{"id":19298236,"url":"https://github.com/casbin/envoy-authz","last_synced_at":"2025-04-22T09:32:20.762Z","repository":{"id":48047678,"uuid":"387784680","full_name":"casbin/envoy-authz","owner":"casbin","description":"Istio/Envoy RBAC \u0026 ABAC authorization middleware based on Casbin","archived":false,"fork":false,"pushed_at":"2023-08-08T05:37:54.000Z","size":71,"stargazers_count":20,"open_issues_count":0,"forks_count":5,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-10-29T16:58:11.568Z","etag":null,"topics":["abac","acl","auth","authz","casbin","envoy","envoy-proxy","istio","k8s","kubernetes","middleware","plugin","rbac"],"latest_commit_sha":null,"homepage":"https://github.com/casbin/casbin","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/casbin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null},"funding":{"github":"casbin"}},"created_at":"2021-07-20T12:28:38.000Z","updated_at":"2024-03-19T14:13:25.000Z","dependencies_parsed_at":"2023-09-26T09:07:54.429Z","dependency_job_id":null,"html_url":"https://github.com/casbin/envoy-authz","commit_stats":{"total_commits":9,"total_committers":5,"mean_commits":1.8,"dds":0.5555555555555556,"last_synced_commit":"6151bf39d81679922c0f58816d8463d175c7ffad"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/casbin%2Fenvoy-authz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/casbin%2Fenvoy-authz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/casbin%2Fenvoy-authz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/casbin%2Fenvoy-authz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/casbin","download_url":"https://codeload.github.com/casbin/envoy-authz/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223779646,"owners_count":17201287,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abac","acl","auth","authz","casbin","envoy","envoy-proxy","istio","k8s","kubernetes","middleware","plugin","rbac"],"created_at":"2024-11-09T23:07:22.031Z","updated_at":"2024-11-09T23:07:22.775Z","avatar_url":"https://github.com/casbin.png","language":"Go","funding_links":["https://github.com/sponsors/casbin"],"categories":[],"sub_categories":[],"readme":"# envoy-authz\n\n[![Contributions Welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/casbin/envoy-authz/issues)\n[![Discord](https://img.shields.io/discord/1022748306096537660?logo=discord\u0026label=discord\u0026color=5865F2)](https://discord.gg/S5UjpzGZjN)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n\n\u003cp align=\"center\"\u003e\n    \u003cimg width=\"400\" height=\"400\" src=\"casbin-envoy-logo.png\" alt=\"envoy-authz\" /\u003e\n\u003c/p\u003e\n\nEnvoy-authz is a middleware of Envoy which performs [external authorization](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ext_authz_filter#arch-overview-ext-authz) through casbin. This proxy would be deployed on any type of envoy-based service meshes like Istio. \n\n## Installation\n\n```\ngo get github.com/casbin/envoy-authz\n```\n\n## Requirements\n- Envoy 1.17+ \n- Istio or any type of service mesh\n- grpc dependencies\n\n## Working\n- A client would make a http request.\n- Envoy proxy would send that request to grpc server.\n- The grpc server would then authorize the request based on casbin policies.\n- If authorized, the request would be sent through or else, it gets denied.\n\nThe grpc server is based on protocol buffer from [external_auth.proto](https://github.com/envoyproxy/envoy/blob/master/api/envoy/service/auth/v2alpha/external_auth.proto). \n\n## Usage\n- Define the Casbin policies under config files by following this [guide](https://casbin.org/docs/how-it-works).\n\nYou can verify/test your policies on online [casbin-editor](https://casbin.org/editor/).\n\n- Start the authorizing server by running:-\n```\n$ go build .\n$ ./authz \n```\n- Load the envoy configuration:-\n```\n$  envoy -c authz.yaml -l info\n```\nOnce the envoy starts, it will start intercepting requests for the authorization process.\n\n## Integrating to Istio\nYou need to send custom headers, which would contain usernames in the JWT token OF headers for this middleware to work. You can check the official [Istio docs](https://istio.io/v1.4/docs/tasks/policy-enforcement/control-headers/) to get more info on modifying `Request Headers`.\n\n## Community\n\nIn case of any query, you can ask on our [Discord](https://discord.gg/S5UjpzGZjN).\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcasbin%2Fenvoy-authz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcasbin%2Fenvoy-authz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcasbin%2Fenvoy-authz/lists"}