if JWT is + // presented but invalid. Similar to ALLOW_MISSING_OR_FAILED, this is used + // to only verify JWTs and pass the verified payload to another filter. The + // different is this mode will reject requests with invalid tokens. + // This is the default behavior. + JWTRule_ALLOW_MISSING JWTRule_Allow = 0 + // The requirement is always satisfied even if JWT is missing or the JWT + // verification fails. A typical usage is: this filter is used to only verify + // JWTs and pass the verified JWT payloads to another filter, the other filter + // will make decision. In this mode, all JWT tokens will be verified. + JWTRule_ALLOW_MISSING_OR_FAILED JWTRule_Allow = 1 +) + +// Enum value maps for JWTRule_Allow. +var ( + JWTRule_Allow_name = map[int32]string{ + 0: "ALLOW_MISSING", + 1: "ALLOW_MISSING_OR_FAILED", + } + JWTRule_Allow_value = map[string]int32{ + "ALLOW_MISSING": 0, + "ALLOW_MISSING_OR_FAILED": 1, + } +) + +func (x JWTRule_Allow) Enum() *JWTRule_Allow { + p := new(JWTRule_Allow) + *p = x + return p +} + +func (x JWTRule_Allow) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (JWTRule_Allow) Descriptor() protoreflect.EnumDescriptor { + return file_security_v1_jwt_proto_enumTypes[0].Descriptor() +} + +func (JWTRule_Allow) Type() protoreflect.EnumType { + return &file_security_v1_jwt_proto_enumTypes[0] +} + +func (x JWTRule_Allow) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use JWTRule_Allow.Descriptor instead. +func (JWTRule_Allow) EnumDescriptor() ([]byte, []int) { + return file_security_v1_jwt_proto_rawDescGZIP(), []int{0, 0} +} + // 
@@ -168,6 +224,8 @@ type JWTRule struct { // ``` // [Experimental] This feature is a experimental feature. OutputClaimToHeaders []*ClaimToHeader `protobuf:"bytes,11,rep,name=output_claim_to_headers,json=outputClaimToHeaders,proto3" json:"output_claim_to_headers,omitempty"` // [TODO:Update the status whenever this feature is promoted.] + // Allow specifies a Jwt requirement. This is Optional, the default value is ALLOW_MISSING. + Allow JWTRule_Allow `protobuf:"varint,12,opt,name=allow,proto3,enum=istio.security.v1.JWTRule_Allow" json:"allow,omitempty"` } func (x *JWTRule) Reset() { @@ -265,6 +323,13 @@ func (x *JWTRule) GetOutputClaimToHeaders() []*ClaimToHeader { return nil } +func (x *JWTRule) GetAllow() JWTRule_Allow { + if x != nil { + return x.Allow + } + return JWTRule_ALLOW_MISSING +} + // This message specifies a header location to extract JWT token. type JWTHeader struct { state protoimpl.MessageState @@ -391,7 +456,7 @@ var file_security_v1_jwt_proto_rawDesc = []byte{ 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, - 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x9d, 0x03, 0x0a, 0x07, + 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x8e, 0x04, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 
@@ -417,17 +482,24 @@ var file_security_v1_jwt_proto_rawDesc = []byte{ 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x14, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x43, 0x6c, 0x61, - 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x22, 0x3c, 0x0a, 0x09, 0x4a, - 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, - 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, 0x61, - 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, - 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, - 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1a, 0x5a, 0x18, 0x69, 0x73, 0x74, 0x69, - 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, - 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x36, 0x0a, 0x05, 0x61, + 0x6c, 0x6c, 0x6f, 0x77, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x69, 0x73, 0x74, + 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, + 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x2e, 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x52, 0x05, 0x61, 0x6c, + 0x6c, 0x6f, 0x77, 0x22, 0x37, 0x0a, 0x05, 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x12, 0x11, 0x0a, 0x0d, + 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x5f, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x4e, 0x47, 0x10, 0x00, 
0x12, + 0x1b, 0x0a, 0x17, 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x5f, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x4e, 0x47, + 0x5f, 0x4f, 0x52, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x01, 0x22, 0x3c, 0x0a, 0x09, + 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, + 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, + 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, + 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, + 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, + 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1a, 0x5a, 0x18, 0x69, 0x73, 0x74, + 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -442,20 +514,23 @@ func file_security_v1_jwt_proto_rawDescGZIP() []byte { return file_security_v1_jwt_proto_rawDescData } +var file_security_v1_jwt_proto_enumTypes = make([]protoimpl.EnumInfo, 1) var file_security_v1_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_security_v1_jwt_proto_goTypes = []interface{}{ - (*JWTRule)(nil), // 0: istio.security.v1.JWTRule - (*JWTHeader)(nil), // 1: istio.security.v1.JWTHeader - (*ClaimToHeader)(nil), // 2: istio.security.v1.ClaimToHeader + (JWTRule_Allow)(0), // 0: istio.security.v1.JWTRule.Allow + (*JWTRule)(nil), // 1: istio.security.v1.JWTRule + (*JWTHeader)(nil), // 2: istio.security.v1.JWTHeader + (*ClaimToHeader)(nil), // 3: istio.security.v1.ClaimToHeader } var file_security_v1_jwt_proto_depIdxs = []int32{ - 1, // 0: istio.security.v1.JWTRule.from_headers:type_name -> istio.security.v1.JWTHeader - 2, // 1: istio.security.v1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1.ClaimToHeader - 2, // [2:2] is the sub-list for method output_type - 2, // [2:2] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 2, // 0: istio.security.v1.JWTRule.from_headers:type_name -> istio.security.v1.JWTHeader + 3, // 1: istio.security.v1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1.ClaimToHeader + 0, // 2: istio.security.v1.JWTRule.allow:type_name -> istio.security.v1.JWTRule.Allow + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_security_v1_jwt_proto_init() } 
@@ -506,13 +581,14 @@ func file_security_v1_jwt_proto_init() { File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_security_v1_jwt_proto_rawDesc, - NumEnums: 0, + NumEnums: 1, NumMessages: 3, NumExtensions: 0, NumServices: 0, }, GoTypes: file_security_v1_jwt_proto_goTypes, DependencyIndexes: file_security_v1_jwt_proto_depIdxs, + EnumInfos: file_security_v1_jwt_proto_enumTypes, MessageInfos: file_security_v1_jwt_proto_msgTypes, }.Build() File_security_v1_jwt_proto = out.File diff --git a/security/v1/jwt.pb.html b/security/v1/jwt.pb.html index 16d4eb44ba4..7d98cbc0d72 100644 --- a/security/v1/jwt.pb.html +++ b/security/v1/jwt.pb.html @@ -6,7 +6,7 @@ generator: protoc-gen-docs schema: istio.security.v1.JWTRule aliases: [/docs/reference/config/security/v1/jwt] -number_of_entries: 3 +number_of_entries: 4 ---

JWTRule

@@ -185,6 +185,17 @@

JWTRule

[Experimental] This feature is a experimental feature.

+ + +No + + + +allow +Allow + +

Allow specifies a Jwt requirement. This is Optional, the default value is ALLOW_MISSING.

+ No @@ -274,3 +285,39 @@

ClaimToHeader

+

JWTRule.Allow

+
+

Allow specifies a Jwt requirement.

+ + + + + + + + + + + + + + + + + + +
NameDescription
ALLOW_MISSING +

The requirement is satisfied if JWT is missing, but failed if JWT is +presented but invalid. Similar to ALLOW_MISSING_OR_FAILED, this is used +to only verify JWTs and pass the verified payload to another filter. The +different is this mode will reject requests with invalid tokens. +This is the default behavior.

+ +
ALLOW_MISSING_OR_FAILED +

The requirement is always satisfied even if JWT is missing or the JWT +verification fails. A typical usage is: this filter is used to only verify +JWTs and pass the verified JWT payloads to another filter, the other filter +will make decision. In this mode, all JWT tokens will be verified.

+ +
+
diff --git a/security/v1/jwt.proto b/security/v1/jwt.proto
index c75648620e4..1ebe4f0871c 100644
--- a/security/v1/jwt.proto
+++ b/security/v1/jwt.proto
@@ -162,6 +162,25 @@ message JWTRule {
 // ```
 // [Experimental] This feature is a experimental feature.
 repeated ClaimToHeader output_claim_to_headers = 11; // [TODO:Update the status whenever this feature is promoted.]
+
+ // Allow specifies a Jwt requirement.
+ enum Allow {
+ // The requirement is satisfied if JWT is missing, but failed if JWT is
+ // presented but invalid. Similar to ALLOW_MISSING_OR_FAILED, this is used
+ // to only verify JWTs and pass the verified payload to another filter. The
+ // different is this mode will reject requests with invalid tokens.
+ // This is the default behavior.
+ ALLOW_MISSING = 0;
+
+ // The requirement is always satisfied even if JWT is missing or the JWT
+ // verification fails. A typical usage is: this filter is used to only verify
+ // JWTs and pass the verified JWT payloads to another filter, the other filter
+ // will make decision. In this mode, all JWT tokens will be verified.
+ ALLOW_MISSING_OR_FAILED = 1;
+ }
+
+ // Allow specifies a Jwt requirement. This is Optional, the default value is ALLOW_MISSING.
+ Allow allow = 12;
 }
 
 // This message specifies a header location to extract JWT token.
diff --git a/security/v1beta1/jwt.gen.json b/security/v1beta1/jwt.gen.json
index 92cf1f8babe..9a2453591d9 100644
--- a/security/v1beta1/jwt.gen.json
+++ b/security/v1beta1/jwt.gen.json
@@ -85,8 +85,19 @@
 "items": {
 "$ref": "#/components/schemas/istio.security.v1beta1.ClaimToHeader"
 }
+ },
+ "allow": {
+ "$ref": "#/components/schemas/istio.security.v1beta1.JWTRule.Allow"
 }
 }
+ },
+ "istio.security.v1beta1.JWTRule.Allow": {
+ "description": "Allow specifies a Jwt requirement.",
+ "type": "string",
+ "enum": [
+ "ALLOW_MISSING",
+ "ALLOW_MISSING_OR_FAILED"
+ ]
 }
 }
 }
diff --git a/security/v1beta1/jwt.pb.go b/security/v1beta1/jwt.pb.go
index 40fdc322014..520109ebb32 100644
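Review bot: The comment on `ALLOW_MISSING_OR_FAILED` in the new `enum Allow` explains the intended use but not the consequence an operator needs: a request carrying an invalid or expired token is no longer rejected by this rule and is forwarded with no authenticated identity, so enforcement has to come from a separate authorization rule — add a line such as `// Requests with an invalid JWT are forwarded without an authenticated identity; pair this mode with an authorization rule that requires one.` and fix `different is this mode` → `difference is that this mode` and `will make decision` → `will make the decision`. The `RequestAuthentication` description reproduced in `request_authentication.gen.json` in this same diff still says the policy will reject a request that contains invalid authentication information, which is no longer unconditionally true once this value is set; the source of that description is not in the diff, but it presumably needs the same caveat. The identical hunk in `security/v1beta1/jwt.proto` needs the same changes.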
--- a/security/v1beta1/jwt.pb.go +++ b/security/v1beta1/jwt.pb.go @@ -41,6 +41,62 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// Allow specifies a Jwt requirement. +type JWTRule_Allow int32 + +const ( + // The requirement is satisfied if JWT is missing, but failed if JWT is + // presented but invalid. Similar to ALLOW_MISSING_OR_FAILED, this is used + // to only verify JWTs and pass the verified payload to another filter. The + // different is this mode will reject requests with invalid tokens. + // This is the default behavior. + JWTRule_ALLOW_MISSING JWTRule_Allow = 0 + // The requirement is always satisfied even if JWT is missing or the JWT + // verification fails. A typical usage is: this filter is used to only verify + // JWTs and pass the verified JWT payloads to another filter, the other filter + // will make decision. In this mode, all JWT tokens will be verified. + JWTRule_ALLOW_MISSING_OR_FAILED JWTRule_Allow = 1 +) + +// Enum value maps for JWTRule_Allow. +var ( + JWTRule_Allow_name = map[int32]string{ + 0: "ALLOW_MISSING", + 1: "ALLOW_MISSING_OR_FAILED", + } + JWTRule_Allow_value = map[string]int32{ + "ALLOW_MISSING": 0, + "ALLOW_MISSING_OR_FAILED": 1, + } +) + +func (x JWTRule_Allow) Enum() *JWTRule_Allow { + p := new(JWTRule_Allow) + *p = x + return p +} + +func (x JWTRule_Allow) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (JWTRule_Allow) Descriptor() protoreflect.EnumDescriptor { + return file_security_v1beta1_jwt_proto_enumTypes[0].Descriptor() +} + +func (JWTRule_Allow) Type() protoreflect.EnumType { + return &file_security_v1beta1_jwt_proto_enumTypes[0] +} + +func (x JWTRule_Allow) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use JWTRule_Allow.Descriptor instead. +func (JWTRule_Allow) EnumDescriptor() ([]byte, []int) { + return file_security_v1beta1_jwt_proto_rawDescGZIP(), []int{0, 0} +} + // 
@@ -168,6 +224,8 @@ type JWTRule struct { // ``` // [Experimental] This feature is a experimental feature. OutputClaimToHeaders []*ClaimToHeader `protobuf:"bytes,11,rep,name=output_claim_to_headers,json=outputClaimToHeaders,proto3" json:"output_claim_to_headers,omitempty"` // [TODO:Update the status whenever this feature is promoted.] + // Allow specifies a Jwt requirement. This is Optional, the default value is ALLOW_MISSING. + Allow JWTRule_Allow `protobuf:"varint,12,opt,name=allow,proto3,enum=istio.security.v1beta1.JWTRule_Allow" json:"allow,omitempty"` } func (x *JWTRule) Reset() { @@ -265,6 +323,13 @@ func (x *JWTRule) GetOutputClaimToHeaders() []*ClaimToHeader { return nil } +func (x *JWTRule) GetAllow() JWTRule_Allow { + if x != nil { + return x.Allow + } + return JWTRule_ALLOW_MISSING +} + // This message specifies a header location to extract JWT token. type JWTHeader struct { state protoimpl.MessageState @@ -392,7 +457,7 @@ var file_security_v1beta1_jwt_proto_rawDesc = []byte{ 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa7, 0x03, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x9d, 0x04, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 
@@ -418,18 +483,25 @@ var file_security_v1beta1_jwt_proto_rawDesc = []byte{ 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x14, 0x6f, 0x75, 0x74, 0x70, 0x75, - 0x74, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x22, - 0x3c, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, - 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, - 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, - 0x0d, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, - 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, - 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1f, 0x5a, 0x1d, - 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, - 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x74, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, + 0x3b, 0x0a, 0x05, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x25, + 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, + 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x2e, + 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x52, 0x05, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x22, 0x37, 0x0a, 0x05, + 0x41, 0x6c, 0x6c, 0x6f, 0x77, 
0x12, 0x11, 0x0a, 0x0d, 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x5f, 0x4d, + 0x49, 0x53, 0x53, 0x49, 0x4e, 0x47, 0x10, 0x00, 0x12, 0x1b, 0x0a, 0x17, 0x41, 0x4c, 0x4c, 0x4f, + 0x57, 0x5f, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x52, 0x5f, 0x46, 0x41, 0x49, + 0x4c, 0x45, 0x44, 0x10, 0x01, 0x22, 0x3c, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, + 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, + 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, + 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, + 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, + 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, + 0x69, 0x6d, 0x42, 0x1f, 0x5a, 0x1d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, + 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x65, + 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -444,20 +516,23 @@ func file_security_v1beta1_jwt_proto_rawDescGZIP() []byte { return file_security_v1beta1_jwt_proto_rawDescData } +var file_security_v1beta1_jwt_proto_enumTypes = make([]protoimpl.EnumInfo, 1) var file_security_v1beta1_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_security_v1beta1_jwt_proto_goTypes = []interface{}{ - (*JWTRule)(nil), // 0: istio.security.v1beta1.JWTRule - (*JWTHeader)(nil), // 1: istio.security.v1beta1.JWTHeader - (*ClaimToHeader)(nil), // 2: istio.security.v1beta1.ClaimToHeader + (JWTRule_Allow)(0), // 0: istio.security.v1beta1.JWTRule.Allow + (*JWTRule)(nil), // 1: istio.security.v1beta1.JWTRule + (*JWTHeader)(nil), // 2: istio.security.v1beta1.JWTHeader + (*ClaimToHeader)(nil), // 3: istio.security.v1beta1.ClaimToHeader } var file_security_v1beta1_jwt_proto_depIdxs = []int32{ - 1, // 0: istio.security.v1beta1.JWTRule.from_headers:type_name -> istio.security.v1beta1.JWTHeader - 2, // 1: istio.security.v1beta1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1beta1.ClaimToHeader - 2, // [2:2] is the sub-list for method output_type - 2, // [2:2] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 2, // 0: istio.security.v1beta1.JWTRule.from_headers:type_name -> istio.security.v1beta1.JWTHeader + 3, // 1: istio.security.v1beta1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1beta1.ClaimToHeader + 0, // 2: istio.security.v1beta1.JWTRule.allow:type_name -> istio.security.v1beta1.JWTRule.Allow + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_security_v1beta1_jwt_proto_init() } 
@@ -508,13 +583,14 @@ func file_security_v1beta1_jwt_proto_init() { File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_security_v1beta1_jwt_proto_rawDesc, - NumEnums: 0, + NumEnums: 1, NumMessages: 3, NumExtensions: 0, NumServices: 0, }, GoTypes: file_security_v1beta1_jwt_proto_goTypes, DependencyIndexes: file_security_v1beta1_jwt_proto_depIdxs, + EnumInfos: file_security_v1beta1_jwt_proto_enumTypes, MessageInfos: file_security_v1beta1_jwt_proto_msgTypes, }.Build() File_security_v1beta1_jwt_proto = out.File diff --git a/security/v1beta1/jwt.pb.html b/security/v1beta1/jwt.pb.html index 2e9b6c8d24d..59a6ae821b3 100644 --- a/security/v1beta1/jwt.pb.html +++ b/security/v1beta1/jwt.pb.html @@ -6,7 +6,7 @@ generator: protoc-gen-docs schema: istio.security.v1beta1.JWTRule aliases: [/docs/reference/config/security/v1beta1/jwt] -number_of_entries: 3 +number_of_entries: 4 ---

JWTRule

@@ -185,6 +185,17 @@

JWTRule

[Experimental] This feature is a experimental feature.

+ + +No + + + +allow +Allow + +

Allow specifies a Jwt requirement. This is Optional, the default value is ALLOW_MISSING.

+ No @@ -274,3 +285,39 @@

ClaimToHeader

+

JWTRule.Allow

+
+

Allow specifies a Jwt requirement.

+ + + + + + + + + + + + + + + + + + +
NameDescription
ALLOW_MISSING +

The requirement is satisfied if JWT is missing, but failed if JWT is +presented but invalid. Similar to ALLOW_MISSING_OR_FAILED, this is used +to only verify JWTs and pass the verified payload to another filter. The +different is this mode will reject requests with invalid tokens. +This is the default behavior.

+ +
ALLOW_MISSING_OR_FAILED +

The requirement is always satisfied even if JWT is missing or the JWT +verification fails. A typical usage is: this filter is used to only verify +JWTs and pass the verified JWT payloads to another filter, the other filter +will make decision. In this mode, all JWT tokens will be verified.

+ +
+
diff --git a/security/v1beta1/jwt.proto b/security/v1beta1/jwt.proto
index fbd8d5a7990..869b0395f05 100644
--- a/security/v1beta1/jwt.proto
+++ b/security/v1beta1/jwt.proto
@@ -162,6 +162,25 @@ message JWTRule {
 // ```
 // [Experimental] This feature is a experimental feature.
 repeated ClaimToHeader output_claim_to_headers = 11; // [TODO:Update the status whenever this feature is promoted.]
+
+ // Allow specifies a Jwt requirement.
+ enum Allow {
+ // The requirement is satisfied if JWT is missing, but failed if JWT is
+ // presented but invalid. Similar to ALLOW_MISSING_OR_FAILED, this is used
+ // to only verify JWTs and pass the verified payload to another filter. The
+ // different is this mode will reject requests with invalid tokens.
+ // This is the default behavior.
+ ALLOW_MISSING = 0;
+
+ // The requirement is always satisfied even if JWT is missing or the JWT
+ // verification fails. A typical usage is: this filter is used to only verify
+ // JWTs and pass the verified JWT payloads to another filter, the other filter
+ // will make decision. In this mode, all JWT tokens will be verified.
+ ALLOW_MISSING_OR_FAILED = 1;
+ }
+
+ // Allow specifies a Jwt requirement. This is Optional, the default value is ALLOW_MISSING.
+ Allow allow = 12;
 }
 
 // This message specifies a header location to extract JWT token.
diff --git a/security/v1beta1/request_authentication.gen.json b/security/v1beta1/request_authentication.gen.json
index 399d9e954aa..9c4b74c18fd 100644
--- a/security/v1beta1/request_authentication.gen.json
+++ b/security/v1beta1/request_authentication.gen.json
@@ -85,9 +85,20 @@ "items": { "$ref": "#/components/schemas/istio.security.v1beta1.ClaimToHeader" } + }, + "allow": { + "$ref": "#/components/schemas/istio.security.v1beta1.JWTRule.Allow" } } }, + "istio.security.v1beta1.JWTRule.Allow": { + "description": "Allow specifies a Jwt requirement.", + "type": "string", + "enum": [ + "ALLOW_MISSING", + "ALLOW_MISSING_OR_FAILED" + ] + }, "istio.security.v1beta1.RequestAuthentication": { "description": "RequestAuthentication defines what request authentication methods are supported by a workload. It will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule. Examples: - Require JWT for all request for workloads that have label `app:httpbin`", "type": "object",