diff --git a/mixer/v1/config/client/auth.pb.go b/mixer/v1/config/client/auth.pb.go
index 4010a81c259..be32101041b 100644
--- a/mixer/v1/config/client/auth.pb.go
+++ b/mixer/v1/config/client/auth.pb.go
@@ -234,6 +234,11 @@ type EndUserAuthenticationPolicySpec struct {
// JWT validation is skipped if the user's traffic request does not
// include a JWT.
Jwts []*JWT `protobuf:"bytes,2,rep,name=jwts" json:"jwts,omitempty"`
+ // If a request doesn't have JWT, it will be rejected.
+ // But some requests are OK without JWT, such as OPTIONS for CORS,
+ // or some paths for health checking.
+ // If a request matches any of no_jwt_patterns, it is OK without JWT.
+ NoJwtPatterns []*EndUserAuthenticationPolicySpec_Pattern `protobuf:"bytes,3,rep,name=no_jwt_patterns,json=noJwtPatterns" json:"no_jwt_patterns,omitempty"`
}
func (m *EndUserAuthenticationPolicySpec) Reset() { *m = EndUserAuthenticationPolicySpec{} }
@@ -242,6 +247,23 @@ func (*EndUserAuthenticationPolicySpec) Descriptor() ([]byte, []int) {
return fileDescriptorAuth, []int{1}
}
+// This message defines a pattern to match a request.
+// A pattern is matched only if both http_method and path_prefix are matched.
+type EndUserAuthenticationPolicySpec_Pattern struct {
+ // Define a HTTP method.
+ HttpMethod string `protobuf:"bytes,1,opt,name=http_method,json=httpMethod,proto3" json:"http_method,omitempty"`
+ // Defines a path prefix to match
+ PathPrefix string `protobuf:"bytes,2,opt,name=path_prefix,json=pathPrefix,proto3" json:"path_prefix,omitempty"`
+}
+
+func (m *EndUserAuthenticationPolicySpec_Pattern) Reset() {
+ *m = EndUserAuthenticationPolicySpec_Pattern{}
+}
+func (*EndUserAuthenticationPolicySpec_Pattern) ProtoMessage() {}
+func (*EndUserAuthenticationPolicySpec_Pattern) Descriptor() ([]byte, []int) {
+ return fileDescriptorAuth, []int{1, 0}
+}
+
type EndUserAuthenticationPolicySpecReference struct {
// REQUIRED. The short name of the
// EndUserAuthenticationPolicySpec. This is the resource name
@@ -284,6 +306,7 @@ func init() {
proto.RegisterType((*JWT)(nil), "istio.mixer.v1.config.client.JWT")
proto.RegisterType((*JWT_Location)(nil), "istio.mixer.v1.config.client.JWT.Location")
proto.RegisterType((*EndUserAuthenticationPolicySpec)(nil), "istio.mixer.v1.config.client.EndUserAuthenticationPolicySpec")
+ proto.RegisterType((*EndUserAuthenticationPolicySpec_Pattern)(nil), "istio.mixer.v1.config.client.EndUserAuthenticationPolicySpec.Pattern")
proto.RegisterType((*EndUserAuthenticationPolicySpecReference)(nil), "istio.mixer.v1.config.client.EndUserAuthenticationPolicySpecReference")
proto.RegisterType((*EndUserAuthenticationPolicySpecBinding)(nil), "istio.mixer.v1.config.client.EndUserAuthenticationPolicySpecBinding")
}
@@ -438,6 +461,48 @@ func (m *EndUserAuthenticationPolicySpec) MarshalTo(dAtA []byte) (int, error) {
i += n
}
}
+ if len(m.NoJwtPatterns) > 0 {
+ for _, msg := range m.NoJwtPatterns {
+ dAtA[i] = 0x1a
+ i++
+ i = encodeVarintAuth(dAtA, i, uint64(msg.Size()))
+ n, err := msg.MarshalTo(dAtA[i:])
+ if err != nil {
+ return 0, err
+ }
+ i += n
+ }
+ }
+ return i, nil
+}
+
+func (m *EndUserAuthenticationPolicySpec_Pattern) Marshal() (dAtA []byte, err error) {
+ size := m.Size()
+ dAtA = make([]byte, size)
+ n, err := m.MarshalTo(dAtA)
+ if err != nil {
+ return nil, err
+ }
+ return dAtA[:n], nil
+}
+
+func (m *EndUserAuthenticationPolicySpec_Pattern) MarshalTo(dAtA []byte) (int, error) {
+ var i int
+ _ = i
+ var l int
+ _ = l
+ if len(m.HttpMethod) > 0 {
+ dAtA[i] = 0xa
+ i++
+ i = encodeVarintAuth(dAtA, i, uint64(len(m.HttpMethod)))
+ i += copy(dAtA[i:], m.HttpMethod)
+ }
+ if len(m.PathPrefix) > 0 {
+ dAtA[i] = 0x12
+ i++
+ i = encodeVarintAuth(dAtA, i, uint64(len(m.PathPrefix)))
+ i += copy(dAtA[i:], m.PathPrefix)
+ }
return i, nil
}
@@ -591,6 +656,26 @@ func (m *EndUserAuthenticationPolicySpec) Size() (n int) {
n += 1 + l + sovAuth(uint64(l))
}
}
+ if len(m.NoJwtPatterns) > 0 {
+ for _, e := range m.NoJwtPatterns {
+ l = e.Size()
+ n += 1 + l + sovAuth(uint64(l))
+ }
+ }
+ return n
+}
+
+func (m *EndUserAuthenticationPolicySpec_Pattern) Size() (n int) {
+ var l int
+ _ = l
+ l = len(m.HttpMethod)
+ if l > 0 {
+ n += 1 + l + sovAuth(uint64(l))
+ }
+ l = len(m.PathPrefix)
+ if l > 0 {
+ n += 1 + l + sovAuth(uint64(l))
+ }
return n
}
@@ -691,6 +776,18 @@ func (this *EndUserAuthenticationPolicySpec) String() string {
}
s := strings.Join([]string{`&EndUserAuthenticationPolicySpec{`,
`Jwts:` + strings.Replace(fmt.Sprintf("%v", this.Jwts), "JWT", "JWT", 1) + `,`,
+ `NoJwtPatterns:` + strings.Replace(fmt.Sprintf("%v", this.NoJwtPatterns), "EndUserAuthenticationPolicySpec_Pattern", "EndUserAuthenticationPolicySpec_Pattern", 1) + `,`,
+ `}`,
+ }, "")
+ return s
+}
+func (this *EndUserAuthenticationPolicySpec_Pattern) String() string {
+ if this == nil {
+ return "nil"
+ }
+ s := strings.Join([]string{`&EndUserAuthenticationPolicySpec_Pattern{`,
+ `HttpMethod:` + fmt.Sprintf("%v", this.HttpMethod) + `,`,
+ `PathPrefix:` + fmt.Sprintf("%v", this.PathPrefix) + `,`,
`}`,
}, "")
return s
@@ -1143,6 +1240,145 @@ func (m *EndUserAuthenticationPolicySpec) Unmarshal(dAtA []byte) error {
return err
}
iNdEx = postIndex
+ case 3:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field NoJwtPatterns", wireType)
+ }
+ var msglen int
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflowAuth
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ msglen |= (int(b) & 0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ if msglen < 0 {
+ return ErrInvalidLengthAuth
+ }
+ postIndex := iNdEx + msglen
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.NoJwtPatterns = append(m.NoJwtPatterns, &EndUserAuthenticationPolicySpec_Pattern{})
+ if err := m.NoJwtPatterns[len(m.NoJwtPatterns)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+ return err
+ }
+ iNdEx = postIndex
+ default:
+ iNdEx = preIndex
+ skippy, err := skipAuth(dAtA[iNdEx:])
+ if err != nil {
+ return err
+ }
+ if skippy < 0 {
+ return ErrInvalidLengthAuth
+ }
+ if (iNdEx + skippy) > l {
+ return io.ErrUnexpectedEOF
+ }
+ iNdEx += skippy
+ }
+ }
+
+ if iNdEx > l {
+ return io.ErrUnexpectedEOF
+ }
+ return nil
+}
+func (m *EndUserAuthenticationPolicySpec_Pattern) Unmarshal(dAtA []byte) error {
+ l := len(dAtA)
+ iNdEx := 0
+ for iNdEx < l {
+ preIndex := iNdEx
+ var wire uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflowAuth
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ wire |= (uint64(b) & 0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ fieldNum := int32(wire >> 3)
+ wireType := int(wire & 0x7)
+ if wireType == 4 {
+ return fmt.Errorf("proto: Pattern: wiretype end group for non-group")
+ }
+ if fieldNum <= 0 {
+ return fmt.Errorf("proto: Pattern: illegal tag %d (wire type %d)", fieldNum, wire)
+ }
+ switch fieldNum {
+ case 1:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field HttpMethod", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflowAuth
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= (uint64(b) & 0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLengthAuth
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.HttpMethod = string(dAtA[iNdEx:postIndex])
+ iNdEx = postIndex
+ case 2:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field PathPrefix", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflowAuth
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= (uint64(b) & 0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLengthAuth
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.PathPrefix = string(dAtA[iNdEx:postIndex])
+ iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipAuth(dAtA[iNdEx:])
@@ -1492,41 +1728,46 @@ var (
func init() { proto.RegisterFile("mixer/v1/config/client/auth.proto", fileDescriptorAuth) }
var fileDescriptorAuth = []byte{
- // 568 bytes of a gzipped FileDescriptorProto
- 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x53, 0x4d, 0x6e, 0xd3, 0x40,
- 0x14, 0xb6, 0x9b, 0x36, 0x75, 0x26, 0xbb, 0x01, 0x45, 0x6e, 0x55, 0x4d, 0xd3, 0x80, 0x90, 0xc5,
- 0xc2, 0x56, 0x5b, 0x71, 0x00, 0x5a, 0x5a, 0x95, 0xc2, 0x02, 0xb9, 0xad, 0x8a, 0x10, 0x92, 0xe5,
- 0x8c, 0x5f, 0x9c, 0x49, 0x1d, 0x8f, 0x99, 0xb1, 0x13, 0xb2, 0xe3, 0x08, 0x2c, 0x38, 0x04, 0x47,
- 0xe9, 0xb2, 0x0b, 0x16, 0x2c, 0x89, 0xd9, 0xb0, 0xec, 0x11, 0x90, 0x3d, 0x76, 0xb3, 0x81, 0xa6,
- 0xab, 0xbc, 0x9f, 0xef, 0xfb, 0x32, 0xdf, 0x7b, 0xcf, 0x68, 0x67, 0xcc, 0x3e, 0x83, 0x70, 0x26,
- 0xbb, 0x0e, 0xe5, 0xf1, 0x80, 0x85, 0x0e, 0x8d, 0x18, 0xc4, 0xa9, 0xe3, 0x67, 0xe9, 0xd0, 0x4e,
- 0x04, 0x4f, 0x39, 0xde, 0x62, 0x32, 0x65, 0xdc, 0x2e, 0x81, 0xf6, 0x64, 0xd7, 0x56, 0x40, 0x5b,
- 0x01, 0x37, 0x1f, 0x87, 0x3c, 0xe4, 0x25, 0xd0, 0x29, 0x22, 0xc5, 0xd9, 0x24, 0x21, 0xe7, 0x61,
- 0x04, 0x4e, 0x99, 0xf5, 0xb3, 0x81, 0x13, 0x64, 0xc2, 0x4f, 0x19, 0x8f, 0xab, 0xfe, 0xd3, 0xff,
- 0xfc, 0xad, 0x04, 0x31, 0x61, 0x14, 0x14, 0xaa, 0xf7, 0xad, 0x81, 0x1a, 0xa7, 0x97, 0xe7, 0xb8,
- 0x83, 0x9a, 0x4c, 0xca, 0x0c, 0x84, 0xa9, 0x77, 0x75, 0xab, 0xe5, 0x56, 0x19, 0xde, 0x42, 0x2d,
- 0x3f, 0x0b, 0x18, 0xc4, 0x14, 0xa4, 0xb9, 0xd2, 0x6d, 0x58, 0x2d, 0x77, 0x51, 0xc0, 0x1b, 0xc8,
- 0x18, 0x4d, 0xaf, 0xa4, 0x97, 0x09, 0x66, 0x36, 0x4a, 0xde, 0x7a, 0x91, 0x5f, 0x08, 0x86, 0xb7,
- 0x51, 0x7b, 0xc0, 0xc5, 0xd4, 0x17, 0x81, 0x37, 0x9a, 0xa6, 0xe6, 0x6a, 0x57, 0xb7, 0x0c, 0x17,
- 0x55, 0xa5, 0xd3, 0x69, 0x8a, 0xcf, 0xd1, 0x46, 0x92, 0xf5, 0x23, 0x46, 0xbd, 0x2b, 0x98, 0x79,
- 0xd4, 0xa7, 0x43, 0xf0, 0x6a, 0x0b, 0xe6, 0x5a, 0x57, 0xb7, 0xda, 0x7b, 0x1b, 0xb6, 0xf2, 0x68,
- 0xd7, 0x1e, 0xed, 0x57, 0x15, 0xc0, 0xed, 0x28, 0xee, 0x1b, 0x98, 0x1d, 0x16, 0xcc, 0xba, 0x8e,
- 0x4f, 0x50, 0x2b, 0xe2, 0xb4, 0x8c, 0xa5, 0xd9, 0xec, 0x36, 0xac, 0xf6, 0xde, 0x73, 0xfb, 0xbe,
- 0xe9, 0xda, 0xa7, 0x97, 0xe7, 0xf6, 0xdb, 0x8a, 0xe2, 0x2e, 0xc8, 0x78, 0x1f, 0x75, 0x6a, 0x6f,
- 0x1e, 0xc4, 0x13, 0x3e, 0xf3, 0x68, 0x94, 0xc9, 0x14, 0x84, 0xb9, 0x5e, 0x3a, 0x7d, 0x54, 0x39,
- 0x3d, 0x2a, 0x7a, 0x87, 0xaa, 0xb5, 0x79, 0x8c, 0x8c, 0x5a, 0x0b, 0x9b, 0xa8, 0x39, 0x04, 0x3f,
- 0xa8, 0x47, 0x7a, 0xa2, 0xb9, 0x55, 0x8e, 0x3b, 0x68, 0xed, 0x53, 0x06, 0x62, 0x66, 0xae, 0x54,
- 0x0d, 0x95, 0x1e, 0x18, 0xa8, 0x29, 0xe9, 0x10, 0xc6, 0xd0, 0x7b, 0x8f, 0xb6, 0x8f, 0xe2, 0xe0,
- 0x42, 0x82, 0x78, 0x99, 0xa5, 0x43, 0x88, 0x53, 0xa6, 0x44, 0xdf, 0xf1, 0x88, 0xd1, 0xd9, 0x59,
- 0x02, 0x14, 0xbf, 0x40, 0xab, 0xa3, 0x69, 0xaa, 0x96, 0xd2, 0xde, 0xdb, 0x59, 0x6a, 0xd2, 0x2d,
- 0xe1, 0xbd, 0x8f, 0xc8, 0x5a, 0xa2, 0xec, 0xc2, 0x00, 0x44, 0xb1, 0x5f, 0x8c, 0xd1, 0x6a, 0xec,
- 0x8f, 0xa1, 0x3a, 0x89, 0x32, 0x2e, 0x0e, 0xa2, 0xf8, 0x95, 0x89, 0x4f, 0x41, 0xbd, 0xdf, 0x5d,
- 0x14, 0x7a, 0x3f, 0x74, 0xf4, 0x6c, 0x89, 0xfc, 0x01, 0x8b, 0x03, 0x16, 0x87, 0xf8, 0x18, 0x19,
- 0xd5, 0x29, 0x4a, 0x53, 0x7f, 0xc8, 0xa2, 0x5e, 0x17, 0xcd, 0x33, 0x45, 0x71, 0xef, 0xb8, 0xb8,
- 0x8f, 0x8c, 0xa4, 0x10, 0x67, 0x50, 0xcf, 0xe2, 0xf8, 0x7e, 0x9d, 0x87, 0xda, 0x77, 0xef, 0x74,
- 0x0f, 0x2e, 0xae, 0xe7, 0x44, 0xbb, 0x99, 0x13, 0xed, 0xe7, 0x9c, 0x68, 0xb7, 0x73, 0xa2, 0x7d,
- 0xc9, 0x89, 0xfe, 0x3d, 0x27, 0xda, 0x75, 0x4e, 0xf4, 0x9b, 0x9c, 0xe8, 0xbf, 0x72, 0xa2, 0xff,
- 0xc9, 0x89, 0x76, 0x9b, 0x13, 0xfd, 0xeb, 0x6f, 0xa2, 0x7d, 0x78, 0xa2, 0x9e, 0xc0, 0xb8, 0xe3,
- 0x27, 0xcc, 0xf9, 0xf7, 0xa7, 0xd8, 0x6f, 0x96, 0x77, 0xbd, 0xff, 0x37, 0x00, 0x00, 0xff, 0xff,
- 0x5d, 0x2b, 0x9e, 0x58, 0x22, 0x04, 0x00, 0x00,
+ // 648 bytes of a gzipped FileDescriptorProto
+ 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x54, 0xc1, 0x4e, 0xdb, 0x4a,
+ 0x14, 0xb5, 0x09, 0x84, 0x64, 0xa2, 0xa7, 0x27, 0xcd, 0x7b, 0x8a, 0x4c, 0x84, 0x4c, 0x48, 0xab,
+ 0x2a, 0xea, 0xc2, 0x16, 0xa0, 0x7e, 0x40, 0xa1, 0x20, 0x1a, 0x5a, 0x09, 0x19, 0x10, 0x52, 0x55,
+ 0xc9, 0x72, 0xec, 0x9b, 0x78, 0x20, 0xf1, 0xb8, 0x33, 0xe3, 0x84, 0xec, 0xfa, 0x09, 0x5d, 0xf0,
+ 0x11, 0xfd, 0x14, 0x96, 0x2c, 0xba, 0xe8, 0xb2, 0x71, 0x37, 0x5d, 0xf2, 0x09, 0xd5, 0x78, 0xc6,
+ 0xb0, 0x69, 0x49, 0xa5, 0xae, 0x32, 0xf7, 0xdc, 0x73, 0x8e, 0xe7, 0xcc, 0xdc, 0x09, 0xda, 0x1c,
+ 0x93, 0x2b, 0x60, 0xee, 0x64, 0xcb, 0x0d, 0x69, 0x32, 0x20, 0x43, 0x37, 0x1c, 0x11, 0x48, 0x84,
+ 0x1b, 0x64, 0x22, 0x76, 0x52, 0x46, 0x05, 0xc5, 0xeb, 0x84, 0x0b, 0x42, 0x9d, 0x82, 0xe8, 0x4c,
+ 0xb6, 0x1c, 0x45, 0x74, 0x14, 0xb1, 0xf5, 0xff, 0x90, 0x0e, 0x69, 0x41, 0x74, 0xe5, 0x4a, 0x69,
+ 0x5a, 0xf6, 0x90, 0xd2, 0xe1, 0x08, 0xdc, 0xa2, 0xea, 0x67, 0x03, 0x37, 0xca, 0x58, 0x20, 0x08,
+ 0x4d, 0x74, 0xff, 0xe9, 0x6f, 0x3e, 0xcb, 0x81, 0x4d, 0x48, 0x08, 0x8a, 0xd5, 0xb9, 0xae, 0xa0,
+ 0x4a, 0xef, 0xfc, 0x14, 0x37, 0x51, 0x95, 0x70, 0x9e, 0x01, 0xb3, 0xcc, 0xb6, 0xd9, 0xad, 0x7b,
+ 0xba, 0xc2, 0xeb, 0xa8, 0x1e, 0x64, 0x11, 0x81, 0x24, 0x04, 0x6e, 0x2d, 0xb5, 0x2b, 0xdd, 0xba,
+ 0xf7, 0x00, 0xe0, 0x35, 0x54, 0xbb, 0x98, 0x5e, 0x72, 0x3f, 0x63, 0xc4, 0xaa, 0x14, 0xba, 0x55,
+ 0x59, 0x9f, 0x31, 0x82, 0x37, 0x50, 0x63, 0x40, 0xd9, 0x34, 0x60, 0x91, 0x7f, 0x31, 0x15, 0xd6,
+ 0x72, 0xdb, 0xec, 0xd6, 0x3c, 0xa4, 0xa1, 0xde, 0x54, 0xe0, 0x53, 0xb4, 0x96, 0x66, 0xfd, 0x11,
+ 0x09, 0xfd, 0x4b, 0x98, 0xf9, 0x61, 0x10, 0xc6, 0xe0, 0x97, 0x11, 0xac, 0x95, 0xb6, 0xd9, 0x6d,
+ 0x6c, 0xaf, 0x39, 0x2a, 0xa3, 0x53, 0x66, 0x74, 0x5e, 0x69, 0x82, 0xd7, 0x54, 0xda, 0x23, 0x98,
+ 0xed, 0x49, 0x65, 0x89, 0xe3, 0x43, 0x54, 0x1f, 0xd1, 0xb0, 0x58, 0x73, 0xab, 0xda, 0xae, 0x74,
+ 0x1b, 0xdb, 0xcf, 0x9d, 0xc7, 0x4e, 0xd7, 0xe9, 0x9d, 0x9f, 0x3a, 0x6f, 0xb4, 0xc4, 0x7b, 0x10,
+ 0xe3, 0x1d, 0xd4, 0x2c, 0xb3, 0xf9, 0x90, 0x4c, 0xe8, 0xcc, 0x0f, 0x47, 0x19, 0x17, 0xc0, 0xac,
+ 0xd5, 0x22, 0xe9, 0x7f, 0x3a, 0xe9, 0xbe, 0xec, 0xed, 0xa9, 0x56, 0xeb, 0x00, 0xd5, 0x4a, 0x2f,
+ 0x6c, 0xa1, 0x6a, 0x0c, 0x41, 0x54, 0x1e, 0xe9, 0xa1, 0xe1, 0xe9, 0x1a, 0x37, 0xd1, 0xca, 0x87,
+ 0x0c, 0xd8, 0xcc, 0x5a, 0xd2, 0x0d, 0x55, 0xee, 0xd6, 0x50, 0x95, 0x87, 0x31, 0x8c, 0xa1, 0x73,
+ 0xbd, 0x84, 0x36, 0xf6, 0x93, 0xe8, 0x8c, 0x03, 0x7b, 0x99, 0x89, 0x18, 0x12, 0x41, 0x94, 0xeb,
+ 0x31, 0x1d, 0x91, 0x70, 0x76, 0x92, 0x42, 0x88, 0x5f, 0xa0, 0xe5, 0x8b, 0xa9, 0x50, 0xb7, 0xd2,
+ 0xd8, 0xde, 0x5c, 0x98, 0xd2, 0x2b, 0xe8, 0x78, 0x8c, 0xfe, 0x4d, 0xa8, 0xbc, 0x13, 0x3f, 0x0d,
+ 0x84, 0x00, 0x96, 0x70, 0xab, 0x52, 0x38, 0xec, 0x3f, 0xee, 0xb0, 0x60, 0x3b, 0xce, 0xb1, 0x72,
+ 0xf3, 0xfe, 0x49, 0x68, 0x6f, 0x2a, 0x74, 0xc5, 0x5b, 0x47, 0x68, 0x55, 0xaf, 0xe5, 0x48, 0xc4,
+ 0x42, 0xa4, 0xfe, 0x18, 0x44, 0x4c, 0x23, 0x3d, 0x68, 0x48, 0x42, 0x6f, 0x0b, 0x44, 0x12, 0xd2,
+ 0x40, 0xc4, 0x7e, 0xca, 0x60, 0x40, 0xae, 0xd4, 0xe9, 0x78, 0x48, 0x42, 0xc7, 0x05, 0xd2, 0x79,
+ 0x8f, 0xba, 0x0b, 0xb6, 0xe1, 0xc1, 0x00, 0x98, 0x1c, 0x4e, 0x8c, 0xd1, 0x72, 0x12, 0x8c, 0x41,
+ 0x7f, 0xa6, 0x58, 0xcb, 0x69, 0x96, 0xbf, 0x3c, 0x0d, 0x42, 0xd0, 0xf6, 0x0f, 0x40, 0xe7, 0x8b,
+ 0x89, 0x9e, 0x2d, 0xb0, 0xdf, 0x25, 0x49, 0x44, 0x92, 0x21, 0x3e, 0x40, 0x35, 0xfd, 0x8e, 0xb8,
+ 0x65, 0xfe, 0xc9, 0x94, 0xbd, 0x96, 0xcd, 0x13, 0x25, 0xf1, 0xee, 0xb5, 0xb8, 0x8f, 0x6a, 0xa9,
+ 0x34, 0x27, 0x50, 0xde, 0xe3, 0xc1, 0x5f, 0xdd, 0xc2, 0x7d, 0x7c, 0xef, 0xde, 0x77, 0xf7, 0xec,
+ 0x66, 0x6e, 0x1b, 0xb7, 0x73, 0xdb, 0xf8, 0x3a, 0xb7, 0x8d, 0xbb, 0xb9, 0x6d, 0x7c, 0xcc, 0x6d,
+ 0xf3, 0x73, 0x6e, 0x1b, 0x37, 0xb9, 0x6d, 0xde, 0xe6, 0xb6, 0xf9, 0x2d, 0xb7, 0xcd, 0x1f, 0xb9,
+ 0x6d, 0xdc, 0xe5, 0xb6, 0xf9, 0xe9, 0xbb, 0x6d, 0xbc, 0x7b, 0xa2, 0xb6, 0x40, 0xa8, 0x1b, 0xa4,
+ 0xc4, 0xfd, 0xf5, 0xff, 0x48, 0xbf, 0x5a, 0x3c, 0xca, 0x9d, 0x9f, 0x01, 0x00, 0x00, 0xff, 0xff,
+ 0x56, 0x8e, 0x4e, 0xe7, 0xdf, 0x04, 0x00, 0x00,
}
diff --git a/mixer/v1/config/client/auth.proto b/mixer/v1/config/client/auth.proto
index ba4fad56ff3..75636892890 100644
--- a/mixer/v1/config/client/auth.proto
+++ b/mixer/v1/config/client/auth.proto
@@ -146,6 +146,22 @@ message EndUserAuthenticationPolicySpec {
// JWT validation is skipped if the user's traffic request does not
// include a JWT.
repeated JWT jwts = 2;
+
+ // This message defines a pattern to match a request.
+ // A pattern is matched only if both http_method and path_prefix are matched.
+ message Pattern {
+ // Define a HTTP method.
+ string http_method = 1;
+
+ // Defines a path prefix to match
+ string path_prefix = 2;
+ }
+
+ // If a request doesn't have JWT, it will be rejected.
+ // But some requests are OK without JWT, such as OPTIONS for CORS,
+ // or some paths for health checking.
+ // If a request matches any of no_jwt_patterns, it is OK without JWT.
+ repeated Pattern no_jwt_patterns = 3;
}
message EndUserAuthenticationPolicySpecReference {
diff --git a/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html b/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html
index 153e5339d2a..b90c5e52c6b 100644
--- a/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html
+++ b/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html
@@ -159,6 +159,46 @@ EndUserAuthenticationPolicySpec
JWT validation is skipped if the user’s traffic request does not
include a JWT.
+
+
+
+noJwtPatterns |
+EndUserAuthenticationPolicySpec.Pattern[] |
+
+ If a request doesn’t have JWT, it will be rejected.
+But some requests are OK without JWT, such as OPTIONS for CORS,
+or some paths for health checking.
+If a request matches any of nojwtpatterns, it is OK without JWT.
+
+ |
+
+
+
+EndUserAuthenticationPolicySpec.Pattern
+
+This message defines a pattern to match a request.
+A pattern is matched only if both httpmethod and pathprefix are matched.
+
+
+
+| Field |
+Type |
+Description |
+
+
+httpMethod |
+string |
+
+ Define a HTTP method.
+
+ |
+
+
+pathPrefix |
+string |
+
+ Defines a path prefix to match
+
|